commit: 89cbc037a65cd4e6871a32337bb9f0e1c1f4dc95
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 17:36:25 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89cbc037
various: deprecate mcs override interfaces
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 2 +-
policy/modules/admin/rpm.te | 2 --
policy/modules/admin/tmpreaper.te | 2 --
policy/modules/kernel/mcs.if | 24 ++++--------------------
policy/modules/services/policykit.te | 2 --
policy/modules/services/postfix.te | 10 ----------
policy/modules/services/watchdog.te | 2 --
policy/modules/system/init.te | 6 ------
policy/modules/system/systemd.te | 1 -
policy/modules/system/udev.te | 2 --
policy/modules/system/unconfined.te | 3 ---
11 files changed, 5 insertions(+), 51 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index cc922a02..c8c573e9 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -173,7 +173,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket }
node_bind
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object
mlsconstrain { node } { recvfrom sendto }
- (( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { packet peer } { recv }
(( l1 dom l2 ) or
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 860207e5..6823e6e3 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
-mcs_killall(rpm_script_t)
-
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
diff --git a/policy/modules/admin/tmpreaper.te
b/policy/modules/admin/tmpreaper.te
index f4ce8dba..1acefd7f 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
files_setattr_all_tmp_dirs(tmpreaper_t)
-mcs_file_read_all(tmpreaper_t)
-mcs_file_write_all(tmpreaper_t)
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index eb4bcfcb..55b5a7fe 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
## <rolecap/>
#
interface(`mcs_file_read_all',`
- gen_require(`
- attribute mcsreadall;
- ')
-
- typeattribute $1 mcsreadall;
+ refpolicywarn(`$0() has been deprecated, please remove
mcs_constrained() instead.')
')
########################################
@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
## <rolecap/>
#
interface(`mcs_file_write_all',`
- gen_require(`
- attribute mcswriteall;
- ')
-
- typeattribute $1 mcswriteall;
+ refpolicywarn(`$0() has been deprecated, please remove
mcs_constrained() instead.')
')
########################################
@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
## <rolecap/>
#
interface(`mcs_killall',`
- gen_require(`
- attribute mcskillall;
- ')
-
- typeattribute $1 mcskillall;
+ refpolicywarn(`$0() has been deprecated, please remove
mcs_constrained() instead.')
')
########################################
@@ -104,11 +92,7 @@ interface(`mcs_killall',`
## </param>
#
interface(`mcs_ptrace_all',`
- gen_require(`
- attribute mcsptraceall;
- ')
-
- typeattribute $1 mcsptraceall;
+ refpolicywarn(`$0() has been deprecated, please remove
mcs_constrained() instead.')
')
########################################
diff --git a/policy/modules/services/policykit.te
b/policy/modules/services/policykit.te
index 7e00d524..f03614d0 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -267,8 +267,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
-mcs_ptrace_all(policykit_resolve_t)
-
auth_use_nsswitch(policykit_resolve_t)
userdom_read_all_users_state(policykit_resolve_t)
diff --git a/policy/modules/services/postfix.te
b/policy/modules/services/postfix.te
index 98416368..b6a9bb6b 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t)
files_search_tmp(postfix_master_t)
-mcs_file_read_all(postfix_master_t)
-
term_dontaudit_search_ptys(postfix_master_t)
hostname_exec(postfix_master_t)
@@ -568,9 +566,6 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir
list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t,
postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t,
postfix_spool_maildrop_t)
-mcs_file_read_all(postfix_pickup_t)
-mcs_file_write_all(postfix_pickup_t)
-
optional_policy(`
dbus_system_bus_client(postfix_pickup_t)
init_dbus_chat(postfix_pickup_t)
@@ -639,9 +634,6 @@ allow postfix_postdrop_t postfix_local_t:unix_stream_socket
{ read write };
# for /var/spool/postfix/public/pickup
stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t,
postfix_master_t)
-mcs_file_read_all(postfix_postdrop_t)
-mcs_file_write_all(postfix_postdrop_t)
-
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
@@ -747,8 +739,6 @@ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file
read_lnk_file_perms;
allow postfix_showq_t postfix_spool_t:file read_file_perms;
-mcs_file_read_all(postfix_showq_t)
-
term_use_all_ptys(postfix_showq_t)
term_use_all_ttys(postfix_showq_t)
diff --git a/policy/modules/services/watchdog.te
b/policy/modules/services/watchdog.te
index 6ad40858..ab9d9458 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -76,8 +76,6 @@ auth_append_login_records(watchdog_t)
logging_send_syslog_msg(watchdog_t)
-mcs_killall(watchdog_t)
-
miscfiles_read_localization(watchdog_t)
sysnet_dns_name_resolve(watchdog_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0b61cb71..565b7cb7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -212,7 +212,6 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
-mcs_killall(init_t)
mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
@@ -790,11 +789,6 @@ fs_getattr_all_fs(initrc_t)
fs_search_all(initrc_t)
fs_getattr_nfsd_files(initrc_t)
-# initrc_t needs to do a pidof which requires ptrace
-mcs_ptrace_all(initrc_t)
-mcs_file_read_all(initrc_t)
-mcs_file_write_all(initrc_t)
-mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6696f2ca..118158e4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -197,7 +197,6 @@ init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
type systemd_nspawn_t;
type systemd_nspawn_exec_t;
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
-mcs_killall(systemd_nspawn_t)
type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
files_runtime_file(systemd_nspawn_runtime_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 68fefade..a13dff43 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -143,8 +143,6 @@ fs_read_cgroup_files(udev_t)
fs_rw_anon_inodefs_files(udev_t)
fs_search_tracefs(udev_t)
-mcs_ptrace_all(udev_t)
-
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
mls_file_upgrade(udev_t)
diff --git a/policy/modules/system/unconfined.te
b/policy/modules/system/unconfined.te
index d3867243..2ac5b2e1 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -30,9 +30,6 @@ domtrans_pattern(unconfined_t, unconfined_execmem_exec_t,
unconfined_execmem_t)
files_create_boot_flag(unconfined_t)
-mcs_killall(unconfined_t)
-mcs_ptrace_all(unconfined_t)
-
libs_run_ldconfig(unconfined_t, unconfined_r)
logging_send_syslog_msg(unconfined_t)
