From: sds@tycho.nsa.gov (Stephen Smalley)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.
Date: Wed, 16 Feb 2011 12:59:00 -0500
Message-ID: <1297879140.27031.46.camel@moss-pluto>
In-Reply-To: <4D5BFB09.80003@tresys.com>

On Wed, 2011-02-16 at 11:27 -0500, Christopher J. PeBenito wrote:
> On 02/14/11 15:46, Dominick Grift wrote:
> > These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.
> 
> No, they are deprecated.  You can't just comment out the permissions in
> kernel object classes.  They're still in the kernel, but not used.  In
> the future, if we need new packet permissions, these could be reclaimed
> if necessary.
> 
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
> > ---
> > :100644 100644 1966443... 3257105... M	policy/flask/access_vectors
> >  policy/flask/access_vectors |    4 ++--
> >  1 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> > index 1966443..3257105 100644
> > --- a/policy/flask/access_vectors
> > +++ b/policy/flask/access_vectors
> > @@ -687,8 +687,8 @@ class packet
> >  	send
> >  	recv
> >  	relabelto
> > -	flow_in		# deprecated
> > -	flow_out	# deprecated
> > +	flow_in
> > +	flow_out
> >  	forward_in
> >  	forward_out
> >  }
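
Review bot: the two `+` lines for flow_in and flow_out drop the "# deprecated" comments, which were the only marker in this file that these permissions are unused. Complaints at policy load after commenting the entries out show that they must stay declared, not that they are in use; as the reply quoted above says, they are still in the kernel but not used. Suggest keeping the comments and extending them to say so, for example "# deprecated, still defined in the kernel, do not remove", so the entries are neither deleted nor mistaken for live permissions.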

Eric - while we can't remove these permissions without breaking certain
old Fedora kernels, can't we remove them from the classmap.h definitions
in the modern kernels as they are not being used (and never were used by
any mainline kernel?)?

-- 
Stephen Smalley
National Security Agency

Thread overview: 4+ messages
2011-02-14 20:46 [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see Dominick Grift
2011-02-16 16:27 ` Christopher J. PeBenito
2011-02-16 17:59   ` Stephen Smalley [this message]
2011-02-16 21:18     ` Eric Paris
