diff mbox series

notebook: make use of "allowlist" instead of "whitelist"

Message ID 20221216172528.146970-1-paul@paul-moore.com (mailing list archive)
State Accepted
Delegated to: Paul Moore
Headers show
Series notebook: make use of "allowlist" instead of "whitelist" | expand

Commit Message

Paul Moore Dec. 16, 2022, 5:25 p.m. UTC
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 src/types_of_policy.md | 2 +-
 src/xperm_rules.md     | 9 ++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)
diff mbox series

Patch

diff --git a/src/types_of_policy.md b/src/types_of_policy.md
index 8172947..b224460 100644
--- a/src/types_of_policy.md
+++ b/src/types_of_policy.md
@@ -348,7 +348,7 @@  Requires kernel 3.14 minimum.
 
 For the *selinux* target platform adds new *xperm* rules as explained in the
 [**Extended Access Vector Rules**](xperm_rules.md#extended-access-vector-rules)
-section. This is to support 'ioctl whitelisting' as explained in the
+section. This is to support ioctl allowlists as explained in the
 [***ioctl* Operation Rules**](xperm_rules.md#ioctl-operation-rules) section.
 Requires kernel 4.3 minimum.
 For modular policy support requires libsepol 2.7 minimum.
diff --git a/src/xperm_rules.md b/src/xperm_rules.md
index ea5d335..a74af9f 100644
--- a/src/xperm_rules.md
+++ b/src/xperm_rules.md
@@ -9,7 +9,7 @@  a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
 
 The rules for extended permissions are subject to the 'operation' they
 perform with Policy version 30 and kernels from 4.3 supporting ioctl
-whitelisting (if required to be declared in modular policy, then
+allowlists (if required to be declared in modular policy, then
 libsepol 2.7 minimum is required).
 
 **The common format for Extended Access Vector Rules are:**
@@ -74,7 +74,7 @@  Conditional Policy Statements
 
 ### *ioctl* Operation Rules
 
-Use cases and implementation details for ioctl command whitelisting are
+Use cases and implementation details for ioctl command allowlists are
 described in detail at
 <http://marc.info/?l=selinux&m=143336061925628&w=2>, with the final
 policy format changes shown in the example below with a brief overview
@@ -118,9 +118,8 @@  tclass=udp_socket permissive=0
 
 Notes:
 
-1. Important: The ioctl operation is not 'deny all' ioctl requests
-   (hence whitelisting). It is targeted at the specific
-   source/target/class set of ioctl commands. As no other *allowxperm*
+1. Important: The ioctl operation is not 'deny all', it is targeted at the
+   specific source/target/class set of ioctl commands. As no other *allowxperm*
    rules have been defined in the example, all other ioctl calls may
    continue to use any valid request parameters (provided there are
    *allow* rules for the *ioctl* permission).