access_vectors: remove flow_in and flow_out permissions from packet class

These permissions were never used upstream; they were only added to the
kernel's classmap when the peer class was added for consistency with
Fedora SELinux policies by:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f67f4f315f31e7907779adb3296fb6682e755342
and were removed from the
kernel's classmap in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47ac19ea429aee561f66e9cd05b908e8ffbc498a

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2020-01-14 11:28:53 -05:00
parent 8486b8aa83
commit f4459adf32
3 changed files with 2 additions and 4 deletions

View File

@ -696,8 +696,6 @@ class packet
send
recv
relabelto
flow_in # deprecated
flow_out # deprecated
forward_in
forward_out
}

View File

@ -355,7 +355,7 @@ typealias netif_t alias lo_netif_t;
allow corenet_unconfined_type node_type:node { recvfrom sendto };
allow corenet_unconfined_type netif_type:netif { ingress egress };
allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
allow corenet_unconfined_type packet_type:packet { send recv relabelto forward_in forward_out };
allow corenet_unconfined_type port_type:tcp_socket { name_connect };
allow corenet_unconfined_type port_type:sctp_socket { name_connect };

View File

@ -523,5 +523,5 @@ allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabelfrom r
allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget };
allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch };
allow kern_unconfined unlabeled_t:packet { send recv relabelto flow_in flow_out forward_in forward_out };
allow kern_unconfined unlabeled_t:packet { send recv relabelto forward_in forward_out };
allow kern_unconfined unlabeled_t:process { fork signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate getrlimit };