Remove the lockdown class from the policy

A comprehensive fix for all the problems caused by the lockdown SELinux class was rejected by Linus and for the lack of a better option, the consensus upstream was to just remove the class entirely and stop checking anything in the lockdown hook. This commit is a follow-up to the previous commit 12f821c ("Remove the lockdown-class rules from the policy"). Resolves: RHEL-36741
zpytela · Jan 17, 2025 · 3abbd46 · 3abbd46
1 parent 11b7c87
commit 3abbd46
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 18 deletions.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
@@ -1090,12 +1090,6 @@ class perf_event
 	write
 }
 
-class lockdown
-{
-    integrity
-    confidentiality
-}
-
 class io_uring
 {
     override_creds

diff --git a/policy/flask/flask_documentation.md b/policy/flask/flask_documentation.md
@@ -1906,16 +1906,6 @@ Used to manage access while attaching BPF programs to tracepoints, perf profilin
 
 ---
 
-## class lockdown
-
-*deprecated*
-
-**integrity**
-
-**confidentiality**
-
----
-
 ## class io\_uring
 
 Used to control the ability to use special io\_uring features by the process. See also [the original kernel commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=740b03414b20e7f1879cd99aae27d8c401bbcbf9) for more details.

diff --git a/policy/flask/security_classes b/policy/flask/security_classes
@@ -201,8 +201,6 @@ class mctp_socket
 
 class perf_event
 
-class lockdown
-
 class io_uring
 
 class user_namespace