Date: Sat, 23 Jan 2021 00:10:54 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] remove deprecated from 20190201

This patch removes every macro and interface that was deprecated in 20190201. Some of them date back to 2016 or 2017. I chose 20190201 as that is the one that is in the previous release of Debian. For any distribution I don't think it makes sense to carry interfaces that were deprecated in version N to version N+1.

One thing that particularly annoys me is when audit2allow -R gives deprecated interfaces in its output. Removing some of these should reduce the incidence of that.

I believe this is worthy of merging.

Signed-off-by: Russell Coker

Index: refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/admin/dphysswapfile.if +++ refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if @@ -2,26 +2,6 @@ ######################################## ## -## Dontaudit access to the swap file. -## -## -## -## Domain to not audit. -## -## -# -interface(`dphysswapfile_dontaudit_read_swap',` - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type dphysswapfile_swap_t; - ') - - dontaudit $1 dphysswapfile_swap_t:file read_file_perms; -') - -######################################## -## ## All of the rules required to ## administrate an dphys-swapfile environment. ## Index: refpolicy-2.20210120/policy/modules/admin/fakehwclock.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/admin/fakehwclock.if +++ refpolicy-2.20210120/policy/modules/admin/fakehwclock.if 
@@ -2,55 +2,6 @@ ######################################## ## -## Execute a domain transition to run fake-hwclock. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`fakehwclock_domtrans',` - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type fakehwclock_t, fakehwclock_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fakehwclock_exec_t, fakehwclock_t) -') - -######################################## -## -## Execute fake-hwclock in the fake-hwclock domain, -## and allow the specified role -## the fake-hwclock domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# -interface(`fakehwclock_run',` - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - attribute_role fakehwclock_roles; - ') - - fakehwclock_domtrans($1) - roleattribute $2 fakehwclock_roles; -') - -######################################## -## ## All the rules required to ## administrate an fake-hwclock environment. ## Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if @@ -238,22 +238,6 @@ interface(`corecmd_dontaudit_write_bin_f ######################################## ## -## Read symbolic links in bin directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`corecmd_read_bin_symlinks',` - refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.') - - corecmd_search_bin($1) -') - -######################################## -## ## Read pipes in bin directories. ## ## Index: refpolicy-2.20210120/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20210120/policy/modules/kernel/devices.if 
@@ -3631,20 +3631,6 @@ interface(`dev_rw_pmqos',` ######################################## ## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) -## -## -## -## Domain allowed access. -## -## -# -interface(`dev_read_printk',` - refpolicywarn(`$0() has been deprecated.') -') - -######################################## -## ## Get the attributes of the QEMU ## microcode and id interfaces. ## Index: refpolicy-2.20210120/policy/modules/kernel/mls.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/mls.if +++ refpolicy-2.20210120/policy/modules/kernel/mls.if @@ -849,22 +849,6 @@ interface(`mls_fd_share_all_levels',` ######################################## ## ## Make specified domain MLS trusted -## for translating contexts at all levels. (Deprecated) -## -## -## -## Domain allowed access. -## -## -## -# -interface(`mls_context_translate_all_levels',` - refpolicywarn(`$0($*) has been deprecated') -') - -######################################## -## -## Make specified domain MLS trusted ## for reading from databases at any level. ## ## Index: refpolicy-2.20210120/policy/modules/services/vnstatd.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/services/vnstatd.if +++ refpolicy-2.20210120/policy/modules/services/vnstatd.if 
@@ -47,113 +47,6 @@ interface(`vnstatd_run_vnstat',` ######################################## ## -## Execute a domain transition to run vnstatd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`vnstatd_domtrans',` - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_t, vnstatd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) -') - -######################################## -## -## Search vnstatd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_search_lib',` - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 vnstatd_var_lib_t:dir search_dir_perms; -') - -######################################## -## -## Create, read, write, and delete -## vnstatd lib directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_manage_lib_dirs',` - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## -## Read vnstatd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`vnstatd_read_lib_files',` - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## vnstatd lib files. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`vnstatd_manage_lib_files',` - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) -') - -######################################## -## ## All of the rules required to ## administrate an vnstatd environment. ## Index: refpolicy-2.20210120/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/services/xserver.if +++ refpolicy-2.20210120/policy/modules/services/xserver.if @@ -866,21 +866,6 @@ interface(`xserver_setsched_xdm',` ######################################## ## -## Create, read, write, and delete -## xdm_spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_manage_xdm_spool_files',` - refpolicywarn(`$0() has been deprecated.') -') - -######################################## -## ## Connect to XDM over a unix domain ## stream socket. ## Index: refpolicy-2.20210120/policy/modules/system/init.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/init.if +++ refpolicy-2.20210120/policy/modules/system/init.if @@ -3038,22 +3038,6 @@ interface(`init_relabel_utmp',` ## ## # -interface(`init_pid_filetrans_utmp',` - refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans_utmp() instead.') - init_runtime_filetrans_utmp($1) -') - -######################################## -## -## Create files in /var/run with the -## utmp file type. -## -## -## -## Domain allowed access. -## -## -# interface(`init_runtime_filetrans_utmp',` gen_require(` type initrc_runtime_t; 
@@ -3072,21 +3056,6 @@ interface(`init_runtime_filetrans_utmp', ## ## # -interface(`init_create_pid_dirs',` - refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_dirs() instead.') - init_create_runtime_dirs($1) -') - -####################################### -## -## Create a directory in the /run/systemd directory. -## -## -## -## Domain allowed access. -## -## -# interface(`init_create_runtime_dirs',` gen_require(` type init_runtime_t; @@ -3124,21 +3093,6 @@ interface(`init_read_runtime_files',` ## ## # -interface(`init_rename_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use init_rename_runtime_files() instead.') - init_rename_runtime_files($1) -') - -######################################## -## -## Rename init_runtime_t files -## -## -## -## domain -## -## -# interface(`init_rename_runtime_files',` gen_require(` type init_runtime_t; @@ -3175,21 +3129,6 @@ interface(`init_setattr_runtime_files',` ## ## # -interface(`init_delete_pid_files',` - refpolicywarn(`$0($*) has been deprecated, please use init_delete_runtime_files() instead.') - init_delete_runtime_files($1) -') - -######################################## -## -## Delete init_runtime_t files -## -## -## -## domain -## -## -# interface(`init_delete_runtime_files',` gen_require(` type init_runtime_t; @@ -3209,22 +3148,6 @@ interface(`init_delete_runtime_files',` ## ## # -interface(`init_write_pid_socket',` - refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_socket() instead.') - init_write_runtime_socket($1) -') - -####################################### -## -## Allow the specified domain to write to -## init sock file. -## -## -## -## Domain allowed access. -## -## -# interface(`init_write_runtime_socket',` gen_require(` type init_runtime_t; 
@@ -3234,21 +3157,6 @@ interface(`init_write_runtime_socket',` ') ######################################## -## -## Read init unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# -interface(`init_read_pid_pipes',` - refpolicywarn(`$0($*) has been deprecated, please use init_read_runtime_pipes() instead.') - init_read_runtime_pipes($1) -') - -######################################## ## ## Read init unnamed pipes. ## Index: refpolicy-2.20210120/policy/modules/system/modutils.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/modutils.if +++ refpolicy-2.20210120/policy/modules/system/modutils.if 
@@ -207,190 +207,3 @@ interface(`modutils_exec',` corecmd_search_bin($1) can_exec($1, kmod_exec_t) ') - -######################################## -## -## Unconditionally execute insmod in the insmod domain. -## -## -## -## Domain allowed to transition. -## -## -# -# cjp: this is added for pppd, due to nested -# conditionals not working. -interface(`modutils_domtrans_insmod_uncond',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.') - modutils_domtrans($1) -') - -######################################## -## -## Execute insmod in the insmod domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`modutils_domtrans_insmod',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.') - modutils_domtrans($1) -') - -######################################## -## -## Execute insmod in the insmod domain, and -## allow the specified role the insmod domain, -## and use the caller's terminal. Has a sigchld -## backchannel. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`modutils_run_insmod',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.') - modutils_run($1, $2) -') - -######################################## -## -## Execute insmod in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_exec_insmod',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.') - modutils_exec($1) -') - -######################################## -## -## Execute depmod in the depmod domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`modutils_domtrans_depmod',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.') - modutils_domtrans($1) -') - -######################################## -## -## Execute depmod in the depmod domain. -## -## -## -## Domain allowed to transition. 
-## -## -## -## -## Role allowed access. -## -## -## -# -interface(`modutils_run_depmod',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.') - modutils_run($1, $2) -') - -######################################## -## -## Execute depmod in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_exec_depmod',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.') - modutils_exec($1) -') - -######################################## -## -## Execute update_modules in the update_modules domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`modutils_domtrans_update_mods',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.') - modutils_domtrans($1) -') - -######################################## -## -## Execute update_modules in the update_modules domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`modutils_run_update_mods',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.') - modutils_run($1, $2) -') - -######################################## -## -## Execute update_modules in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_exec_update_mods',` - refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.') - modutils_exec($1) -') - -######################################## -## -## Read kmod lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`modutils_read_var_run_files',` - refpolicywarn(`$0($*) has been deprecated.') -') Index: refpolicy-2.20210120/policy/modules/system/systemd.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/systemd.if +++ refpolicy-2.20210120/policy/modules/system/systemd.if 
@@ -376,21 +376,6 @@ interface(`systemd_dbus_chat_logind',` ######################################## ## -## Allow process to write to systemd_kmod_conf_t. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`systemd_write_kmod_files',` - refpolicywarn(`$0($*) has been deprecated.') -') - -######################################## -## ## Get the system status information from systemd_login ## ## Index: refpolicy-2.20210120/policy/support/file_patterns.spt =================================================================== --- refpolicy-2.20210120.orig/policy/support/file_patterns.spt +++ refpolicy-2.20210120/policy/support/file_patterns.spt @@ -104,13 +104,6 @@ define(`mmap_read_files_pattern',` allow $1 $3:file mmap_read_file_perms; ') -define(`mmap_files_pattern',` - # deprecated 20171213 - refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead') - allow $1 $2:dir search_dir_perms; - allow $1 $3:file mmap_exec_file_perms; -') - define(`mmap_exec_files_pattern',` allow $1 $2:dir search_dir_perms; allow $1 $3:file mmap_exec_file_perms; Index: refpolicy-2.20210120/policy/support/misc_patterns.spt =================================================================== --- refpolicy-2.20210120.orig/policy/support/misc_patterns.spt +++ refpolicy-2.20210120/policy/support/misc_patterns.spt @@ -12,12 +12,6 @@ define(`domain_transition_pattern',` dontaudit $1 $3:process { noatsecure siginh rlimitinh }; ') -# compatibility: Deprecated (20161201) -define(`domain_trans',` - refpolicywarn(`$0() has been deprecated, please use domain_transition_pattern() instead.') - domain_transition_pattern($*) -') - # # Specified domain transition patterns 
@@ -49,12 +43,6 @@ define(`domain_auto_transition_pattern', type_transition $1 $2:process $3; ') -# compatibility: Deprecated (20161201) -define(`domain_auto_trans',` - refpolicywarn(`$0() has been deprecated, please use domain_auto_transition_pattern() instead.') - domain_auto_transition_pattern($*) -') - # # Automatic domain transition patterns # with feedback permissions Index: refpolicy-2.20210120/policy/support/obj_perm_sets.spt =================================================================== --- refpolicy-2.20210120.orig/policy/support/obj_perm_sets.spt +++ refpolicy-2.20210120/policy/support/obj_perm_sets.spt @@ -150,11 +150,6 @@ define(`getattr_file_perms',`{ getattr } define(`setattr_file_perms',`{ setattr }') define(`read_inherited_file_perms',`{ getattr read lock ioctl }') define(`read_file_perms',`{ getattr open read lock ioctl }') -# deprecated 20171213 -define(`mmap_file_perms',` - { getattr open map read execute ioctl } - refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead') -') define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }') define(`mmap_read_file_perms',`{ getattr open map read ioctl }') define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
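Review bot: In the init.if hunks at -3038, -3072, -3124, -3175 and -3209 the removed lines are the deprecated _pid_ interface together with the comment block that documented the surviving _runtime_ interface, so each surviving interface is now documented by the comment that used to sit above the alias, and that comment is outside the visible context. Please confirm the inherited summaries still describe the runtime interfaces (the removed ones read "Create files in /var/run with the utmp file type.", "Create a directory in the /run/systemd directory." and "Rename init_runtime_t files"), or regenerate the hunks so that each deprecated interface is removed together with its own comment block. The -3234 hunk shows the two summaries were identical there ("Read init unnamed pipes."), but the others cannot be checked from the diff.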
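Review bot: Missing check for remaining callers, most visibly for the modutils.if hunk at -207, which drops ten forwarding wrappers around modutils_domtrans(), modutils_run() and modutils_exec(): every file touched by this patch is a .if or .spt file, so nothing here shows that the .te files were searched for calls to the removed names. Please state in the commit message that the tree was grepped for each removed interface and macro and that the policy still builds, since a call that used to produce only a refpolicywarn will no longer expand at all.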
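Review bot: Missing documentation for the interfaces whose body was only a refpolicywarn: dev_read_printk (devices.if -3631), mls_context_translate_all_levels (mls.if -849), xserver_manage_xdm_spool_files (xserver.if -866), modutils_read_var_run_files (modutils.if -207) and systemd_write_kmod_files (systemd.if -376). Their warnings named no replacement, and removing them changes no rules, so the correct fix for an out-of-tree caller is to delete the call. Listing these five names in the commit message or changelog would save third-party policy maintainers from hunting for a successor that does not exist.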
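Review bot: The interfaces removed from dphysswapfile.if (-2), fakehwclock.if (-2) and vnstatd.if (-47) carried real rules and their warning, "$0($*) has been deprecated", pointed to no replacement, so callers get no migration path from this patch. In fakehwclock.if the removed fakehwclock_run was the interface doing "roleattribute $2 fakehwclock_roles;", so please check whether the fakehwclock_roles attribute_role still has any user after this change. For the vnstatd_*_lib_* interfaces, please say in the commit message what a caller needing vnstatd_var_lib_t access should use instead.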
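Review bot: Least-privilege point on the obj_perm_sets.spt hunk at -150 and the file_patterns.spt hunk at -104: the removed mmap_file_perms expanded to "{ getattr open map read execute ioctl }" and its warning steered every caller to mmap_exec_file_perms, which keeps execute. The context lines show mmap_read_file_perms as "{ getattr open map read ioctl }", so callers that only map files for reading should migrate to that set (and to mmap_read_files_pattern) rather than the exec variant. A sentence in the commit message saying so would stop the removal from turning into a mechanical rename that preserves an unneeded execute permission.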