* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/contrib/, policy/modules/apps/
@ 2020-02-15  8:45 Jason Zaman
From: Jason Zaman @ 2020-02-15  8:45 UTC (permalink / raw
  To: gentoo-commits

commit:     fd6ef0c54af495c90e7f5335923ba6274fdb36ac
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 15 08:28:18 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 08:31:07 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd6ef0c5

access_vectors: Remove gentoo-specific unused permissions

Follow-on to commit 8c38998a0c3024ef16de5fdc1bc12cef5c521759

tcp/udp sendrecv permissions are obsolete and removed from the policy
completely.

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/portage.te      | 1 -
 policy/modules/admin/puppet.te       | 1 -
 policy/modules/apps/mozilla.te       | 4 ----
 policy/modules/contrib/bitcoin.te    | 2 --
 policy/modules/contrib/dirsrv.te     | 1 -
 policy/modules/contrib/dropbox.te    | 1 -
 policy/modules/contrib/kdeconnect.te | 2 --
 policy/modules/contrib/mutt.te       | 2 --
 policy/modules/contrib/pan.te        | 1 -
 policy/modules/contrib/rtorrent.te   | 1 -
 policy/modules/contrib/skype.te      | 1 -
 11 files changed, 17 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 63393962..671ee7f0 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -525,7 +525,6 @@ gen_tunable(portage_enable_test, false)
 		corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
 		corenet_udp_bind_all_unreserved_ports(portage_sandbox_t)
 		corenet_udp_bind_generic_node(portage_sandbox_t)
-		corenet_udp_sendrecv_all_ports(portage_sandbox_t)
 	')
 
 	##########################################

diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index f2b11568..3670df76 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -368,7 +368,6 @@ ifdef(`distro_gentoo',`
 
 	corenet_sendrecv_puppetclient_server_packets(puppet_t)
 	corenet_tcp_bind_puppetclient_port(puppet_t)
-	corenet_tcp_sendrecv_puppetclient_port(puppet_t)
 
 	usermanage_domtrans_passwd(puppet_t)
 

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 744c7df2..c4ac2c7e 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -724,10 +724,8 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
 	allow mozilla_t mozilla_xdg_cache_t:file map;
 
 	corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
-	corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
 	corenet_sendrecv_tor_client_packets(mozilla_t)
 	corenet_tcp_connect_tor_port(mozilla_t)
-	corenet_tcp_sendrecv_tor_port(mozilla_t)
 
 	domain_use_interactive_fds(mozilla_t)
 
@@ -738,7 +736,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
 	tunable_policy(`mozilla_bind_all_unreserved_ports',`
 		corenet_sendrecv_all_server_packets(mozilla_t)
 		corenet_tcp_bind_all_unreserved_ports(mozilla_t)
-		corenet_tcp_sendrecv_all_ports(mozilla_t)
 	')
 
 	optional_policy(`
@@ -771,7 +768,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
 
 	corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t)
 	corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
-	corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t)
 
 	userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
 	userdom_rw_user_tmpfs_files(mozilla_plugin_t)

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
index c5667519..6cc82f77 100644
--- a/policy/modules/contrib/bitcoin.te
+++ b/policy/modules/contrib/bitcoin.te
@@ -69,12 +69,10 @@ corenet_tcp_bind_bitcoin_port(bitcoin_t)
 corenet_tcp_connect_bitcoin_port(bitcoin_t)
 corenet_tcp_connect_http_port(bitcoin_t)
 corenet_tcp_bind_generic_node(bitcoin_t)
-corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
 corenet_tcp_sendrecv_generic_if(bitcoin_t)
 corenet_tcp_sendrecv_generic_node(bitcoin_t)
 #corenet_sendrecv_dns_server_packets(bitcoin_t)
 #corenet_udp_bind_dns_port(bitcoin_t)
-#corenet_udp_sendrecv_dns_port(bitcoin_t)
 
 dev_read_sysfs(bitcoin_t)
 dev_read_urand(bitcoin_t)

diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te
index e7c8d06e..0fa0b069 100644
--- a/policy/modules/contrib/dirsrv.te
+++ b/policy/modules/contrib/dirsrv.te
@@ -125,7 +125,6 @@ corenet_all_recvfrom_unlabeled(dirsrv_t)
 corenet_all_recvfrom_netlabel(dirsrv_t)
 corenet_tcp_sendrecv_generic_if(dirsrv_t)
 corenet_tcp_sendrecv_generic_node(dirsrv_t)
-corenet_tcp_sendrecv_all_ports(dirsrv_t)
 corenet_tcp_bind_all_nodes(dirsrv_t)
 corenet_tcp_bind_ldap_port(dirsrv_t)
 corenet_tcp_bind_all_rpc_ports(dirsrv_t)

diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te
index 80d8af37..2aa9a93b 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -108,7 +108,6 @@ corenet_tcp_sendrecv_generic_node(dropbox_t)
 
 tunable_policy(`dropbox_bind_port',`
 	allow dropbox_t self:tcp_socket { accept listen };
-	allow dropbox_t self:udp_socket { send_msg recv_msg };
 
 	corenet_tcp_bind_dropbox_port(dropbox_t)
 	corenet_udp_bind_dropbox_port(dropbox_t)

diff --git a/policy/modules/contrib/kdeconnect.te b/policy/modules/contrib/kdeconnect.te
index 92be330d..8e6b5226 100644
--- a/policy/modules/contrib/kdeconnect.te
+++ b/policy/modules/contrib/kdeconnect.te
@@ -72,9 +72,7 @@ corenet_sendrecv_kdeconnect_server_packets(kdeconnect_t)
 corenet_tcp_bind_kdeconnect_port(kdeconnect_t)
 corenet_tcp_bind_generic_node(kdeconnect_t)
 corenet_tcp_connect_kdeconnect_port(kdeconnect_t)
-corenet_tcp_sendrecv_kdeconnect_port(kdeconnect_t)
 corenet_udp_bind_kdeconnect_port(kdeconnect_t)
-corenet_udp_sendrecv_kdeconnect_port(kdeconnect_t)
 corenet_udp_bind_generic_node(kdeconnect_t)
 
 dev_read_sysfs(kdeconnect_t)

diff --git a/policy/modules/contrib/mutt.te b/policy/modules/contrib/mutt.te
index 393b9438..bc09f380 100644
--- a/policy/modules/contrib/mutt.te
+++ b/policy/modules/contrib/mutt.te
@@ -59,8 +59,6 @@ corenet_tcp_connect_pop_port(mutt_t)
 corenet_tcp_connect_smtp_port(mutt_t)
 corenet_tcp_sendrecv_generic_if(mutt_t)
 corenet_tcp_sendrecv_generic_node(mutt_t)
-corenet_tcp_sendrecv_pop_port(mutt_t)
-corenet_tcp_sendrecv_smtp_port(mutt_t)
 
 dev_read_rand(mutt_t)
 dev_read_urand(mutt_t)

diff --git a/policy/modules/contrib/pan.te b/policy/modules/contrib/pan.te
index 89bc61d0..48b07b85 100644
--- a/policy/modules/contrib/pan.te
+++ b/policy/modules/contrib/pan.te
@@ -51,7 +51,6 @@ corenet_sendrecv_innd_client_packets(pan_t)
 corenet_tcp_connect_innd_port(pan_t)
 corenet_tcp_sendrecv_generic_if(pan_t)
 corenet_tcp_sendrecv_generic_node(pan_t)
-corenet_tcp_sendrecv_innd_port(pan_t)
 
 domain_dontaudit_use_interactive_fds(pan_t)
 

diff --git a/policy/modules/contrib/rtorrent.te b/policy/modules/contrib/rtorrent.te
index e7f7c354..34fad1c5 100644
--- a/policy/modules/contrib/rtorrent.te
+++ b/policy/modules/contrib/rtorrent.te
@@ -49,7 +49,6 @@ allow rtorrent_t rtorrent_session_t:file map;
 corenet_tcp_bind_generic_node(rtorrent_t)
 corenet_tcp_bind_rtorrent_port(rtorrent_t)
 corenet_tcp_connect_all_ports(rtorrent_t)
-corenet_tcp_sendrecv_all_ports(rtorrent_t)
 
 domain_use_interactive_fds(rtorrent_t)
 

diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index dc7f73ec..8a70ad35 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -81,7 +81,6 @@ corenet_tcp_bind_generic_port(skype_t)
 corenet_tcp_connect_all_unreserved_ports(skype_t)
 corenet_tcp_connect_generic_port(skype_t)
 corenet_tcp_connect_http_port(skype_t)
-corenet_tcp_sendrecv_http_port(skype_t)
 corenet_udp_bind_generic_node(skype_t)
 corenet_udp_bind_generic_port(skype_t)
 

