Remove unused translate permission in context userspace class.

mcstransd never implemented this permission. To keep permission indices lined up, replace the permission with "unused_perm" to make it clear that it has no effect.
SELinuxProject · Oct 13, 2018 · 65da822 · 65da822
1 parent e256e55
commit 65da822
Show file tree

Hide file tree

Showing 7 changed files with 8 additions and 29 deletions.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
@@ -765,7 +765,7 @@ class key
 
 class context
 {
-	translate
+	unused_perm
 	contains
 }
 

diff --git a/policy/mls b/policy/mls
@@ -764,9 +764,6 @@ mlsconstrain association { polmatch }
 # MLS policy for the context class
 #
 
-mlsconstrain context translate
-	(( h1 dom h2 ) or ( t1 == mlstranslate ));
-
 mlsconstrain context contains
 	(( h1 dom h2 ) and ( l1 domby l2));
 

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
@@ -1,4 +1,4 @@
-policy_module(domain, 1.14.0)
+policy_module(domain, 1.14.1)
 
 ########################################
 #
@@ -137,10 +137,6 @@ optional_policy(`
 	libs_use_shared_libs(domain)
 ')
 
-optional_policy(`
-	setrans_translate_context(domain)
-')
-
 # xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
 optional_policy(`
 	xserver_dontaudit_use_xdm_fds(domain)

diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
@@ -849,7 +849,7 @@ interface(`mls_fd_share_all_levels',`
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
-##	for translating contexts at all levels.
+##	for translating contexts at all levels.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -859,11 +859,7 @@ interface(`mls_fd_share_all_levels',`
 ## <rolecap/>
 #
 interface(`mls_context_translate_all_levels',`
-	gen_require(`
-		attribute mlstranslate;
-	')
-
-	typeattribute $1 mlstranslate;
+	refpolicywarn(`$0($*) has been deprecated')
 ')
 
 ########################################

diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
@@ -1,4 +1,4 @@
-policy_module(mls, 1.10.0)
+policy_module(mls, 1.10.1)
 
 ########################################
 #
@@ -69,7 +69,5 @@ attribute mlsrangetrans;
 attribute mlsfduse;
 attribute mlsfdshare;
 
-attribute mlstranslate;
-
 attribute mlsdbusrecv;
 attribute mlsdbussend;
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
@@ -21,7 +21,7 @@ interface(`setrans_initrc_domtrans',`
 
 #######################################
 ## <summary>
-##	Allow a domain to translate contexts.
+##	Allow a domain to translate contexts.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -30,15 +30,7 @@ interface(`setrans_initrc_domtrans',`
 ## </param>
 #
 interface(`setrans_translate_context',`
-	gen_require(`
-		type setrans_t, setrans_var_run_t;
-		class context translate;
-	')
-
-	allow $1 self:unix_stream_socket create_stream_socket_perms;
-	allow $1 setrans_t:context translate;
-	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
-	files_list_pids($1)
+	refpolicywarn(`$0($*) has been deprecated')
 ')
 
 ######################################

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.14.0)
+policy_module(setrans, 1.14.1)
 
 gen_require(`
 	class context contains;