From d1af48566145d8e2b83903eb751ec91cd4844cde Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 14 Oct 2011 08:52:21 -0400 Subject: [PATCH] Remove rolemap and per-role template support. This support was deprecated and unused in Reference Policy November 5 2008. --- Changelog | 1 + Makefile | 44 ------------------------------------------ README | 5 ----- Rules.modular | 10 ++-------- Rules.monolithic | 6 +----- policy/rolemap | 13 ------------- support/Makefile.devel | 34 +------------------------------- 7 files changed, 5 insertions(+), 108 deletions(-) delete mode 100644 policy/rolemap diff --git a/Changelog b/Changelog index bce84b4c6..7ee0ca1c2 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Remove rolemap and per-role template support. - Change corenetwork port declaration to apply the reserved port type attribute only, when the type has ports above and below 1024. - Change secure_mode_policyload to disable only toggling of this Boolean diff --git a/Makefile b/Makefile index 8b6a3f973..6eff493fa 100644 --- a/Makefile +++ b/Makefile @@ -130,7 +130,6 @@ endif # config file paths globaltun = $(poldir)/global_tunables globalbool = $(poldir)/global_booleans -rolemap = $(poldir)/rolemap user_files := $(poldir)/users policycaps := $(poldir)/policy_capabilities 
@@ -316,48 +315,6 @@ fs_names := "btrfs ext2 ext3 ext4 xfs jfs" # Functions # -# parse-rolemap-compat modulename,outputfile -define parse-rolemap-compat - $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ - $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -endef - -# parse-rolemap modulename,outputfile -define parse-rolemap - $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ - $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -endef - -# perrole-expansion modulename,outputfile -define perrole-expansion - $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 - $(call parse-rolemap,$1,$2) - $(verbose) echo "')" >> $2 - - $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 - $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 - $(call parse-rolemap-compat,$1,$2) - $(verbose) echo "')" >> $2 -endef - -# create-base-per-role-tmpl modulenames,outputfile -define create-base-per-role-tmpl - $(verbose) echo "define(\`base_per_role_template',\`" >> $2 - - $(verbose) for i in $1; do \ - echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \ - >> $2 ;\ - done - - $(verbose) for i in $1; do \ - echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\ - echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\ - echo """$$i""_per_userdomain_template("'$$*'")')" >> $2 ;\ - done - $(verbose) echo "')" >> $@ - -endef - # detect-metaxml layer_names ifdef LOCAL_ROOT define detect-metaxml 
@@ -552,7 +509,6 @@ install-headers: $(layerxml) $(tunxml) $(boolxml) @mkdir -p $(headerdir) @echo "Installing $(NAME) policy headers." $(verbose) $(INSTALL) -m 644 $^ $(headerdir) - $(verbose) $(M4) $(M4PARAM) $(rolemap) > $(headerdir)/$(notdir $(rolemap)) $(verbose) mkdir -p $(headerdir)/support $(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support $(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt diff --git a/README b/README index 184c6efc6..a3e8082a7 100644 --- a/README +++ b/README @@ -214,11 +214,6 @@ policy/modules.conf This file contains a listing of available modules, and in the base module; those set to "module" will be compiled as individual loadable modules. -policy/rolemap This file contains prefix and user domain type that - corresponds to each user role. The contents of this - file will be used to expand the per-user domain - templates for each module. - policy/support/* Support macros. policy/users This file defines the users included in the policy. diff --git a/Rules.modular b/Rules.modular index 168a14fa8..0e1f96025 100644 --- a/Rules.modular +++ b/Rules.modular @@ -73,8 +73,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" @test -d $(tmpdir) || mkdir -p $(tmpdir) - $(call perrole-expansion,$(basename $(@F)),$@.role) - $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) + $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ $(tmpdir)/%.mod.fc: $(m4support) %.fc 
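Review bot: In the `$(tmpdir)/%.mod` recipe, a module that still defines `<name>_per_role_template` or the older `<name>_per_userdomain_template` now builds with no diagnostic. The `$@.role` input that expanded those templates is gone, and so is the `errprint` warning that the compat path used to emit. For an out-of-tree module this presumably means the template's rules are silently absent from the compiled policy, which a security policy build should fail on rather than ignore. Consider a guard as the first recipe line, something like `@! grep -n '_per_\(role\|userdomain\)_template' $^`, narrowing the file list if the support macros legitimately mention those names. The same applies to the `tmp/%.mod` rule in support/Makefile.devel.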
@@ -143,13 +142,8 @@ $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror) $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@ @echo "divert" >> $@ -$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy -$(tmpdir)/rolemap.conf: $(rolemap) - $(verbose) echo "" > $@ - $(call parse-rolemap,base,$@) - $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy -$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf +$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) ifeq "$(strip $(base_te_files))" "" $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") endif diff --git a/Rules.monolithic b/Rules.monolithic index f6b639deb..1185c8801 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -131,11 +131,7 @@ $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror) $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@ @echo "divert" >> $@ -$(tmpdir)/rolemap.conf: $(rolemap) - $(verbose) echo "" > $@ - $(call parse-rolemap,base,$@) - -$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf +$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) ifeq "$(strip $(all_te_files))" "" $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") endif diff --git a/policy/rolemap b/policy/rolemap deleted file mode 100644 index c1de37ea5..000000000 --- a/policy/rolemap +++ /dev/null 
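Review bot: The `$(tmpdir)/rolemap.conf` rule and prerequisite are dropped here and in Rules.monolithic, and the Makefile hunk deletes `create-base-per-role-tmpl`, but no hunk in this patch removes a caller of that define or a use of `base_per_role_template`. GNU make expands an undefined `$(rolemap)` or `$(call parse-rolemap,...)` to empty without an error, so a reference left outside these hunks would quietly change the generated policy input instead of failing. Before merging, grep the tree for `rolemap` and `per_role_template`. A dry run with `make -n --warn-undefined-variables` of both the modular and monolithic builds would surface leftover `$(rolemap)` expansions. The `all_te_files.conf` recipe continues past the end of the hunk, so whether it consumes `$^` is not visible here.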
@@ -1,13 +0,0 @@ -# -# This file contains the mappings -# used for per-role template -# infrastructure. Each line describes -# the prefix and user domain type -# corresponding to each role. -# -# syntax: role prefix user_domain -# - -# This support has been deprecated and -# will be removed in the future. Note: No -# per-role templates exist in refpolicy. diff --git a/support/Makefile.devel b/support/Makefile.devel index c5e3ef354..b96e9b3d1 100644 --- a/support/Makefile.devel +++ b/support/Makefile.devel @@ -84,8 +84,6 @@ header_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEA header_xml := $(addsuffix .xml,$(header_layers)) header_interfaces := $(foreach layer,$(header_layers),$(wildcard $(layer)/*.if)) -rolemap := $(HEADERDIR)/rolemap - local_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d)) local_xml := $(addprefix tmp/, $(addsuffix .xml,$(local_layers))) 
@@ -108,35 +106,6 @@ vpath %.te $(local_layers) vpath %.if $(local_layers) vpath %.fc $(local_layers) -######################################## -# -# Functions -# - -# parse-rolemap-compat modulename,outputfile -define parse-rolemap-compat - $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ - $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -endef - -# parse-rolemap modulename,outputfile -define parse-rolemap - $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ - $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -endef - -# peruser-expansion modulename,outputfile -define peruser-expansion - $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 - $(call parse-rolemap,$1,$2) - $(verbose) echo "')" >> $2 - - $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 - $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 - $(call parse-rolemap-compat,$1,$2) - $(verbose) echo "')" >> $2 -endef - .PHONY: clean all xml load reload .SUFFIXES: .SUFFIXES: .pp @@ -185,8 +154,7 @@ reload: $(all_packages) tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" @test -d $(@D) || mkdir -p $(@D) - $(call peruser-expansion,$(basename $(@F)),$@.role) - $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) + $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ tmp/%.mod.fc: $(m4support) %.fc