* [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.
@ 2011-02-14 20:46 Dominick Grift
  2011-02-16 16:27 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2011-02-14 20:46 UTC (permalink / raw)
  To: refpolicy

These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 1966443... 3257105... M	policy/flask/access_vectors
 policy/flask/access_vectors |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 1966443..3257105 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -687,8 +687,8 @@ class packet
 	send
 	recv
 	relabelto
-	flow_in		# deprecated
-	flow_out	# deprecated
+	flow_in
+	flow_out
 	forward_in
 	forward_out
 }
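
Review bot: Dropping `# deprecated` from `flow_in` and `flow_out` in `class packet` is not supported by the evidence in the commit message: load complaints after commenting the two entries out show that they have to stay declared in the class, not that anything still uses them. I would keep the marker and extend it to say why the lines must remain, for example `flow_in		# deprecated, must stay declared`, and paste the exact complaint text into the commit message so the reason is on record.
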
-- 
1.7.4


* [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.
  2011-02-14 20:46 [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see Dominick Grift
@ 2011-02-16 16:27 ` Christopher J. PeBenito
  2011-02-16 17:59   ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2011-02-16 16:27 UTC (permalink / raw)
  To: refpolicy

On 02/14/11 15:46, Dominick Grift wrote:
> These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.

No, they are deprecated.  You can't just comment out the permissions in
kernel object classes.  They're still in the kernel, but not used.  In
the future, if we need new packet permissions, these could be reclaimed
if necessary.

> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 1966443... 3257105... M	policy/flask/access_vectors
>  policy/flask/access_vectors |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 1966443..3257105 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -687,8 +687,8 @@ class packet
>  	send
>  	recv
>  	relabelto
> -	flow_in		# deprecated
> -	flow_out	# deprecated
> +	flow_in
> +	flow_out
>  	forward_in
>  	forward_out
>  }


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.
  2011-02-16 16:27 ` Christopher J. PeBenito
@ 2011-02-16 17:59   ` Stephen Smalley
  2011-02-16 21:18     ` Eric Paris
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2011-02-16 17:59 UTC (permalink / raw)
  To: refpolicy

On Wed, 2011-02-16 at 11:27 -0500, Christopher J. PeBenito wrote:
> On 02/14/11 15:46, Dominick Grift wrote:
> > These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.
> 
> No, they are deprecated.  You can't just comment out the permissions in
> kernel object classes.  They're still in the kernel, but not used.  In
> the future, if we need new packet permissions, these could be reclaimed
> if necessary.
> 
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
> > ---
> > :100644 100644 1966443... 3257105... M	policy/flask/access_vectors
> >  policy/flask/access_vectors |    4 ++--
> >  1 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> > index 1966443..3257105 100644
> > --- a/policy/flask/access_vectors
> > +++ b/policy/flask/access_vectors
> > @@ -687,8 +687,8 @@ class packet
> >  	send
> >  	recv
> >  	relabelto
> > -	flow_in		# deprecated
> > -	flow_out	# deprecated
> > +	flow_in
> > +	flow_out
> >  	forward_in
> >  	forward_out
> >  }

Eric - while we can't remove these permissions without breaking certain
old Fedora kernels, can't we remove them from the classmap.h definitions
in the modern kernels as they are not being used (and never were used by
any mainline kernel?)?

-- 
Stephen Smalley
National Security Agency


* [refpolicy] [ access_vectors patch 2/2] These are not deprecated as far as i can see.
  2011-02-16 17:59   ` Stephen Smalley
@ 2011-02-16 21:18     ` Eric Paris
  0 siblings, 0 replies; 4+ messages in thread
From: Eric Paris @ 2011-02-16 21:18 UTC (permalink / raw)
  To: refpolicy

On Wed, Feb 16, 2011 at 12:59 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2011-02-16 at 11:27 -0500, Christopher J. PeBenito wrote:
>> On 02/14/11 15:46, Dominick Grift wrote:
>> > These seem to not be deprecated. At least, when I commented them out I got complaints when loading policy.
>>
>> No, they are deprecated.  You can't just comment out the permissions in
>> kernel object classes.  They're still in the kernel, but not used.  In
>> the future, if we need new packet permissions, these could be reclaimed
>> if necessary.
>>
>> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>> > ---
>> > :100644 100644 1966443... 3257105... M	policy/flask/access_vectors
>> >  policy/flask/access_vectors |    4 ++--
>> >  1 files changed, 2 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
>> > index 1966443..3257105 100644
>> > --- a/policy/flask/access_vectors
>> > +++ b/policy/flask/access_vectors
>> > @@ -687,8 +687,8 @@ class packet
>> > ? ? send
>> > ? ? recv
>> > ? ? relabelto
>> > - ? flow_in ? ? ? ? # deprecated
>> > - ? flow_out ? ? ? ?# deprecated
>> > + ? flow_in
>> > + ? flow_out
>> > ? ? forward_in
>> > ? ? forward_out
>> > ?}
>
> Eric - while we can't remove these permissions without breaking certain
> old Fedora kernels, can't we remove them from the classmap.h definitions
> in the modern kernels as they are not being used (and never were used by
> any mainline kernel?)?

I don't see why not.  I'll send a patch in a bit.

-Eric
