From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: [RFC][PATCH] selinux: Remove unused permission definitions
Date: Fri, 29 May 2015 23:38:31 +0200
Message-ID: <20150529213830.GA23540@x131e>
In-Reply-To: <CAHC9VhRs+qZgKsU7t+bnBQUf+A6=wYev-KP1hoViOvLDZcaf+Q@mail.gmail.com>


On Fri, May 29, 2015 at 05:14:53PM -0400, Paul Moore wrote:
> On Wed, May 27, 2015 at 11:03 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > Remove unused permission definitions from SELinux.
> > Many of these were only ever used in pre-mainline
> > versions of SELinux, prior to Linux 2.6.0.  Some of them
> > were used in the legacy network or compat_net=1 checks
> > that were disabled by default in Linux 2.6.18 and
> > fully removed in Linux 2.6.30.
> >
> > Permissions never used in mainline Linux:
> > file swapon
> > filesystem transition
> > tcp_socket { connectto newconn acceptfrom }
> > node enforce_dest
> > unix_stream_socket { newconn acceptfrom }
> >
> > Legacy network checks, removed in 2.6.30:
> > socket { recv_msg send_msg }
> > node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> > netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> >
> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> > ---
> >  security/selinux/include/classmap.h | 22 ++++++++--------------
> >  1 file changed, 8 insertions(+), 14 deletions(-)
> 
> Seems very reasonable to me.  Chris, any objections from a policy point of view?

I do not mean to reply on Chris' behalf, but in light of what he said earlier:

"The short answer is that I'd prefer to remove policy known to be unusable."

I just want to mention that I like the idea of losing some dead weight where it makes sense as well.

> 
> > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> > index 1d8b924..5a4eef5 100644
> > --- a/security/selinux/include/classmap.h
> > +++ b/security/selinux/include/classmap.h
> > @@ -2,12 +2,12 @@
> >      "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
> >
> >  #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
> > -    "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
> > +    "rename", "execute", "quotaon", "mounton", "audit_access", \
> >      "open", "execmod"
> >
> >  #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
> >      "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom",  \
> > -    "sendto", "recv_msg", "send_msg", "name_bind"
> > +    "sendto", "name_bind"
> >
> >  #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
> >             "write", "associate", "unix_read", "unix_write"
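Review bot: the scope of the `swapon` and `recv_msg`/`send_msg` removals is wider than the commit log states. Both come out of shared macros (`COMMON_FILE_PERMS` and `COMMON_SOCK_PERMS`), so every class built on those macros loses the permission, not only the `file` class and the `socket` common listed in the log as `file swapon` and `socket { recv_msg send_msg }`. Suggest wording the log as "all classes using COMMON_FILE_PERMS" and "all socket classes" so that anyone reconciling a policy's common definitions against this change sees the full effect.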
> > @@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
> >             "audit_control", "setfcap", NULL } },
> >         { "filesystem",
> >           { "mount", "remount", "unmount", "getattr",
> > -           "relabelfrom", "relabelto", "transition", "associate", "quotamod",
> > +           "relabelfrom", "relabelto", "associate", "quotamod",
> >             "quotaget", NULL } },
> >         { "file",
> >           { COMMON_FILE_PERMS,
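Review bot: the diffstat touches only security/selinux/include/classmap.h, so a policy that still declares `transition` on `filesystem` (or any of the other removed names) keeps that definition on the userspace side after this lands. Given the preference expressed above for removing policy known to be unusable, the log should say whether a matching policy-side cleanup is expected to follow separately, and whether a policy that still declares the removed permissions is meant to load without any new warning.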
> > @@ -67,7 +67,7 @@ struct security_class_mapping secclass_map[] = {
> >           { COMMON_SOCK_PERMS, NULL } },
> >         { "tcp_socket",
> >           { COMMON_SOCK_PERMS,
> > -           "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
> > +           "node_bind", "name_connect",
> >             NULL } },
> >         { "udp_socket",
> >           { COMMON_SOCK_PERMS,
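Review bot: style only, the `tcp_socket` entry now leaves `"node_bind", "name_connect",` on one line with `NULL } },` on the next, whereas the later `unix_stream_socket` hunk collapses its shortened list onto a single line. Joining this one the same way, `{ COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } },`, would keep the table consistent.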
> > @@ -76,13 +76,9 @@ struct security_class_mapping secclass_map[] = {
> >           { COMMON_SOCK_PERMS,
> >             "node_bind", NULL } },
> >         { "node",
> > -         { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> > -           "rawip_recv", "rawip_send", "enforce_dest",
> > -           "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
> > +         { "recvfrom", "sendto", NULL } },
> >         { "netif",
> > -         {  "tcp_recv", "tcp_send", "udp_recv", "udp_send",
> > -            "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
> > -            "ingress", "egress", NULL } },
> > +         { "ingress", "egress", NULL } },
> >         { "netlink_socket",
> >           { COMMON_SOCK_PERMS, NULL } },
> >         { "packet_socket",
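Review bot: the `node` hunk drops `enforce_dest` together with the legacy `*_recv`/`*_send` pairs, and the log correctly lists it under the never-used-in-mainline group rather than the 2.6.30 removals, so the grouping matches the change. Since `node` and `netif` are reduced to `recvfrom`/`sendto` and `ingress`/`egress` respectively, a one-line note in the log stating what each class retains would help policy writers auditing their own class definitions against this table.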
> > @@ -90,11 +86,9 @@ struct security_class_mapping secclass_map[] = {
> >         { "key_socket",
> >           { COMMON_SOCK_PERMS, NULL } },
> >         { "unix_stream_socket",
> > -         { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
> > -         } },
> > +         { COMMON_SOCK_PERMS, "connectto", NULL } },
> >         { "unix_dgram_socket",
> > -         { COMMON_SOCK_PERMS, NULL
> > -         } },
> > +         { COMMON_SOCK_PERMS, NULL } },
> >         { "sem",
> >           { COMMON_IPC_PERMS, NULL } },
> >         { "msg", { "send", "receive", NULL } },
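Review bot: the `unix_dgram_socket` change in this hunk is a pure whitespace reflow (`NULL` moved onto the same line as the closing braces) with no permission removed, unrelated to the stated purpose of the patch. Either mention the cosmetic cleanup in the log or split it out, so the permission-removal commit stays minimal and easy to bisect. The `unix_stream_socket` change itself matches the log: `connectto` stays, `newconn` and `acceptfrom` go.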
> > --
> > 2.1.0
> >
> 
> 
> 
> -- 
> paul moore
> www.paul-moore.com

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
