* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/flask/, policy/modules/system/, policy/
@ 2018-11-11 23:29 Jason Zaman
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     de73378ad96f678ee8882969b84bdcf3b721db1a
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Oct  8 17:46:05 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de73378a

Remove unused translate permission in context userspace class.

mcstransd never implemented this permission.  To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/flask/access_vectors      |  2 +-
 policy/mls                       |  3 ---
 policy/modules/kernel/domain.te  |  6 +-----
 policy/modules/kernel/mls.if     |  8 ++------
 policy/modules/kernel/mls.te     |  4 +---
 policy/modules/system/setrans.if | 12 ++----------
 policy/modules/system/setrans.te |  2 +-
 7 files changed, 8 insertions(+), 29 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 0630f012..b011d37e 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -765,7 +765,7 @@ class key
 
 class context
 {
-	translate
+	unused_perm
 	contains
 }
 
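Review bot: The placeholder `unused_perm` in `class context` carries no comment, so a later cleanup could delete it and shift `contains` to a different permission index than the one the commit message says must stay lined up. A one-line comment above the entry would record why it has to remain, for example `# unused_perm: placeholder for the removed translate permission; keeps permission indices stable`. The class definition is fully visible in this hunk.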

diff --git a/policy/mls b/policy/mls
index eeca15a8..484e3ca3 100644
--- a/policy/mls
+++ b/policy/mls
@@ -764,9 +764,6 @@ mlsconstrain association { polmatch }
 # MLS policy for the context class
 #
 
-mlsconstrain context translate
-	(( h1 dom h2 ) or ( t1 == mlstranslate ));
-
 mlsconstrain context contains
 	(( h1 dom h2 ) and ( l1 domby l2));
 

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 7a34bb07..41ae69db 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,4 +1,4 @@
-policy_module(domain, 1.14.0)
+policy_module(domain, 1.14.1)
 
 ########################################
 #
@@ -137,10 +137,6 @@ optional_policy(`
 	libs_use_shared_libs(domain)
 ')
 
-optional_policy(`
-	setrans_translate_context(domain)
-')
-
 # xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
 optional_policy(`
 	xserver_dontaudit_use_xdm_fds(domain)

diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 2e2bebc2..c11c7b95 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -849,7 +849,7 @@ interface(`mls_fd_share_all_levels',`
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
-##	for translating contexts at all levels.
+##	for translating contexts at all levels.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -859,11 +859,7 @@ interface(`mls_fd_share_all_levels',`
 ## <rolecap/>
 #
 interface(`mls_context_translate_all_levels',`
-	gen_require(`
-		attribute mlstranslate;
-	')
-
-	typeattribute $1 mlstranslate;
+	refpolicywarn(`$0($*) has been deprecated')
 ')
 
 ########################################
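Review bot: `mls_context_translate_all_levels` is reduced to a bare `refpolicywarn`, yet none of the seven files in this commit removes a call to it, so any remaining in-tree or out-of-tree callers will presumably start emitting the warning at build time. Because the interface has no replacement, the warning text and the summary could state that it is now a no-op and that callers should simply drop the call. A follow-up that removes the remaining callers would keep policy builds free of deprecation noise.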

diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 3f842ea3..6fc595e2 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,4 +1,4 @@
-policy_module(mls, 1.10.0)
+policy_module(mls, 1.10.1)
 
 ########################################
 #
@@ -69,7 +69,5 @@ attribute mlsrangetrans;
 attribute mlsfduse;
 attribute mlsfdshare;
 
-attribute mlstranslate;
-
 attribute mlsdbusrecv;
 attribute mlsdbussend;

diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 9478dd9b..03afaa92 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -21,7 +21,7 @@ interface(`setrans_initrc_domtrans',`
 
 #######################################
 ## <summary>
-##	Allow a domain to translate contexts.
+##	Allow a domain to translate contexts.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -30,15 +30,7 @@ interface(`setrans_initrc_domtrans',`
 ## </param>
 #
 interface(`setrans_translate_context',`
-	gen_require(`
-		type setrans_t, setrans_var_run_t;
-		class context translate;
-	')
-
-	allow $1 self:unix_stream_socket create_stream_socket_perms;
-	allow $1 setrans_t:context translate;
-	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
-	files_list_pids($1)
+	refpolicywarn(`$0($*) has been deprecated')
 ')
 
 ######################################
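Review bot: The removed body of `setrans_translate_context` granted more than `context translate`: it also allowed `unix_stream_socket create_stream_socket_perms`, a `stream_connect_pattern` to `setrans_t` through `setrans_var_run_t`, and `files_list_pids`. With the interface stubbed out and the `setrans_translate_context(domain)` call dropped from `domain.te` in the same commit, every domain that relied on it loses the socket access too. That narrows who can reach the translation daemon, but it may also leave MCS/MLS labels untranslated for those domains. If the tightening is intended, the commit message should say so; if not, the socket rules probably belong in a separately named interface. Checking for AVC denials against `setrans_t` on an MCS system after this change would confirm which case applies.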

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 3f50e546..24c3577e 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.14.0)
+policy_module(setrans, 1.14.1)
 
 gen_require(`
 	class context contains;

