fedora-selinux · zpytela · Jan 30, 2023 · Jan 30, 2023 · Oct 25, 2024
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
@@ -1090,12 +1090,6 @@ class perf_event
 	write
 }
 
-class lockdown
-{
-    integrity
-    confidentiality
-}
-
 class io_uring
 {
     override_creds

diff --git a/policy/flask/flask_documentation.md b/policy/flask/flask_documentation.md
@@ -1906,16 +1906,6 @@ Used to manage access while attaching BPF programs to tracepoints, perf profilin
 
 ---
 
-## class lockdown
-
-*deprecated*
-
-**integrity**
-
-**confidentiality**
-
----
-
 ## class io\_uring
 
 Used to control the ability to use special io\_uring features by the process. See also [the original kernel commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=740b03414b20e7f1879cd99aae27d8c401bbcbf9) for more details.

diff --git a/policy/flask/security_classes b/policy/flask/security_classes
@@ -201,8 +201,6 @@ class mctp_socket
 
 class perf_event
 
-class lockdown
-
 class io_uring
 
 class user_namespace

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
@@ -282,7 +282,7 @@ allow unconfined_domain_type self:lnk_file setattr;
 
 # Use/sendto/connectto sockets created by any domain.
 allow unconfined_domain_type self:cap_userns all_cap_userns_perms;
-allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+allow unconfined_domain_type domain:socket_class_set *;
 
 allow unconfined_domain_type domain:system all_system_perms;
 # Use descriptors and pipes created by any domain.

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
 #
 # All socket classes.
 #
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket dccp_socket xdp_socket mctp_socket}')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket dccp_socket xdp_socket mctp_socket key_socket}')
 
 #
 # Datagram socket classes.