Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp506013pxb;
        Fri, 29 Oct 2021 14:13:29 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJx321GgcgyQqcEi56JgiMpOFwc0MZirBMBhmYad/j7nsfL69qoj+O15+q8XW+D0UHrzPmh1
X-Received: by 2002:a17:906:f241:: with SMTP id gy1mr16002397ejb.192.1635542009154;
        Fri, 29 Oct 2021 14:13:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1635542009; cv=none;
        d=google.com; s=arc-20160816;
        b=IGySFr3q3a/4SKOUc4TMFdwHYk7HOHCXSzmqaTfWcRAGTHOfDQIr6KWhjL1Xg8bRz9
         11qokC7Si+UaEJjUzzqv+Ewa9fDWdVqDEUK12tl17JyciST5dG0XtaHUWO6b9MpiBYJz
         Q7QwwsUq0PMSnVTLMR6OUn53LWduPLYytYja4N1i2+vaHeQ2wQqkJGeV+7R2QDyoJunz
         59JrfP4C7hwF916WlShFBbxhNERSAAsF48CGk3LQptPVn4JpoP08esON91Gxxt97QN9X
         rbKo35OX9zlVBJwNdTblOd5hz9+L+nTuKdRWfbJVLOnlsoahrYDeLai51BFplgM/aYwT
         fqSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=lnTz1lPj3SEFtPUqUC8TrZ2VWhYnaE73pY9WsPa/QA0=;
        b=J+Ws/LaThyTc6c9sdSwzxbFLR/f/xZ/BiGAy0k0VnU1SvrNL4Z2xBvHodzcFqf6UNU
         7EmpuuBgQ3xcYAHS9iIZgCxp0mWkvKSTrhZDblpe4jq6hQ7uE2YNdCqZJ7BkA187GVCm
         6GkjsJCNlVrBIOnVOrHBG4KnPXvjIMcJYmkMInQE3QCdEFoT3KOvpcNkyeBP3+5DwxN0
         id+HYB8luN5mymuogz+fCHB/+LbhYGzUd0NSjBtgH1NbrBkOzVHwiHzXO/LbnbBh4082
         qB8ezz7SIbuGJlNvtMbQHRp5JXmKT3bMePJTgSrFgrqft92d31ooTVVpMSZJm3Lf9v1y
         lcpg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@concord.sh header.s=dkim header.b=GQI+fJTv;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=concord.sh
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id o2si13774358ejy.80.2021.10.29.14.13.23;
        Fri, 29 Oct 2021 14:13:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@concord.sh header.s=dkim header.b=GQI+fJTv;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=concord.sh
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231270AbhJ2VPk (ORCPT <rfc822;apot1624@gmail.com> + 20 others);
        Fri, 29 Oct 2021 17:15:40 -0400
Received: from yunyun.fuwafuwatime.moe ([107.191.99.165]:33194 "EHLO
        yunyun.fuwafuwatime.moe" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230267AbhJ2VPk (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 29 Oct 2021 17:15:40 -0400
Received: from megumin.fuwafuwatime.moe (c-174-50-100-124.hsd1.ga.comcast.net [174.50.100.124])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by yunyun.fuwafuwatime.moe (Postfix) with ESMTPSA id 28F05C3AC4
        for <selinux-refpolicy@vger.kernel.org>; Fri, 29 Oct 2021 17:04:56 -0400 (EDT)
Received: from bubbles.localdomain (bubbles.localdomain [192.168.1.122])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        by megumin.fuwafuwatime.moe (Postfix) with ESMTPSA id 372198EF4D;
        Fri, 29 Oct 2021 17:04:55 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=concord.sh; s=dkim;
        t=1635541495;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=lnTz1lPj3SEFtPUqUC8TrZ2VWhYnaE73pY9WsPa/QA0=;
        b=GQI+fJTvGOhtOZpez+91m0Y6VABKQmlalLuCiHyrnE7pdY+B4eiTdmYo/v8cgHilQwEmRB
        4oMUkozts/Kz3MWK42UA/S+HFDg8mfvkY+zqvJAqj7qXSqQREjDAmCsZO3oh1yeOgnjr67
        JpqUog7a3plCzOUU8cyNLnXevwup3uZWXvdfwsZ9u0XRDvMQQc1yyWxi081f7Gbu/t6hpE
        ZNcDH4Pjzu8oGT1gYyn7tJ2V7JW34NjZA5vaX9ZmFb1E69rK6SBJnDsCCrIaBCw/hww3Ld
        xfiYNJvxMUAltmFZ2IH3guVV1oGiZrflDcRrrwXLeX+LAY6llbANOCKyMj3ulA==
From:   Kenton Groombridge <me@concord.sh>
To:     selinux-refpolicy@vger.kernel.org
Cc:     Kenton Groombridge <me@concord.sh>
Subject: [PATCH 6/7] various: deprecate mcs override interfaces
Date:   Fri, 29 Oct 2021 17:04:42 -0400
Message-Id: <20211029210443.17461-7-me@concord.sh>
X-Mailer: git-send-email 2.33.1
In-Reply-To: <20211029210443.17461-1-me@concord.sh>
References: <20211029210443.17461-1-me@concord.sh>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Authentication-Results: ORIGINATING;
        auth=pass smtp.auth=me@concord.sh smtp.mailfrom=me@concord.sh
X-Spam-Status: No, score=-2.60
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/mcs                           |  2 +-
 policy/modules/admin/rpm.te          |  2 --
 policy/modules/admin/tmpreaper.te    |  2 --
 policy/modules/kernel/mcs.if         | 24 ++++--------------------
 policy/modules/services/policykit.te |  2 --
 policy/modules/services/postfix.te   | 10 ----------
 policy/modules/services/watchdog.te  |  2 --
 policy/modules/system/init.te        |  6 ------
 policy/modules/system/systemd.te     |  1 -
 policy/modules/system/udev.te        |  2 --
 policy/modules/system/unconfined.te  |  3 ---
 11 files changed, 5 insertions(+), 51 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index 54d06f292..860c8fcc1 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -176,7 +176,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 # because the subject in this particular case is the remote domain which is
 # writing data out the network node which is acting as the object
 mlsconstrain { node } { recvfrom sendto }
-	(( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+	(( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { packet peer } { recv }
 	(( l1 dom l2 ) or
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index f82fd21f2..274052958 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t)
 fs_unmount_xattr_fs(rpm_script_t)
 fs_search_auto_mountpoints(rpm_script_t)
 
-mcs_killall(rpm_script_t)
-
 mls_file_read_all_levels(rpm_script_t)
 mls_file_write_all_levels(rpm_script_t)
 
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index f4ce8dba9..1acefd7fe 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
 files_setattr_all_tmp_dirs(tmpreaper_t)
 
-mcs_file_read_all(tmpreaper_t)
-mcs_file_write_all(tmpreaper_t)
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
 
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index eb4bcfcbe..55b5a7fe1 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
 ## <rolecap/>
 #
 interface(`mcs_file_read_all',`
-	gen_require(`
-		attribute mcsreadall;
-	')
-
-	typeattribute $1 mcsreadall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
 ## <rolecap/>
 #
 interface(`mcs_file_write_all',`
-	gen_require(`
-		attribute mcswriteall;
-	')
-
-	typeattribute $1 mcswriteall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
 ## <rolecap/>
 #
 interface(`mcs_killall',`
-	gen_require(`
-		attribute mcskillall;
-	')
-
-	typeattribute $1 mcskillall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -104,11 +92,7 @@ interface(`mcs_killall',`
 ## </param>
 #
 interface(`mcs_ptrace_all',`
-	gen_require(`
-		attribute mcsptraceall;
-	')
-
-	typeattribute $1 mcsptraceall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 721534a0b..7ba8dbb13 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -265,8 +265,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
 
 domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
 
-mcs_ptrace_all(policykit_resolve_t)
-
 auth_use_nsswitch(policykit_resolve_t)
 
 userdom_read_all_users_state(policykit_resolve_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 067d42f08..23c8c0ef1 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t)
 
 files_search_tmp(postfix_master_t)
 
-mcs_file_read_all(postfix_master_t)
-
 term_dontaudit_search_ptys(postfix_master_t)
 
 hostname_exec(postfix_master_t)
@@ -564,9 +562,6 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
 read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
-mcs_file_read_all(postfix_pickup_t)
-mcs_file_write_all(postfix_pickup_t)
-
 optional_policy(`
 	dbus_system_bus_client(postfix_pickup_t)
 	init_dbus_chat(postfix_pickup_t)
@@ -635,9 +630,6 @@ allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
 # for /var/spool/postfix/public/pickup
 stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)
 
-mcs_file_read_all(postfix_postdrop_t)
-mcs_file_write_all(postfix_postdrop_t)
-
 term_dontaudit_use_all_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_ttys(postfix_postdrop_t)
 
@@ -743,8 +735,6 @@ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 allow postfix_showq_t postfix_spool_t:file read_file_perms;
 
-mcs_file_read_all(postfix_showq_t)
-
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 6ad408584..ab9d94585 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -76,8 +76,6 @@ auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
-mcs_killall(watchdog_t)
-
 miscfiles_read_localization(watchdog_t)
 
 sysnet_dns_name_resolve(watchdog_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 649f431dc..6093de7f5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -212,7 +212,6 @@ fs_list_inotifyfs(init_t)
 fs_write_ramfs_sockets(init_t)
 
 mcs_process_set_categories(init_t)
-mcs_killall(init_t)
 
 mls_file_read_all_levels(init_t)
 mls_file_write_all_levels(init_t)
@@ -790,11 +789,6 @@ fs_getattr_all_fs(initrc_t)
 fs_search_all(initrc_t)
 fs_getattr_nfsd_files(initrc_t)
 
-# initrc_t needs to do a pidof which requires ptrace
-mcs_ptrace_all(initrc_t)
-mcs_file_read_all(initrc_t)
-mcs_file_write_all(initrc_t)
-mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 30d23c3fe..fe493277b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -193,7 +193,6 @@ init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
-mcs_killall(systemd_nspawn_t)
 
 type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
 files_runtime_file(systemd_nspawn_runtime_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 4463f086b..81b0dd1fe 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -141,8 +141,6 @@ fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
 fs_search_tracefs(udev_t)
 
-mcs_ptrace_all(udev_t)
-
 mls_file_read_all_levels(udev_t)
 mls_file_write_all_levels(udev_t)
 mls_file_upgrade(udev_t)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 385c88695..9df73ac76 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -30,9 +30,6 @@ domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
 
 files_create_boot_flag(unconfined_t)
 
-mcs_killall(unconfined_t)
-mcs_ptrace_all(unconfined_t)
-
 libs_run_ldconfig(unconfined_t, unconfined_r)
 
 logging_send_syslog_msg(unconfined_t)
-- 
2.33.1