Add interface similar to files_mountpoint() and add a conditional which
allows mount on non_security_file_type.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
entrypoint and execute_no_trans permissions are only ever checked by the
kernel to regular files. They were added to the chr_file class when
execmod was added (which can be checked on chr_file) to ensure that it
was assigned the same value as for the file class, since the kernel code
always checked FILE__EXECMOD. However, the policy definitions are not
necessary since the kernel and policy values have been decoupled ever
since dynamic class/perm support was introduced and further with the
move of execmod to the common definitions, they were not even needed
in the kernel.
These were removed from the kernel's classmap by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b424485abe2b16580a178b469917a7b6ee0c152a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way. I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.
Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.
Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.
Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
Chris PeBenito
Chris PeBenito
Stephen Smalley
Chris PeBenito