bottlerocket-os · bcressey · Jun 22, 2020 · Jun 10, 2020 · Jun 10, 2020
diff --git a/SECURITY_FEATURES.md b/SECURITY_FEATURES.md
@@ -137,7 +137,5 @@ The policy in Bottlerocket has the following objectives:
 2) Block most components from modifying the container archives saved on disk.
 3) Stop containers from directly modifying the layers for other running containers.
 
-The policy is currently **incomplete**.
-Notably, all domains are marked as "permissive", which means that actions denied by the policy will be logged but not blocked.
-This is a temporary measure to allow us to evaluate compatibility with common use cases.
-Additional work is tracked in #764.
+The policy is currently aimed at hardening the OS against persistent threats.
+Future enhancements to the policy will focus on mitigating the impact of OS vulnerabilities, and protecting containers from other containers.
diff --git a/packages/selinux-policy/rules.cil b/packages/selinux-policy/rules.cil
@@ -147,13 +147,3 @@
 
 ; Untrusted processes cannot use systems-level management functions.
 (neverallow untrusted_s global (systems (manage)))
-
-; TODO: remove once we're confident that we aren't generating AVC
-; denials for the majority of workloads.
-(typepermissive kernel_t)
-(typepermissive init_t)
-(typepermissive system_t)
-(typepermissive api_t)
-(typepermissive runtime_t)
-(typepermissive container_t)
-(typepermissive super_t)