From: eparis@parisplace.org (Eric Paris)
Date: Wed, 16 Feb 2011 16:18:26 -0500
Subject: [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.
In-Reply-To: <1297879140.27031.46.camel@moss-pluto>
References: <20110214204602.GA9446@localhost.localdomain> <4D5BFB09.80003@tresys.com> <1297879140.27031.46.camel@moss-pluto>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Feb 16, 2011 at 12:59 PM, Stephen Smalley wrote:
> On Wed, 2011-02-16 at 11:27 -0500, Christopher J. PeBenito wrote:
>> On 02/14/11 15:46, Dominick Grift wrote:
>> > These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.
>>
>> No, they are deprecated.  You can't just comment out the permissions in
>> kernel object classes.  They're still in the kernel, but not used.  In
>> the future, if we need new packet permissions, these could be reclaimed
>> if necessary.
>>
>> > Signed-off-by: Dominick Grift
>> > ---
>> > :100644 100644 1966443... 3257105... M ? ? ?policy/flask/access_vectors
>> > ?policy/flask/access_vectors | ? ?4 ++--
>> > ?1 files changed, 2 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
>> > index 1966443..3257105 100644
>> > --- a/policy/flask/access_vectors
>> > +++ b/policy/flask/access_vectors
>> > @@ -687,8 +687,8 @@ class packet
>> > ? ? send
>> > ? ? recv
>> > ? ? relabelto
>> > - ? flow_in ? ? ? ? # deprecated
>> > - ? flow_out ? ? ? ?# deprecated
>> > + ? flow_in
>> > + ? flow_out
>> > ? ? forward_in
>> > ? ? forward_out
>> > ?}
>
> Eric - while we can't remove these permissions without breaking certain
> old Fedora kernels, can't we remove them from the classmap.h definitions
> in the modern kernels as they are not being used (and never were used by
> any mainline kernel?)?

I don't see why not.  I'll send a patch in a bit.

-Eric
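
Review bot: In the class packet hunk, the flow_in and flow_out lines lose their "# deprecated" marker while the permission names and their order stay the same, so the only effect is to remove documentation that the thread says is still accurate (the permissions remain defined in the kernel but are not used). A policy load failure after commenting the permissions out shows that the entries must stay in the class definition, not that they are in use. Suggest keeping the marker and making it say why the entries remain, for example "flow_in # deprecated, unused; must stay defined to match the kernel", so the next reader does not try to comment them out again.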