Signed-off-by: Kenton Groombridge <me@xxxxxxxxxx> --- policy/mcs | 2 +- policy/modules/admin/rpm.te | 2 -- policy/modules/admin/tmpreaper.te | 2 -- policy/modules/kernel/mcs.if | 24 ++++-------------------- policy/modules/services/policykit.te | 2 -- policy/modules/services/postfix.te | 10 ---------- policy/modules/services/watchdog.te | 2 -- policy/modules/system/init.te | 6 ------ policy/modules/system/systemd.te | 1 - policy/modules/system/udev.te | 2 -- policy/modules/system/unconfined.te | 3 --- 11 files changed, 5 insertions(+), 51 deletions(-) diff --git a/policy/mcs b/policy/mcs index 54d06f292..860c8fcc1 100644 --- a/policy/mcs +++ b/policy/mcs @@ -176,7 +176,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind # because the subject in this particular case is the remote domain which is # writing data out the network node which is acting as the object mlsconstrain { node } { recvfrom sendto } - (( l1 dom l2 ) or ( t1 != msc_constrained_type )); + (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { packet peer } { recv } (( l1 dom l2 ) or diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index f82fd21f2..274052958 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) -mcs_killall(rpm_script_t) - mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te index f4ce8dba9..1acefd7fe 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) files_setattr_all_tmp_dirs(tmpreaper_t) -mcs_file_read_all(tmpreaper_t) -mcs_file_write_all(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) 
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index eb4bcfcbe..55b5a7fe1 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -44,11 +44,7 @@ interface(`mcs_constrained',` ## <rolecap/> # interface(`mcs_file_read_all',` - gen_require(` - attribute mcsreadall; - ') - - typeattribute $1 mcsreadall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -64,11 +60,7 @@ interface(`mcs_file_read_all',` ## <rolecap/> # interface(`mcs_file_write_all',` - gen_require(` - attribute mcswriteall; - ') - - typeattribute $1 mcswriteall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -84,11 +76,7 @@ interface(`mcs_file_write_all',` ## <rolecap/> # interface(`mcs_killall',` - gen_require(` - attribute mcskillall; - ') - - typeattribute $1 mcskillall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -104,11 +92,7 @@ interface(`mcs_killall',` ## </param> # interface(`mcs_ptrace_all',` - gen_require(` - attribute mcsptraceall; - ') - - typeattribute $1 mcsptraceall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 721534a0b..7ba8dbb13 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -265,8 +265,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t) domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) -mcs_ptrace_all(policykit_resolve_t) - auth_use_nsswitch(policykit_resolve_t) userdom_read_all_users_state(policykit_resolve_t) 
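Review bot: The warning added to `mcs_file_read_all`, and repeated verbatim in `mcs_file_write_all`, `mcs_killall` and `mcs_ptrace_all`, does not say that the interface now grants nothing or which domain the advice applies to, so a module author who sees it at build time cannot tell that the exemption they requested is gone. Judging by the `t1 != mcs_constrained_type` test in the policy/mcs hunk, exemption now seems to depend only on the calling domain not being `mcs_constrained()`. A message such as `$0($*) has been deprecated and no longer grants an exemption; remove mcs_constrained() from $1 if it must not be MCS-constrained.` would make that explicit. The `## <summary>` blocks above each interface lie outside these hunks and presumably still describe the old exemption, so they should gain a `(Deprecated)` marker. The diffstat shows no change that would drop `mcsreadall`, `mcswriteall`, `mcskillall` or `mcsptraceall`, so confirm that those attributes and any constraint clauses still naming them are removed elsewhere in the series.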
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 067d42f08..23c8c0ef1 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t) files_search_tmp(postfix_master_t) -mcs_file_read_all(postfix_master_t) - term_dontaudit_search_ptys(postfix_master_t) hostname_exec(postfix_master_t) @@ -564,9 +562,6 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -mcs_file_read_all(postfix_pickup_t) -mcs_file_write_all(postfix_pickup_t) - optional_policy(` dbus_system_bus_client(postfix_pickup_t) init_dbus_chat(postfix_pickup_t) @@ -635,9 +630,6 @@ allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; # for /var/spool/postfix/public/pickup stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t) -mcs_file_read_all(postfix_postdrop_t) -mcs_file_write_all(postfix_postdrop_t) - term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) @@ -743,8 +735,6 @@ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; allow postfix_showq_t postfix_spool_t:file read_file_perms; -mcs_file_read_all(postfix_showq_t) - term_use_all_ptys(postfix_showq_t) term_use_all_ttys(postfix_showq_t) diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te index 6ad408584..ab9d94585 100644 --- a/policy/modules/services/watchdog.te +++ b/policy/modules/services/watchdog.te @@ -76,8 +76,6 @@ auth_append_login_records(watchdog_t) logging_send_syslog_msg(watchdog_t) -mcs_killall(watchdog_t) - miscfiles_read_localization(watchdog_t) sysnet_dns_name_resolve(watchdog_t) 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 649f431dc..6093de7f5 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -212,7 +212,6 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) -mcs_killall(init_t) mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) @@ -790,11 +789,6 @@ fs_getattr_all_fs(initrc_t) fs_search_all(initrc_t) fs_getattr_nfsd_files(initrc_t) -# initrc_t needs to do a pidof which requires ptrace -mcs_ptrace_all(initrc_t) -mcs_file_read_all(initrc_t) -mcs_file_write_all(initrc_t) -mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 30d23c3fe..fe493277b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -193,7 +193,6 @@ init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) type systemd_nspawn_t; type systemd_nspawn_exec_t; init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) -mcs_killall(systemd_nspawn_t) type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t; files_runtime_file(systemd_nspawn_runtime_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 4463f086b..81b0dd1fe 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -141,8 +141,6 @@ fs_read_cgroup_files(udev_t) fs_rw_anon_inodefs_files(udev_t) fs_search_tracefs(udev_t) -mcs_ptrace_all(udev_t) - mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) mls_file_upgrade(udev_t) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 385c88695..9df73ac76 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te 
@@ -30,9 +30,6 @@ domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) files_create_boot_flag(unconfined_t) -mcs_killall(unconfined_t) -mcs_ptrace_all(unconfined_t) - libs_run_ldconfig(unconfined_t, unconfined_r) logging_send_syslog_msg(unconfined_t) -- 2.33.1