2021-01-22 13:12:56

by Russell Coker

Subject: [PATCH] remove deprecated from 20190201

This patch removes every macro and interface that was deprecated in 20190201.

Some of them date back to 2016 or 2017. I chose 20190201 as that is the one
that is in the previous release of Debian. For any distribution I don't
think it makes sense to carry interfaces that were deprecated in version N
to version N+1.

One thing that particularly annoys me is when audit2allow -R gives deprecated
interfaces in its output. Removing some of these should reduce the
incidence of that.

I believe this is worthy of merging.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/dphysswapfile.if
+++ refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if
@@ -2,26 +2,6 @@

########################################
## <summary>
-## Dontaudit access to the swap file.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`dphysswapfile_dontaudit_read_swap',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type dphysswapfile_swap_t;
- ')
-
- dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an dphys-swapfile environment.
## </summary>
Index: refpolicy-2.20210120/policy/modules/admin/fakehwclock.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/fakehwclock.if
+++ refpolicy-2.20210120/policy/modules/admin/fakehwclock.if
@@ -2,55 +2,6 @@

########################################
## <summary>
-## Execute a domain transition to run fake-hwclock.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`fakehwclock_domtrans',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type fakehwclock_t, fakehwclock_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, fakehwclock_exec_t, fakehwclock_t)
-')
-
-########################################
-## <summary>
-## Execute fake-hwclock in the fake-hwclock domain,
-## and allow the specified role
-## the fake-hwclock domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`fakehwclock_run',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- attribute_role fakehwclock_roles;
- ')
-
- fakehwclock_domtrans($1)
- roleattribute $2 fakehwclock_roles;
-')
-
-########################################
-## <summary>
## All the rules required to
## administrate an fake-hwclock environment.
## </summary>
Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if
+++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if
@@ -238,22 +238,6 @@ interface(`corecmd_dontaudit_write_bin_f

########################################
## <summary>
-## Read symbolic links in bin directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`corecmd_read_bin_symlinks',`
- refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
-
- corecmd_search_bin($1)
-')
-
-########################################
-## <summary>
## Read pipes in bin directories.
## </summary>
## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20210120/policy/modules/kernel/devices.if
@@ -3631,20 +3631,6 @@ interface(`dev_rw_pmqos',`

########################################
## <summary>
-## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
-## </summary>
-## <param name="domain" unused="true">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`dev_read_printk',`
- refpolicywarn(`$0() has been deprecated.')
-')
-
-########################################
-## <summary>
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
Index: refpolicy-2.20210120/policy/modules/kernel/mls.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/mls.if
+++ refpolicy-2.20210120/policy/modules/kernel/mls.if
@@ -849,22 +849,6 @@ interface(`mls_fd_share_all_levels',`
########################################
## <summary>
## Make specified domain MLS trusted
-## for translating contexts at all levels. (Deprecated)
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`mls_context_translate_all_levels',`
- refpolicywarn(`$0($*) has been deprecated')
-')
-
-########################################
-## <summary>
-## Make specified domain MLS trusted
## for reading from databases at any level.
## </summary>
## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/services/vnstatd.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/vnstatd.if
+++ refpolicy-2.20210120/policy/modules/services/vnstatd.if
@@ -47,113 +47,6 @@ interface(`vnstatd_run_vnstat',`

########################################
## <summary>
-## Execute a domain transition to run vnstatd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`vnstatd_domtrans',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_t, vnstatd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
-')
-
-########################################
-## <summary>
-## Search vnstatd lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`vnstatd_search_lib',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- allow $1 vnstatd_var_lib_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## vnstatd lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`vnstatd_manage_lib_dirs',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
-')
-
-########################################
-## <summary>
-## Read vnstatd lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`vnstatd_read_lib_files',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## vnstatd lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`vnstatd_manage_lib_files',`
- refpolicywarn(`$0($*) has been deprecated')
-
- gen_require(`
- type vnstatd_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
-')
-
-########################################
-## <summary>
## All of the rules required to
## administrate an vnstatd environment.
## </summary>
Index: refpolicy-2.20210120/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210120/policy/modules/services/xserver.if
@@ -866,21 +866,6 @@ interface(`xserver_setsched_xdm',`

########################################
## <summary>
-## Create, read, write, and delete
-## xdm_spool files.
-## </summary>
-## <param name="domain" unused="true">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xserver_manage_xdm_spool_files',`
- refpolicywarn(`$0() has been deprecated.')
-')
-
-########################################
-## <summary>
## Connect to XDM over a unix domain
## stream socket.
## </summary>
Index: refpolicy-2.20210120/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/init.if
+++ refpolicy-2.20210120/policy/modules/system/init.if
@@ -3038,22 +3038,6 @@ interface(`init_relabel_utmp',`
## </summary>
## </param>
#
-interface(`init_pid_filetrans_utmp',`
- refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans_utmp() instead.')
- init_runtime_filetrans_utmp($1)
-')
-
-########################################
-## <summary>
-## Create files in /var/run with the
-## utmp file type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`init_runtime_filetrans_utmp',`
gen_require(`
type initrc_runtime_t;
@@ -3072,21 +3056,6 @@ interface(`init_runtime_filetrans_utmp',
## </summary>
## </param>
#
-interface(`init_create_pid_dirs',`
- refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_dirs() instead.')
- init_create_runtime_dirs($1)
-')
-
-#######################################
-## <summary>
-## Create a directory in the /run/systemd directory.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`init_create_runtime_dirs',`
gen_require(`
type init_runtime_t;
@@ -3124,21 +3093,6 @@ interface(`init_read_runtime_files',`
## </summary>
## </param>
#
-interface(`init_rename_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use init_rename_runtime_files() instead.')
- init_rename_runtime_files($1)
-')
-
-########################################
-## <summary>
-## Rename init_runtime_t files
-## </summary>
-## <param name="domain">
-## <summary>
-## domain
-## </summary>
-## </param>
-#
interface(`init_rename_runtime_files',`
gen_require(`
type init_runtime_t;
@@ -3175,21 +3129,6 @@ interface(`init_setattr_runtime_files',`
## </summary>
## </param>
#
-interface(`init_delete_pid_files',`
- refpolicywarn(`$0($*) has been deprecated, please use init_delete_runtime_files() instead.')
- init_delete_runtime_files($1)
-')
-
-########################################
-## <summary>
-## Delete init_runtime_t files
-## </summary>
-## <param name="domain">
-## <summary>
-## domain
-## </summary>
-## </param>
-#
interface(`init_delete_runtime_files',`
gen_require(`
type init_runtime_t;
@@ -3209,22 +3148,6 @@ interface(`init_delete_runtime_files',`
## </summary>
## </param>
#
-interface(`init_write_pid_socket',`
- refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_socket() instead.')
- init_write_runtime_socket($1)
-')
-
-#######################################
-## <summary>
-## Allow the specified domain to write to
-## init sock file.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`init_write_runtime_socket',`
gen_require(`
type init_runtime_t;
@@ -3234,21 +3157,6 @@ interface(`init_write_runtime_socket',`
')

########################################
-## <summary>
-## Read init unnamed pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`init_read_pid_pipes',`
- refpolicywarn(`$0($*) has been deprecated, please use init_read_runtime_pipes() instead.')
- init_read_runtime_pipes($1)
-')
-
-########################################
## <summary>
## Read init unnamed pipes.
## </summary>
Index: refpolicy-2.20210120/policy/modules/system/modutils.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/modutils.if
+++ refpolicy-2.20210120/policy/modules/system/modutils.if
@@ -207,190 +207,3 @@ interface(`modutils_exec',`
corecmd_search_bin($1)
can_exec($1, kmod_exec_t)
')
-
-########################################
-## <summary>
-## Unconditionally execute insmod in the insmod domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-# cjp: this is added for pppd, due to nested
-# conditionals not working.
-interface(`modutils_domtrans_insmod_uncond',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
- modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-## Execute insmod in the insmod domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`modutils_domtrans_insmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
- modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-## Execute insmod in the insmod domain, and
-## allow the specified role the insmod domain,
-## and use the caller's terminal. Has a sigchld
-## backchannel.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_run_insmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
- modutils_run($1, $2)
-')
-
-########################################
-## <summary>
-## Execute insmod in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`modutils_exec_insmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
- modutils_exec($1)
-')
-
-########################################
-## <summary>
-## Execute depmod in the depmod domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`modutils_domtrans_depmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
- modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-## Execute depmod in the depmod domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_run_depmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
- modutils_run($1, $2)
-')
-
-########################################
-## <summary>
-## Execute depmod in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`modutils_exec_depmod',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
- modutils_exec($1)
-')
-
-########################################
-## <summary>
-## Execute update_modules in the update_modules domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`modutils_domtrans_update_mods',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
- modutils_domtrans($1)
-')
-
-########################################
-## <summary>
-## Execute update_modules in the update_modules domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`modutils_run_update_mods',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
- modutils_run($1, $2)
-')
-
-########################################
-## <summary>
-## Execute update_modules in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`modutils_exec_update_mods',`
- refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
- modutils_exec($1)
-')
-
-########################################
-## <summary>
-## Read kmod lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`modutils_read_var_run_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
Index: refpolicy-2.20210120/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210120/policy/modules/system/systemd.if
@@ -376,21 +376,6 @@ interface(`systemd_dbus_chat_logind',`

########################################
## <summary>
-## Allow process to write to systemd_kmod_conf_t.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`systemd_write_kmod_files',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
-
-########################################
-## <summary>
## Get the system status information from systemd_login
## </summary>
## <param name="domain">
Index: refpolicy-2.20210120/policy/support/file_patterns.spt
===================================================================
--- refpolicy-2.20210120.orig/policy/support/file_patterns.spt
+++ refpolicy-2.20210120/policy/support/file_patterns.spt
@@ -104,13 +104,6 @@ define(`mmap_read_files_pattern',`
allow $1 $3:file mmap_read_file_perms;
')

-define(`mmap_files_pattern',`
- # deprecated 20171213
- refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
- allow $1 $2:dir search_dir_perms;
- allow $1 $3:file mmap_exec_file_perms;
-')
-
define(`mmap_exec_files_pattern',`
allow $1 $2:dir search_dir_perms;
allow $1 $3:file mmap_exec_file_perms;
Index: refpolicy-2.20210120/policy/support/misc_patterns.spt
===================================================================
--- refpolicy-2.20210120.orig/policy/support/misc_patterns.spt
+++ refpolicy-2.20210120/policy/support/misc_patterns.spt
@@ -12,12 +12,6 @@ define(`domain_transition_pattern',`
dontaudit $1 $3:process { noatsecure siginh rlimitinh };
')

-# compatibility: Deprecated (20161201)
-define(`domain_trans',`
- refpolicywarn(`$0() has been deprecated, please use domain_transition_pattern() instead.')
- domain_transition_pattern($*)
-')
-

#
# Specified domain transition patterns
@@ -49,12 +43,6 @@ define(`domain_auto_transition_pattern',
type_transition $1 $2:process $3;
')

-# compatibility: Deprecated (20161201)
-define(`domain_auto_trans',`
- refpolicywarn(`$0() has been deprecated, please use domain_auto_transition_pattern() instead.')
- domain_auto_transition_pattern($*)
-')
-
#
# Automatic domain transition patterns
# with feedback permissions
Index: refpolicy-2.20210120/policy/support/obj_perm_sets.spt
===================================================================
--- refpolicy-2.20210120.orig/policy/support/obj_perm_sets.spt
+++ refpolicy-2.20210120/policy/support/obj_perm_sets.spt
@@ -150,11 +150,6 @@ define(`getattr_file_perms',`{ getattr }
define(`setattr_file_perms',`{ setattr }')
define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
define(`read_file_perms',`{ getattr open read lock ioctl }')
-# deprecated 20171213
-define(`mmap_file_perms',`
- { getattr open map read execute ioctl }
- refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')
-')
define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')


2021-01-26 19:39:17

by Chris PeBenito

Subject: Re: [PATCH] remove deprecated from 20190201

On 1/22/21 8:10 AM, Russell Coker wrote:
> This patch removes every macro and interface that was deprecated in 20190201.
>
> Some of them date back to 2016 or 2017. I chose 20190201 as that is the one
> that is in the previous release of Debian. For any distribution I don't
> think it makes sense to carry interfaces that were deprecated in version N
> to version N+1.
>
> One thing that particularly annoys me is when audit2allow -R gives deprecated
> interfaces in it's output. Removing some of these should reduce the
> incidence of that.
>
> I believe this is worthy of merging.
>
> Signed-off-by: Russell Coker <[email protected]>

Merged.


> Index: refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/dphysswapfile.if
> +++ refpolicy-2.20210120/policy/modules/admin/dphysswapfile.if
> @@ -2,26 +2,6 @@
>
> ########################################
> ## <summary>
> -## Dontaudit access to the swap file.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain to not audit.
> -## </summary>
> -## </param>
> -#
> -interface(`dphysswapfile_dontaudit_read_swap',`
> - refpolicywarn(`$0($*) has been deprecated')
> -
> - gen_require(`
> - type dphysswapfile_swap_t;
> - ')
> -
> - dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
> -')
> -
> -########################################
> -## <summary>
> ## All of the rules required to
> ## administrate an dphys-swapfile environment.
> ## </summary>
> Index: refpolicy-2.20210120/policy/modules/admin/fakehwclock.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/fakehwclock.if
> +++ refpolicy-2.20210120/policy/modules/admin/fakehwclock.if
> @@ -2,55 +2,6 @@
>
> ########################################
> ## <summary>
> -## Execute a domain transition to run fake-hwclock.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -#
> -interface(`fakehwclock_domtrans',`
> - refpolicywarn(`$0($*) has been deprecated')
> -
> - gen_require(`
> - type fakehwclock_t, fakehwclock_exec_t;
> - ')
> -
> - corecmd_search_bin($1)
> - domtrans_pattern($1, fakehwclock_exec_t, fakehwclock_t)
> -')
> -
> -########################################
> -## <summary>
> -## Execute fake-hwclock in the fake-hwclock domain,
> -## and allow the specified role
> -## the fake-hwclock domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -## <param name="role">
> -## <summary>
> -## Role allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`fakehwclock_run',`
> - refpolicywarn(`$0($*) has been deprecated')
> -
> - gen_require(`
> - attribute_role fakehwclock_roles;
> - ')
> -
> - fakehwclock_domtrans($1)
> - roleattribute $2 fakehwclock_roles;
> -')
> -
> -########################################
> -## <summary>
> ## All the rules required to
> ## administrate an fake-hwclock environment.
> ## </summary>
> Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if
> +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if
> @@ -238,22 +238,6 @@ interface(`corecmd_dontaudit_write_bin_f
>
> ########################################
> ## <summary>
> -## Read symbolic links in bin directories.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`corecmd_read_bin_symlinks',`
> - refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
> -
> - corecmd_search_bin($1)
> -')
> -
> -########################################
> -## <summary>
> ## Read pipes in bin directories.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20210120/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20210120/policy/modules/kernel/devices.if
> @@ -3631,20 +3631,6 @@ interface(`dev_rw_pmqos',`
>
> ########################################
> ## <summary>
> -## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
> -## </summary>
> -## <param name="domain" unused="true">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`dev_read_printk',`
> - refpolicywarn(`$0() has been deprecated.')
> -')
> -
> -########################################
> -## <summary>
> ## Get the attributes of the QEMU
> ## microcode and id interfaces.
> ## </summary>
> Index: refpolicy-2.20210120/policy/modules/kernel/mls.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/mls.if
> +++ refpolicy-2.20210120/policy/modules/kernel/mls.if
> @@ -849,22 +849,6 @@ interface(`mls_fd_share_all_levels',`
> ########################################
> ## <summary>
> ## Make specified domain MLS trusted
> -## for translating contexts at all levels. (Deprecated)
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -## <rolecap/>
> -#
> -interface(`mls_context_translate_all_levels',`
> - refpolicywarn(`$0($*) has been deprecated')
> -')
> -
> -########################################
> -## <summary>
> -## Make specified domain MLS trusted
> ## for reading from databases at any level.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20210120/policy/modules/services/vnstatd.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/vnstatd.if
> +++ refpolicy-2.20210120/policy/modules/services/vnstatd.if
> @@ -47,113 +47,6 @@ interface(`vnstatd_run_vnstat',`
>
> ########################################
> ## <summary>
> -## Execute a domain transition to run vnstatd.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -#
> -interface(`vnstatd_domtrans',`
> - refpolicywarn(`$0($*) has been deprecated')
> -
> - gen_require(`
> - type vnstatd_t, vnstatd_exec_t;
> - ')
> -
> - corecmd_search_bin($1)
> - domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
> -')
> -
> -########################################
> -## <summary>
> -## Search vnstatd lib directories.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`vnstatd_search_lib',`
> - refpolicywarn(`$0($*) has been deprecated')
> -
> - gen_require(`
> - type vnstatd_var_lib_t;
> - ')
> -
> - files_search_var_lib($1)
> - allow $1 vnstatd_var_lib_t:dir search_dir_perms;
> -')
> -
> -########################################
> -## <summary>
> -## Create, read, write, and delete
> -## vnstatd lib directories.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`vnstatd_manage_lib_dirs',`
> - refpolicywarn(`$0($*) has been deprecated')
> -
> - gen_require(`
> - type vnstatd_var_lib_t;
> - ')
> -
> - files_search_var_lib($1)
> - manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
> -')
> -
> -########################################
> -## <summary>
> -## Read vnstatd lib files.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`vnstatd_read_lib_files',`
> - refpolicywarn(`$0($*) has been deprecated')
> -
> - gen_require(`
> - type vnstatd_var_lib_t;
> - ')
> -
> - files_search_var_lib($1)
> - read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
> -')
> -
> -########################################
> -## <summary>
> -## Create, read, write, and delete
> -## vnstatd lib files.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`vnstatd_manage_lib_files',`
> - refpolicywarn(`$0($*) has been deprecated')
> -
> - gen_require(`
> - type vnstatd_var_lib_t;
> - ')
> -
> - files_search_var_lib($1)
> - manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
> -')
> -
> -########################################
> -## <summary>
> ## All of the rules required to
> ## administrate an vnstatd environment.
> ## </summary>
> Index: refpolicy-2.20210120/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20210120/policy/modules/services/xserver.if
> @@ -866,21 +866,6 @@ interface(`xserver_setsched_xdm',`
>
> ########################################
> ## <summary>
> -## Create, read, write, and delete
> -## xdm_spool files.
> -## </summary>
> -## <param name="domain" unused="true">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`xserver_manage_xdm_spool_files',`
> - refpolicywarn(`$0() has been deprecated.')
> -')
> -
> -########################################
> -## <summary>
> ## Connect to XDM over a unix domain
> ## stream socket.
> ## </summary>
> Index: refpolicy-2.20210120/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/init.if
> +++ refpolicy-2.20210120/policy/modules/system/init.if
> @@ -3038,22 +3038,6 @@ interface(`init_relabel_utmp',`
> ## </summary>
> ## </param>
> #
> -interface(`init_pid_filetrans_utmp',`
> - refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans_utmp() instead.')
> - init_runtime_filetrans_utmp($1)
> -')
> -
> -########################################
> -## <summary>
> -## Create files in /var/run with the
> -## utmp file type.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> interface(`init_runtime_filetrans_utmp',`
> gen_require(`
> type initrc_runtime_t;
> @@ -3072,21 +3056,6 @@ interface(`init_runtime_filetrans_utmp',
> ## </summary>
> ## </param>
> #
> -interface(`init_create_pid_dirs',`
> - refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_dirs() instead.')
> - init_create_runtime_dirs($1)
> -')
> -
> -#######################################
> -## <summary>
> -## Create a directory in the /run/systemd directory.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> interface(`init_create_runtime_dirs',`
> gen_require(`
> type init_runtime_t;
> @@ -3124,21 +3093,6 @@ interface(`init_read_runtime_files',`
> ## </summary>
> ## </param>
> #
> -interface(`init_rename_pid_files',`
> - refpolicywarn(`$0($*) has been deprecated, please use init_rename_runtime_files() instead.')
> - init_rename_runtime_files($1)
> -')
> -
> -########################################
> -## <summary>
> -## Rename init_runtime_t files
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## domain
> -## </summary>
> -## </param>
> -#
> interface(`init_rename_runtime_files',`
> gen_require(`
> type init_runtime_t;
> @@ -3175,21 +3129,6 @@ interface(`init_setattr_runtime_files',`
> ## </summary>
> ## </param>
> #
> -interface(`init_delete_pid_files',`
> - refpolicywarn(`$0($*) has been deprecated, please use init_delete_runtime_files() instead.')
> - init_delete_runtime_files($1)
> -')
> -
> -########################################
> -## <summary>
> -## Delete init_runtime_t files
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## domain
> -## </summary>
> -## </param>
> -#
> interface(`init_delete_runtime_files',`
> gen_require(`
> type init_runtime_t;
> @@ -3209,22 +3148,6 @@ interface(`init_delete_runtime_files',`
> ## </summary>
> ## </param>
> #
> -interface(`init_write_pid_socket',`
> - refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_socket() instead.')
> - init_write_runtime_socket($1)
> -')
> -
> -#######################################
> -## <summary>
> -## Allow the specified domain to write to
> -## init sock file.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> interface(`init_write_runtime_socket',`
> gen_require(`
> type init_runtime_t;
> @@ -3234,21 +3157,6 @@ interface(`init_write_runtime_socket',`
> ')
>
> ########################################
> -## <summary>
> -## Read init unnamed pipes.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`init_read_pid_pipes',`
> - refpolicywarn(`$0($*) has been deprecated, please use init_read_runtime_pipes() instead.')
> - init_read_runtime_pipes($1)
> -')
> -
> -########################################
> ## <summary>
> ## Read init unnamed pipes.
> ## </summary>
> Index: refpolicy-2.20210120/policy/modules/system/modutils.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/modutils.if
> +++ refpolicy-2.20210120/policy/modules/system/modutils.if
> @@ -207,190 +207,3 @@ interface(`modutils_exec',`
> corecmd_search_bin($1)
> can_exec($1, kmod_exec_t)
> ')
> -
> -########################################
> -## <summary>
> -## Unconditionally execute insmod in the insmod domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -#
> -# cjp: this is added for pppd, due to nested
> -# conditionals not working.
> -interface(`modutils_domtrans_insmod_uncond',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
> - modutils_domtrans($1)
> -')
> -
> -########################################
> -## <summary>
> -## Execute insmod in the insmod domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -#
> -interface(`modutils_domtrans_insmod',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
> - modutils_domtrans($1)
> -')
> -
> -########################################
> -## <summary>
> -## Execute insmod in the insmod domain, and
> -## allow the specified role the insmod domain,
> -## and use the caller's terminal. Has a sigchld
> -## backchannel.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -## <param name="role">
> -## <summary>
> -## Role allowed access.
> -## </summary>
> -## </param>
> -## <rolecap/>
> -#
> -interface(`modutils_run_insmod',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
> - modutils_run($1, $2)
> -')
> -
> -########################################
> -## <summary>
> -## Execute insmod in the caller domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`modutils_exec_insmod',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
> - modutils_exec($1)
> -')
> -
> -########################################
> -## <summary>
> -## Execute depmod in the depmod domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -#
> -interface(`modutils_domtrans_depmod',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
> - modutils_domtrans($1)
> -')
> -
> -########################################
> -## <summary>
> -## Execute depmod in the depmod domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -## <param name="role">
> -## <summary>
> -## Role allowed access.
> -## </summary>
> -## </param>
> -## <rolecap/>
> -#
> -interface(`modutils_run_depmod',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
> - modutils_run($1, $2)
> -')
> -
> -########################################
> -## <summary>
> -## Execute depmod in the caller domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`modutils_exec_depmod',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
> - modutils_exec($1)
> -')
> -
> -########################################
> -## <summary>
> -## Execute update_modules in the update_modules domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -#
> -interface(`modutils_domtrans_update_mods',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.')
> - modutils_domtrans($1)
> -')
> -
> -########################################
> -## <summary>
> -## Execute update_modules in the update_modules domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed to transition.
> -## </summary>
> -## </param>
> -## <param name="role">
> -## <summary>
> -## Role allowed access.
> -## </summary>
> -## </param>
> -## <rolecap/>
> -#
> -interface(`modutils_run_update_mods',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.')
> - modutils_run($1, $2)
> -')
> -
> -########################################
> -## <summary>
> -## Execute update_modules in the caller domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`modutils_exec_update_mods',`
> - refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.')
> - modutils_exec($1)
> -')
> -
> -########################################
> -## <summary>
> -## Read kmod lib files.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`modutils_read_var_run_files',`
> - refpolicywarn(`$0($*) has been deprecated.')
> -')
> Index: refpolicy-2.20210120/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20210120/policy/modules/system/systemd.if
> @@ -376,21 +376,6 @@ interface(`systemd_dbus_chat_logind',`
>
> ########################################
> ## <summary>
> -## Allow process to write to systemd_kmod_conf_t.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -## <rolecap/>
> -#
> -interface(`systemd_write_kmod_files',`
> - refpolicywarn(`$0($*) has been deprecated.')
> -')
> -
> -########################################
> -## <summary>
> ## Get the system status information from systemd_login
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20210120/policy/support/file_patterns.spt
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/support/file_patterns.spt
> +++ refpolicy-2.20210120/policy/support/file_patterns.spt
> @@ -104,13 +104,6 @@ define(`mmap_read_files_pattern',`
> allow $1 $3:file mmap_read_file_perms;
> ')
>
> -define(`mmap_files_pattern',`
> - # deprecated 20171213
> - refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead')
> - allow $1 $2:dir search_dir_perms;
> - allow $1 $3:file mmap_exec_file_perms;
> -')
> -
> define(`mmap_exec_files_pattern',`
> allow $1 $2:dir search_dir_perms;
> allow $1 $3:file mmap_exec_file_perms;
> Index: refpolicy-2.20210120/policy/support/misc_patterns.spt
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/support/misc_patterns.spt
> +++ refpolicy-2.20210120/policy/support/misc_patterns.spt
> @@ -12,12 +12,6 @@ define(`domain_transition_pattern',`
> dontaudit $1 $3:process { noatsecure siginh rlimitinh };
> ')
>
> -# compatibility: Deprecated (20161201)
> -define(`domain_trans',`
> - refpolicywarn(`$0() has been deprecated, please use domain_transition_pattern() instead.')
> - domain_transition_pattern($*)
> -')
> -
>
> #
> # Specified domain transition patterns
> @@ -49,12 +43,6 @@ define(`domain_auto_transition_pattern',
> type_transition $1 $2:process $3;
> ')
>
> -# compatibility: Deprecated (20161201)
> -define(`domain_auto_trans',`
> - refpolicywarn(`$0() has been deprecated, please use domain_auto_transition_pattern() instead.')
> - domain_auto_transition_pattern($*)
> -')
> -
> #
> # Automatic domain transition patterns
> # with feedback permissions
> Index: refpolicy-2.20210120/policy/support/obj_perm_sets.spt
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/support/obj_perm_sets.spt
> +++ refpolicy-2.20210120/policy/support/obj_perm_sets.spt
> @@ -150,11 +150,6 @@ define(`getattr_file_perms',`{ getattr }
> define(`setattr_file_perms',`{ setattr }')
> define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
> define(`read_file_perms',`{ getattr open read lock ioctl }')
> -# deprecated 20171213
> -define(`mmap_file_perms',`
> - { getattr open map read execute ioctl }
> - refpolicywarn(`mmap_file_perms is deprecated, please use mmap_exec_file_perms instead')
> -')
> define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }')
> define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
> define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
>


--
Chris PeBenito