From cdae7debe68bf20521085237b80da9417328841b Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 14 May 2014 09:31:06 -0400
Subject: [PATCH] Drop unused rules for raw I/O, mknod, and block device
 access.

We added these rules to the kernel domain when we removed them
from unconfined to ensure that we did not break anything.  But
we have seen no uses of these rules, and this matches our expectation
that any actual operations requiring these permissions occur
after switching to the init domain.

Change-Id: I6f3556a26b0f6f4e6effcb874bfc9498e7dfaa47
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 kernel.te | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/kernel.te b/kernel.te
index c40d08b5a..0048a626e 100644
--- a/kernel.te
+++ b/kernel.te
@@ -17,10 +17,3 @@ dontaudit kernel self:security setenforce;
 
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel self:security setcheckreqprot;
-
-# For operations performed by kernel or init prior to switching to init domain.
-## TODO: Investigate whether it is safe to remove these
-allow kernel self:capability { sys_rawio mknod };
-auditallow kernel self:capability { sys_rawio mknod };
-allow kernel dev_type:blk_file rw_file_perms;
-auditallow kernel dev_type:blk_file rw_file_perms;
-- 
GitLab