This patch removes every macro and interface that was deprecated in 20190201.
Some of them date back to 2016 or 2017. I chose 20190201 as that is the one
that is in the previous release of Debian. For any distribution I don't
think it makes sense to carry interfaces that were deprecated in version N
to version N+1.
One thing that particularly annoys me is when audit2allow -R gives deprecated
interfaces in it's output. Removing some of these should reduce the
incidence of that.
I believe this is worthy of merging.
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
Index: refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/dphysswapfile.if
+++ refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if
@@ -2,26 +2,6 @@
########################################
## <summary>
-## Dontaudit access to the swap file.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`dphysswapfile_dontaudit_read_swap',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type dphysswapfile_swap_t;
- ')
-
- dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an dphys-swapfile environment.
## </summary>
Index: refpolicy-2.20210120/policy/modules/admin/fakehwclock.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/fakehwclock.if
+++ refpolicy-2.20210120/policy/modules/admin/fakehwclock.if
@@ -2,55 +2,6 @@
########################################
## <summary>
-## Execute a domain transition to run fake-hwclock.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`fakehwclock_domtrans',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type fakehwclock_t, fakehwclock_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, fakehwclock_exec_t, fakehwclock_t)
-')
-
-########################################
-## <summary>
-## Execute fake-hwclock in the fake-hwclock domain,
-## and allow the specified role
-## the fake-hwclock domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`fakehwclock_run',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- attribute_role fakehwclock_roles;
- ')
-
- fakehwclock_domtrans($1)
- roleattribute $2 fakehwclock_roles;
-')
-
-########################################
-## <summary>
## All the rules required to
## administrate an fake-hwclock environment.
## </summary>
Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if
+++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if
@@ -238,22 +238,6 @@ interface(`corecmd_dontaudit_write_bin_f
########################################
## <summary>
-## Read symbolic links in bin directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`corecmd_read_bin_symlinks',`
- refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
-
- corecmd_search_bin($1)
-')
-
-########################################
-## <summary>
## Read pipes in bin directories.
## </summary>
## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20210120/policy/modules/kernel/devices.if
@@ -3631,20 +3631,6 @@ interface(`dev_rw_pmqos',`
########################################
## <summary>
-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
-## </summary>
-## <param name="domain" unused="true">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dev_read_printk',`
- refpolicywarn(`$0() has been deprecated.')
-')
-
-########################################
-## <summary>
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
Index: refpolicy-2.20210120/policy/modules/kernel/mls.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/mls.if
+++ refpolicy-2.20210120/policy/modules/kernel/mls.if
@@ -849,22 +849,6 @@ interface(`mls_fd_share_all_levels',`
########################################
## <summary>
## Make specified domain MLS trusted
-## for translating contexts at all levels. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mls_context_translate_all_levels',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-## Make specified domain MLS trusted
## for reading from databases at any level.
## </summary>
## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/services/vnstatd.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/vnstatd.if
+++ refpolicy-2.20210120/policy/modules/services/vnstatd.if
@@ -47,113 +47,6 @@ interface(`vnstatd_run_vnstat',`
########################################
## <summary>
-## Execute a domain transition to run vnstatd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`vnstatd_domtrans',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_t, vnstatd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
-')
-
-########################################
-## <summary>
-## Search vnstatd lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`vnstatd_search_lib',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- allow $1 vnstatd_var_lib_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## vnstatd lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`vnstatd_manage_lib_dirs',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
-')
-
-########################################
-## <summary>
-## Read vnstatd lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`vnstatd_read_lib_files',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## vnstatd lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`vnstatd_manage_lib_files',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an vnstatd environment.
## </summary>
Index: refpolicy-2.20210120/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210120/policy/modules/services/xserver.if
@@ -866,21 +866,6 @@ interface(`xserver_setsched_xdm',`
########################################
## <summary>
-## Create, read, write, and delete
-## xdm_spool files.
-## </summary>
-## <param name="domain" unused="true">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xserver_manage_xdm_spool_files',`
- refpolicywarn(`$0() has been deprecated.')
-')
-
-########################################
-## <summary>
## Connect to XDM over a unix domain
## stream socket.
## </summary>
Index: refpolicy-2.20210120/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/init.if
+++ refpolicy-2.20210120/policy/modules/system/init.if
@@ -3038,22 +3038,6 @@ interface(`init_relabel_utmp',`
## </summary>
## </param>
#
-interface(`init_pid_filetrans_utmp',`
- refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans_utmp() instead.')
- init_runtime_filetrans_utmp($1)
-')
-
-########################################
-## <summary>
-## Create files in /var/run with the
-## utmp file type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`init_runtime_filetrans_utmp',`
gen_require(`
type initrc_runtime_t;
@@ -3072,21 +3056,6 @@ interface(`init_runtime_filetrans_utmp',
## </summary>
## </param>
#
-interface(`init_create_pid_dirs',`
- refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_dirs() instead.')
- init_create_runtime_dirs($1)
-')
-
-#######################################
-## <summary>
-## Create a directory in the /run/systemd directory.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`init_create_runtime_dirs',`
gen_require(`
type init_runtime_t;
@@ -3124,21 +3093,6 @@ interface(`init_read_runtime_files',`
## </summary>
## </param>
#
-interface(`init_rename_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use init_rename_runtime_files() instead.')
- init_rename_runtime_files($1)
-')
-
-########################################
-## <summary>
-## Rename init_runtime_t files
-## </summary>
-## <param name="domain">
-## <summary>
-## domain
-## </summary>
-## </param>
-#
interface(`init_rename_runtime_files',`
gen_require(`
type init_runtime_t;
@@ -3175,21 +3129,6 @@ interface(`init_setattr_runtime_files',`
## </summary>
## </param>
#
-interface(`init_delete_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use init_delete_runtime_files() instead.')
- init_delete_runtime_files($1)
-')
-
-########################################
-## <summary>
-## Delete init_runtime_t files
-## </summary>
-## <param name="domain">
-## <summary>
-## domain
-## </summary>
-## </param>
-#
interface(`init_delete_runtime_files',`
gen_require(`
type init_runtime_t;
@@ -3209,22 +3148,6 @@ interface(`init_delete_runtime_files',`
## </summary>
## </param>
#
-interface(`init_write_pid_socket',`
- refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_socket() instead.')
- init_write_runtime_socket($1)
-')
-
-#######################################
-## <summary>
-## Allow the specified domain to write to
-## init sock file.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`init_write_runtime_socket',`
gen_require(`
type init_runtime_t;
@@ -3234,21 +3157,6 @@ interface(`init_write_runtime_socket',`
')
########################################
-## <summary>
-## Read init unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`init_read_pid_pipes',`
- refpolicywarn(`$0($*) has been deprecated, please use init_read_runtime_pipes() instead.')
- init_read_runtime_pipes($1)
-')
-
-########################################
## <summary>
## Read init unnamed pipes.
## </summary>
Index: refpolicy-2.20210120/policy/modules/system/modutils.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/modutils.if
+++ refpolicy-2.20210120/policy/modules/system/modutils.if
@@ -207,190 +207,3 @@ interface(`modutils_exec',`
corecmd_search_bin($1)
can_exec($1, kmod_exec_t)
')
-
-########################################
-## <summary>
-## Unconditionally execute insmod in the insmod domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-# cjp: this is added for pppd, due to nested
-# conditionals not working.
-interface(`modutils_domtrans_insmod_uncond',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
- modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-## Execute insmod in the insmod domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`modutils_domtrans_insmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
- modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-## Execute insmod in the insmod domain, and
-## allow the specified role the insmod domain,
-## and use the caller's terminal. Has a sigchld
-## backchannel.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_run_insmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
- modutils_run($1, $2)
-')
-
-########################################
-## <summary>
-## Execute insmod in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`modutils_exec_insmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
- modutils_exec($1)
-')
-
-########################################
-## <summary>
-## Execute depmod in the depmod domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`modutils_domtrans_depmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
- modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-## Execute depmod in the depmod domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_run_depmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
- modutils_run($1, $2)
-')
-
-########################################
-## <summary>
-## Execute depmod in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`modutils_exec_depmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
- modutils_exec($1)
-')
-
-########################################
-## <summary>
-## Execute update_modules in the update_modules domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`modutils_domtrans_update_mods',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
- modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-## Execute update_modules in the update_modules domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_run_update_mods',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
- modutils_run($1, $2)
-')
-
-########################################
-## <summary>
-## Execute update_modules in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`modutils_exec_update_mods',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
- modutils_exec($1)
-')
-
-########################################
-## <summary>
-## Read kmod lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`modutils_read_var_run_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
Index: refpolicy-2.20210120/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210120/policy/modules/system/systemd.if
@@ -376,21 +376,6 @@ interface(`systemd_dbus_chat_logind',`
########################################
## <summary>
-## Allow process to write to systemd_kmod_conf_t.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`systemd_write_kmod_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Get the system status information from systemd_login
## </summary>
## <param name="domain">
Index: refpolicy-2.20210120/policy/support/file_patterns.spt
===================================================================
--- refpolicy-2.20210120.orig/policy/support/file_patterns.spt
+++ refpolicy-2.20210120/policy/support/file_patterns.spt
@@ -104,13 +104,6 @@ define(`mmap_read_files_pattern',`
allow $1 $3:file mmap_read_file_perms;
')
-define(`mmap_files_pattern',`
- # deprecated 20171213
- refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
- allow $1 $2:dir search_dir_perms;
- allow $1 $3:file mmap_exec_file_perms;
-')
-
define(`mmap_exec_files_pattern',`
allow $1 $2:dir search_dir_perms;
allow $1 $3:file mmap_exec_file_perms;
Index: refpolicy-2.20210120/policy/support/misc_patterns.spt
===================================================================
--- refpolicy-2.20210120.orig/policy/support/misc_patterns.spt
+++ refpolicy-2.20210120/policy/support/misc_patterns.spt
@@ -12,12 +12,6 @@ define(`domain_transition_pattern',`
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
')
-# compatibility: Deprecated (20161201)
-define(`domain_trans',`
- refpolicywarn(`$0() has been deprecated, please use domain_transition_pattern() instead.')
- domain_transition_pattern($*)
-')
-
#
# Specified domain transition patterns
@@ -49,12 +43,6 @@ define(`domain_auto_transition_pattern',
type_transition $1 $2:process $3;
')
-# compatibility: Deprecated (20161201)
-define(`domain_auto_trans',`
- refpolicywarn(`$0() has been deprecated, please use domain_auto_transition_pattern() instead.')
- domain_auto_transition_pattern($*)
-')
-
#
# Automatic domain transition patterns
# with feedback permissions
Index: refpolicy-2.20210120/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy-2.20210120.orig/policy/support/obj_perm_sets.spt
+++ refpolicy-2.20210120/policy/support/obj_perm_sets.spt
@@ -150,11 +150,6 @@ define(`getattr_file_perms',`{ getattr }
define(`setattr_file_perms',`{ setattr }')
define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
define(`read_file_perms',`{ getattr open read lock ioctl }')
-# deprecated 20171213
-define(`mmap_file_perms',`
- { getattr open map read execute ioctl }
- refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')
-')
define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
