This usage under /dev/.udev has been unused for a very long time and
replaced by functionality in /run/udev. Since these have separate types,
take this opportunity to revoke these likely unnecessary rules.
Fixes#221
Derived from Laurent Bigonville's work in #230
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On Wed, Mar 23, 2011 at 09:10:37AM -0400, Christopher J. PeBenito wrote:
> > userdom_use_user_ptys(mozilla_t)
> > +userdom_manage_user_tmp_files(mozilla_t)
> > +userdom_manage_user_tmp_sockets(mozilla_t)
>
> Do you have more info on these? Such as what files and sockets are
> being managed?
Not anymore apparently. Been running now for quite some time without these
privileges and I get no problems with it. Retry:
Mozilla/Firefox creates temporary files for its plugin support (for instance
while viewing flc streams), like /tmp/plugtmp/plugin-crossdomain.xml.
Update policy to allow it to create its own tmp type and perform a file
transition when creating a file or directory in a tmp_t location (like
/tmp).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Chris PeBenito
Topi Miettinen
bauen1
Guido Trentalancia
Stephen Smalley
Jason Zaman
Chris PeBenito
Matthew Ife
Sven Vermeulen
Dominick Grift