access_vectors: Remove unused permission definitions
Description adapted from commit 42a9699a9f.
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
parent
f25e5550a7
commit
11dc03e5a2
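--- a/access_vectors
+++ b/access_vectors
@@ -24,7 +24,6 @@ common file
 link
 rename
 execute
-swapon
 quotaon
 mounton
 }
@@ -57,8 +56,6 @@ common socket
 shutdown
 recvfrom
 sendto
-recv_msg
-send_msg
 name_bind
 }
 
@@ -97,7 +94,6 @@ class filesystem
 getattr
 relabelfrom
 relabelto
-transition
 associate
 quotamod
 quotaget
@@ -184,9 +180,6 @@ inherits socket
 class tcp_socket
 inherits socket
 {
-connectto
-newconn
-acceptfrom
 node_bind
 name_connect
 }
@@ -205,29 +198,12 @@ inherits socket
 
 class node
 {
-tcp_recv
-tcp_send
-udp_recv
-udp_send
-rawip_recv
-rawip_send
-enforce_dest
-dccp_recv
-dccp_send
 recvfrom
 sendto
 }
 
 class netif
 {
-tcp_recv
-tcp_send
-udp_recv
-udp_send
-rawip_recv
-rawip_send
-dccp_recv
-dccp_send
 ingress
 egress
 }
@@ -245,8 +221,6 @@ class unix_stream_socket
 inherits socket
 {
 connectto
-newconn
-acceptfrom
 }
 
 class unix_dgram_socket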
@ -237,7 +237,7 @@ define(`selinux_check_access', `
|
|||||||
r_dir_file($1, selinuxfs)
|
r_dir_file($1, selinuxfs)
|
||||||
allow $1 selinuxfs:file w_file_perms;
|
allow $1 selinuxfs:file w_file_perms;
|
||||||
allow $1 kernel:security compute_av;
|
allow $1 kernel:security compute_av;
|
||||||
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
|
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
|
||||||
')
|
')
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
|
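Review bot: The pruned list on the new `allow $1 self:netlink_selinux_socket { read write create ... name_bind };` line is still a hand-maintained copy of the `socket` common permissions, which is exactly why this macro had to be edited when `recv_msg`/`send_msg` were dropped from access_vectors; if the policy already defines a shared socket-permission macro, the line should reference it so the next access_vectors change cannot leave a stale list here. Independently of that, the grant looks broader than a compute_av client needs — it hands the caller `relabelfrom relabelto name_bind` and the `bind connect listen accept` family on its own netlink_selinux socket — so it is worth confirming which of these the `compute_av` path actually exercises and trimming the rest to keep the macro least-privilege. The `define(`selinux_check_access'` body starts before this hunk; only its tail and the closing `')` are visible.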