Update to socket_class_set #1580

Open. Wants to merge 3 commits into base: rawhide from

Conversation

zpytela
Contributor

@zpytela zpytela commented Jan 30, 2023

No description provided.

@zpytela
Contributor Author

zpytela commented Jan 30, 2023

I believe removing "socket" can be done in 2 steps, with removing all references to the class and deprecating interfaces coming later.

The key_socket security class was added to the policy with 134191b
("move flask dir to top level, and update them from nsa cvs..."),
but not added to the socket_class_set object permissions set.

It seems socket is not used as a security class any longer, just as a
common prefix which is then inherited by particular socket classes.

A comprehensive fix for all the problems caused by the lockdown SELinux
class was rejected by Linus and for the lack of a better option,
the consensus upstream was to just remove the class entirely and stop
checking anything in the lockdown hook.

This commit is a follow-up to the previous commit
12f821c ("Remove the lockdown-class rules from the policy").
@zpytela zpytela marked this pull request as ready for review October 25, 2024 22:15
@zpytela
Contributor Author

zpytela commented Oct 25, 2024

@WOnder93 Please review. A good thing to say about this PR is that the system boots.

@WOnder93
Member

The commit message of the second commit (Remove socket from socket_class_set) should be changed, because socket is not being removed from the socket_class_set macro, just from the unconfined_domain_type allow rule.

Otherwise LGTM.

2 participants