Commit 40f0fb8

notebook: make use of "allowlist" instead of "whitelist"
Signed-off-by: Paul Moore <[email protected]>
1 parent 1ed0ec1 commit 40f0fb8

2 files changed

+5
-6
lines changed

src/types_of_policy.md

Lines changed: 1 addition & 1 deletion
@@ -348,7 +348,7 @@ Requires kernel 3.14 minimum.
348348

349349
For the *selinux* target platform adds new *xperm* rules as explained in the
350350
[**Extended Access Vector Rules**](xperm_rules.md#extended-access-vector-rules)
351-
section. This is to support 'ioctl whitelisting' as explained in the
351+
section. This is to support ioctl allowlists as explained in the
352352
[***ioctl* Operation Rules**](xperm_rules.md#ioctl-operation-rules) section.
353353
Requires kernel 4.3 minimum.
354354
For modular policy support requires libsepol 2.7 minimum.
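
Review bot: On new line 351, "ioctl" is plain text while the link on the following line writes it as *ioctl*; italicise it here as well ("to support *ioctl* allowlists") so the term matches the section title it points at.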

src/xperm_rules.md

Lines changed: 4 additions & 5 deletions
@@ -9,7 +9,7 @@ a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
99

1010
The rules for extended permissions are subject to the 'operation' they
1111
perform with Policy version 30 and kernels from 4.3 supporting ioctl
12-
whitelisting (if required to be declared in modular policy, then
12+
allowlists (if required to be declared in modular policy, then
1313
libsepol 2.7 minimum is required).
1414

1515
**The common format for Extended Access Vector Rules are:**
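
Review bot: Terminology is inconsistent across this change: new line 12 says "ioctl allowlists" while the *ioctl* Operation Rules paragraph later in this file says "ioctl command allowlists". Pick one form and use it in both places and in src/types_of_policy.md so readers can search on a single term.
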
@@ -74,7 +74,7 @@ Conditional Policy Statements
7474

7575
### *ioctl* Operation Rules
7676

77-
Use cases and implementation details for ioctl command whitelisting are
77+
Use cases and implementation details for ioctl command allowlists are
7878
described in detail at
7979
<http://marc.info/?l=selinux&m=143336061925628&w=2>, with the final
8080
policy format changes shown in the example below with a brief overview
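
Review bot: The reference on line 79 is still a plain http:// URL; since this paragraph is being touched, switch it to https:// if the archive serves it. Also, "implementation details ... are described in detail" on lines 77-78 repeats itself; "are described at" would do.
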
@@ -118,9 +118,8 @@ tclass=udp_socket permissive=0
118118

119119
Notes:
120120

121-
1. Important: The ioctl operation is not 'deny all' ioctl requests
122-
(hence whitelisting). It is targeted at the specific
123-
source/target/class set of ioctl commands. As no other *allowxperm*
121+
1. Important: The ioctl operation is not 'deny all', it is targeted at the
122+
specific source/target/class set of ioctl commands. As no other *allowxperm*
124123
rules have been defined in the example, all other ioctl calls may
125124
continue to use any valid request parameters (provided there are
126125
*allow* rules for the *ioctl* permission).
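
Review bot: New line 121 joins two sentences with a comma ("is not 'deny all', it is targeted at ..."); use a semicolon or split it into two sentences as the removed text did. Dropping "(hence whitelisting)" also removes the only hint in this note of why the rule behaves as a list for the targeted source/target/class, so consider saying explicitly what happens to ioctl commands for that set that no *allowxperm* rule lists.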
