[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

[Jason Zaman]

commit:     35fcdde6d201c06c42444034c65138a47be00563
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Nov  3 15:56:13 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 16 00:22:34 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35fcdde6

Revert "kernel: remove some unused initial SID contexts"

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/kernel.te | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index a92f6a467..ba3a133aa 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -215,12 +215,23 @@ sid file gen_context(system_u:object_r:unlabeled_t,s0)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 neverallow * unlabeled_t:file entrypoint;
 
-# Default socket label if no kernel sock is available
+# These initial sids are no longer used, and can be removed:
 sid any_socket         
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-
-# Label for userspace tasks surviving from early boot if
-# userspace_initial_context policycap is defined.
+sid file_labels                gen_context(system_u:object_r:unlabeled_t,s0)
+sid icmp_socket                
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid igmp_packet                
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid init               gen_context(system_u:object_r:unlabeled_t,s0)
+sid kmod               
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid policy             
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid scmp_packet                
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+sid sysctl_modprobe    gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_fs          gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_kernel      gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net         gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net_unix    gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_vm          gen_context(system_u:object_r:unlabeled_t,s0)
+sid sysctl_dev         gen_context(system_u:object_r:unlabeled_t,s0)
+sid tcp_socket         
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 
 ########################################
 #