On Fri, May 29, 2015 at 5:38 PM, Dominick Grift <dac.override@xxxxxxxxx> wrote:
> On Fri, May 29, 2015 at 05:14:53PM -0400, Paul Moore wrote:
>> On Wed, May 27, 2015 at 11:03 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> > Remove unused permission definitions from SELinux.
>> > Many of these were only ever used in pre-mainline
>> > versions of SELinux, prior to Linux 2.6.0. Some of them
>> > were used in the legacy network or compat_net=1 checks
>> > that were disabled by default in Linux 2.6.18 and
>> > fully removed in Linux 2.6.30.
>> >
>> > Permissions never used in mainline Linux:
>> > file swapon
>> > filesystem transition
>> > tcp_socket { connectto newconn acceptfrom }
>> > node enforce_dest
>> > unix_stream_socket { newconn acceptfrom }
>> >
>> > Legacy network checks, removed in 2.6.30:
>> > socket { recv_msg send_msg }
>> > node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
>> > netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
>> >
>> > Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>> > ---
>> >  security/selinux/include/classmap.h | 22 ++++++++--------------
>> >  1 file changed, 8 insertions(+), 14 deletions(-)
>>
>> Seems very reasonable to me.  Chris, any objections from a policy point of view?
>
> I do not mean to reply on Chris' behalf but in light of what he said earlier:
>
> "The short answer is that I'd prefer to remove policy known to be unusable."
>
> I just want to mention that I like the idea of losing some dead weight where it makes sense as well.

Me too.  I doubt Chris will have a problem with it, but there is no particular rush with this patch so I figured I would check with him first just to make sure.

-- 
paul moore
www.paul-moore.com
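The permission list in Stephen's commit message is exactly what a policy maintainer needs in order to find rules that still grant access the kernel no longer checks. The following script is an added example and is not part of the thread or of the kernel patch: it takes the removed class/permission pairs from the commit message above and scans policy source in `.te` rule syntax for `allow`/`auditallow`/`dontaudit`/`neverallow` rules that name any of them. The sample policy text is constructed for the example; the rule grammar it parses is a deliberately small subset (a plain permission or a `{ ... }` set, no `~` complements or `*` wildcards), which is an assumption of this script rather than a statement about the policy toolchain.

```python
import re

# Permissions the patch removes from the kernel classmap, keyed by object
# class. Transcribed from the commit message quoted in the thread.
REMOVED_PERMS = {
    "file": {"swapon"},
    "filesystem": {"transition"},
    "tcp_socket": {"connectto", "newconn", "acceptfrom"},
    "node": {"enforce_dest", "tcp_recv", "tcp_send", "udp_recv", "udp_send",
             "rawip_recv", "rawip_send", "dccp_recv", "dccp_send"},
    "unix_stream_socket": {"newconn", "acceptfrom"},
    "socket": {"recv_msg", "send_msg"},
    "netif": {"tcp_recv", "tcp_send", "udp_recv", "udp_send",
              "rawip_recv", "rawip_send", "dccp_recv", "dccp_send"},
}

# One access-vector rule in .te syntax (assumed subset):
#   allow src tgt:class perm;      or      allow src tgt:class { p1 p2 };
# The leading [ \t]* (not \s*) keeps the match start on the rule's own line
# so that line numbers reported below are accurate.
RULE_RE = re.compile(
    r"^[ \t]*(allow|auditallow|dontaudit|neverallow)\s+"
    r"(\S+)\s+(\S+?):(\w+)\s+(\{[^}]*\}|\S+?)\s*;",
    re.MULTILINE,
)


def find_removed_perm_uses(policy_text):
    """Return (line_no, class, perm) for every rule naming a removed permission.

    Rules using '~{ ... }' complements or '*' are not expanded and are skipped;
    results are ordered by position in the text, then by permission name.
    """
    hits = []
    for m in RULE_RE.finditer(policy_text):
        cls = m.group(4)
        perms = m.group(5).strip("{} ").split()
        line_no = policy_text.count("\n", 0, m.start()) + 1
        for perm in sorted(set(perms)):
            if perm in REMOVED_PERMS.get(cls, set()):
                hits.append((line_no, cls, perm))
    return hits


# Constructed sample policy fragment (not from any real distribution policy).
SAMPLE_POLICY = """\
# constructed sample .te fragment
allow myapp_t etc_t:file { read getattr };
allow myapp_t swapfile_t:file { read swapon };
allow myapp_t self:tcp_socket { create connect connectto };
allow myapp_t netlabel_peer_t:node { tcp_recv tcp_send };
dontaudit myapp_t self:unix_stream_socket newconn;
allow myapp_t self:unix_stream_socket { read write };
"""

if __name__ == "__main__":
    for line_no, cls, perm in find_removed_perm_uses(SAMPLE_POLICY):
        print(f"line {line_no}: class {cls} still grants removed permission '{perm}'")
```

Running it over a real policy source tree would mean feeding each `.te` file's text to `find_removed_perm_uses`; rules that only reference permissions still present in the classmap produce no output, so a clean run is silent.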