commit: 89cbc037a65cd4e6871a32337bb9f0e1c1f4dc95 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Wed Oct 13 17:36:25 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Nov 20 22:58:24 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89cbc037
various: deprecate mcs override interfaces
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 2 +-
policy/modules/admin/rpm.te | 2 --
policy/modules/admin/tmpreaper.te | 2 --
policy/modules/kernel/mcs.if | 24 ++++--------------------
policy/modules/services/policykit.te | 2 --
policy/modules/services/postfix.te | 10 ----------
policy/modules/services/watchdog.te | 2 --
policy/modules/system/init.te | 6 ------
policy/modules/system/systemd.te | 1 -
policy/modules/system/udev.te | 2 --
policy/modules/system/unconfined.te | 3 ---
11 files changed, 5 insertions(+), 51 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index cc922a02..c8c573e9 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -173,7 +173,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 # because the subject in this particular case is the remote domain which is
 # writing data out the network node which is acting as the object
 mlsconstrain { node } { recvfrom sendto }
- (( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { packet peer } { recv }
  (( l1 dom l2 ) or
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 860207e5..6823e6e3 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t)
 fs_unmount_xattr_fs(rpm_script_t)
 fs_search_auto_mountpoints(rpm_script_t)
 
-mcs_killall(rpm_script_t)
-
 mls_file_read_all_levels(rpm_script_t)
 mls_file_write_all_levels(rpm_script_t)
 
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index f4ce8dba..1acefd7f 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
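Review bot: The `msc_constrained_type` → `mcs_constrained_type` correction on the `mlsconstrain { node } { recvfrom sendto }` rule is a functional change to the MCS network constraint, not part of the interface deprecation the commit title describes, and the commit message does not mention it. Depending on how the policy compiler treated the undefined name, this rule was either rejected at build time or not the rule the author intended, so the fix deserves its own line in the description or its own commit so the change in enforcement is visible in history. The two `(( l1 dom l2 ) or ...)` clauses are now consistent with the other constraints in the file that reference `mcs_constrained_type`.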
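Review bot: Dropping `mcs_killall(rpm_script_t)` here (and the sibling removals in tmpreaper.te, policykit.te, postfix.te, watchdog.te, init.te, systemd.te, udev.te and unconfined.te) is behaviour-neutral only for domains that are not `mcs_constrained()`: the node constraint in policy/mcs shows the MCS checks gating on `t1 != mcs_constrained_type`, so for an unconstrained domain the override attribute was already redundant, but any of these domains that is in `mcs_constrained_type` loses cross-category kill/ptrace/read/write with this change. Nothing in the hunks shows which of these domains are constrained, so a sentence in the commit message such as `none of the domains touched here are mcs_constrained(); the overrides were no-ops` would make the removal reviewable and give future readers the reason. If any of them is constrained, the removal should wait for the corresponding `mcs_constrained()` call to be dropped, as the new refpolicywarn text in mcs.if suggests.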
@@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
 files_setattr_all_tmp_dirs(tmpreaper_t)
 
-mcs_file_read_all(tmpreaper_t)
-mcs_file_write_all(tmpreaper_t)
 
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index eb4bcfcb..55b5a7fe 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
 ## <rolecap/>
 #
 interface(`mcs_file_read_all',`
- gen_require(`
- attribute mcsreadall;
- ')
-
- typeattribute $1 mcsreadall;
+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
 ## <rolecap/>
 #
 interface(`mcs_file_write_all',`
- gen_require(`
- attribute mcswriteall;
- ')
-
- typeattribute $1 mcswriteall;
+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
 ## <rolecap/>
 #
 interface(`mcs_killall',`
- gen_require(`
- attribute mcskillall;
- ')
-
- typeattribute $1 mcskillall;
+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -104,11 +92,7 @@ interface(`mcs_killall',`
 ## </param>
 #
 interface(`mcs_ptrace_all',`
- gen_require(`
- attribute mcsptraceall;
- ')
-
- typeattribute $1 mcsptraceall;
+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 7e00d524..f03614d0 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
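Review bot: The XML doc block above each deprecated interface still advertises the old contract — `## <rolecap/>` is visible directly above `interface(`mcs_file_read_all',`` — so the generated interface documentation will keep presenting mcs_file_read_all, mcs_file_write_all, mcs_killall and mcs_ptrace_all as live role capabilities even though the body now only emits a warning and never uses `$1`. Add a deprecation line to each interface's `## <summary>` (outside the hunk), e.g. `## Deprecated: MCS overrides are no longer granted; drop the mcs_constrained() call from the domain instead.`, and drop the `<rolecap/>` tag; the same applies to the three following hunks in this file. The warning text itself reads ambiguously (`please remove mcs_constrained() instead` could be read as "remove the interface"): `$0() has been deprecated; remove the mcs_constrained() call from the domain instead.` says what the caller should actually do.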
@@ -267,8 +267,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
 
 domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
 
-mcs_ptrace_all(policykit_resolve_t)
-
 auth_use_nsswitch(policykit_resolve_t)
 
 userdom_read_all_users_state(policykit_resolve_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 98416368..b6a9bb6b 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t)
 
 files_search_tmp(postfix_master_t)
 
-mcs_file_read_all(postfix_master_t)
-
 term_dontaudit_search_ptys(postfix_master_t)
 
 hostname_exec(postfix_master_t)
@@ -568,9 +566,6 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
 read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
-mcs_file_read_all(postfix_pickup_t)
-mcs_file_write_all(postfix_pickup_t)
-
 optional_policy(`
 dbus_system_bus_client(postfix_pickup_t)
 init_dbus_chat(postfix_pickup_t)
@@ -639,9 +634,6 @@ allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
 # for /var/spool/postfix/public/pickup
 stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)
 
-mcs_file_read_all(postfix_postdrop_t)
-mcs_file_write_all(postfix_postdrop_t)
-
 term_dontaudit_use_all_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_ttys(postfix_postdrop_t)
 
@@ -747,8 +739,6 @@ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 allow postfix_showq_t postfix_spool_t:file read_file_perms;
 
-mcs_file_read_all(postfix_showq_t)
-
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 6ad40858..ab9d9458 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -76,8 +76,6 @@ auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
-mcs_killall(watchdog_t)
-
 miscfiles_read_localization(watchdog_t)
 
 sysnet_dns_name_resolve(watchdog_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0b61cb71..565b7cb7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -212,7 +212,6 @@ fs_list_inotifyfs(init_t)
 fs_write_ramfs_sockets(init_t)
 
 mcs_process_set_categories(init_t)
-mcs_killall(init_t)
 
 mls_file_read_all_levels(init_t)
 mls_file_write_all_levels(init_t)
@@ -790,11 +789,6 @@ fs_getattr_all_fs(initrc_t)
 fs_search_all(initrc_t)
 fs_getattr_nfsd_files(initrc_t)
 
-# initrc_t needs to do a pidof which requires ptrace
-mcs_ptrace_all(initrc_t)
-mcs_file_read_all(initrc_t)
-mcs_file_write_all(initrc_t)
-mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6696f2ca..118158e4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -197,7 +197,6 @@ init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
-mcs_killall(systemd_nspawn_t)
 
 type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
 files_runtime_file(systemd_nspawn_runtime_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 68fefade..a13dff43 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -143,8 +143,6 @@ fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
 fs_search_tracefs(udev_t)
 
-mcs_ptrace_all(udev_t)
-
 mls_file_read_all_levels(udev_t)
 mls_file_write_all_levels(udev_t)
 mls_file_upgrade(udev_t)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index d3867243..2ac5b2e1 100644
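Review bot: The removed comment `# initrc_t needs to do a pidof which requires ptrace` in the init.te `@@ -790` hunk recorded a concrete runtime requirement, and nothing in the new side preserves that rationale; if initrc_t is, or later becomes, an `mcs_constrained()` domain, pidof across categories would start failing once the override is gone and the next maintainer would have no hint why. If initrc_t is not constrained (which I cannot confirm from the hunk), keep the knowledge next to the surviving `mcs_process_set_categories(initrc_t)` line, e.g. `# initrc_t is not mcs_constrained, so pidof's ptrace needs no MCS override`, or record it in the commit message. The initrc_t rule section continues outside the hunk.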
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -30,9 +30,6 @@ domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
 
 files_create_boot_flag(unconfined_t)
 
-mcs_killall(unconfined_t)
-mcs_ptrace_all(unconfined_t)
-
 libs_run_ldconfig(unconfined_t, unconfined_r)
 
 logging_send_syslog_msg(unconfined_t)