On 5/29/2015 5:14 PM, Paul Moore wrote: > On Wed, May 27, 2015 at 11:03 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >> Remove unused permission definitions from SELinux. >> Many of these were only ever used in pre-mainline >> versions of SELinux, prior to Linux 2.6.0. Some of them >> were used in the legacy network or compat_net=1 checks >> that were disabled by default in Linux 2.6.18 and >> fully removed in Linux 2.6.30. >> >> Permissions never used in mainline Linux: >> file swapon >> filesystem transition >> tcp_socket { connectto newconn acceptfrom } >> node enforce_dest >> unix_stream_socket { newconn acceptfrom } >> >> Legacy network checks, removed in 2.6.30: >> socket { recv_msg send_msg } >> node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } >> netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } >> >> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> >> --- >> security/selinux/include/classmap.h | 22 ++++++++-------------- >> 1 file changed, 8 insertions(+), 14 deletions(-) > > Seems very reasonable to me. Chris, any objections from a policy point of view? Nope. Please remove dead permissions :)
>> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
>> index 1d8b924..5a4eef5 100644
>> --- a/security/selinux/include/classmap.h
>> +++ b/security/selinux/include/classmap.h
>> @@ -2,12 +2,12 @@
>> "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
>>
>> #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
>> - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
>> + "rename", "execute", "quotaon", "mounton", "audit_access", \
>> "open", "execmod"
>>
>> #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
>> "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
>> - "sendto", "recv_msg", "send_msg", "name_bind"
>> + "sendto", "name_bind"
>>
>> #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
>> "write", "associate", "unix_read", "unix_write"
>> @@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
>> "audit_control", "setfcap", NULL } },
>> { "filesystem",
>> { "mount", "remount", "unmount", "getattr",
>> - "relabelfrom", "relabelto", "transition", "associate", "quotamod",
>> + "relabelfrom", "relabelto", "associate", "quotamod",
>> "quotaget", NULL } },
>> { "file",
>> { COMMON_FILE_PERMS,
>> @@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
>> { COMMON_SOCK_PERMS, NULL } },
>> { "tcp_socket",
>> { COMMON_SOCK_PERMS,
>> - "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
>> + "node_bind", "name_connect",
>> NULL } },
>> { "udp_socket",
>> { COMMON_SOCK_PERMS,
>> @@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
>> { COMMON_SOCK_PERMS,
>> "node_bind", NULL } },
>> { "node",
>> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
>> - "rawip_recv", "rawip_send", "enforce_dest",
>> - "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
>> + { "recvfrom", "sendto", NULL } },
>> { "netif",
>> - { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
>> - "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
>> - "ingress", "egress", NULL } },
>> + { "ingress", "egress", NULL } },
>> { "netlink_socket",
>> { COMMON_SOCK_PERMS, NULL } },
>> { "packet_socket",
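Review bot: The commit message explains why each permission is dead but says nothing about what happens to policies that still declare them, which is the first question a reviewer of a classmap.h change asks; a sentence such as `Policies that still define these permissions continue to load: the kernel resolves its own permission names against the policy at load time, and a permission the policy defines but the kernel no longer knows is simply never checked.` would close that gap. As far as I recall, the only kernel-side effect is that the generated per-class permission constants after a removed entry shift position, and for the COMMON_SOCK_PERMS change in this hunk that means `name_bind` in every socket class, which only matters if some in-tree code used a hard-coded value instead of the generated name; a full build is the check worth mentioning. The same observation applies to the filesystem, tcp_socket, node/netif and unix_stream_socket hunks that follow.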
>> @@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
>> { "key_socket",
>> { COMMON_SOCK_PERMS, NULL } },
>> { "unix_stream_socket",
>> - { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
>> - } },
>> + { COMMON_SOCK_PERMS, "connectto", NULL } },
>> { "unix_dgram_socket",
>> - { COMMON_SOCK_PERMS, NULL
>> - } },
>> + { COMMON_SOCK_PERMS, NULL } },
>> { "sem",
>> { COMMON_IPC_PERMS, NULL } },
>> { "msg", { "send", "receive", NULL } },
>> --
>> 2.1.0
>> > > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.