2011-02-14 20:46:05

by domg472

Subject: [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.

These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 1966443... 3257105... M policy/flask/access_vectors
policy/flask/access_vectors | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 1966443..3257105 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -687,8 +687,8 @@ class packet
send
recv
relabelto
- flow_in # deprecated
- flow_out # deprecated
+ flow_in
+ flow_out
forward_in
forward_out
}
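Review bot: the commit message draws the wrong conclusion from the load complaints. A permission of a kernel object class has to stay listed in access_vectors because the kernel defines it, whether or not any rule references it, so a policy load failing when `flow_in` and `flow_out` are commented out says nothing about whether they are deprecated. Keep the two `# deprecated` annotations, which mark the permissions as unused rather than removable, and if the "not deprecated" claim is kept, name the kernel code or policy rule that actually uses them.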
--
1.7.4



2011-02-16 16:27:53

by cpebenito

Subject: [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.

On 02/14/11 15:46, Dominick Grift wrote:
> These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.

No, they are deprecated. You can't just comment out the permissions in
kernel object classes. They're still in the kernel, but not used. In
the future, if we need new packet permissions, these could be reclaimed
if necessary.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 1966443... 3257105... M policy/flask/access_vectors
> policy/flask/access_vectors | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 1966443..3257105 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -687,8 +687,8 @@ class packet
> send
> recv
> relabelto
> - flow_in # deprecated
> - flow_out # deprecated
> + flow_in
> + flow_out
> forward_in
> forward_out
> }
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
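The kernel side of the point above, as an added example (my code, not refpolicy's and not the kernel's): the SELinux kernel defines its object classes and their permissions in security/selinux/include/classmap.h, and a policy has to define every permission the kernel lists for a kernel class, used or not. The script parses an access_vectors fragment and a secclass_map[]-style table and reports the mismatch between them. Both inputs are constructed samples, the packet class with flow_in/flow_out commented out (what the first message tried) and a hand-written classmap entry; neither is copied from refpolicy or from a kernel tree, and the parsing is a deliberately small subset of the real syntax.

```python
import re

# Constructed sample, not copied from refpolicy: the packet class with the
# two deprecated permissions commented out, plus a common block and an
# inheriting class so the parser handles both declaration forms.
ACCESS_VECTORS = """
common file
{
    ioctl
    read
    write
}

class file
inherits file
{
    execute_no_trans
}

class packet
{
    send
    recv
    relabelto
#   flow_in         # deprecated
#   flow_out        # deprecated
    forward_in
    forward_out
}
"""

# Constructed sample in the shape of the kernel's secclass_map[] initializer
# (security/selinux/include/classmap.h); assumed, not copied from a tree.
CLASSMAP_H = """
struct security_class_mapping secclass_map[] = {
    { "file",
      { "ioctl", "read", "write", "execute_no_trans", NULL } },
    { "packet",
      { "send", "recv", "relabelto", "flow_in", "flow_out",
        "forward_in", "forward_out", NULL } },
    { NULL }
};
"""


def parse_access_vectors(text):
    """Return {class: set(perms)} from access_vectors text.

    '#' comments are stripped first, so a commented-out permission is
    simply absent, which is exactly how the policy compiler sees it.
    'common' blocks are expanded into classes that 'inherits' them.
    """
    text = re.sub(r"#.*", "", text)
    commons = {name: set(body.split())
               for name, body in re.findall(r"\bcommon\s+(\w+)\s*\{([^}]*)\}", text)}
    classes = {}
    class_re = re.compile(r"\bclass\s+(\w+)(?:\s+inherits\s+(\w+))?(?:\s*\{([^}]*)\})?")
    for name, parent, body in class_re.findall(text):
        perms = set(body.split()) if body else set()
        if parent:
            perms |= commons.get(parent, set())
        classes[name] = perms
    return classes


def parse_classmap(text):
    """Return {class: [perms in kernel order]} from a secclass_map[] table."""
    return {name: re.findall(r'"(\w+)"', body)
            for name, body in re.findall(r'\{\s*"(\w+)"\s*,\s*\{([^}]*)\}', text)}


def check(policy, kernel):
    """For each kernel class, report (perms the kernel defines but the policy
    lacks, perms the policy defines but the kernel does not know).

    The first list is the one that matters at load time: every entry must
    stay in access_vectors, deprecated or not, because the kernel defines it.
    Policy-only classes (userspace object managers) are not kernel classes,
    so they are not checked here.
    """
    report = {}
    for cls, kperms in kernel.items():
        pperms = policy.get(cls, set())
        missing = [p for p in kperms if p not in pperms]
        extra = sorted(pperms - set(kperms))
        if missing or extra:
            report[cls] = (missing, extra)
    return report


if __name__ == "__main__":
    report = check(parse_access_vectors(ACCESS_VECTORS), parse_classmap(CLASSMAP_H))
    for cls, (missing, extra) in report.items():
        for p in missing:
            print(f"{cls}: kernel permission {p!r} is not defined in policy")
        for p in extra:
            print(f"{cls}: policy permission {p!r} is unknown to the kernel")
```

Run against the constructed inputs it reports flow_in and flow_out as kernel permissions missing from policy; restoring the two lines makes the report empty. On a live system the loaded policy's view of a class is visible under selinuxfs as /sys/fs/selinux/class/packet/perms/ (older systems mount it at /selinux), which is the quickest way to confirm that a permission the kernel knows about is still present in the policy that was actually loaded.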

2011-02-16 17:59:00

by Stephen Smalley

Subject: [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.

On Wed, 2011-02-16 at 11:27 -0500, Christopher J. PeBenito wrote:
> On 02/14/11 15:46, Dominick Grift wrote:
> > These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.
>
> No, they are deprecated. You can't just comment out the permissions in
> kernel object classes. They're still in the kernel, but not used. In
> the future, if we need new packet permissions, these could be reclaimed
> if necessary.
>
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > :100644 100644 1966443... 3257105... M policy/flask/access_vectors
> > policy/flask/access_vectors | 4 ++--
> > 1 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> > index 1966443..3257105 100644
> > --- a/policy/flask/access_vectors
> > +++ b/policy/flask/access_vectors
> > @@ -687,8 +687,8 @@ class packet
> > send
> > recv
> > relabelto
> > - flow_in # deprecated
> > - flow_out # deprecated
> > + flow_in
> > + flow_out
> > forward_in
> > forward_out
> > }

Eric - while we can't remove these permissions without breaking certain
old Fedora kernels, can't we remove them from the classmap.h definitions
in the modern kernels as they are not being used (and never were used by
any mainline kernel?)?

--
Stephen Smalley
National Security Agency

2011-02-16 21:18:26

by Eric Paris

Subject: [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.

On Wed, Feb 16, 2011 at 12:59 PM, Stephen Smalley <[email protected]> wrote:
> On Wed, 2011-02-16 at 11:27 -0500, Christopher J. PeBenito wrote:
>> On 02/14/11 15:46, Dominick Grift wrote:
>> > These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.
>>
>> No, they are deprecated. You can't just comment out the permissions in
>> kernel object classes. They're still in the kernel, but not used. In
>> the future, if we need new packet permissions, these could be reclaimed
>> if necessary.
>>
>> > Signed-off-by: Dominick Grift <[email protected]>
>> > ---
>> > :100644 100644 1966443... 3257105... M ? ? ?policy/flask/access_vectors
>> > ?policy/flask/access_vectors | ? ?4 ++--
>> > ?1 files changed, 2 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
>> > index 1966443..3257105 100644
>> > --- a/policy/flask/access_vectors
>> > +++ b/policy/flask/access_vectors
>> > @@ -687,8 +687,8 @@ class packet
>> > ? ? send
>> > ? ? recv
>> > ? ? relabelto
>> > - ? flow_in ? ? ? ? # deprecated
>> > - ? flow_out ? ? ? ?# deprecated
>> > + ? flow_in
>> > + ? flow_out
>> > ? ? forward_in
>> > ? ? forward_out
>> > ?}
>
> Eric - while we can't remove these permissions without breaking certain
> old Fedora kernels, can't we remove them from the classmap.h definitions
> in the modern kernels as they are not being used (and never were used by
> any mainline kernel?)?

I don't see why not. I'll send a patch in a bit.

-Eric