Pull in some changes from the Fedora policy's MCS constraints. Most notably, the MCS override attributes were deprecated in favor of mcs_constrained_type. This means that domains will have unchecked access to objects with categories UNLESS the domain is mcs_constrained_type. This alleviates confusion between the MCS overrides and mcs_constrained_type to imply that a domain must be MCS-constrained to have MCS checks at all.

Other changes include additional constraints to miscellaneous IPC objects, node "write" operations, and netif egress/ingress operations.

Kenton Groombridge (7):
  mcs: deprecate mcs overrides
  mcs: restrict create, relabelto on mcs files
  mcs: add additional constraints to databases
  mcs: constrain misc IPC objects
  mcs: combine single-level object creation constraints
  various: deprecate mcs override interfaces
  corenet: make netlabel_peer_t mcs constrained

 policy/mcs                              | 61 ++++++++++++++++---------
 policy/modules/admin/rpm.te             |  2 -
 policy/modules/admin/tmpreaper.te       |  2 -
 policy/modules/kernel/corenetwork.te.in |  1 +
 policy/modules/kernel/mcs.if            | 24 ++--------
 policy/modules/services/policykit.te    |  2 -
 policy/modules/services/postfix.te      | 10 ----
 policy/modules/services/watchdog.te     |  2 -
 policy/modules/system/init.te           |  6 ---
 policy/modules/system/systemd.te        |  1 -
 policy/modules/system/udev.te           |  2 -
 policy/modules/system/unconfined.te     |  3 --
 12 files changed, 45 insertions(+), 71 deletions(-)

--
2.33.1