From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] remove deprecated from 20190201
Date: Sat, 23 Jan 2021 00:10:54 +1100	[thread overview]
Message-ID: <YArO3ukOO0Laj5du@xev> (raw)

This patch removes every macro and interface that was deprecated in 20190201.

Some of them date back to 2016 or 2017.  I chose 20190201 as that is the one
that is in the previous release of Debian.  For any distribution I don't
think it makes sense to carry interfaces that were deprecated in version N
to version N+1.

One thing that particularly annoys me is when audit2allow -R gives deprecated
interfaces in its output.  Removing some of these should reduce the
incidence of that.

I believe this is worthy of merging.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/dphysswapfile.if
+++ refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if
@@ -2,26 +2,6 @@
 
 ########################################
 ## <summary>
-##	Dontaudit access to the swap file.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`dphysswapfile_dontaudit_read_swap',`
-	refpolicywarn(`$0($*) has been deprecated')
-
-	gen_require(`
-		type dphysswapfile_swap_t;
-	')
-
-	dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
-')
-
-########################################
-## <summary>
 ##	All of the rules required to
 ##	administrate an dphys-swapfile environment.
 ## </summary>
Index: refpolicy-2.20210120/policy/modules/admin/fakehwclock.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/fakehwclock.if
+++ refpolicy-2.20210120/policy/modules/admin/fakehwclock.if
@@ -2,55 +2,6 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run fake-hwclock.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`fakehwclock_domtrans',`
-	refpolicywarn(`$0($*) has been deprecated')
-
-	gen_require(`
-		type fakehwclock_t, fakehwclock_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, fakehwclock_exec_t, fakehwclock_t)
-')
-
-########################################
-## <summary>
-##	Execute fake-hwclock in the fake-hwclock domain,
-##	and allow the specified role
-##	the fake-hwclock domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-#
-interface(`fakehwclock_run',`
-	refpolicywarn(`$0($*) has been deprecated')
-
-	gen_require(`
-		attribute_role fakehwclock_roles;
-	')
-
-	fakehwclock_domtrans($1)
-	roleattribute $2 fakehwclock_roles;
-')
-
-########################################
-## <summary>
 ##	All the rules required to
 ##	administrate an fake-hwclock environment.
 ## </summary>
Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if
+++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if
@@ -238,22 +238,6 @@ interface(`corecmd_dontaudit_write_bin_f
 
 ########################################
 ## <summary>
-##	Read symbolic links in bin directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corecmd_read_bin_symlinks',`
-	refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
-
-	corecmd_search_bin($1)
-')
-
-########################################
-## <summary>
 ##	Read pipes in bin directories.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20210120/policy/modules/kernel/devices.if
@@ -3631,20 +3631,6 @@ interface(`dev_rw_pmqos',`
 
 ########################################
 ## <summary>
-##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
-## </summary>
-## <param name="domain" unused="true">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`dev_read_printk',`
-	refpolicywarn(`$0() has been deprecated.')
-')
-
-########################################
-## <summary>
 ##	Get the attributes of the QEMU
 ##	microcode and id interfaces.
 ## </summary>
Index: refpolicy-2.20210120/policy/modules/kernel/mls.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/mls.if
+++ refpolicy-2.20210120/policy/modules/kernel/mls.if
@@ -849,22 +849,6 @@ interface(`mls_fd_share_all_levels',`
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
-##	for translating contexts at all levels.  (Deprecated)
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`mls_context_translate_all_levels',`
-	refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-##	Make specified domain MLS trusted
 ##	for reading from databases at any level.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/services/vnstatd.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/vnstatd.if
+++ refpolicy-2.20210120/policy/modules/services/vnstatd.if
@@ -47,113 +47,6 @@ interface(`vnstatd_run_vnstat',`
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run vnstatd.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`vnstatd_domtrans',`
-	refpolicywarn(`$0($*) has been deprecated')
-
-	gen_require(`
-		type vnstatd_t, vnstatd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
-')
-
-########################################
-## <summary>
-##	Search vnstatd lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`vnstatd_search_lib',`
-	refpolicywarn(`$0($*) has been deprecated')
-
-	gen_require(`
-		type vnstatd_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	allow $1 vnstatd_var_lib_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	vnstatd lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`vnstatd_manage_lib_dirs',`
-	refpolicywarn(`$0($*) has been deprecated')
-
-	gen_require(`
-		type vnstatd_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Read vnstatd lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`vnstatd_read_lib_files',`
-	refpolicywarn(`$0($*) has been deprecated')
-
-	gen_require(`
-		type vnstatd_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	vnstatd lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`vnstatd_manage_lib_files',`
-	refpolicywarn(`$0($*) has been deprecated')
-
-	gen_require(`
-		type vnstatd_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
-')
-
-########################################
-## <summary>
 ##	All of the rules required to
 ##	administrate an vnstatd environment.
 ## </summary>
Index: refpolicy-2.20210120/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210120/policy/modules/services/xserver.if
@@ -866,21 +866,6 @@ interface(`xserver_setsched_xdm',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	xdm_spool files.
-## </summary>
-## <param name="domain" unused="true">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_manage_xdm_spool_files',`
-	refpolicywarn(`$0() has been deprecated.')
-')
-
-########################################
-## <summary>
 ##	Connect to XDM over a unix domain
 ##	stream socket.
 ## </summary>
Index: refpolicy-2.20210120/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/init.if
+++ refpolicy-2.20210120/policy/modules/system/init.if
@@ -3038,22 +3038,6 @@ interface(`init_relabel_utmp',`
 ##	</summary>
 ## </param>
 #
-interface(`init_pid_filetrans_utmp',`
-	refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans_utmp() instead.')
-	init_runtime_filetrans_utmp($1)
-')
-
-########################################
-## <summary>
-##	Create files in /var/run with the
-##	utmp file type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
 interface(`init_runtime_filetrans_utmp',`
 	gen_require(`
 		type initrc_runtime_t;
@@ -3072,21 +3056,6 @@ interface(`init_runtime_filetrans_utmp',
 ##	</summary>
 ## </param>
 #
-interface(`init_create_pid_dirs',`
-	refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_dirs() instead.')
-	init_create_runtime_dirs($1)
-')
-
-#######################################
-## <summary>
-##	Create a directory in the /run/systemd directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
 interface(`init_create_runtime_dirs',`
 	gen_require(`
 		type init_runtime_t;
@@ -3124,21 +3093,6 @@ interface(`init_read_runtime_files',`
 ##      </summary>
 ## </param>
 #
-interface(`init_rename_pid_files',`
-	refpolicywarn(`$0($*) has been deprecated, please use init_rename_runtime_files() instead.')
-	init_rename_runtime_files($1)
-')
-
-########################################
-## <summary>
-##      Rename init_runtime_t files
-## </summary>
-## <param name="domain">
-##      <summary>
-##      domain
-##      </summary>
-## </param>
-#
 interface(`init_rename_runtime_files',`
 	gen_require(`
 		type init_runtime_t;
@@ -3175,21 +3129,6 @@ interface(`init_setattr_runtime_files',`
 ##      </summary>
 ## </param>
 #
-interface(`init_delete_pid_files',`
-	refpolicywarn(`$0($*) has been deprecated, please use init_delete_runtime_files() instead.')
-	init_delete_runtime_files($1)
-')
-
-########################################
-## <summary>
-##      Delete init_runtime_t files
-## </summary>
-## <param name="domain">
-##      <summary>
-##      domain
-##      </summary>
-## </param>
-#
 interface(`init_delete_runtime_files',`
 	gen_require(`
 		type init_runtime_t;
@@ -3209,22 +3148,6 @@ interface(`init_delete_runtime_files',`
 ##  </summary>
 ## </param>
 #
-interface(`init_write_pid_socket',`
-	refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_socket() instead.')
-	init_write_runtime_socket($1)
-')
-
-#######################################
-## <summary>
-##  Allow the specified domain to write to
-##  init sock file.
-## </summary>
-## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
-## </param>
-#
 interface(`init_write_runtime_socket',`
 	gen_require(`
 		type init_runtime_t;
@@ -3234,21 +3157,6 @@ interface(`init_write_runtime_socket',`
 ')
 
 ########################################
-## <summary>
-##	Read init unnamed pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`init_read_pid_pipes',`
-	refpolicywarn(`$0($*) has been deprecated, please use init_read_runtime_pipes() instead.')
-	init_read_runtime_pipes($1)
-')
-
-########################################
 ## <summary>
 ##	Read init unnamed pipes.
 ## </summary>
Index: refpolicy-2.20210120/policy/modules/system/modutils.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/modutils.if
+++ refpolicy-2.20210120/policy/modules/system/modutils.if
@@ -207,190 +207,3 @@ interface(`modutils_exec',`
 	corecmd_search_bin($1)
 	can_exec($1, kmod_exec_t)
 ')
-
-########################################
-## <summary>
-##	Unconditionally execute insmod in the insmod domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-# cjp: this is added for pppd, due to nested
-# conditionals not working.
-interface(`modutils_domtrans_insmod_uncond',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
-	modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-##	Execute insmod in the insmod domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`modutils_domtrans_insmod',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
-	modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-##	Execute insmod in the insmod domain, and
-##	allow the specified role the insmod domain,
-##	and use the caller's terminal.  Has a sigchld
-##	backchannel.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_run_insmod',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
-	modutils_run($1, $2)
-')
-
-########################################
-## <summary>
-##	Execute insmod in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_exec_insmod',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
-	modutils_exec($1)
-')
-
-########################################
-## <summary>
-##	Execute depmod in the depmod domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`modutils_domtrans_depmod',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
-	modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-##	Execute depmod in the depmod domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_run_depmod',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
-	modutils_run($1, $2)
-')
-
-########################################
-## <summary>
-##	Execute depmod in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_exec_depmod',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
-	modutils_exec($1)
-')
-
-########################################
-## <summary>
-##	Execute update_modules in the update_modules domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`modutils_domtrans_update_mods',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
-	modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-##	Execute update_modules in the update_modules domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	Role allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_run_update_mods',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
-	modutils_run($1, $2)
-')
-
-########################################
-## <summary>
-##	Execute update_modules in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_exec_update_mods',`
-	refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
-	modutils_exec($1)
-')
-
-########################################
-## <summary>
-##	Read kmod lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`modutils_read_var_run_files',`
-	refpolicywarn(`$0($*) has been deprecated.')
-')
Index: refpolicy-2.20210120/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210120/policy/modules/system/systemd.if
@@ -376,21 +376,6 @@ interface(`systemd_dbus_chat_logind',`
 
 ########################################
 ## <summary>
-##   Allow process to write to systemd_kmod_conf_t.
-## </summary>
-## <param name="domain">
-##   <summary>
-##     Domain allowed access.
-##   </summary>
-## </param>
-## <rolecap/>
-#
-interface(`systemd_write_kmod_files',`
-	refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
 ##	Get the system status information from systemd_login
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210120/policy/support/file_patterns.spt
===================================================================
--- refpolicy-2.20210120.orig/policy/support/file_patterns.spt
+++ refpolicy-2.20210120/policy/support/file_patterns.spt
@@ -104,13 +104,6 @@ define(`mmap_read_files_pattern',`
 	allow $1 $3:file mmap_read_file_perms;
 ')
 
-define(`mmap_files_pattern',`
-	# deprecated 20171213
-	refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
-	allow $1 $2:dir search_dir_perms;
-	allow $1 $3:file mmap_exec_file_perms;
-')
-
 define(`mmap_exec_files_pattern',`
 	allow $1 $2:dir search_dir_perms;
 	allow $1 $3:file mmap_exec_file_perms;
Index: refpolicy-2.20210120/policy/support/misc_patterns.spt
===================================================================
--- refpolicy-2.20210120.orig/policy/support/misc_patterns.spt
+++ refpolicy-2.20210120/policy/support/misc_patterns.spt
@@ -12,12 +12,6 @@ define(`domain_transition_pattern',`
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
 
-# compatibility: Deprecated (20161201)
-define(`domain_trans',`
-	refpolicywarn(`$0() has been deprecated, please use domain_transition_pattern() instead.')
-	domain_transition_pattern($*)
-')
-
 
 #
 # Specified domain transition patterns
@@ -49,12 +43,6 @@ define(`domain_auto_transition_pattern',
 	type_transition $1 $2:process $3;
 ')
 
-# compatibility: Deprecated (20161201)
-define(`domain_auto_trans',`
-	refpolicywarn(`$0() has been deprecated, please use domain_auto_transition_pattern() instead.')
-	domain_auto_transition_pattern($*)
-')
-
 #
 # Automatic domain transition patterns
 # with feedback permissions
Index: refpolicy-2.20210120/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy-2.20210120.orig/policy/support/obj_perm_sets.spt
+++ refpolicy-2.20210120/policy/support/obj_perm_sets.spt
@@ -150,11 +150,6 @@ define(`getattr_file_perms',`{ getattr }
 define(`setattr_file_perms',`{ setattr }')
 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
 define(`read_file_perms',`{ getattr open read lock ioctl }')
-# deprecated 20171213
-define(`mmap_file_perms',`
-	{ getattr open map read execute ioctl }
-	refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')
-')
 define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
 define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
