From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Wed, 16 Feb 2011 12:59:00 -0500
Subject: [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.
In-Reply-To: <4D5BFB09.80003@tresys.com>
References: <20110214204602.GA9446@localhost.localdomain> <4D5BFB09.80003@tresys.com>
Message-ID: <1297879140.27031.46.camel@moss-pluto>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2011-02-16 at 11:27 -0500, Christopher J. PeBenito wrote:
> On 02/14/11 15:46, Dominick Grift wrote:
> > These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.
>
> No, they are deprecated. You can't just comment out the permissions in
> kernel object classes. They're still in the kernel, but not used. In
> the future, if we need new packet permissions, these could be reclaimed
> if necessary.
> >
> > Signed-off-by: Dominick Grift
> > ---
> > :100644 100644 1966443... 3257105... M policy/flask/access_vectors
> > policy/flask/access_vectors | 4 ++--
> > 1 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> > index 1966443..3257105 100644
> > --- a/policy/flask/access_vectors
> > +++ b/policy/flask/access_vectors
> > @@ -687,8 +687,8 @@ class packet
> > send
> > recv
> > relabelto
> > - flow_in # deprecated
> > - flow_out # deprecated
> > + flow_in
> > + flow_out
> > forward_in
> > forward_out
> > }

Eric - while we can't remove these permissions without breaking certain
old Fedora kernels, can't we remove them from the classmap.h definitions
in the modern kernels as they are not being used (and never were used by
any mainline kernel?)?

--
Stephen Smalley
National Security Agency
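Review bot: In the `class packet` hunk of policy/flask/access_vectors, dropping the `# deprecated` comments from `flow_in` and `flow_out` removes the only in-file marker that these permissions are unused, while the load complaints described in the commit message come from commenting out the permission entries themselves, not from the comment text. Suggest keeping the two entries and their markers, and extending the comment to record why they cannot be removed, for example `flow_in # deprecated, must remain defined`, so the next reader does not repeat the experiment of commenting them out.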