From: Kenton Groombridge
To: selinux-refpolicy@vger.kernel.org
Cc: Kenton Groombridge
Subject: [PATCH 6/7] various: deprecate mcs override interfaces
Date: Fri, 29 Oct 2021 17:04:42 -0400
Message-Id: <20211029210443.17461-7-me@concord.sh>
X-Mailer: git-send-email 2.33.1
In-Reply-To: <20211029210443.17461-1-me@concord.sh>
References: <20211029210443.17461-1-me@concord.sh>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Signed-off-by: Kenton Groombridge
---
 policy/mcs                           |  2 +-
 policy/modules/admin/rpm.te          |  2 --
 policy/modules/admin/tmpreaper.te    |  2 --
 policy/modules/kernel/mcs.if         | 24 ++++--------------------
 policy/modules/services/policykit.te |  2 --
 policy/modules/services/postfix.te   | 10 ----------
 policy/modules/services/watchdog.te  |  2 --
 policy/modules/system/init.te        |  6 ------
 policy/modules/system/systemd.te     |  1 -
 policy/modules/system/udev.te        |  2 --
 policy/modules/system/unconfined.te  |  3 ---
 11 files changed, 5 insertions(+), 51 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index 54d06f292..860c8fcc1 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -176,7 +176,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind # because the subject in this particular case is the remote domain which is # writing data out the network node which is acting as the object mlsconstrain { node } { recvfrom sendto } - (( l1 dom l2 ) or ( t1 != msc_constrained_type )); + (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { packet peer } { recv } (( l1 dom l2 ) or diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index f82fd21f2..274052958 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) -mcs_killall(rpm_script_t) - mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te index f4ce8dba9..1acefd7fe 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) files_setattr_all_tmp_dirs(tmpreaper_t) -mcs_file_read_all(tmpreaper_t) -mcs_file_write_all(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index eb4bcfcbe..55b5a7fe1 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -44,11 +44,7 @@ interface(`mcs_constrained',` ## # interface(`mcs_file_read_all',` - gen_require(` - attribute mcsreadall; - ') - - typeattribute $1 mcsreadall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## 
@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',` ## # interface(`mcs_file_write_all',` - gen_require(` - attribute mcswriteall; - ') - - typeattribute $1 mcswriteall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -84,11 +76,7 @@ interface(`mcs_file_write_all',` ## # interface(`mcs_killall',` - gen_require(` - attribute mcskillall; - ') - - typeattribute $1 mcskillall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -104,11 +92,7 @@ interface(`mcs_killall',` ## # interface(`mcs_ptrace_all',` - gen_require(` - attribute mcsptraceall; - ') - - typeattribute $1 mcsptraceall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 721534a0b..7ba8dbb13 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -265,8 +265,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t) domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) -mcs_ptrace_all(policykit_resolve_t) - auth_use_nsswitch(policykit_resolve_t) userdom_read_all_users_state(policykit_resolve_t) diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 067d42f08..23c8c0ef1 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t) files_search_tmp(postfix_master_t) -mcs_file_read_all(postfix_master_t) - term_dontaudit_search_ptys(postfix_master_t) hostname_exec(postfix_master_t) 
@@ -564,9 +562,6 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -mcs_file_read_all(postfix_pickup_t) -mcs_file_write_all(postfix_pickup_t) - optional_policy(` dbus_system_bus_client(postfix_pickup_t) init_dbus_chat(postfix_pickup_t) @@ -635,9 +630,6 @@ allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; # for /var/spool/postfix/public/pickup stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t) -mcs_file_read_all(postfix_postdrop_t) -mcs_file_write_all(postfix_postdrop_t) - term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) @@ -743,8 +735,6 @@ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; allow postfix_showq_t postfix_spool_t:file read_file_perms; -mcs_file_read_all(postfix_showq_t) - term_use_all_ptys(postfix_showq_t) term_use_all_ttys(postfix_showq_t) diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te index 6ad408584..ab9d94585 100644 --- a/policy/modules/services/watchdog.te +++ b/policy/modules/services/watchdog.te @@ -76,8 +76,6 @@ auth_append_login_records(watchdog_t) logging_send_syslog_msg(watchdog_t) -mcs_killall(watchdog_t) - miscfiles_read_localization(watchdog_t) sysnet_dns_name_resolve(watchdog_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 649f431dc..6093de7f5 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -212,7 +212,6 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) -mcs_killall(init_t) mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) 
@@ -790,11 +789,6 @@ fs_getattr_all_fs(initrc_t) fs_search_all(initrc_t) fs_getattr_nfsd_files(initrc_t) -# initrc_t needs to do a pidof which requires ptrace -mcs_ptrace_all(initrc_t) -mcs_file_read_all(initrc_t) -mcs_file_write_all(initrc_t) -mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 30d23c3fe..fe493277b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -193,7 +193,6 @@ init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) type systemd_nspawn_t; type systemd_nspawn_exec_t; init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) -mcs_killall(systemd_nspawn_t) type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t; files_runtime_file(systemd_nspawn_runtime_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 4463f086b..81b0dd1fe 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -141,8 +141,6 @@ fs_read_cgroup_files(udev_t) fs_rw_anon_inodefs_files(udev_t) fs_search_tracefs(udev_t) -mcs_ptrace_all(udev_t) - mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) mls_file_upgrade(udev_t) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 385c88695..9df73ac76 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -30,9 +30,6 @@ domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) files_create_boot_flag(unconfined_t) -mcs_killall(unconfined_t) -mcs_ptrace_all(unconfined_t) - libs_run_ldconfig(unconfined_t, unconfined_r) logging_send_syslog_msg(unconfined_t) -- 2.33.1
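Review bot: the policy/mcs hunk that turns `- (( l1 dom l2 ) or ( t1 != msc_constrained_type ));` into `+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));` is a fix for a misspelled attribute name in the node recvfrom/sendto constraint, not part of deprecating the override interfaces, and the commit message body is empty so nothing records it. Split it into its own patch, or at least say in the commit message that the constraint referenced a misspelled attribute and that the exemption for types outside mcs_constrained_type now applies as intended. The commit message should also state the rationale for the rest of this patch: with only mcs_constrained() types subject to MCS constraints, a domain that needed one of the old overrides is simply expected not to be mcs_constrained().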
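Review bot: in the mcs.if hunk for interface(`mcs_file_read_all', the new warning `refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')` reads as if something should be removed from this interface rather than from the calling domain; phrase it in terms of the caller, for example `$0() has been deprecated; remove the mcs_constrained() call for the domain instead.` The identical text is pasted into the mcs_file_write_all, mcs_killall and mcs_ptrace_all hunks, so adjust all four together. The `##` documentation block above each interface (visible only as `##` context here) should also say the interface is deprecated, since the generated interface documentation is what policy writers consult.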
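Review bot: after the mcs.if hunk for interface(`mcs_ptrace_all' (and the three hunks before it), no interface assigns the mcsreadall, mcswriteall, mcskillall or mcsptraceall attributes any more, because every `typeattribute $1 ...` line and its gen_require block is removed. If those attributes are still declared in mcs.te or referenced by the constraints in policy/mcs, they are dead policy and should be dropped in this series; if a later patch in the series does that, say so in the commit message so this hunk can be reviewed on its own.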
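Review bot: the init.te hunk for initrc_t drops `-# initrc_t needs to do a pidof which requires ptrace` together with `-mcs_ptrace_all(initrc_t)`, and removing an override is only behaviour-preserving if the domain is not itself mcs_constrained(). Please confirm for every domain touched in this patch (rpm_script_t, tmpreaper_t, policykit_resolve_t, postfix_master_t, postfix_pickup_t, postfix_postdrop_t, postfix_showq_t, watchdog_t, init_t, initrc_t, systemd_nspawn_t, udev_t, unconfined_t) that none of them carries mcs_constrained(); otherwise the category-based denials on ptrace, kill and cross-category file access that the removed calls bypassed return, and the pidof case in the deleted comment is exactly such a path. Keeping mcs_process_set_categories(initrc_t) in this hunk is right, as it is not one of the deprecated interfaces.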