Rule downgrades are used to provide some confinement when a feature is only partially supported by the kernel.
Eg. On a kernel that doesn't support fine grained af_unix mediation but does support network mediation.
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), will be downgraded to network unix type=stream,
Which while more permissive still provides some mediation while allowing the appication to still function. However making the rule a deny rule result in tightening the profile.
Eg. deny unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
will be downgraded to deny network unix type=stream,
and that deny rule will take priority over any allow rule. Which means that if the profile also had unix allow rules they will get blocked by the downgraded deny rule, because deny rules have a higher priority, and the application will break. Even worse there is no way to add the functionality back to the profile without deleting the offending deny rule.
To fix this we drop deny rules that can't be downgraded in a way that won't break the application.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766 Signed-off-by: John Johansen email@example.com