Pull in some changes from the Fedora policy's MCS constraints.
Most notably, the MCS override attributes were deprecated in favor of
mcs_constrained_type. This means that domains will have unchecked
access to objects with categories UNLESS the domain is
mcs_constrained_type. This alleviates confusion between the MCS
overrides and mcs_constrained_type to imply that a domain must be
MCS-constrained to have MCS checks at all.

Other changes include additional constraints to miscellaneous IPC
objects, node "write" operations, and netif egress/ingress operations.

Kenton Groombridge (7):
  mcs: deprecate mcs overrides
  mcs: restrict create, relabelto on mcs files
  mcs: add additional constraints to databases
  mcs: constrain misc IPC objects
  mcs: combine single-level object creation constraints
  various: deprecate mcs override interfaces
  corenet: make netlabel_peer_t mcs constrained

 policy/mcs                              | 61 ++++++++++++++++---------
 policy/modules/admin/rpm.te             |  2 -
 policy/modules/admin/tmpreaper.te       |  2 -
 policy/modules/kernel/corenetwork.te.in |  1 +
 policy/modules/kernel/mcs.if            | 24 ++--------
 policy/modules/services/policykit.te    |  2 -
 policy/modules/services/postfix.te      | 10 ----
 policy/modules/services/watchdog.te     |  2 -
 policy/modules/system/init.te           |  6 ---
 policy/modules/system/systemd.te        |  1 -
 policy/modules/system/udev.te           |  2 -
 policy/modules/system/unconfined.te     |  3 --
 12 files changed, 45 insertions(+), 71 deletions(-)

--
2.33.1