From f4459adf3242ed2dbc35e2125f55ec299378c04c Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Tue, 14 Jan 2020 11:28:53 -0500
Subject: [PATCH] access_vectors: remove flow_in and flow_out permissions from packet class

These permissions were never used upstream; they were only added to the kernel's classmap when the peer class was added for consistency with Fedora SELinux policies by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f67f4f315f31e7907779adb3296fb6682e755342 and were removed from the kernel's classmap in: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47ac19ea429aee561f66e9cd05b908e8ffbc498a

Signed-off-by: Stephen Smalley
---
 policy/flask/access_vectors | 2 --
 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/kernel.te | 2 +-
 3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 2d084f510..2702bbabd 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -696,8 +696,6 @@ class packet
 send
 recv
 relabelto
- flow_in # deprecated
- flow_out # deprecated
 forward_in
 forward_out
 }
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 6077a816f..5a2661c54 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -355,7 +355,7 @@ typealias netif_t alias lo_netif_t;
 allow corenet_unconfined_type node_type:node { recvfrom sendto };
 allow corenet_unconfined_type netif_type:netif { ingress egress };
-allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
+allow corenet_unconfined_type packet_type:packet { send recv relabelto forward_in forward_out };
 allow corenet_unconfined_type port_type:tcp_socket { name_connect };
 allow corenet_unconfined_type port_type:sctp_socket { name_connect };
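Review bot: Dropping `flow_in` and `flow_out` from the `packet` class definition in access_vectors means any policy source that still names them will no longer build, because checkpolicy rejects a permission that is not defined for its class, and the commit description does not say so. The only in-tree users are the two unconfined rules updated in the corenetwork.te.in and kernel.te hunks of this same patch, so the in-tree build stays consistent, but locally maintained or downstream modules that carried these permissions for the Fedora-era kernels must remove them when moving to this policy version; a sentence to that effect in the description would save those maintainers a build failure. It is also worth confirming that no permission-set macro or interface elsewhere in the tree still lists the two names, since the diffstat touches only these three files. The `class packet` and `{` lines that open this block are outside the hunk.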
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 103a936fc..6b255797c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -523,5 +523,5 @@ allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabelfrom r
 allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod };
 allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget };
 allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch };
-allow kern_unconfined unlabeled_t:packet { send recv relabelto flow_in flow_out forward_in forward_out };
+allow kern_unconfined unlabeled_t:packet { send recv relabelto forward_in forward_out };
 allow kern_unconfined unlabeled_t:process { fork signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate getrlimit };