From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 15 Jan 2017 13:04:23 -0500
Subject: [refpolicy] [PATCH] refpolicy: drop unused socket security classes
In-Reply-To: <1484235748-19363-1-git-send-email-sds@tycho.nsa.gov>
References: <1484235748-19363-1-git-send-email-sds@tycho.nsa.gov>
Message-ID: <36ecf559-e20b-f45a-18ab-1435ad379aa2@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/12/17 10:42, Stephen Smalley via refpolicy wrote:
> A few of the socket classes added by commit 09ebf2b59a7255 ("refpolicy:
> Define extended_socket_class policy capability and socket classes") are
> never used because sockets can never be created with the associated
> address family. Remove these unused socket security classes.
> The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
> and mpls_socket for PF_MPLS.

Merged, thanks.

> Signed-off-by: Stephen Smalley
> ---
> policy/flask/access_vectors | 9 ---------
> policy/flask/security_classes | 3 ---
> policy/policy_capabilities | 3 ---
> policy/support/obj_perm_sets.spt | 2 +-
> 4 files changed, 1 insertion(+), 16 deletions(-)
>
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index ffe6ca0..69f69af 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -990,9 +990,6 @@ inherits socket
> class netrom_socket
> inherits socket
>
> -class bridge_socket
> -inherits socket
> -
> class atmpvc_socket
> inherits socket
>
> @@ -1020,12 +1017,6 @@ inherits socket
> class llc_socket
> inherits socket
>
> -class ib_socket
> -inherits socket
> -
> -class mpls_socket
> -inherits socket
> -
> class can_socket
> inherits socket
>
> diff --git a/policy/flask/security_classes b/policy/flask/security_classes
> index be94e9a..18f18fd 100644
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -159,7 +159,6 @@ class icmp_socket
> class ax25_socket
> class ipx_socket
> class netrom_socket
> -class bridge_socket
> class atmpvc_socket
> class x25_socket
> class rose_socket
> @@ -169,8 +168,6 @@ class rds_socket
> class irda_socket
> class pppox_socket
> class llc_socket
> -class ib_socket
> -class mpls_socket
> class can_socket
> class tipc_socket
> class bluetooth_socket
> diff --git a/policy/policy_capabilities b/policy/policy_capabilities
> index 103420e..39e3930 100644
> --- a/policy/policy_capabilities
> +++ b/policy/policy_capabilities
> @@ -54,7 +54,6 @@ policycap open_perms;
> # ax25_socket
> # ipx_socket
> # netrom_socket
> -# bridge_socket
> # atmpvc_socket
> # x25_socket
> # rose_socket
> @@ -64,8 +63,6 @@ policycap open_perms;
> # irda_socket
> # pppox_socket
> # llc_socket
> -# ib_socket
> -# mpls_socket
> # can_socket
> # tipc_socket
> # bluetooth_socket
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 0adce32..1d21fd0 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
> #
> # All socket classes.
> #
> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket bridge_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket ib_socket mpls_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket}')
> +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket}')
>
> #
> # Datagram socket classes.
> #
> -- Chris PeBenito
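Review bot: The new `socket_class_set` definition, together with the removals from `security_classes` and `access_vectors` in the same series, is a backwards-incompatible change for any policy module outside this tree that still names `bridge_socket`, `ib_socket` or `mpls_socket`, because the policy compiler rejects a reference to a class that is no longer declared; neither the description nor a Changelog entry says so. A one-line Changelog note such as `Drop the bridge_socket, ib_socket and mpls_socket classes; out-of-tree modules that reference them must be updated` would let downstream policy authors trace a failed build to this commit. The removal itself is consistent with the justification given in the description (no socket can be created with those address families), and it does not look like anything in this tree still references the three classes, though only the four touched files are visible here.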