On Fri, May 29, 2015 at 05:14:53PM -0400, Paul Moore wrote:
> On Wed, May 27, 2015 at 11:03 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > Remove unused permission definitions from SELinux.
> > Many of these were only ever used in pre-mainline
> > versions of SELinux, prior to Linux 2.6.0. Some of them
> > were used in the legacy network or compat_net=1 checks
> > that were disabled by default in Linux 2.6.18 and
> > fully removed in Linux 2.6.30.
> >
> > Permissions never used in mainline Linux:
> > file swapon
> > filesystem transition
> > tcp_socket { connectto newconn acceptfrom }
> > node enforce_dest
> > unix_stream_socket { newconn acceptfrom }
> >
> > Legacy network checks, removed in 2.6.30:
> > socket { recv_msg send_msg }
> > node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> > netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> >
> > Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> > ---
> > security/selinux/include/classmap.h | 22 ++++++++--------------
> > 1 file changed, 8 insertions(+), 14 deletions(-)
>
> Seems very reasonable to me. Chris, any objections from a policy point of view?
I do not mean to reply on Chris' behalf but in light of what he said earlier:
"The short answer is that I'd prefer to remove policy known to be unusable."
I just want to mention that i like the idea of losing some dead weight where it makes sense as well.
>
> > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> > index 1d8b924..5a4eef5 100644
> > --- a/security/selinux/include/classmap.h
> > +++ b/security/selinux/include/classmap.h
> > @@ -2,12 +2,12 @@
> > "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
> >
> > #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
> > - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
> > + "rename", "execute", "quotaon", "mounton", "audit_access", \
> > "open", "execmod"
> >
> > #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
> > "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
> > - "sendto", "recv_msg", "send_msg", "name_bind"
> > + "sendto", "name_bind"
> >
> > #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
> > "write", "associate", "unix_read", "unix_write"
> > @@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
> > "audit_control", "setfcap", NULL } },
> > { "filesystem",
> > { "mount", "remount", "unmount", "getattr",
> > - "relabelfrom", "relabelto", "transition", "associate", "quotamod",
> > + "relabelfrom", "relabelto", "associate", "quotamod",
> > "quotaget", NULL } },
> > { "file",
> > { COMMON_FILE_PERMS,
> > @@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
> > { COMMON_SOCK_PERMS, NULL } },
> > { "tcp_socket",
> > { COMMON_SOCK_PERMS,
> > - "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
> > + "node_bind", "name_connect",
> > NULL } },
> > { "udp_socket",
> > { COMMON_SOCK_PERMS,
> > @@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
> > { COMMON_SOCK_PERMS,
> > "node_bind", NULL } },
> > { "node",
> > - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> > - "rawip_recv", "rawip_send", "enforce_dest",
> > - "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
> > + { "recvfrom", "sendto", NULL } },
> > { "netif",
> > - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> > - "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
> > - "ingress", "egress", NULL } },
> > + { "ingress", "egress", NULL } },
> > { "netlink_socket",
> > { COMMON_SOCK_PERMS, NULL } },
> > { "packet_socket",
> > @@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
> > { "key_socket",
> > { COMMON_SOCK_PERMS, NULL } },
> > { "unix_stream_socket",
> > - { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
> > - } },
> > + { COMMON_SOCK_PERMS, "connectto", NULL } },
> > { "unix_dgram_socket",
> > - { COMMON_SOCK_PERMS, NULL
> > - } },
> > + { COMMON_SOCK_PERMS, NULL } },
> > { "sem",
> > { COMMON_IPC_PERMS, NULL } },
> > { "msg", { "send", "receive", NULL } },
> > --
> > 2.1.0
> >
>
>
>
> --
> paul moore
> www.paul-moore.com
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
Attachment:
pgpMRKDI3gC5C.pgp
Description: PGP signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
