diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index 67b78aa0e..1822169aa 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -228,5 +228,5 @@ interface(`dpkg_lock_db',`
 
 	files_search_var_lib($1)
 	allow $1 dpkg_var_lib_t:dir list_dir_perms;
-	allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
+	allow $1 dpkg_lock_t:file manage_file_perms;
 ')
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 4f69198c8..da338abea 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -111,7 +111,7 @@ interface(`portage_compile_domain',`
 
 	# write compile logs
 	allow $1 portage_log_t:dir setattr;
-	allow $1 portage_log_t:file { append write setattr };
+	allow $1 portage_log_t:file { write_file_perms setattr };
 
 	# run scripts out of the build directory
 	can_exec(portage_sandbox_t, portage_tmp_t)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 94bd0f39f..9e09e88e6 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -85,7 +85,7 @@ interface(`prelink_read_cache',`
 	')
 
 	files_search_etc($1)
-	allow $1 prelink_cache_t:file { getattr read };
+	allow $1 prelink_cache_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 66f46592a..d50b4b793 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -166,9 +166,7 @@ template(`evolution_per_role_template',`
 	userdom_search_user_home_dirs($1, $1_evolution_t)
 
 	# Allow the user domain to signal/ps.
-	allow $2 $1_evolution_t:dir { search getattr read };
-	allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
-	allow $2 $1_evolution_t:process getattr;
+	ps_process_pattern($2, $1_evolution_t)
 
 	domain_dontaudit_read_all_domains_state($1_evolution_t)
 
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index 810ee0448..a83364477 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -79,7 +79,7 @@ template(`uml_per_role_template',`
 	allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
 
 	# allow the UML thing to happen
-	allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
+	allow $1_uml_t $1_uml_devpts_t:chr_file { rw_chr_file_perms setattr };
 	term_create_pty($1_uml_t,$1_uml_devpts_t)
 
 	manage_dirs_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t)
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index 806bb8059..d4d83f6a0 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -180,7 +180,7 @@ interface(`vmware_read_system_config',`
 		type vmware_sys_conf_t;
 	')
 
-	allow $1 vmware_sys_conf_t:file { getattr read };
+	allow $1 vmware_sys_conf_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 777dc4929..7df3bdeff 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -360,8 +360,7 @@ interface(`corecmd_mmap_bin_files',`
 		type bin_t;
 	')
 
-	allow $1 bin_t:dir search_dir_perms;
-	allow $1 bin_t:file { getattr read execute };
+	mmap_files_pattern($1, bin_t, bin_t)
 ')
 
 ########################################
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 2b473b301..e89e304e5 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1555,7 +1555,7 @@ interface(`corenet_rw_tun_tap_dev',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tun_tap_device_t:chr_file { getattr read write ioctl  lock append };
+	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################
@@ -1574,7 +1574,7 @@ interface(`corenet_rw_ppp_dev',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 ppp_device_t:chr_file rw_file_perms;
+	allow $1 ppp_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 9e4865b49..acede2856 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1119,7 +1119,7 @@ interface(`files_mounton_all_mountpoints',`
 		attribute mountpoint;
 	')
 
-	allow $1 mountpoint:dir { getattr search mounton };
+	allow $1 mountpoint:dir { search_dir_perms mounton };
 	allow $1 mountpoint:file { getattr mounton };
 ')
 
@@ -1552,7 +1552,7 @@ interface(`files_create_kernel_img',`
 		type boot_t;
 	')
 
-	allow $1 boot_t:file { getattr read write create };
+	allow $1 boot_t:file { create_file_perms rw_file_perms };
 	manage_lnk_files_pattern($1, boot_t, boot_t)
 ')
 
@@ -1682,7 +1682,7 @@ interface(`files_mounton_default',`
 		type default_t;
 	')
 
-	allow $1 default_t:dir { getattr search mounton };
+	allow $1 default_t:dir { search_dir_perms mounton };
 ')
 
 ########################################
@@ -3723,7 +3723,7 @@ interface(`files_create_kernel_symbol_table',`
 	')
 
 	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-	allow $1 system_map_t:file { rw_file_perms create };
+	allow $1 system_map_t:file { create_file_perms rw_file_perms };
 ')
 
 ########################################
@@ -4742,7 +4742,7 @@ interface(`files_polyinstantiate_all',`
 	allow $1 self:capability { chown fsetid sys_admin };
 
 	# Need to give access to the directories to be polyinstantiated
-	allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir };
+	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
 
 	# Need to give access to the polyinstantiated subdirectories
 	allow $1 polymember:dir search_dir_perms;
@@ -4754,8 +4754,8 @@ interface(`files_polyinstantiate_all',`
 	# Need to give permission to create directories where applicable
 	allow $1 self:process setfscreate;
 	allow $1 polymember: dir { create setattr relabelto };
-	allow $1 polydir: dir { write add_name };
-	allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };
+	allow $1 polydir: dir { write add_name open };
+	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
 
 	# Default type for mountpoints
 	allow $1 poly_t:dir { create mounton };
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 60877b01a..08535cf1d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1936,7 +1936,6 @@ interface(`fs_read_rpc_sockets',`
 	')
 
 	allow $1 rpc_pipefs_t:sock_file { read write };
-
 ')
 
 ########################################
@@ -2706,7 +2705,7 @@ interface(`fs_rw_rpc_named_pipes',`
 		type rpc_pipefs_t;
 	')
 
-	allow $1 rpc_pipefs_t:fifo_file { read write };
+	allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index c16bf9a5b..111596b08 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2147,7 +2147,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 		type unlabeled_t;
 	')
 
-	allow $1 unlabeled_t:dir { getattr search read relabelfrom };
+	allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
 ')
 
 ########################################
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index c931e1eb7..946f8fc1d 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -165,7 +165,7 @@ interface(`selinux_dontaudit_read_fs',`
 	')
 
 	dontaudit $1 security_t:dir search_dir_perms;
-	dontaudit $1 security_t:file { getattr read };
+	dontaudit $1 security_t:file read_file_perms;
 ')
 
 ########################################
@@ -186,7 +186,7 @@ interface(`selinux_get_enforce_mode',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read };
+	allow $1 security_t:file read_file_perms;
 ')
 
 ########################################
@@ -219,7 +219,7 @@ interface(`selinux_set_enforce_mode',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 	typeattribute $1 can_setenforce;
 
 	if(!secure_mode_policyload) {
@@ -250,7 +250,7 @@ interface(`selinux_load_policy',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 	typeattribute $1 can_load_policy;
 
 	if(!secure_mode_policyload) {
@@ -292,7 +292,7 @@ interface(`selinux_set_boolean',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 
 	if(!secure_mode_policyload) {
 		allow $1 security_t:security setbool;
@@ -333,7 +333,7 @@ interface(`selinux_set_parameters',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security setsecparam;
 	auditallow $1 security_t:security setsecparam;
 	typeattribute $1 can_setsecparam;
@@ -356,7 +356,7 @@ interface(`selinux_validate_context',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security check_context;
 ')
 
@@ -377,7 +377,7 @@ interface(`selinux_dontaudit_validate_context',`
 	')
 
 	dontaudit $1 security_t:dir list_dir_perms;
-	dontaudit $1 security_t:file { getattr read write };
+	dontaudit $1 security_t:file rw_file_perms;
 	dontaudit $1 security_t:security check_context;
 ')
 
@@ -398,7 +398,7 @@ interface(`selinux_compute_access_vector',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_av;
 ')
 
@@ -419,7 +419,7 @@ interface(`selinux_compute_create_context',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_create;
 ')
 
@@ -440,7 +440,7 @@ interface(`selinux_compute_member',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_member;
 ')
 
@@ -469,7 +469,7 @@ interface(`selinux_compute_relabel_context',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_relabel;
 ')
 
@@ -489,7 +489,7 @@ interface(`selinux_compute_user_contexts',`
 	')
 
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file { getattr read write };
+	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_user;
 ')
 
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 548655360..38b493a7e 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -173,7 +173,7 @@ interface(`term_use_all_terms',`
 
 	dev_list_all_dev_nodes($1)
 	allow $1 devpts_t:dir list_dir_perms;
-	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
+	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
 ')
 
 ########################################
@@ -932,7 +932,7 @@ interface(`term_append_unallocated_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file { getattr append };
+	allow $1 tty_device_t:chr_file append_chr_file_perms;
 ')
 
 ########################################
@@ -951,7 +951,7 @@ interface(`term_write_unallocated_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file { getattr write };
+	allow $1 tty_device_t:chr_file write_chr_file_perms;
 ')
 
 ########################################
@@ -971,7 +971,7 @@ interface(`term_use_unallocated_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file { rw_term_perms lock append };
+	allow $1 tty_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################
@@ -990,7 +990,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 		type tty_device_t;
 	')
 
-	dontaudit $1 tty_device_t:chr_file { rw_term_perms lock append };
+	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################
@@ -1092,7 +1092,7 @@ interface(`term_write_all_user_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file { getattr write append };
+	allow $1 ttynode:chr_file write_chr_file_perms;
 ')
 
 ########################################
@@ -1112,7 +1112,7 @@ interface(`term_use_all_user_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file { rw_term_perms lock append };
+	allow $1 ttynode:chr_file rw_chr_file_perms;
 ')
 
 ########################################
@@ -1131,5 +1131,5 @@ interface(`term_dontaudit_use_all_user_ttys',`
 		attribute ttynode;
 	')
 
-	dontaudit $1 ttynode:chr_file { read write };
+	dontaudit $1 ttynode:chr_file rw_chr_file_perms;
 ')
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index 3e5f6dbe2..db18f31c5 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -37,7 +37,7 @@ interface(`amavis_read_spool_files',`
 	')
 
 	files_search_spool($1)
-	allow $1 amavis_spool_t:file { getattr read };
+	allow $1 amavis_spool_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index f038c0d43..7946f4033 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -940,7 +940,7 @@ interface(`apache_read_squirrelmail_data',`
 		type httpd_squirrelmail_t;
 	')
 
-	allow $1 httpd_squirrelmail_t:file { getattr read };
+	allow $1 httpd_squirrelmail_t:file read_file_perms;
 ')
 
 ########################################
@@ -959,7 +959,7 @@ interface(`apache_append_squirrelmail_data',`
 		type httpd_squirrelmail_t;
 	')
 
-	allow $1 httpd_squirrelmail_t:file { getattr append };
+	allow $1 httpd_squirrelmail_t:file append_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index 4da96a505..d8a10d00c 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -55,7 +55,7 @@ interface(`apcupsd_read_log',`
 
 	logging_search_logs($1)
 	allow $1 apcupsd_log_t:dir list_dir_perms;
-	allow $1 apcupsd_log_t:file { read getattr lock };
+	allow $1 apcupsd_log_t:file read_file_perms;
 ')
 
 ########################################
@@ -76,7 +76,7 @@ interface(`apcupsd_append_log',`
 
 	logging_search_logs($1)
 	allow $1 apcupsd_log_t:dir list_dir_perms;
-	allow $1 apcupsd_log_t:file { getattr append };
+	allow $1 apcupsd_log_t:file append_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
index 9e12e9514..293f0fd1f 100644
--- a/policy/modules/services/bitlbee.if
+++ b/policy/modules/services/bitlbee.if
@@ -16,8 +16,8 @@ interface(`bitlbee_read_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 bitlbee_conf_t:dir { getattr read search };
-	allow $1 bitlbee_conf_t:file { read getattr };
+	allow $1 bitlbee_conf_t:dir list_dir_perms;
+	allow $1 bitlbee_conf_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 00186a151..0822ff972 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -285,7 +285,7 @@ template(`cron_admin_template',`
 	')
 
 	# Allow our crontab domain to unlink a user cron spool file.
-	allow $1_crontab_t cron_spool_type:file { getattr read unlink };
+	allow $1_crontab_t cron_spool_type:file { read_file_perms delete_file_perms };
 
 	logging_read_generic_logs($1_crond_t)
 
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 8d6b4af6a..5ee59302a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -207,7 +207,7 @@ interface(`cups_read_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 cupsd_log_t:file { getattr read };
+	allow $1 cupsd_log_t:file read_file_perms;
 ')
 
 ########################################
@@ -226,7 +226,7 @@ interface(`cups_write_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 cupsd_log_t:file write;
+	allow $1 cupsd_log_t:file write_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index fced31059..d9fc7e1c2 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -36,7 +36,7 @@ interface(`fail2ban_read_log',`
 
 	logging_search_logs($1)
 	allow $1 fail2ban_log_t:dir list_dir_perms;
-	allow $1 fail2ban_log_t:file { read getattr lock };
+	allow $1 fail2ban_log_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 63c9801fd..f07f6d44b 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -67,7 +67,7 @@ interface(`ftp_read_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 ftpd_etc_t:file { getattr read };
+	allow $1 ftpd_etc_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
index f3291e924..124033784 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -93,9 +93,9 @@ interface(`inn_read_config',`
 		type innd_etc_t;
 	')
 
-	allow $1 innd_etc_t:dir { getattr read search };
-	allow $1 innd_etc_t:file { read getattr };
-	allow $1 innd_etc_t:lnk_file { getattr read };
+	allow $1 innd_etc_t:dir list_dir_perms;
+	allow $1 innd_etc_t:file read_file_perms;
+	allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -113,9 +113,9 @@ interface(`inn_read_news_lib',`
 		type innd_var_lib_t;
 	')
 
-	allow $1 innd_var_lib_t:dir { getattr read search };
-	allow $1 innd_var_lib_t:file { read getattr };
-	allow $1 innd_var_lib_t:lnk_file { getattr read };
+	allow $1 innd_var_lib_t:dir list_dir_perms;
+	allow $1 innd_var_lib_t:file read_file_perms;
+	allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -133,9 +133,9 @@ interface(`inn_read_news_spool',`
 		type news_spool_t;
 	')
 
-	allow $1 news_spool_t:dir { getattr read search };
-	allow $1 news_spool_t:file { read getattr };
-	allow $1 news_spool_t:lnk_file { getattr read };
+	allow $1 news_spool_t:dir list_dir_perms;
+	allow $1 news_spool_t:file read_file_perms;
+	allow $1 news_spool_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 366f39542..12c1cfc43 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -73,7 +73,7 @@ interface(`kerberos_use',`
 	')
 
 	files_search_etc($1)
-	allow $1 krb5_conf_t:file { getattr read };
+	allow $1 krb5_conf_t:file read_file_perms;
 	dontaudit $1 krb5_conf_t:file write;
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 2d767ff0e..3aa8fa778 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -36,7 +36,7 @@ interface(`ldap_read_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 slapd_etc_t:file { getattr read };
+	allow $1 slapd_etc_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 23ba2b263..5bfa326c8 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -114,7 +114,7 @@ template(`mta_base_mail_template',`
 		manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
 		files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
 
-		allow $1_mail_t etc_mail_t:dir { getattr search };
+		allow $1_mail_t etc_mail_t:dir search_dir_perms;
 
 		# Write to /var/spool/mail and /var/spool/mqueue.
 		manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 0115dbf1b..308a383b8 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -74,9 +74,9 @@ interface(`mysql_read_config',`
 		type mysqld_etc_t;
 	')
 
-	allow $1 mysqld_etc_t:dir { getattr read search };
-	allow $1 mysqld_etc_t:file { read getattr };
-	allow $1 mysqld_etc_t:lnk_file { getattr read };
+	allow $1 mysqld_etc_t:dir list_dir_perms;
+	allow $1 mysqld_etc_t:file read_file_perms;
+	allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -98,7 +98,7 @@ interface(`mysql_search_db',`
 	')
 
 	files_search_var_lib($1)
-	allow $1 mysqld_db_t:dir search;
+	allow $1 mysqld_db_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -156,7 +156,7 @@ interface(`mysql_rw_db_sockets',`
 	')
 
 	files_search_var_lib($1)
-	allow $1 mysqld_db_t:dir search;
+	allow $1 mysqld_db_t:dir search_dir_perms;
 	allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
 ')
 
@@ -176,5 +176,5 @@ interface(`mysql_write_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 mysqld_log_t:file { write append setattr ioctl };
+	allow $1 mysqld_log_t:file { write_file_perms setattr };
 ')
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index f1196e1f5..2e23018d8 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -223,7 +223,7 @@ interface(`nis_read_ypserv_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 ypserv_conf_t:file { getattr read };
+	allow $1 ypserv_conf_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 4fa21233b..039c6de87 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -49,7 +49,7 @@ interface(`portmap_run_helper',`
 
 	portmap_domtrans_helper($1)
 	role $2 types portmap_helper_t;
-	allow portmap_helper_t $3:chr_file { getattr read write ioctl };
+	allow portmap_helper_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index a9d7b7169..0eeb4e700 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -208,9 +208,9 @@ interface(`postfix_read_config',`
 		type postfix_etc_t;
 	')
 
-	allow $1 postfix_etc_t:dir { getattr read search };
-	allow $1 postfix_etc_t:file { read getattr };
-	allow $1 postfix_etc_t:lnk_file { getattr read };
+	allow $1 postfix_etc_t:dir list_dir_perms;
+	allow $1 postfix_etc_t:file read_file_perms;
+	allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
 	files_search_etc($1)
 ')
 
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index bae1e10f4..4351a8c1e 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -272,9 +272,9 @@ interface(`postgresql_read_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 postgresql_etc_t:dir { getattr read search };
-	allow $1 postgresql_etc_t:file { read getattr };
-	allow $1 postgresql_etc_t:lnk_file { getattr read };
+	allow $1 postgresql_etc_t:dir list_dir_perms;
+	allow $1 postgresql_etc_t:file read_file_perms;
+	allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 5d987978d..e100e9af2 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -230,7 +230,7 @@ interface(`ppp_read_rw_config',`
 	')
 
 	allow $1 pppd_etc_t:dir list_dir_perms;
-	allow $1 pppd_etc_rw_t:file { getattr read };
+	allow $1 pppd_etc_rw_t:file read_file_perms;
 	files_search_etc($1)
 ')
 
@@ -250,7 +250,7 @@ interface(`ppp_read_secrets',`
 	')
 
 	allow $1 pppd_etc_t:dir list_dir_perms;
-	allow $1 pppd_secret_t:file { getattr read };
+	allow $1 pppd_secret_t:file read_file_perms;
 	files_search_etc($1)
 ')
 
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index ed7618652..a40b0a236 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -72,9 +72,9 @@ template(`qmail_child_domain_template',`
 	allow $1_t $2:fifo_file rw_file_perms;
 	allow $1_t $2:process sigchld;
 
-	allow $1_t qmail_etc_t:dir { getattr read search };
-	allow $1_t qmail_etc_t:file { getattr read };
-	allow $1_t qmail_etc_t:lnk_file { getattr read };
+	allow $1_t qmail_etc_t:dir list_dir_perms;
+	allow $1_t qmail_etc_t:file read_file_perms;
+	allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
 
 	allow $1_t qmail_start_t:fd use;
 
@@ -158,9 +158,9 @@ interface(`qmail_read_config',`
 		type qmail_etc_t;
 	')
 
-	allow $1 qmail_etc_t:dir { getattr read search };
-	allow $1 qmail_etc_t:file { getattr read };
-	allow $1 qmail_etc_t:lnk_file { getattr read };
+	allow $1 qmail_etc_t:dir list_dir_perms;
+	allow $1 qmail_etc_t:file read_file_perms;
+	allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
 	files_search_var($1)
 
 	ifdef(`distro_debian',`
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index f3480f0f6..37fc17047 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -56,7 +56,8 @@ template(`razor_common_domain_template',`
 	files_search_var_lib($1_t)
 
 	# Razor is one executable and several symlinks
-	allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
+	allow $1_t razor_exec_t:file read_file_perms;
+	allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
 
 	kernel_read_system_state($1_t)
 	kernel_read_network_state($1_t)
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
index c9711c6c6..d7d282aa7 100644
--- a/policy/modules/services/rhgb.if
+++ b/policy/modules/services/rhgb.if
@@ -194,5 +194,5 @@ interface(`rhgb_rw_tmpfs_files',`
 		type rhgb_tmpfs_t;
 	')
 
-	allow $1 rhgb_tmpfs_t:file { read write };
+	allow $1 rhgb_tmpfs_t:file rw_file_perms;
 ')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index dddbcd9df..23da55270 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -263,7 +263,7 @@ interface(`samba_read_secrets',`
 	')
 
 	files_search_etc($1)
-	allow $1 samba_secrets_t:file { read getattr lock };
+	allow $1 samba_secrets_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index 85663947b..f3d845986 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -15,7 +15,7 @@ interface(`smartmon_read_tmp_files',`
 		type fsdaemon_tmp_t;
 	')
 
-	allow $1 fsdaemon_tmp_t:file { getattr ioctl read };
+	allow $1 fsdaemon_tmp_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index d56747910..58b25e645 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -391,7 +391,7 @@ template(`ssh_per_role_template',`
 		allow $1_ssh_keysign_t self:capability { setgid setuid };
 		allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
-		allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+		allow $1_ssh_keysign_t sshd_key_t:file read_file_perms;
 
 		dev_read_urand($1_ssh_keysign_t)
 
@@ -452,7 +452,7 @@ template(`ssh_server_template', `
 	can_exec($1_t, sshd_exec_t)
 
 	# Access key files
-	allow $1_t sshd_key_t:file { getattr read };
+	allow $1_t sshd_key_t:file read_file_perms;
 
 	kernel_read_kernel_sysctls($1_t)
 
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 5b7e8f4a2..ffa2bd78a 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -320,7 +320,7 @@ template(`xserver_per_role_template',`
 
 	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
 
-	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+	allow $1_xserver_t $1_xauth_home_t:file read_file_perms;
 
 	domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
 	allow $1_xserver_t $2:process signal;
@@ -539,7 +539,7 @@ template(`xserver_ro_session_template',`
 	allow $2 $1_xserver_t:process signal;
 
 	# Read /tmp/.X0-lock
-	allow $2 $1_xserver_tmp_t:file { getattr read };
+	allow $2 $1_xserver_tmp_t:file read_file_perms;
 
 	# Client read xserver shm
 	allow $2 $1_xserver_t:fd use;
@@ -615,8 +615,8 @@ template(`xserver_user_client_template',`
 	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
-	allow $2 $1_xauth_home_t:file { getattr read };
-	allow $2 $1_iceauth_home_t:file { getattr read };
+	allow $2 $1_xauth_home_t:file read_file_perms;
+	allow $2 $1_iceauth_home_t:file read_file_perms;
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
@@ -885,13 +885,13 @@ template(`xserver_user_x_domain_template',`
 	allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
 
 	# Read .Xauthority file
-	allow $3 $1_xauth_home_t:file { getattr read };
-	allow $3 $1_iceauth_home_t:file { getattr read };
+	allow $3 $1_xauth_home_t:file read_file_perms;
+	allow $3 $1_iceauth_home_t:file read_file_perms;
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $3 xdm_t:fd use;
 	allow $3 xdm_t:fifo_file { getattr read write ioctl };
-	allow $3 xdm_tmp_t:dir search;
+	allow $3 xdm_tmp_t:dir search_dir_perms;
 	allow $3 xdm_tmp_t:sock_file { read write };
 	dontaudit $3 xdm_t:tcp_socket { read write };
 
@@ -1230,7 +1230,7 @@ interface(`xserver_read_xdm_rw_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 xdm_rw_etc_t:file { getattr read };
+	allow $1 xdm_rw_etc_t:file read_file_perms;
 ')
 
 ########################################
@@ -1306,7 +1306,7 @@ interface(`xserver_read_xdm_lib_files',`
 		type xdm_var_lib_t;
 	')
 
-	allow $1 xdm_var_lib_t:file { getattr read };
+	allow $1 xdm_var_lib_t:file read_file_perms;
 ')
 
 ########################################
@@ -1479,7 +1479,7 @@ interface(`xserver_read_xdm_xserver_tmp_files',`
 		type xdm_xserver_tmp_t;
 	')
 
-	allow $1 xdm_xserver_tmp_t:file { getattr read };
+	allow $1 xdm_xserver_tmp_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index deb5755c3..0a1258701 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -31,7 +31,7 @@ template(`authlogin_common_auth_domain_template',`
 	allow $1_chkpwd_t self:process getattr;
 
 	files_list_etc($1_chkpwd_t)
-	allow $1_chkpwd_t shadow_t:file { getattr read };
+	allow $1_chkpwd_t shadow_t:file read_file_perms;
 
 	# is_selinux_enabled
 	kernel_read_system_state($1_chkpwd_t)
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index 2665facf9..29397afa7 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -47,7 +47,7 @@ interface(`clock_run',`
 
 	clock_domtrans($1)
 	role $2 types hwclock_t;
-	allow hwclock_t $3:chr_file { getattr read write ioctl };
+	allow hwclock_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 2b1dddab6..e529bd6f4 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -48,7 +48,7 @@ interface(`fstools_run',`
 
 	fstools_domtrans($1)
 	role $2 types fsadm_t;
-	allow fsadm_t $3:chr_file { getattr read write ioctl };
+	allow fsadm_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index bd8ead461..9ae3682ec 100644
--- a/policy/modules/system/getty.if
+++ b/policy/modules/system/getty.if
@@ -54,7 +54,7 @@ interface(`getty_read_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 getty_log_t:file { getattr read };
+	allow $1 getty_log_t:file read_file_perms;
 ')
 
 ########################################
@@ -74,7 +74,7 @@ interface(`getty_read_config',`
 	')
 
 	files_search_etc($1)
-	allow $1 getty_etc_t:file { getattr read };
+	allow $1 getty_etc_t:file read_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
index f325978fd..791003704 100644
--- a/policy/modules/system/hostname.if
+++ b/policy/modules/system/hostname.if
@@ -47,7 +47,7 @@ interface(`hostname_run',`
 
 	hostname_domtrans($1)
 	role $2 types hostname_t;
-	allow hostname_t $3:chr_file { getattr read write ioctl };
+	allow hostname_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index e6a1c8335..d6f0c522c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1394,7 +1394,7 @@ interface(`init_write_utmp',`
 	')
 
 	files_list_pids($1)
-	allow $1 initrc_var_run_t:file { getattr write };
+	allow $1 initrc_var_run_t:file { getattr open write };
 ')
 
 ########################################
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index e8bd0c7e1..57a33a74d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -48,7 +48,7 @@ interface(`sysnet_run_dhcpc',`
 
 	sysnet_domtrans_dhcpc($1)
 	role $2 types dhcpc_t;
-	allow dhcpc_t $3:chr_file { getattr read write ioctl };
+	allow dhcpc_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -198,7 +198,7 @@ interface(`sysnet_read_dhcpc_state',`
 		type dhcpc_state_t;
 	')
 
-	allow $1 dhcpc_state_t:file { getattr read };
+	allow $1 dhcpc_state_t:file read_file_perms;
 ')
 
 #######################################
@@ -348,7 +348,7 @@ interface(`sysnet_read_dhcpc_pid',`
 	')
 
 	files_list_pids($1)
-	allow $1 dhcpc_var_run_t:file { getattr read };
+	allow $1 dhcpc_var_run_t:file read_file_perms;
 ')
 
 #######################################
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 21df88019..cb43eb104 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -645,5 +645,5 @@ interface(`unconfined_write_tmp_files',`
 		type unconfined_tmp_t;
 	')
 
-	allow $1 unconfined_tmp_t:file { getattr write append };
+	allow $1 unconfined_tmp_t:file write_file_perms;
 ')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ff37b3591..d546c89ee 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -57,7 +57,7 @@ template(`userdom_base_user_template',`
 	allow $1_t self:context contains;
 	dontaudit $1_t self:socket create;
 
-	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+	allow $1_t $1_devpts_t:chr_file { setattr rw_chr_file_perms };
 	term_create_pty($1_t,$1_devpts_t)
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -5310,7 +5310,7 @@ interface(`userdom_write_unpriv_users_tmp_files',`
 		attribute user_tmpfile;
 	')
 
-	allow $1 user_tmpfile:file { getattr write append };
+	allow $1 user_tmpfile:file write_file_perms;
 ')
 
 ########################################
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index ca7aa4382..56d4c5d92 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -2,7 +2,7 @@
 # Specified domain transition patterns
 #
 define(`domain_transition_pattern',`
-	allow $1 $2:file { getattr read execute };
+	allow $1 $2:file { getattr open read execute };
 	allow $1 $3:process transition;
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
@@ -48,7 +48,8 @@ define(`send_audit_msgs_pattern',`
 ')
 
 define(`ps_process_pattern',`
-	allow $1 $2:dir { search getattr read };
-	allow $1 $2:{ file lnk_file } { read getattr };
+	allow $1 $2:dir list_dir_perms;
+	allow $1 $2:file read_file_perms;
+	allow $1 $2:lnk_file read_lnk_file_perms;
 	allow $1 $2:process getattr;
 ')