--- refpolicy-0.0.20070507.orig/support/Makefile.devel
+++ refpolicy-0.0.20070507/support/Makefile.devel
@@ -74,8 +74,8 @@
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
-MLS_CATS ?= 256
-MCS_CATS ?= 256
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
ifeq ($(QUIET),y)
verbose := @
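Review bot: The new value 1024 is hard-coded here and again in the copy of this block in `debian/Makefile.src` (`MLS_CATS ?= 1024`, `MCS_CATS ?= 1024`) with nothing tying the two together, so a later edit to only one file would presumably build the base policy and third-party modules against different category counts. Add a comment above `MLS_CATS` such as `# Keep in sync with debian/Makefile.src; an overriding build.conf must set both the same way` — both assignments are `?=`, so a `build.conf` value, not this default, is what finally applies. The comment should also say the count is only safe to raise: once files have been labelled with categories c256–c1023, lowering it again would presumably leave those contexts invalid for the installed policy.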
--- refpolicy-0.0.20070507.orig/debian/modules.conf.targeted
+++ refpolicy-0.0.20070507/debian/modules.conf.targeted
@@ -0,0 +1,1821 @@
+# If you edit this file, also edit local-var.mk to define what is or
+# is not a module.
+#
+#
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = module
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+#
+amanda = module
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = off
+
+# Layer: admin
+# Module: apt
+#
+# APT advanced package toll.
+#
+apt = base
+
+# Layer: admin
+# Module: backup
+#
+# System backup scripts
+#
+backup = module
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = base
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+#
+# Not in Debian?
+certwatch = off
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+# Not in Debian.
+consoletype = off
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = base
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = module
+
+# Layer: admin
+# Module: dpkg
+#
+# Policy for the Debian package manager.
+#
+dpkg = base
+
+# Layer: admin
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+#
+firstboot = off
+
+# Layer: admin
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+#
+kudzu = module
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = base
+
+# Layer: admin
+# Module: logwatch
+#
+# System log analyzer and reporter
+#
+logwatch = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+#
+mrtg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: portage
+#
+# Portage Package Management System. The primary package management and
+# distribution system for Gentoo.
+#
+portage = off
+
+# Layer: admin
+# Module: prelink
+#
+# Prelink ELF shared library mappings.
+#
+prelink = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = base
+
+# Layer: admin
+# Module: sxid
+#
+# SUID/SGID program monitoring
+#
+sxid = module
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: admin
+# Module: tripwire
+#
+# Tripwire file integrity checker.
+#
+tripwire = module
+
+# Layer: admin
+# Module: tzdata
+#
+# Time zone updater
+#
+tzdata = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = off
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = base
+
+# Layer: admin
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+#
+vbetool = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: apps
+# Module: ada
+#
+# GNAT Ada95 compiler
+#
+ada = module
+
+# Layer: apps
+# Module: authbind
+#
+# Tool for non-root processes to bind to reserved ports
+#
+authbind = module
+
+# Layer: apps
+# Module: calamaris
+#
+# Squid log analysis
+#
+calamaris = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+#
+cdrecord = module
+
+# Layer: apps
+# Module: ethereal
+#
+# Ethereal packet capture tool.
+#
+ethereal = module
+
+# Layer: apps
+# Module: evolution
+#
+# Evolution email client
+#
+evolution = module
+
+# Layer: apps
+# Module: games
+#
+# Games
+#
+games = module
+
+# Layer: apps
+# Module: gift
+#
+# giFT peer to peer file sharing tool
+#
+gift = module
+
+# Layer: apps
+# Module: gnome
+#
+# GNU network object model environment (GNOME)
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+#
+irc = module
+
+# Layer: apps
+# Module: java
+#
+# Java virtual machine
+#
+java = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+#
+lockdev = module
+
+# Layer: apps
+# Module: mono
+#
+# Run .NET server and client applications on Linux.
+#
+mono = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Mplayer media player and encoder
+#
+mplayer = module
+
+# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+#
+rssh = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: apps
+# Module: thunderbird
+#
+# Thunderbird email client
+#
+thunderbird = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: apps
+# Module: userhelper
+#
+# SELinux utility to run a shell with a new role
+#
+userhelper = base
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# Wine Is Not an Emulator. Run Windows programs in Linux.
+#
+wine = module
+
+# Layer: apps
+# Module: yam
+#
+# Yum/Apt Mirroring
+#
+yam = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = base
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = base
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = base
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = base
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = base
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = base
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = base
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: system
+# Module: pythonsupport
+#
+# Support for precompiling python modules
+#
+pythonsupport = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: xen
+#
+# Xen hypervisor
+#
+xen = module
+
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: services
+# Module: aide
+#
+# Aide filesystem integrity checker
+#
+aide = module
+
+# Layer: services
+# Module: amavis
+#
+# Daemon that interfaces mail transfer agents and content
+# checkers, such as virus scanners.
+#
+amavis = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+#
+apm = module
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = module
+
+# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: services
+# Module: audioentropy
+#
+# Generate entropy from audio input
+#
+audioentropy = module
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+#
+avahi = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+#
+bind = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# Cluster Configuration System
+#
+ccs = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+#
+cipe = module
+
+# Layer: services
+# Module: clamav
+#
+# ClamAV Virus Scanner
+#
+clamav = module
+
+# Layer: services
+# Module: clockspeed
+#
+# Clockspeed simple network time protocol client
+#
+# not in debian?
+clockspeed = off
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = module
+
+# Layer: services
+# Module: consolekit
+#
+# Framework for facilitating multiple user sessions on desktops.
+#
+consolekit = module
+
+# Layer: services
+# Module: courier
+#
+# Courier IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = base
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+#
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+#
+cyrus = module
+
+# Layer: services
+# Module: dante
+#
+# Dante msproxy and socks4/5 proxy server
+#
+dante = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Layer: services
+# Module: dcc
+#
+# Distributed checksum clearinghouse spam filtering
+#
+dcc = module
+
+# Layer: services
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+#
+ddclient = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+#
+dictd = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = module
+
+# Layer: services
+# Module: djbdns
+#
+# small and secure DNS daemon
+#
+djbdns = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# dnsmasq DNS forwarder and DHCP server
+#
+dnsmasq = module
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+#
+dovecot = module
+
+# Layer: services
+# Module: fail2ban
+#
+# Update firewall filtering to ban IP addresses with too many password failures.
+#
+fail2ban = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = module
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+#
+finger = module
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+#
+ftp = module
+
+# Layer: services
+# Module: gatekeeper
+#
+# OpenH.323 Voice-Over-IP Gatekeeper
+#
+gatekeeper = module
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+#
+gpm = module
+
+# Layer: services
+# Module: hal
+#
+# Hardware abstraction layer
+#
+hal = module
+
+# Layer: services
+# Module: howl
+#
+# Port of Apple Rendezvous multicast DNS
+#
+howl = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = module
+
+# Layer: services
+# Module: imaze
+#
+# iMaze game server
+#
+imaze = module
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = module
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+#
+inn = module
+
+# Layer: services
+# Module: ircd
+#
+# IRC server
+#
+ircd = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = module
+
+# Layer: services
+# Module: jabber
+#
+# Jabber instant messaging server
+#
+jabber = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+#
+ktalk = module
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+#
+mailman = module
+
+# Layer: services
+# Module: monop
+#
+# Monopoly daemon
+#
+monop = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = base
+
+# Layer: services
+# Module: munin
+#
+# Munin network-wide load graphing (formerly LRRD)
+#
+munin = module
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = module
+
+# Layer: services
+# Module: nagios
+#
+# Net Saint / NAGIOS - network monitoring server
+#
+nagios = module
+
+# Layer: services
+# Module: nessus
+#
+# Nessus network scanning daemon
+#
+nessus = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = module
+
+# Layer: services
+# Module: nsd
+#
+# Authoritative only name server
+#
+nsd = module
+
+# Layer: services
+# Module: ntop
+#
+# Network Top
+#
+ntop = module
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: services
+# Module: nx
+#
+# NX remote desktop
+#
+# Not officially in Debian, but being worked on.
+nx = module
+
+# Layer: services
+# Module: oav
+#
+# Open AntiVirus scannerdaemon and signature update
+#
+oav = module
+
+# Layer: services
+# Module: oddjob
+#
+# Oddjob provides a mechanism by which unprivileged applications can
+# request that specified privileged operations be performed on their
+# behalf.
+#
+oddjob = module
+
+# Layer: services
+# Module: openca
+#
+# OpenCA - Open Certificate Authority
+#
+openca = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = module
+
+# Layer: services
+# Module: openvpn
+#
+# full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: services
+# Module: pcscd
+#
+# PCSC smart card service
+#
+pcscd = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+# not in Debian?
+pegasus = off
+
+# Layer: services
+# Module: perdition
+#
+# Perdition POP and IMAP proxy
+#
+perdition = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: portslave
+#
+# Portslave terminal server software
+#
+portslave = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: postgrey
+#
+# Postfix grey-listing server
+#
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+#
+procmail = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: services
+# Module: pxe
+#
+# Server for the PXE network boot protocol
+#
+pxe = module
+
+# Layer: services
+# Module: pyzor
+#
+# Pyzor is a distributed, collaborative spam detection and filtering network.
+#
+pyzor = module
+
+# Layer: services
+# Module: qmail
+#
+# Qmail Mail Server
+#
+qmail = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+razor = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: services
+# Module: resmgr
+#
+# Resource management daemon
+#
+resmgr = module
+
+# Layer: services
+# Module: rhgb
+#
+# Red Hat Graphical Boot
+#
+rhgb = off
+
+# Layer: services
+# Module: ricci
+#
+# Ricci cluster management agent
+#
+ricci = off
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: services
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# SELinux troubleshooting service
+#
+setroubleshoot = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = module
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: speedtouch
+#
+# Alcatel speedtouch USB ADSL modem
+#
+speedtouch = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: services
+# Module: transproxy
+#
+# HTTP transperant proxy
+#
+transproxy = module
+
+# Layer: services
+# Module: ucspitcp
+#
+# ucspitcp policy
+#
+ucspitcp = module
+
+# Layer: services
+# Module: uptime
+#
+# Uptime daemon
+#
+uptime = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: uwimap
+#
+# University of Washington IMAP toolkit POP3 and IMAP mail server
+#
+uwimap = module
+
+# Layer: services
+# Module: watchdog
+#
+# Software watchdog
+#
+watchdog = module
+
+# Layer: services
+# Module: xfs
+#
+# X Windows Font Server
+#
+xfs = module
+
+# Layer: services
+# Module: xprint
+#
+# X print server
+#
+xprint = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: services
+# Module: zabbix
+#
+# Distributed infrastructure monitoring
+#
+zabbix = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: iscsi
+#
+# Establish connections to iSCSI devices
+#
+iscsi = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
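Review bot: The trailing `# Layer: system` block redefines sixteen modules that the earlier system block already set, with the opposite value — `authlogin`, `clock`, `fstools`, `getty`, `hostname`, `init`, `iptables`, `libraries`, `locallogin`, `logging`, `miscfiles`, `modutils`, `mount`, `selinuxutil`, `sysnetwork` and `userdomain` are first `base` and then `module`; only `iscsi` and `netlabel` in that block are new. Which assignment wins depends on how the build scans this file, which is not shown here: if every matching line is honoured, those modules are linked into the base and also packaged as loadable `.pp` files, and if the last line wins, core domains such as `init`, `userdomain` and `selinuxutil` silently become unloadable modules of the targeted policy, contrary to the header comment that this file defines what is or is not a module. Drop the duplicated entries so each module has exactly one setting, keeping only `iscsi = module` and `netlabel = module` from the trailing block.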
--- refpolicy-0.0.20070507.orig/debian/example.if
+++ refpolicy-0.0.20070507/debian/example.if
@@ -0,0 +1,57 @@
+## Myapp example policy
+##
+##
+## More descriptive text about myapp. The
+## tag can also use ,
, and
+## html tags for formatting.
+##
+##
+## This policy supports the following myapp features:
+##
+## - Feature A
+## - Feature B
+## - Feature C
+##
+##
+##
+#
+
+########################################
+##
+## Execute a domain transition to run myapp.
+##
+##
+## Domain allowed to transition.
+##
+#
+interface(`myapp_domtrans',`
+ gen_require(`
+ type myapp_t, myapp_exec_t;
+ ')
+
+ domain_auto_trans($1,myapp_exec_t,myapp_t)
+
+ allow $1 myapp_t:fd use;
+ allow myapp_t $1:fd use;
+ allow $1 myapp_t:fifo_file rw_file_perms;
+ allow $1 myapp_t:process sigchld;
+')
+
+########################################
+##
+## Read myapp log files.
+##
+##
+## Domain allowed to read the log files.
+##
+#
+interface(`myapp_read_log',`
+ gen_require(`
+ type myapp_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 myapp_log_t:file r_file_perms;
+')
+
+# arch-tag: e3624959-d1f4-4546-850b-4a1f22f7018d
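Review bot: The last two rules of `myapp_domtrans` appear to grant in the wrong direction for a fork/exec transition: SIGCHLD is delivered from the new `myapp_t` process to the caller, and the pipes it inherits belong to the caller, so the permissions that get checked are `myapp_t → $1`, not `$1 → myapp_t`; the mirrored `fd use` pair two lines above shows the intended symmetry. Change them to `allow myapp_t $1:fifo_file rw_file_perms;` and `allow myapp_t $1:process sigchld;` (if this refpolicy snapshot already ships `domtrans_pattern`, that macro replaces all four lines). Since this file is the template shipped for third-party modules, the inverted rules would be copied into every policy written from it. The XML `<summary>`/`<desc>`/`<param>` markup also appears to be missing from the header comments in this rendering; if the file itself lacks it, segenxml will not document these interfaces.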
--- refpolicy-0.0.20070507.orig/debian/Makefile.src
+++ refpolicy-0.0.20070507/debian/Makefile.src
@@ -0,0 +1,214 @@
+# arch-tag: 2d5f59a8-3b3b-4118-a3ef-4de1ea00d6e4
+# helper tools
+AWK ?= gawk
+INSTALL ?= install
+M4 ?= m4
+SED ?= sed
+EINFO ?= echo
+PYTHON ?= python
+
+NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
+
+include build.conf
+
+# executables
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+XMLLINT := $(BINDIR)/xmllint
+
+# set default build options if missing
+TYPE ?= strict
+DIRECT_INITRC ?= n
+POLY ?= n
+QUIET ?= y
+
+genxml := $(PYTHON) support/segenxml.py
+
+docs = doc
+polxml = $(docs)/policy.xml
+xmldtd = support/policy.dtd
+layerxml = metadata.xml
+
+globaltun = global_tunables.xml
+globalbool = global_booleans.xml
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+ M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+ M4PARAM += -D targeted_policy
+endif
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# enable polyinstantiation
+ifeq ($(POLY),y)
+ M4PARAM += -D enable_polyinstantiation
+endif
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+ verbose := @
+endif
+
+M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
+
+# policy headers
+m4support = $(wildcard support/*.spt)
+all_layers = $(filter-out support,$(shell find $(wildcard *) -maxdepth 0 -type d))
+all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
+rolemap = rolemap
+
+detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+3rd_party_mods = $(wildcard *.te)
+detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
+detected_ifs = $(detected_mods:.te=.if)
+detected_fcs = $(detected_mods:.te=.fc)
+all_packages = $(notdir $(detected_mods:.te=.pp))
+
+vpath %.te $(detected_layers)
+vpath %.if $(detected_layers)
+vpath %.fc $(detected_layers)
+
+# if there are modules in the current directory, add them into the third party layer
+ifneq "$(3rd_party_mods)" ""
+ genxml += -3 .
+endif
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+ $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+ $(call parse-rolemap,$1,$2)
+ $(verbose) echo "')" >> $2
+
+ $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+ $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+ $(call parse-rolemap-compat,$1,$2)
+ $(verbose) echo "')" >> $2
+endef
+
+.PHONY: clean all xml load
+.SUFFIXES:
+.SUFFIXES: .pp
+# broken in make 3.81:
+#.SECONDARY:
+
+########################################
+#
+# Main targets
+#
+
+all: $(all_packages)
+
+xml: $(polxml)
+
+########################################
+#
+# Load module packages
+#
+load: $(all_packages)
+ @$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $(all_packages)))"
+ $(verbose) $(SEMODULE) $(foreach mod,$^,-i $(mod))
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
+ @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
+ @test -d tmp || mkdir -p tmp
+ $(call peruser-expansion,$(basename $(@F)),$@.role)
+ $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(m4support) %.fc
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
+ @test -d tmp || mkdir -p tmp
+ $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+# so users dont have to make empty .fc and .if files
+$(detected_ifs) $(detected_fcs):
+ @touch $@
+
+########################################
+#
+# Documentation generation
+#
+
+# minimal dependencies here, because we don't want to rebuild
+# this and its dependents every time the dependencies
+# change. Also use all .if files here, rather then just the
+# enabled modules.
+$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
+ @echo "Creating $@"
+ @mkdir -p doc
+ $(verbose) echo '' > $@
+ $(verbose) echo '' >> $@
+ $(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+########################################
+#
+# Clean the environment
+#
+
+clean:
+ rm -fR tmp
+ rm -f *.pp
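Review bot: The `tmp/all_interfaces.conf` recipe invokes bare `m4` and `sed` instead of the `$(M4)`/`$(SED)` knobs the file defines at the top, and pipes them so that an m4 failure (a syntax error in any `.if`) is hidden by sed's exit status and leaves a truncated but newer target that every later module build consumes. Write the two stages so the first failure stops the rule, `$(verbose) $(M4) $^ > $@.m4 && $(SED) -e s/dollarsstar/\$$\*/g $@.m4 > $@`, and add `.DELETE_ON_ERROR:` next to the `.PHONY` declaration so a failed recipe does not leave a stale `$@` behind. The same stale-output hazard applies to `tmp/%.mod`, whose `$(M4) ... > $(@:.mod=.tmp)` step writes a file other than its target before `$(CHECKMODULE)` runs. Separately, `CHECKPOLICY += -M` in the MLS and MCS branches appends to a variable this file never defines or uses.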
--- refpolicy-0.0.20070507.orig/debian/local.mk
+++ refpolicy-0.0.20070507/debian/local.mk
@@ -0,0 +1,418 @@
+############################ -*- Mode: Makefile -*- ###########################
+## local.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 10:42:10 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Mon May 7 08:55:23 2007
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 106
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: b07b1015-30ba-4b46-915f-78c776a808f4
+##
+###############################################################################
+
+testdir:
+ $(testdir)
+
+BUILD/selinux-policy-refpolicy-strict:: build/selinux-policy-refpolicy-strict
+INST/selinux-policy-refpolicy-strict:: install/selinux-policy-refpolicy-strict
+BIN/selinux-policy-refpolicy-strict:: binary/selinux-policy-refpolicy-strict
+
+
+BUILD/selinux-policy-refpolicy-targeted:: build/selinux-policy-refpolicy-targeted
+INST/selinux-policy-refpolicy-targeted:: install/selinux-policy-refpolicy-targeted
+BIN/selinux-policy-refpolicy-targeted:: binary/selinux-policy-refpolicy-targeted
+
+BUILD/selinux-policy-refpolicy-dev:: build/selinux-policy-refpolicy-dev
+INST/selinux-policy-refpolicy-dev:: install/selinux-policy-refpolicy-dev
+BIN/selinux-policy-refpolicy-dev:: binary/selinux-policy-refpolicy-dev
+
+
+BUILD/selinux-policy-refpolicy-src:: build/selinux-policy-refpolicy-src
+INST/selinux-policy-refpolicy-src:: install/selinux-policy-refpolicy-src
+BIN/selinux-policy-refpolicy-src:: binary/selinux-policy-refpolicy-src
+
+
+BUILD/selinux-policy-refpolicy-doc:: build/selinux-policy-refpolicy-doc
+INST/selinux-policy-refpolicy-doc:: install/selinux-policy-refpolicy-doc
+BIN/selinux-policy-refpolicy-doc:: binary/selinux-policy-refpolicy-doc
+
+CLEAN/selinux-policy-refpolicy-strict CLEAN/selinux-policy-refpolicy-targeted CLEAN/selinux-policy-refpolicy-src CLEAN/selinux-policy-refpolicy-src::
+ $(REASON)
+ make bare
+ test ! -d $(TMPTOP) || rm -rf $(TMPTOP)
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+
+CONFIG/selinux-policy-refpolicy-strict::
+ $(REASON)
+ test -e debian/stamp-config-strict || \
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-strict || \
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-strict || \
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-strict || \
+ cp debian/build.conf.strict $(SRCTOP)/debian/build-$(package)/build.conf
+ test -e debian/stamp-config-strict || \
+ $(MAKE) -C $(SRCTOP)/debian/build-$(package) \
+ NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) bare
+ test -e debian/stamp-config-strict || \
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) conf)
+ cp debian/modules.conf.strict \
+ $(SRCTOP)/debian/build-$(package)/policy/modules.conf
+ echo done > debian/stamp-config-strict
+STAMPS_TO_CLEAN += debian/stamp-config-strict
+DIRS_TO_CLEAN += debian/build-selinux-policy-refpolicy-strict
+
+CONFIG/selinux-policy-refpolicy-targeted::
+ $(REASON)
+ test -e debian/stamp-config-targeted || \
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-targeted || \
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-targeted || \
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-targeted || \
+ cp debian/build.conf.targeted $(SRCTOP)/debian/build-$(package)/build.conf
+ test -e debian/stamp-config-targeted || \
+ $(MAKE) -C $(SRCTOP)/debian/build-$(package) \
+ NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) bare
+ test -e debian/stamp-config-targeted || \
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) conf)
+ cp debian/modules.conf.targeted \
+ $(SRCTOP)/debian/build-$(package)/policy/modules.conf
+ echo done > debian/stamp-config-targeted
+STAMPS_TO_CLEAN += debian/stamp-config-targeted
+DIRS_TO_CLEAN += debian/build-selinux-policy-refpolicy-targeted
+
+CONFIG/selinux-policy-refpolicy-src::
+ $(REASON)
+ test -e debian/stamp-config-src || \
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-src || \
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-src || \
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-src || \
+ cp debian/build.conf.targeted $(SRCTOP)/debian/build-$(package)/build.conf
+ test -e debian/stamp-config-src || \
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=refpolicy $(OPTIONS) conf)
+ cp debian/modules.conf.* $(SRCTOP)/debian/build-$(package)/policy/
+ cp debian/build.conf.targeted $(SRCTOP)/debian/build-$(package)/policy/
+ echo done > debian/stamp-config-src
+STAMPS_TO_CLEAN += debian/stamp-config-src
+DIRS_TO_CLEAN += debian/build-selinux-policy-refpolicy-src
+
+CONFIG/selinux-policy-refpolicy-dev::
+ $(REASON)
+ test -e debian/stamp-config-dev || \
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-dev || \
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ echo done > debian/stamp-config-dev
+STAMPS_TO_CLEAN += debian/stamp-config-dev
+DIRS_TO_CLEAN += debian/build-selinux-policy-refpolicy-dev
+
+CONFIG/selinux-policy-refpolicy-doc::
+ $(REASON)
+ test -e debian/stamp-config-doc || \
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-doc || \
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-doc || \
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-doc || \
+ cp debian/build.conf.targeted $(SRCTOP)/debian/build-$(package)/build.conf
+ test -e debian/stamp-config-doc || \
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=refpolicy $(OPTIONS) conf )
+ echo done > debian/stamp-config-doc
+STAMPS_TO_CLEAN += debian/stamp-config-doc
+DIRS_TO_CLEAN += debian/build-selinux-policy-refpolicy-doc
+
+BUILD-common::
+ perl -wc debian/postinst.policy
+
+build/selinux-policy-refpolicy-strict:
+ $(REASON)
+ test -e debian/stamp-build-strict || \
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) policy all)
+ echo done > debian/stamp-build-strict
+STAMPS_TO_CLEAN += debian/stamp-build-strict
+
+build/selinux-policy-refpolicy-targeted:
+ $(REASON)
+ test -e debian/stamp-build-targeted || \
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) policy all)
+ echo done > debian/stamp-build-targeted
+STAMPS_TO_CLEAN += debian/stamp-build-targeted
+
+build/selinux-policy-refpolicy-src:
+ $(REASON)
+
+build/selinux-policy-refpolicy-dev:
+ $(REASON)
+
+build/selinux-policy-refpolicy-doc:
+ $(REASON)
+
+
+install/selinux-policy-refpolicy-strict:
+ $(REASON)
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)/
+ $(make_directory) $(TMPTOP)/etc/selinux/refpolicy-strict/modules/active
+ $(make_directory) $(TMPTOP)/etc/selinux/refpolicy-strict/policy
+ test -f $(TMPTOP)/etc/selinux/refpolicy-strict/modules/active/file_contexts.local || \
+ touch $(TMPTOP)/etc/selinux/refpolicy-strict/modules/active/file_contexts.local
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) \
+ DESTDIR=$(TMPTOP) install install-headers \
+ $(TMPTOP)/etc/selinux/refpolicy-strict/users/local.users \
+ $(TMPTOP)/etc/selinux/refpolicy-strict/users/system.users)
+ for module in $(NON_MODULES); do \
+ test ! -f $(TMPTOP)/usr/share/selinux/refpolicy-strict/$$module.pp || \
+ rm -f $(TMPTOP)/usr/share/selinux/refpolicy-strict/$$module.pp; \
+ done
+ $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/refpolicy-strict/
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) debian/NEWS.Debian $(DOCDIR)/NEWS.Debian
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+DIRS_TO_CLEAN += debian/selinux-policy-refpolicy-strict
+
+install/selinux-policy-refpolicy-targeted:
+ $(REASON)
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)/
+ $(make_directory) $(TMPTOP)/etc/selinux/refpolicy-targeted/modules/active
+ $(make_directory) $(TMPTOP)/etc/selinux/refpolicy-targeted/policy
+ test -f $(TMPTOP)/etc/selinux/refpolicy-targeted/modules/active/file_contexts.local || \
+ touch $(TMPTOP)/etc/selinux/refpolicy-targeted/modules/active/file_contexts.local
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) \
+ DESTDIR=$(TMPTOP) install install-headers \
+ $(TMPTOP)/etc/selinux/refpolicy-targeted/users/local.users \
+ $(TMPTOP)/etc/selinux/refpolicy-targeted/users/system.users)
+ for module in $(NON_MODULES); do \
+ test ! -f $(TMPTOP)/usr/share/selinux/refpolicy-targeted/$$module.pp || \
+ rm -f $(TMPTOP)/usr/share/selinux/refpolicy-targeted/$$module.pp; \
+ done
+ rm -f $(TMPTOP)/usr/share/selinux/refpolicy-targeted/unconfined.pp
+ $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/refpolicy-targeted/
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+DIRS_TO_CLEAN += debian/selinux-policy-refpolicy-targeted
+
+install/selinux-policy-refpolicy-src:
+ $(REASON)
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)
+ $(make_directory) $(TMPTOP)/usr/src
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=refpolicy $(OPTIONS) DESTDIR=$(TMPTOP) bare conf install-src; )
+ find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf
+ test ! -e $(TMPTOP)/etc/selinux/refpolicy/src/policy/COPYING || \
+ rm -f $(TMPTOP)/etc/selinux/refpolicy/src/policy/COPYING
+ rm -rf $(TMPTOP)/etc/selinux/refpolicy/src/policy/man
+ (cd $(TMPTOP)/etc/selinux/refpolicy/src/policy; \
+ if test -f modules.conf; then \
+ mv modules.conf modules.conf.dist; \
+ fi; \
+ ln -sf modules.conf.strict modules.conf)
+ $(install_file) policy/rolemap \
+ $(TMPTOP)/etc/selinux/refpolicy/src/policy/
+ $(install_file) debian/build.conf.targeted \
+ $(TMPTOP)/etc/selinux/refpolicy/src/policy/build.conf
+ $(install_file) debian/global_booleans.xml \
+ $(TMPTOP)/etc/selinux/refpolicy/src/policy/
+ $(install_file) debian/global_tunables.xml \
+ $(TMPTOP)/etc/selinux/refpolicy/src/policy/
+ $(install_file) debian/Makefile.src \
+ $(TMPTOP)/etc/selinux/refpolicy/src/policy/
+ (cd $(TMPTOP)/etc/selinux/refpolicy/src/; mv policy $(package); \
+ mv support $(package)/; \
+ tar zfc $(TMPTOP)/usr/src/$(package).tar.gz $(package))
+ rm -rf $(TMPTOP)/etc
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+DIRS_TO_CLEAN += debian/selinux-policy-refpolicy-src
+
+install/selinux-policy-refpolicy-dev: install/selinux-policy-refpolicy-strict install/selinux-policy-refpolicy-targeted
+ $(REASON)
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)/examples
+ $(make_directory) $(MAN1DIR)
+ $(make_directory) $(TMPTOP)/usr/bin
+ $(make_directory) $(TMPTOP)/usr/share/selinux/refpolicy-strict/include
+ $(make_directory) $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include
+ find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf
+ (cd $(SRCTOP)/debian/selinux-policy-refpolicy-strict/usr/share/selinux/refpolicy-strict; \
+ tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-strict; umask 000; \
+ tar xpsf -))
+ (cd $(SRCTOP)/debian/selinux-policy-refpolicy-targeted/usr/share/selinux/refpolicy-targeted; \
+ tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-targeted; umask 000; \
+ tar xpsf -))
+ rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-strict/usr/share/selinux/refpolicy-strict/include
+ rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-targeted/usr/share/selinux/refpolicy-targeted/include
+ $(install_file) policy/rolemap \
+ $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support
+ $(install_file) debian/global_booleans.xml \
+ $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support
+ $(install_file) debian/global_tunables.xml \
+ $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support
+ $(install_file) debian/build.conf.targeted \
+ $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/build.conf
+ $(install_file) policy/rolemap \
+ $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support
+ $(install_file) debian/global_booleans.xml \
+ $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support
+ $(install_file) debian/global_tunables.xml \
+ $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support
+ $(install_file) debian/build.conf.strict \
+ $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/build.conf
+ chmod +x $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support/segenxml.py
+ chmod +x $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support/segenxml.py
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+ $(install_file) debian/example.fc $(DOCDIR)/examples/
+ $(install_file) debian/example.if $(DOCDIR)/examples/
+ $(install_file) debian/example.te $(DOCDIR)/examples/
+ $(install_file) debian/example.mk $(DOCDIR)/examples/Makefile
+ $(install_program) debian/policygentool $(TMPTOP)/usr/bin
+ $(install_file) debian/policygentool.1 $(MAN1DIR)
+ gzip -9fqr $(MAN1DIR)
+DIRS_TO_CLEAN += debian/selinux-policy-refpolicy-dev
+
+install/selinux-policy-refpolicy-doc:
+ $(REASON)
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)
+ $(make_directory) $(DOCBASEDIR)
+ $(make_directory) $(MAN8DIR)
+ cp -a man/man8/*.8 $(MAN8DIR)
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ $(install_file) debian/docentry $(DOCBASEDIR)/$(package)
+ gzip -9fqr $(MANDIR)
+ gzip -9fqr $(DOCDIR)
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=refpolicy $(OPTIONS) DESTDIR=$(TMPTOP) \
+ PKGNAME=selinux-policy-refpolicy-doc conf html install-docs;)
+ gzip -9fq $(DOCDIR)/example.if $(DOCDIR)/example.fc $(DOCDIR)/Makefile.example
+ $(install_file) debian/copyright $(DOCDIR)/
+ $(install_file) debian/docentry $(DOCBASEDIR)/$(package)
+DIRS_TO_CLEAN += debian/selinux-policy-refpolicy-doc
+
+binary/selinux-policy-refpolicy-strict:
+ $(REASON)
+ $(checkdir)
+ $(make_directory) $(TMPTOP)/DEBIAN
+ (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+ sed -e 's/=T/strict/g' debian/postinst.policy > $(TMPTOP)/DEBIAN/postinst
+ chmod 755 $(TMPTOP)/DEBIAN/postinst
+ $(install_program) debian/strict.postrm $(TMPTOP)/DEBIAN/postrm
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+
+binary/selinux-policy-refpolicy-targeted:
+ $(REASON)
+ $(checkdir)
+ $(make_directory) $(TMPTOP)/DEBIAN
+ (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+ sed -e 's/=T/targeted/g' debian/postinst.policy >$(TMPTOP)/DEBIAN/postinst
+ chmod 755 $(TMPTOP)/DEBIAN/postinst
+ $(install_program) debian/targeted.postrm $(TMPTOP)/DEBIAN/postrm
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+
+binary/selinux-policy-refpolicy-src:
+ $(REASON)
+ $(checkdir)
+ $(make_directory) $(TMPTOP)/DEBIAN
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+
+binary/selinux-policy-refpolicy-dev:
+ $(REASON)
+ $(checkdir)
+ $(make_directory) $(TMPTOP)/DEBIAN
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+
+binary/selinux-policy-refpolicy-doc:
+ $(REASON)
+ $(checkdir)
+ $(make_directory) $(TMPTOP)/DEBIAN
+ (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+ $(install_program) debian/doc.postinst $(TMPTOP)/DEBIAN/postinst
+ $(install_program) debian/doc.prerm $(TMPTOP)/DEBIAN/prerm
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+
+
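Review bot: Every `rm -rf $(TMPTOP)` in the CLEAN/* and install/* recipes collapses to `rm -rf $(SRCTOP)/debian/` when `package` is empty, because local-vars.mk defines `TMPTOP = $(SRCTOP)/debian/$(package)` and `package` is not set anywhere in this file (presumably it is a target-specific variable from the shared rules). A recipe-time guard as the first line of those recipes, `$(if $(strip $(package)),,$(error package is unset))`, closes that hole; a parse-time `ifeq` would not see a target-specific value. The CLEAN recipe also runs `make bare` instead of `$(MAKE) bare`, so it is the one recursive invocation here that does not inherit the jobserver and `-n` handling. Its rule header names `CLEAN/selinux-policy-refpolicy-src` twice and has no `-dev` or `-doc` entry, which reads like a copy-paste slip; confirm whether those packages' build directories are meant to be cleaned by this rule.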
--- refpolicy-0.0.20070507.orig/debian/local-vars.mk
+++ refpolicy-0.0.20070507/debian/local-vars.mk
@@ -0,0 +1,68 @@
+############################ -*- Mode: Makefile -*- ###########################
+## local-vars.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 10:43:00 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sun Aug 20 21:57:04 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 14
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: 1a76a87e-7af5-424a-a30d-61660c8f243e
+##
+###############################################################################
+
+FILES_TO_CLEAN = debian/files
+STAMPS_TO_CLEAN =
+DIRS_TO_CLEAN = $(TMPTOP)
+
+# Location of the source dir
+SRCTOP := $(shell if [ "$$PWD" != "" ]; then echo $$PWD; else pwd; fi)
+TMPTOP = $(SRCTOP)/debian/$(package)
+LINTIANDIR = $(TMPTOP)/usr/share/lintian/overrides
+DOCBASEDIR = $(TMPTOP)/usr/share/doc-base
+
+BINDIR = $(TMPTOP)$(PREFIX)/bin
+LIBDIR = $(TMPTOP)$(PREFIX)/lib
+# Man Pages
+MANDIR = $(TMPTOP)/usr/share/man
+MAN1DIR = $(MANDIR)/man1
+MAN3DIR = $(MANDIR)/man3
+MAN5DIR = $(MANDIR)/man5
+MAN7DIR = $(MANDIR)/man7
+MAN8DIR = $(MANDIR)/man8
+
+INFODIR = $(TMPTOP)/usr/share/info
+DOCTOP = $(TMPTOP)/usr/share/doc
+DOCDIR = $(DOCTOP)/$(package)
+MENUDIR = $(TMPTOP)/usr/lib/menu/
+
+OPTIONS=DISTRO=debian DIRECT_INITRC=y MONOLITHIC=n
+
+PYDEFAULT =$(strip $(shell pyversions -vd))
+MODULES_DIR=$(TMPTOP)/usr/share/python-support/$(package)
+
+# set this to -mcs, -mls, or -mcs-mls
+MCS_MLS_TYPE=-mcs
+
+# Things we have put into the base for Debian systems.
+# egrep base debian/modules.conf.targeted | grep -v '#' | \
+# sort | sed -e 's/=.*$//g'
+NON_MODULES=apt authlogin bootloader clock corecommands corenetwork \
+ cron devices dmesg domain dpkg files filesystem fstools \
+ getty hostname init iptables kernel libraries locallogin \
+ logging logrotate mcs miscfiles mls modutils mount mta \
+ selinux selinuxutil storage su sudo sysnetwork terminal \
+ userdomain userhelper usermanage
+
+define checkdir
+ @test -f debian/rules -a -f policy/modules/kernel/kernel.fc || \
+ (echo Not in correct source directory; exit 1)
+endef
+
+define checkroot
+ @test $$(id -u) = 0 || (echo need root priviledges; exit 1)
+endef
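Review bot: `PYDEFAULT =$(strip $(shell pyversions -vd))` uses recursive assignment with `$(shell …)`, so `pyversions` is forked again on every expansion of `PYDEFAULT`; it should be `PYDEFAULT := $(strip $(shell pyversions -vd))`. The `SRCTOP` line spawns a shell to read `$PWD` (which can be stale or an unresolved symlink path inherited from the environment) when `SRCTOP := $(CURDIR)` gives the same absolute directory without trusting the environment. Since `DIRS_TO_CLEAN = $(TMPTOP)` and `TMPTOP` ends in `$(package)`, an empty `package` makes that clean list point at `debian/` itself; a comment on `TMPTOP` such as `# package must be non-empty here — rm -rf of this path otherwise removes debian/` would warn the next maintainer. The message in `checkroot` also misspells "privileges".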
--- refpolicy-0.0.20070507.orig/debian/global_tunables.xml
+++ refpolicy-0.0.20070507/debian/global_tunables.xml
@@ -0,0 +1,583 @@
+
+
+
+Allow cvs daemon to read shadow
+
+
+
+
+
+
+Allow zebra daemon to write it configuration files
+
+
+
+
+
+
+Allow making the heap executable.
+
+
+
+
+
+
+Allow making anonymous memory executable, e.g.
+for runtime-code generation or executable stack.
+
+
+
+
+
+
+Allow making a modified private file
+mapping executable (text relocation).
+
+
+
+
+
+
+Allow making the stack executable via mprotect.
+Also requires allow_execmem.
+
+
+
+
+
+
+Allow ftp servers to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow ftp servers to use cifs
+used for public file transfer services.
+
+
+
+
+
+
+Allow ftp servers to use nfs
+used for public file transfer services.
+
+
+
+
+
+
+Allow gssd to read temp directory.
+
+
+
+
+
+
+Allow Apache to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow Apache to use mod_auth_pam
+
+
+
+
+
+
+Allow java executable stack
+
+
+
+
+
+
+Allow system to run with kerberos
+
+
+
+
+
+
+Allow nfs servers to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow rsync to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow sasl to read shadow
+
+
+
+
+
+
+Allow samba to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow system to run with NIS
+
+
+
+
+
+
+Enable extra rules in the cron domain
+to support fcron.
+
+
+
+
+
+
+Allow ftp to read and write files in the user home directories
+
+
+
+
+
+
+Allow ftpd to run directly without inetd
+
+
+
+
+
+
+Enable reading of urandom for all domains.
+
+
+This should be enabled when all programs
+are compiled with ProPolice/SSP
+stack smashing protection. All domains will
+be allowed to read from /dev/urandom.
+
+
+
+
+
+
+Allow httpd to use built in scripting (usually php)
+
+
+
+
+
+
+Allow http daemon to tcp connect
+
+
+
+
+
+
+Allow httpd to connect to mysql/posgresql
+
+
+
+
+
+
+Allow httpd to act as a relay
+
+
+
+
+
+
+Allow httpd cgi support
+
+
+
+
+
+
+Allow httpd to act as a FTP server by
+listening on the ftp port.
+
+
+
+
+
+
+Allow httpd to read home directories
+
+
+
+
+
+
+Run SSI execs in system CGI script domain.
+
+
+
+
+
+
+Allow http daemon to communicate with the TTY
+
+
+
+
+
+
+Run CGI in the main httpd domain
+
+
+
+
+
+
+Allow BIND to write the master zone files.
+Generally this is used for dynamic DNS.
+
+
+
+
+
+
+Allow nfs to be exported read/write.
+
+
+
+
+
+
+Allow nfs to be exported read only
+
+
+
+
+
+
+Allow pppd to load kernel modules for certain modems
+
+
+
+
+
+
+Allow reading of default_t files.
+
+
+
+
+
+
+Allow samba to export user home directories.
+
+
+
+
+
+
+Allow samba to export NFS volumes.
+
+
+
+
+
+
+Allow squid to connect to all ports, not just
+HTTP, FTP, and Gopher ports.
+
+
+
+
+
+
+Configure stunnel to be a standalone daemon or
+inetd service.
+
+
+
+
+
+
+Support NFS home directories
+
+
+
+
+
+
+Support SAMBA home directories
+
+
+
+
+
+
+Control users use of ping and traceroute
+
+
+
+
+
+
+Allow gpg executable stack
+
+
+
+
+
+
+Allow mplayer executable stack
+
+
+
+
+
+
+Allow sysadm to ptrace all processes
+
+
+
+
+
+
+allow host key based authentication
+
+
+
+
+
+
+Allow users to connect to mysql
+
+
+
+
+
+
+Allows clients to write to the X server shared
+memory segments.
+
+
+
+
+
+
+Allow cdrecord to read various content.
+nfs, samba, removable devices, user temp
+and untrusted content files
+
+
+
+
+
+
+Allow system cron jobs to relabel filesystem
+for restoring file contexts.
+
+
+
+
+
+
+force to games to run in user_t
+mapping executable (text relocation).
+
+
+
+
+
+
+Disable transitions to evolution domains.
+
+
+
+
+
+
+Disable transitions to user mozilla domains
+
+
+
+
+
+
+Disable transitions to user thunderbird domains
+
+
+
+
+
+
+Allow email client to various content.
+nfs, samba, removable devices, user temp
+and untrusted content files
+
+
+
+
+
+
+Control mozilla content access
+
+
+
+
+
+
+Allow pppd to be run for a regular user
+
+
+
+
+
+
+Allow applications to read untrusted content
+If this is disallowed, Internet content has
+to be manually relabeled for read access to be granted
+
+
+
+
+
+
+Allow ssh to run from inetd instead of as a daemon.
+
+
+
+
+
+
+Allow user spamassassin clients to use the network.
+
+
+
+
+
+
+Allow ssh logins as sysadm_r:sysadm_t
+
+
+
+
+
+
+Allow staff_r users to search the sysadm home
+dir and read files (such as ~/.bashrc)
+
+
+
+
+
+
+Allow regular users direct mouse access
+
+
+
+
+
+
+Allow users to read system messages.
+
+
+
+
+
+
+Allow users to control network interfaces
+(also needs USERCTL=true)
+
+
+
+
+
+
+Allow user to r/w files on filesystems
+that do not have extended attributes (FAT, CDROM, FLOPPY)
+
+
+
+
+
+
+Allow users to run TCP servers (bind to ports and accept connection from
+the same domain and outside users) disabling this forces FTP passive mode
+and may change other protocols.
+
+
+
+
+
+
+Allow w to display everyone
+
+
+
+
+
+
+Allow applications to write untrusted content
+If this is disallowed, no Internet content
+will be stored.
+
+
+
+
+
+
+Allow xdm logins as sysadm
+
+
+
+
+
+
+Allow all daemons the ability to use unallocated ttys
+
+
+
+
+
+
+Allow mount to mount any file
+
+
+
+
+
+
+Allow spammd to read/write user home directories.
+
+
+
+
+
+
+Allow httpd cgi support
+
+
+
+
+
+
+Allow unconfined to dyntrans to unconfined_execmem
+
+
+
--- refpolicy-0.0.20070507.orig/debian/doc.prerm
+++ refpolicy-0.0.20070507/debian/doc.prerm
@@ -0,0 +1,125 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# prerm ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 12:16:39 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Fri May 12 02:30:40 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 10
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: a4c1a888-137d-4800-98f8-93d0365422d8
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#
+
+# Abort if any command returns an error value
+set -e
+
+package_name=selinux-policy-refpolicy-doc
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+
+# This script is called as the first step in removing the package from
+# the system. This includes cases where the user explicitly asked for
+# the package to be removed, upgrade, automatic removal due to conflicts,
+# and deconfiguration due to temporary removal of a depended-on package.
+
+# Info files should be uninstalled from the dir file in any case.
+# install-info --quiet --remove /usr/info/${package_name}
+
+case "$1" in
+ remove)
+ # This package about to be removed.
+ :
+
+ # Remove package-specific directories from /usr/local. Don't try
+ # to remove standard directories such as /usr/local/lib.
+ ##: if test -d /usr/local/lib/${package_name}; then
+ ##: rmdir /usr/local/lib/${package_name} || true
+ ##: fi
+
+ # Deactivate menu-methods script.
+ ##: chmod a-x /etc/menu-methods/${package_name}
+
+ # Withdraw our version of a program.
+ ##: update-alternatives --remove program /usr/bin/alternative
+
+ # Get rid of the installed docs
+ if which install-docs >/dev/null 2>&1; then
+ install-docs -r $package_name
+ fi
+
+ # Get rid of the byte compiled files
+ ##: if [ -x /usr/lib/emacsen-common/emacs-package-remove ]; then
+ ##: /usr/lib/emacsen-common/emacs-package-remove $package_name
+ ##: fi
+
+ # There are two sub-cases:
+ if test "${2+set}" = set; then
+ if test "$2" != in-favour; then
+ echo "$0: undocumented call to \`prerm $*'" 1>&2
+ exit 0
+ fi
+ # We are being removed because of a conflict with package $3
+ # (version $4), which is now being installed.
+ :
+
+ else
+ # The package is being removed in its own right.
+ :
+
+ fi ;;
+ deconfigure)
+ if test "$2" != in-favour || test "$5" != removing; then
+ echo "$0: undocumented call to \`prerm $*'" 1>&2
+ exit 0
+ fi
+ # Package $6 (version $7) which we depend on is being removed due
+ # to a conflict with package $3 (version $4), and this package is
+ # being deconfigured until $6 can be reinstalled.
+ :
+
+ ;;
+ upgrade)
+ # Prepare to upgrade FROM THIS VERSION of this package to version $2.
+ :
+
+ if [ -L /usr/doc/$package_name ]; then
+ rm -f /usr/doc/$package_name
+ fi
+
+ ;;
+ failed-upgrade)
+ # Prepare to upgrade from version $2 of this package TO THIS VERSION.
+ # This is only used if the old version's prerm couldn't handle it,
+ # and returned non-zero. (Fix old prerm bugs here.)
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
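Review bot: The `print >&2 "Internal Error. Please report a bug."` line in the `package_name` check is not a `/bin/sh` command (`print` is a ksh/zsh builtin), so under `set -e` the script would die with "print: not found" and status 127 instead of printing the message and exiting 1; use `echo "Internal Error. Please report a bug." >&2` or `printf '%s\n' … >&2`. The branch is unreachable today because `package_name` is hard-coded, but it is the only path that reports a failure and should at least be valid sh. `which install-docs` on the remove path would be more portable as `command -v install-docs >/dev/null 2>&1`.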
--- refpolicy-0.0.20070507.orig/debian/README.Debian
+++ refpolicy-0.0.20070507/debian/README.Debian
@@ -0,0 +1,8 @@
+It would be useful for most users to be familiar with policycoreutils
+tools in order to manipulate policies installed on the
+system. Specifically, it is useful to be familiar with:
+ semodule(8) - Manage SELinux policy modules.
+ load_policy(8) - load a new policy into the kernel
+
+
+ -- Manoj Srivastava , Tue, 9 May 2006 14:07:31 -0500
--- refpolicy-0.0.20070507.orig/debian/changelog
+++ refpolicy-0.0.20070507/debian/changelog
@@ -0,0 +1,441 @@
+refpolicy (0.0.20070507-3) unstable; urgency=low
+
+ * Add hostfs as a recognized remote file-system. This should allow a
+ UML virtual machine to function in a fully enforcing mode.
+
+ -- Manoj Srivastava Wed, 9 May 2007 15:48:26 -0500
+
+refpolicy (0.0.20070507-2) unstable; urgency=medium
+
+ * Keep track of modules that are really built into the base policy in
+ Debian. We then use this list to remove the modules .pp files from
+ the policy shipped, since they can not be installed along with the
+ base policy anyway. Make sure we don't add such modules hen
+ considering module dependencies either.
+ * Added Module ricci to modules.conf for both strict and targeted.
+
+ -- Manoj Srivastava Mon, 7 May 2007 09:07:36 -0500
+
+refpolicy (0.0.20070507-1) unstable; urgency=low
+
+ * New upstream SVN HEAD.
+ - Miscellaneous consolekit fixes from Dan Walsh.
+ - Patch to have avahi use the nsswitch interface rather than individual
+ permissions from Dan Walsh.
+ - Patch to dontaudit logrotate searching avahi pid directory from Dan
+ Walsh.
+ - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t
+ pipes to handle usage from userhelper from Dan Walsh.
+ - Patch to allow amavis to read spamassassin libraries from Dan Walsh.
+ - Patch to allow slocate to getattr other filesystems and directories
+ on those filesystems from Dan Walsh.
+ - Fixes for RHEL4 from the CLIP project.
+ - Replace the old lrrd fc entries with munin ones.
+ - Move program admin template usage out of
+ userdom_admin_user_template() to sysadm policy in userdomain.te to
+ fix usage of the template for third parties.
+ - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
+ template instead of an interface.
+ - Added modules: rwho (Nalin Dahyabhai)
+ * Updated dependencies, since this refpolicy needs newer toolchain,
+
+ -- Manoj Srivastava Mon, 7 May 2007 01:47:44 -0500
+
+refpolicy (0.0.20070417-1) unstable; urgency=low
+
+ * New upstream release.
+ * Added XS-VCS-Arch and XS-VCS-Browse to debian/control, and updated
+ build dependencies.
+ * Bug fix: "selinux-policy-refpolicy-targeted: need file_contexts for
+ gcj-dbtool-4.1 and /var/log/account", thanks to Russell Coker
+ (Closes: #416910).
+
+ -- Manoj Srivastava Thu, 19 Apr 2007 02:28:29 -0500
+
+refpolicy (0.0.20061018-5) unstable; urgency=high
+
+ * Add policy for log and lock files for aptitude. This is needed for
+ proper function; so one does not need to go into permissive mode to
+ run aptitude. Stolen from Erich. This is a low risk change.
+ * Debian puts grub in /usr/sbin/grub. Reflect that in the initial file
+ context.
+ * Debian creates /dev/xconsole independently of whether or not a xserver
+ has been installed or not. So move the policy related to /dev/sconsole
+ out of the xserver policy, and into places where relevant (init.te,
+ logging.fc), to reflect the status that /dev/console is present
+ anyway.
+ * Add support for /etc/network/run and /dev/shm/network, which seem to
+ be Debian specific as well.
+ * Allow udev to manage configuration files.
+
+ -- Manoj Srivastava Fri, 9 Mar 2007 00:22:19 -0600
+
+refpolicy (0.0.20061018-4) unstable; urgency=low
+
+ * Bug fix: "selinux-policy-refpolicy-targeted: does not suggest a way to
+ fix the 'maybe failing' attempt in postinst", thanks to Eddy Petrisor.
+ While this does not belong in the postinst, I have addedthis to the
+ README.Debian file. This should be a low risk change. (Closes: #407691).
+ * Bug fix: "Default build.conf doesn't match default strict/targeted
+ policy", thanks to Stefan.The build.conf included in the reference
+ source policy describe to build a policy of the type "strict". The
+ default binary policies coming with Debian are build with the policy
+ type "strict-mcs" or "targeted-mcs". Change the build.conf shipped in
+ source to conform to what we really use. (changes TYPE=strict to
+ TYPE=strict-mcs, very low risk change. (Closes: #411256).
+ * Bug fix: "selinux-policy-refpolicy-targeted: openvpn policy do not
+ allow tcp connection mode", thanks to Rafal Kupka. This bug really
+ should be at least important, and we should fully support a class of
+ security product like OpenVPN on machines which are running SELinux,
+ and this is a very low risk change. (Closes: #409041).
+ * Install header files required for policy building for both strict and
+ targeted policies in a new -dev package, so it becomes really useful
+ to work with the source package. Moved the examples from the -src
+ package to this new -dev package, since the example is only useful in
+ with the headers provided. This is a new package, but it contains only
+ files already in the sources (No upstream changes at all), and is the
+ result of make install-headers. This new package has no rdepends, and
+ should be a very low risk addition to Debian.
+ * This release should be a whole lot better for building local policies,
+ including the policygentool for creating a new policy from scratch,
+ and ability to build local policy modular packages. The build.conf
+ files have been cleaned up, and the source policy defaults to targeted
+ policy, which is standard in Debian, as opposed to the strict policy,
+ which has priority optional.
+
+ -- Manoj Srivastava Mon, 26 Feb 2007 22:37:17 -0600
+
+refpolicy (0.0.20061018-3) unstable; urgency=high
+
+ * Bug fix: "refpolicy: FTBFS: /bin/sh: debian/stamp/config-strict: No
+ such file or directory", thanks to Lucas Nussbaum. This was fixed by
+ moving all the stamps into ./debian instead. I'll re-visit the
+ ./debian/stamp/ directory in lenny. This is a pretty minor packaging
+ change. (Closes: #405613).
+ * Bug fix: "selinux-policy-refpolicy-targeted: Policy for dcc misses
+ Debian's FHS paths", thanks to Devin Carraway. From the bug report:
+ Many of the files in these packages are overlooked when labelling
+ files, because refpolicy's dcc module stipulates paths not consistent
+ with the Debian FHS layout. The files go unlabelled and dcc-client
+ (at least) stops working. The two major problems are the references
+ to /usr/libexec/dcc (damons, placed in /usr/sbin by the Debian
+ packages) and to /var/dcc (all sorts of things, placed under
+ /var/lib/dcc). A side effect of the latter is that dccifd_t and
+ probably others need search on var_lib_t, through which it must pass
+ to get to /var/lib/dcc. Fixed the policy; will send upstream.
+ (Closes: #404309).
+ * Bug fix: "selinux-policy-refpolicy-targeted: clamav policy forbids
+ clamd_t search on /var/lib", thanks to Devin Carraway. This is a
+ simple one line change, and obviously an oversight; I think getting
+ clamd to work is fairly important. (Closes: #404895).
+ * Bug fix: "selinux-policy-refpolicy-targeted: Multiple problems with
+ courier policy", thanks to Devin Carraway. There is detailed
+ information of the changes made in the bug report, and in the commit
+ logs. Again, fixing courier daemons seems pretty important; SELinux
+ tends to get used a lot on remote mail servers, and this fixes issues
+ with the policy. (Closes: #405103).
+
+ -- Manoj Srivastava Mon, 15 Jan 2007 13:20:30 -0600
+
+refpolicy (0.0.20061018-2) unstable; urgency=high
+
+ * The This update enables MCS for targeted and strict, uses 1024
+ categories (as Fedora uses - necessary for compatability). Please note
+ that enabling MCS categories is required for compatibility with
+ filesystems created on Fedora Core 5 and above, RHEL 5 and above, and
+ CentOS 5 and above. MCS categories is also a feature that we plan for
+ all future releases of SE Linux and does not have a nice upgrade path
+ - releasing etch without MCS will make things painful for SE Linux
+ users on the upgrade to lenny. This feature has been extensively
+ tested by Russel Coker and myself, and does not otherwise impact the
+ install.
+ * Allow semanage to use the initrd file descriptor in targeted policy.
+ * Fix a bug with restorecon.
+ * Bug fix: "refpolicy: qemu should have execmem permissions", thanks to
+ David Härdeman (Closes: #402293).
+
+ -- Manoj Srivastava Fri, 22 Dec 2006 10:33:22 -0600
+
+refpolicy (0.0.20061018-1) unstable; urgency=low
+
+ * New upstream release
+ * Updated copyright file with the new location of the sources, and added
+ a watch file.
+ * Bug fix: "selinux-policy-refpolicy-targeted: postinst package list
+ retrieval suggestion", thanks to Alexander Buerger. Thanks to the
+ provided suggestion, the selection of policy modules to install is not
+ only faster, it is actually correct :) (Closes: #388744).
+ * Bug fix: "Makefile for building policy modules?", thanks to Uwe
+ Hermann. Provided an intial version, may have bugs. (Closes: #389116).
+
+ -- Manoj Srivastava Tue, 24 Oct 2006 14:31:22 -0500
+
+refpolicy (0.0.20060911-2) unstable; urgency=low
+
+ * Fixed a typo in policy postinst that made all the policies reload at
+ every update.
+
+ -- Manoj Srivastava Tue, 12 Sep 2006 10:28:11 -0500
+
+refpolicy (0.0.20060911-1) unstable; urgency=low
+
+ * New upstream SCM HEAD.
+ * Synched with Erich Schubert
+ + Added first draft of python-support. You'll want to relabel these files.
+ + Build python-support and setroubleshoot modules
+ + Removed modules from guessing hintfile that are included in base.
+
+ * Bug fix: "Defaults should match the strict/targeted policy", thanks to
+ Uwe Hermann. Makde them match strict. (Closes: #386931).
+ * Bug fix: "selinux-policy-refpolicy-src: Duplicate entries in policy
+ files", thanks to Simon Richard Grint (Closes: #386909).
+ * Bug fix: "modules.conf vs. modules.conf.dist", thanks to Uwe Hermann
+ (Closes: #386887).
+ * Bug fix: "OUTPUT_POLICY and policy-version comments", thanks to Uwe
+ Hermann (Closes: #386930).
+ * Bug fix: "s/bzip2/gzip/?", thanks to Uwe Hermann (Closes: #386885).
+ * Bug fix: "selinux-refpolicy-src: include modules.conf files of strict
+ and targeted for -src package", thanks to Erich Schubert
+ (Closes: #386573).
+
+ -- Manoj Srivastava Mon, 11 Sep 2006 17:46:10 -0500
+
+refpolicy (0.0.20060907-3) unstable; urgency=low
+
+ * Updated a few more policy modules to latest versions for Debian.
+
+ -- Manoj Srivastava Fri, 8 Sep 2006 12:42:22 -0500
+
+refpolicy (0.0.20060907-2) unstable; urgency=low
+
+ * Update the module/package mapping.
+ * In the selinux-policy-refpolicy-src package, now ship the
+ modules.conf.strict and the modules.conf.targeted files which are used
+ to build the corresponding policy packages, snce the raw modules.conf
+ package has issues on Debian.
+ * With this version, we no longer ship the selinux-policy-refpolicy-src
+ unpacked into /etc with a gazillion conffiles; instead, we now ship a
+ compressed tarball in /usr/src, which the user may unpack where they
+ wish, and install policies as they wish.
+
+ -- Manoj Srivastava Fri, 8 Sep 2006 10:49:40 -0500
+
+refpolicy (0.0.20060907-1) unstable; urgency=low
+
+ * New upstream SCM HEAD.
+ * Bug fix: "selinux-policy-refpolicy-src: Compile failure of modular
+ targeted policy", thanks to Simon Richard Grint. Put a wrapper around
+ the offending lines to only take effect when running a strict policy.
+ (Closes: #384502).
+ * Bug fix: "make: /usr/sbin/setfiles: Command not found", thanks to Uwe
+ Hermann. Fixed upstream. (Closes: #384850).
+
+ -- Manoj Srivastava Fri, 8 Sep 2006 00:27:39 -0500
+
+refpolicy (0.0.20060813-2) unstable; urgency=low
+
+ * Bug fix: "Needs gawk", thanks to Simon Richard Grint
+ (Closes: #382821).
+ * Bug fix: "Move /etc/selinux/refpolicy/src/policy/man/man8/*
+ manpages?", thanks to Uwe Hermann (Closes: #372789).
+ * Fix errors in post installation initial policy creation process in the
+ postinst.
+ * Add directories required during policy build during postinst. This bug
+ prevented any policies being built when the package was initially
+ installed. Also, create an empty file_contexts.local file if it does
+ not already exist.
+ * Make selinux-policy-refpolicy-targeted provide and replace the
+ obsolete package selinux-policy-default; which should in the future be
+ just a virtual package.
+ * Added postrm packages to strict and targeted policy packages, in order
+ to clean out the directories in which files are created during policy
+ build.
+ * Rewrote the postinst in perl to allow us to do module dependency
+ checks, and to map policy modules to debian packages, in order to
+ better detect the modules that would be necessary for the target
+ machine.
+ * Also, compiling with either MCS or MLS produced errors while
+ installing policy, since we lack setrans daemon. So we are now
+ building with out them, created an easy to modify option to re-enable
+ it later.
+ * Updated modules.conf to use the latest offerings from Erich.
+
+ -- Manoj Srivastava Mon, 21 Aug 2006 14:59:52 -0500
+
+refpolicy (0.0.20060813-1) unstable; urgency=low
+
+ * New upstream SCM HEAD.
+ * Bug fix: "refpolicy: FTBFS: tmp/generated_definitions.conf:597:ERROR
+ 'syntax error' at token '' on line 3416:", thanks to Andreas Jochens
+ (Closes: #379559).
+ * Bug fix: "FTBFS while generating selinux-policy-refpolicy-strict",
+ thanks to Devin Carraway (Closes: #379376).
+ * Python transition (#2): you are building a private python module.
+ (Closes: #380930).
+
+ -- Manoj Srivastava Tue, 15 Aug 2006 09:53:06 -0500
+
+refpolicy (0.0.20060509-2) unstable; urgency=low
+
+ * Modified some paths to be more in line with upstream standards.
+
+ -- Manoj Srivastava Fri, 12 May 2006 08:30:08 -0500
+
+refpolicy (0.0.20060509-1) unstable; urgency=low
+
+ * New upstream release. First packaging for Sid.
+
+ -- Manoj Srivastava Tue, 9 May 2006 13:56:10 -0500
+
+refpolicy (20060506-1) sesarge; urgency=low
+
+ * New upstream checkout from CVS.
+ * Even more new modules.
+
+ -- Erich Schubert Sat, 6 May 2006 21:44:07 +0200
+
+refpolicy (20060418-2) sesarge; urgency=low
+
+ * New upstream checkout from CVS.
+
+ -- Erich Schubert Fri, 21 Apr 2006 19:17:05 +0200
+
+refpolicy (20060417-1) sesarge; urgency=low
+
+ * New upstream checkout from CVS.
+ * Until module linking is fixed, build everything into base.
+ (Sorry, this will result in a much larger policy than necessary.
+ Feel free to use the -src package to build your own!)
+
+ -- Erich Schubert Mon, 17 Apr 2006 21:04:49 +0200
+
+refpolicy (20060414-1) sesarge; urgency=low
+
+ * New upstream version with tons of new policy files
+
+ -- Erich Schubert Mon, 17 Apr 2006 20:48:50 +0200
+
+refpolicy (20060329-2) sesarge; urgency=low
+
+ * Merge upstream 20060329-2
+
+ -- Erich Schubert Mon, 3 Apr 2006 00:44:06 +0200
+
+refpolicy (20060324-2) sesarge; urgency=low
+
+ * Merge upstream 20060324-4
+
+ -- Erich Schubert Sat, 25 Mar 2006 03:34:36 +0100
+
+refpolicy (20060324-1) sesarge; urgency=low
+
+ * Merge upstream 20060323-2
+ * Merge changes by Thomas Bleher
+ * Build with checkpolicy 1.30.1
+ * Sorry, still doesn't work with make > 3.80
+
+ -- Erich Schubert Sat, 25 Mar 2006 02:21:00 +0100
+
+refpolicy (20060315-2) sesarge; urgency=low
+
+ * Make modular policy actually work. Hopefully.
+ (Up to now, optional_policy(`module') in base was not working upstream!)
+ * Revamp build process, don't use CDBS anymore since I didn't figure out
+ how to do two clean runs of the same source tree, and there is little
+ benefit here without any autotools or library magic needed
+
+ -- Erich Schubert Fri, 17 Mar 2006 20:51:55 +0100
+
+refpolicy (20060315-1.1) sesarge; urgency=low
+
+ * Small tweaks and bugfixes to policy
+
+ -- Erich Schubert Thu, 16 Mar 2006 23:13:40 +0100
+
+refpolicy (20060315-1) sesarge; urgency=low
+
+ * Merge with upstream and debian changes as of 20060309, rev 50
+ * Merge with upstream and debian changes as of 20060315, rev 55
+ * Added "netuser" role, similar to user_tcp_server boolean, but
+ you can enable it for single users only.
+
+ -- Erich Schubert Thu, 16 Mar 2006 00:23:54 +0100
+
+refpolicy (20060306-1) sesarge; urgency=low
+
+ * Merge with upstream and debian policy changes as of 20060306, Rev 31
+ * Try to auto-build a policy after a fresh install in postinst
+ * Add inetd module to base for now
+ * Increase policycoreutils build-dep to hopefully solve the users_extra
+ issues by using a newer policycoreutils for building...
+
+ -- Erich Schubert Mon, 6 Mar 2006 17:10:43 +0100
+
+refpolicy (20060227-1) sesarge; urgency=low
+
+ * Merge with upstream and debian policy changes as of 20060227, Rev 20
+
+ -- Erich Schubert Tue, 28 Feb 2006 03:48:48 +0100
+
+refpolicy (20060224-2) sesarge; urgency=low
+
+ * Update build process to not require a tarball, include previous
+ patches into our "branch" of the reference policy instead.
+
+ -- Erich Schubert Tue, 28 Feb 2006 03:13:51 +0100
+
+refpolicy (20060224-1) sesarge; urgency=low
+
+ * New upstream CVS checkout.
+ * Move policy src from /etc to /usr/share/selinux/refpolicy
+ This avoids an apt-get size limitation and follows Fedora.
+ * Ship edited build.conf with policy source.
+ * Use debhelper for installing documentation.
+ * Add dependency for source onto gawk.
+
+ -- Erich Schubert Sat, 25 Feb 2006 01:01:44 +0100
+
+refpolicy (20060222-1) sesarge; urgency=low
+
+ * New upstream CVS checkout.
+ * Thomas also provided a workaround for the make issues in his version.
+ * Update dpkg/apt policy to interface renamings
+ * Remove dpkg_script_exec_t, as supporting this would require bad hacks
+ to dpkg and/or tar. Use dpkg_var_lib_t instead.
+
+ -- Erich Schubert Thu, 23 Feb 2006 02:01:35 +0100
+
+refpolicy (20060217-3) sesarge; urgency=low
+
+ * Create selinux-policy-refpolicy-doc package
+ * DIRECT_INITRC=y
+
+ -- Thomas Bleher Mon, 20 Feb 2006 23:43:53 +0000
+
+refpolicy (20060217-2) sesarge; urgency=low
+
+ * Added first drafts of dpkg, apt policy
+
+ -- Erich Schubert Sat, 18 Feb 2006 03:20:59 +0100
+
+refpolicy (20060217-1) sesarge; urgency=low
+
+ * New upstream CVS checkout
+ * Document make incompaibility via build-dep
+ * Don't build some redhat specific policy modules, minor tweaks
+
+ -- Erich Schubert Tue, 14 Feb 2006 02:35:04 +0100
+
+refpolicy (20060213-1) sesarge; urgency=low
+
+ * New upstream CVS checkout.
+ * Still not really useable
+
+ -- Erich Schubert Tue, 14 Feb 2006 02:35:04 +0100
+
+refpolicy (20060117-1) sesarge; urgency=low
+
+ * Experimental release
+
+ -- Erich Schubert Mon, 13 Feb 2006 22:50:03 +0100
+
--- refpolicy-0.0.20070507.orig/debian/example.mk
+++ refpolicy-0.0.20070507/debian/example.mk
@@ -0,0 +1,26 @@
+# installation paths
+
+AWK ?= gawk
+NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
+
+MLSENABLED := $(shell cat /selinux/mls)
+ifeq ($(MLSENABLED),)
+ MLSENABLED := 1
+endif
+
+ifeq ($(MLSENABLED),1)
+ MCSFLAG=-mcs
+endif
+
+ifeq ($(NAME), mls)
+ NAME = strict
+ MCSFLAG = -mls
+endif
+
+TYPE ?= $(NAME)${MCSFLAG}
+
+# This can also be changed to /usr/share/selinux/refpolicy-strict/include
+HEADERDIR := /usr/share/selinux/refpolicy-targeted/include
+include $(HEADERDIR)/Makefile
+
+# arch-tag: 56a0db1b-e624-4696-9882-9b7147b719f9
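Review bot: `MLSENABLED := $(shell cat /selinux/mls)` emits a `cat` error on stderr at parse time whenever selinuxfs is not mounted, and the following `ifeq ($(MLSENABLED),)` fallback to `1` then makes a missing file indistinguishable from a kernel that reports MLS/MCS support. `MLSENABLED := $(shell cat /selinux/mls 2>/dev/null)` removes the noise, and the fallback deserves a comment stating the assumption, e.g. `# No selinuxfs: assume MCS-capable kernel (matches the packaged -mcs policies) -- confirm`. `NAME` is likewise left empty when /etc/selinux/config is absent or has no SELINUXTYPE line, which silently turns `TYPE` into a bare `-mcs`; a guard such as `ifeq ($(strip $(NAME)),)` / `$(error SELINUXTYPE not found in /etc/selinux/config)` / `endif` would fail fast instead. Note also that `?=` is a recursive assignment, so the awk in the `NAME` definition re-runs on every expansion of `$(NAME)`.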
--- refpolicy-0.0.20070507.orig/debian/policygentool.1
+++ refpolicy-0.0.20070507/debian/policygentool.1
@@ -0,0 +1,100 @@
+.\" -*- Mode: Nroff -*-
+.\" policygentool.1 ---
+.\" Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+.\" Created On : Mon Feb 26 20:57:11 2007
+.\" Created On Node : glaurung.internal.golden-gryphon.com
+.\" Last Modified By : Manoj Srivastava
+.\" Last Modified On : Mon Feb 26 23:18:43 2007
+.\" Last Machine Used: glaurung.internal.golden-gryphon.com
+.\" Update Count : 12
+.\" Status : Unknown, Use with caution!
+.\" HISTORY :
+.\" Description :
+.\"
+.\" Copyright (c) 20077 Manoj Srivastava
+.\"
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, write to the Free
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
+.\" USA.
+.\"
+.\" arch-tag: 8236ff3b-4ae2-4591-afa3-298e441e927c
+.\"
+.TH POLICYGENTOOL 1 "Feb 27 2007" "Debian" "Debian GNU/Linux manual"
+.SH NAME
+policygentool \- Interactive SELinux policy generation tool
+.SH SYNOPSIS
+.B policygentool
+.I [options]
+.I
+.I
+.SH DESCRIPTION
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if). Most of the policy rules
+will be written in the te file. Use the File Context file to associate file
+paths with security context. Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+.PP
+The tool prompts for locations of
+.I pidfiles,
+any
+.I logfiles,
+files in
+.I /var/lib,
+and any
+.I init scripts,
+and whether any network access is desirable for the application. The
+tool then generates the appropriate policy rules for the module.
+After these files have been generated, the make files for the
+appropriate SELinux policy, namely,
+.I /usr/share/selinux/refpolicy-targeted/include/Makefile
+or
+.I /usr/share/selinux/refpolicy-strict/include/Makefile
+can be used to compile the SELinux policy policy package. The
+resulting policy package can be loaded using
+.B semodule.
+.PP
+ # /usr/bin/policygentool myapp /usr/bin/myapp
+ # cat >Makefile
+ > HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include
+ > include $(HEADERDIR)/Makefile
+ > ^D
+ # make
+ # semodule -l myapp.pp
+ # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+ # setenforce 0
+ # /etc/init.d/myapp start
+ # audit2allow -R -i /var/log/audit/audit.log
+.SH OPTIONS
+.TP
+.B "-h, --help"
+Print a short usage message.
+.SH FILES
+.PP
+.I myapp.te,
+.I myapp.if,
+.I myapp.fc.
+.SH "SEE ALSO"
+semodule(8),
+check_policy(8),
+load_policy(8).
+.SH BUGS
+None known.
+.SH AUTHOR
+This manual page was written by Manoj Srivastava ,
+for the Debian GNU/Linux system.
--- refpolicy-0.0.20070507.orig/debian/common/perlvars.mk
+++ refpolicy-0.0.20070507/debian/common/perlvars.mk
@@ -0,0 +1,27 @@
+############################ -*- Mode: Makefile -*- ###########################
+## perlvars.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:55:47 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Dec 13 13:50:58 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 3
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: a97a01ba-d08d-404d-aa81-572717c03e6c
+##
+###############################################################################
+
+# Perl variables
+PERL = /usr/bin/perl
+
+INSTALLPRIVLIB = $(TMPTOP)/$(shell \
+ perl -e 'use Config; print "$$Config{'installprivlib'}\n";')
+INSTALLARCHLIB = $(TMPTOP)/$(shell \
+ perl -e 'use Config; print "$$Config{'installarchlib'}\n";')
+INSTALLVENDORLIB =$(TMPTOP)/$(shell \
+ perl -e 'use Config; print "$$Config{'vendorlibexp'}\n";')
+CONFIG = INSTALLDIRS=vendor
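Review bot: The three `$(shell …)` calls run bare `perl` even though `PERL = /usr/bin/perl` is defined directly above, so the interpreter that variable is meant to pin is not the one actually used; each should read `$(PERL) -e '…'`. All three are also recursive (`=`) assignments around `$(shell)`, so every reference to `$(INSTALLPRIVLIB)` and friends forks another perl; `:=` would evaluate them once, but only if `TMPTOP` is already defined at the point this file is included, which is not visible here. The nested single quotes in `'$$Config{'installprivlib'}'` close and reopen the shell string, so perl receives the bareword form `$Config{installprivlib}`; that works only by hash-subscript autoquoting, and writing `"$$Config{installprivlib}\n"` without the inner quotes says the same thing plainly.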
--- refpolicy-0.0.20070507.orig/debian/common/checklibs
+++ refpolicy-0.0.20070507/debian/common/checklibs
@@ -0,0 +1,74 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# checklibs.sh ---
+# Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+# Created On : Fri Sep 29 15:36:22 2006
+# Created On Node : glaurung.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Fri Sep 29 22:53:27 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 43
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 8ba11489-77fa-45a0-92c4-9c5b162ee119
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+# Make sure we abort on error
+set -e
+progname="$(basename \"$0\")"
+
+trap 'rm -f search_patterns.txt;' ALRM HUP INT PIPE TERM ABRT FPE BUS QUIT SEGV ILL EXIT
+
+# Find all undefined symbols in all ELF objects in this tree
+readelf -s -D -W $(find . -type f -print0 | xargs -0r file | grep " ELF" | \
+ awk '{print $1}' | sed -e 's/:$//') | grep UND | grep -v LOCAL |
+ perl -ple 's/.*\s(\S+)\s*$/\^$1\$/g' | sort -u > search_patterns.txt;
+
+# Find all the libraries needed in this tree
+objdump -T --private-headers $(find . -type f -print0 | xargs -0r file | grep " ELF" | \
+ awk '{print $1}' | sed -e 's/:$//') | grep NEEDED | sort -u | awk '{print $2}' |
+ while read lib; do
+ # For each library, see where it lives o the file system
+ LIB=
+ for library_dir in "/lib" "/usr/lib" $EXTRA_LIBRARY_PATHS; do
+ if [ -e "$library_dir/$lib" ]; then
+ LIB="$library_dir/$lib";
+ break
+ fi
+ done
+ if [ -z "$LIB" ]; then
+ echo >&2 "Can't find $lib"
+ continue
+ fi
+ # If we fond the library, find what symbols it defines, and if these symbols
+ # are some that we need
+ if readelf -s -D -W $LIB | grep -v UND | perl -ple 's/.*\s(\S+)\s*$/$1/g' | \
+ sort -u | grep -q -f search_patterns.txt ; then
+ # Library provides at least some symbols we need
+ if [ -n "$DEBUG" ]; then echo "Found $LIB"; fi
+ else
+ # Library does not provide any symbols we need
+ echo "$LIB" ;
+ fi
+done
+
+# Get rid of the intermediate file
+rm -f search_patterns.txt;
+exit 0
+
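Review bot: `progname="$(basename \"$0\")"` hands literal double-quote characters to basename (inside `$(…)` the `\"` are quoted quotes, not escapes for the outer string), so `progname` ends with a stray `"`; the intended form is `progname="$(basename "$0")"`, though the variable is never read afterwards and could simply be dropped. The two `$(find … -print0 | xargs -0r file | grep " ELF" | awk '{print $1}' | sed …)` pipelines start NUL-safe but then split `file`'s output on whitespace, so any path containing a space yields a truncated argument to readelf/objdump; `file -F` with a separator that cannot appear in paths, or a `find -exec` per file, would keep the NUL-safety end to end. A short comment on the `trap` line noting that `search_patterns.txt` is created in the current directory (and therefore assumes the script is run from the build tree) would also help the next reader.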
--- refpolicy-0.0.20070507.orig/debian/common/copt.mk
+++ refpolicy-0.0.20070507/debian/common/copt.mk
@@ -0,0 +1,34 @@
+############################ -*- Mode: Makefile -*- ###########################
+## copt.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:48:40 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Nov 15 02:49:07 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 1
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: a0045c20-f1b3-4852-9a4b-1a33ebd7c1b8
+##
+###############################################################################
+
+CC = cc
+CFLAGS = -O2
+PREFIX := /usr
+
+# Policy 10.1 says to make this the default
+CFLAGS += -g
+
+## ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+## endif
+
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ STRIP += -s
+ LDFLAGS += -s
+ INT_INSTALL_TARGET = install
+else
+ INT_INSTALL_TARGET = install
+endif
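Review bot: Both branches of `ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))` assign `INT_INSTALL_TARGET = install`, so the `else` branch adds nothing; either move that assignment above the conditional and drop the `else`, or, if a non-stripping install target was intended, name it there (the real target name is not visible in this file). `CC = cc` and `CFLAGS = -O2` are plain assignments, which override any `CC`/`CFLAGS` the caller exported in the environment; `?=` keeps the same defaults while honouring those, and the later `CFLAGS += -g` applies either way. `DEB_BUILD_OPTIONS` also carries `noopt` in Debian builds, which this file does not consult; if that is deliberate, a one-line comment saying so is better than the dead `## ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))` / `## endif` pair, which should go.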
--- refpolicy-0.0.20070507.orig/debian/common/debconf.mk
+++ refpolicy-0.0.20070507/debian/common/debconf.mk
@@ -0,0 +1,101 @@
+############################ -*- Mode: Makefile -*- ###########################
+## debconf.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+## Created On : Fri Mar 12 11:11:31 2004
+## Created On Node : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Mon Apr 11 13:19:10 2005
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 20
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : helps with using debconf
+##
+## arch-tag: 32b933a9-05ad-4c03-97a8-8644745b832a
+##
+###############################################################################
+
+# The idea behind this scheme is that the maintainer (or whoever's
+# building the package for upload to unstable) has to build on a
+# machine with po-debconf installed, but nobody else does.
+
+# When building with po-debconf, a format 1 (no encoding specifications,
+# woody-compatible) debian/templates file is generated in the clean target
+# and shipped in the source package, but a format 2 (UTF8-encoded,
+# woody-incompatible) debian/templates file is generated in binary-arch
+# for the binary package only.
+
+# When building without po-debconf, the binary package simply reuses the
+# woody-compatible debian/templates file that was produced by the clean
+# target of the maintainer's build.
+
+# Also, make sure that debian/control has ${debconf-depends} in the
+# appropriate Depends: line., and use the following in the binary
+# target:
+# dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))'
+#
+
+# WARNING!! You need to create the templates.master file before this all works.
+
+ifeq (,$(wildcard /usr/bin/po2debconf))
+ PO2DEBCONF := no
+ MINDEBCONFVER := 0.5
+else
+ PO2DEBCONF := yes
+ MINDEBCONFVER := 1.2.0
+endif
+
+
+# Hack for woody compatibility. This makes sure that the
+# debian/templates file shipped in the source package doesn't specify
+# encodings, which woody's debconf can't handle. If building on a
+# system with po-debconf installed the binary-arch target will
+# generate a better version for sarge. Only do this if there is a
+# templates.master, or else the debian/templates file can get
+# damamged.
+ifeq ($(PO2DEBCONF),yes)
+ ifeq (,$(wildcard debian/templates.master))
+define CREATE_COMPATIBLE_TEMPLATE
+ echo Not modifying templates
+endef
+ else
+define CREATE_COMPATIBLE_TEMPLATE
+ echo 1 > debian/po/output
+ po2debconf debian/templates.master > debian/templates
+ rm -f debian/po/output
+endef
+ endif
+else
+define CREATE_COMPATIBLE_TEMPLATE
+ echo Not modifying templates
+endef
+endif
+
+
+ifeq ($(PO2DEBCONF),yes)
+ ifeq (,$(wildcard debian/templates.master))
+define INSTALL_TEMPLATE
+ echo using old template
+endef
+ else
+define INSTALL_TEMPLATE
+ po2debconf debian/templates.master > debian/templates
+endef
+ endif
+else
+define INSTALL_TEMPLATE
+ echo using old template
+endef
+endif
+
+# the tool podebconf-report-po is also a great friend to have in such
+# circumstances
+define CHECKPO
+ @for i in debian/po/*.po; do \
+ if [ -f $$i ]; then \
+ echo \"Checking: $$i\"; \
+ msgmerge -U $$i debian/po/templates.pot; \
+ msgfmt -o /dev/null -c --statistics $$i; \
+ fi; \
+ done
+endef
--- refpolicy-0.0.20070507.orig/debian/common/targets.mk
+++ refpolicy-0.0.20070507/debian/common/targets.mk
@@ -0,0 +1,362 @@
+############################ -*- Mode: Makefile -*- ###########################
+## targets.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 01:10:05 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Fri Sep 15 12:58:50 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 61
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : The top level targets mandated by policy, as well as
+## their dependencies.
+##
+## arch-tag: a81086a7-00f7-4355-ac56-8f38396935f4
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+##
+###############################################################################
+
+#######################################################################
+#######################################################################
+############### Miscellaneous ###############
+#######################################################################
+#######################################################################
+source diff:
+ @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
+
+testroot:
+ @test $$(id -u) = 0 || (echo need root priviledges; exit 1)
+
+checkpo:
+ $(CHECKPO)
+
+# arch-buildpackage likes to call this
+prebuild:
+
+# OK. We have two sets of rules here, one for arch dependent packages,
+# and one for arch independent packages. We have already calculated a
+# list of each of these packages.
+
+# In each set, we may need to do things in five steps: configure,
+# build, install, package, and clean. Now, there can be a common
+# actions to be taken for all the packages, all arch dependent
+# packages, all all independent packages, and each package
+# individually at each stage.
+
+#######################################################################
+#######################################################################
+############### Configuration ###############
+#######################################################################
+#######################################################################
+
+# Work here
+CONFIG-common:: testdir
+ $(REASON)
+ $(checkdir)
+
+stamp-arch-conf: CONFIG-common
+ $(REASON)
+ $(checkdir)
+ @echo done > $@
+stamp-indep-conf: CONFIG-common
+ $(REASON)
+ $(checkdir)
+ @echo done > $@
+
+# Work here
+CONFIG-arch:: stamp-arch-conf
+ $(REASON)
+CONFIG-indep:: stamp-indep-conf
+ $(REASON)
+
+STAMPS_TO_CLEAN += stamp-arch-conf stamp-indep-conf
+# Work here
+$(patsubst %,CONFIG/%,$(DEB_ARCH_PACKAGES)) :: CONFIG/% : CONFIG-arch
+ $(REASON)
+ $(checkdir)
+$(patsubst %,CONFIG/%,$(DEB_INDEP_PACKAGES)) :: CONFIG/% : CONFIG-indep
+ $(REASON)
+ $(checkdir)
+
+stamp-configure-arch: $(patsubst %,CONFIG/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @echo done > $@
+stamp-configure-indep: $(patsubst %,CONFIG/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @echo done > $@
+
+configure-arch: stamp-configure-arch
+ $(REASON)
+configure-indep: stamp-configure-indep
+ $(REASON)
+
+stamp-configure: configure-arch configure-indep
+ $(REASON)
+ @echo done > $@
+
+configure: stamp-configure
+ $(REASON)
+
+STAMPS_TO_CLEAN += stamp-configure-arch stamp-configure-indep stamp-configure
+#######################################################################
+#######################################################################
+############### Build ###############
+#######################################################################
+#######################################################################
+
+# Work here
+BUILD-common:: testdir
+ $(REASON)
+ $(checkdir)
+
+stamp-arch-build: BUILD-common $(patsubst %,CONFIG/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ $(checkdir)
+ @echo done > $@
+stamp-indep-build: BUILD-common $(patsubst %,CONFIG/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ $(checkdir)
+ @echo done > $@
+
+STAMPS_TO_CLEAN += stamp-arch-build stamp-indep-build
+# sync. Work here
+BUILD-arch:: stamp-arch-build
+ $(REASON)
+ $(checkdir)
+BUILD-indep:: stamp-indep-build
+ $(REASON)
+ $(checkdir)
+
+# Work here
+$(patsubst %,BUILD/%,$(DEB_ARCH_PACKAGES)) :: BUILD/% : BUILD-arch
+ $(REASON)
+ $(checkdir)
+$(patsubst %,BUILD/%,$(DEB_INDEP_PACKAGES)) :: BUILD/% : BUILD-indep
+ $(REASON)
+ $(checkdir)
+
+stamp-build-arch: $(patsubst %,BUILD/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @echo done > $@
+stamp-build-indep: $(patsubst %,BUILD/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @echo done > $@
+
+build-arch: stamp-build-arch
+ $(REASON)
+build-indep: stamp-build-indep
+ $(REASON)
+
+stamp-build: build-arch build-indep
+ $(REASON)
+ @echo done > $@
+
+build: stamp-build
+ $(REASON)
+
+# Work here
+POST-BUILD-arch-stamp::
+ $(REASON)
+POST-BUILD-indep-stamp::
+ $(REASON)
+
+STAMPS_TO_CLEAN += stamp-build-arch stamp-build-indep stamp-build
+#######################################################################
+#######################################################################
+############### Install ###############
+#######################################################################
+#######################################################################
+# Work here
+INST-common:: testdir
+ $(checkdir)
+ $(REASON)
+
+stamp-arch-inst: POST-BUILD-arch-stamp INST-common $(patsubst %,BUILD/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ $(checkdir)
+ @echo done > $@
+stamp-indep-inst: POST-BUILD-indep-stamp INST-common $(patsubst %,BUILD/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ $(checkdir)
+ @echo done > $@
+
+STAMPS_TO_CLEAN += stamp-arch-inst stamp-indep-inst
+# sync. Work here
+INST-arch:: stamp-arch-inst
+ $(REASON)
+ $(checkdir)
+INST-indep:: stamp-indep-inst
+ $(REASON)
+ $(checkdir)
+
+# Work here
+$(patsubst %,INST/%,$(DEB_ARCH_PACKAGES)) :: INST/% : testroot INST-arch
+ $(REASON)
+ $(checkdir)
+$(patsubst %,INST/%,$(DEB_INDEP_PACKAGES)) :: INST/% : testroot INST-indep
+ $(REASON)
+ $(checkdir)
+
+stamp-install-arch: $(patsubst %,INST/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @echo done > $@
+stamp-install-indep: $(patsubst %,INST/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @echo done > $@
+
+install-arch: stamp-install-arch
+ $(REASON)
+install-indep: stamp-install-indep
+ $(REASON)
+
+stamp-install: install-indep install-arch
+ $(REASON)
+ @echo done > $@
+
+install: stamp-install
+ $(REASON)
+
+STAMPS_TO_CLEAN += stamp-install stamp-install-arch stamp-install-indep
+#######################################################################
+#######################################################################
+############### Package ###############
+#######################################################################
+#######################################################################
+# Work here
+BIN-common:: testdir testroot
+ $(REASON)
+ $(checkdir)
+
+stamp-arch-bin: testdir testroot BIN-common $(patsubst %,INST/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ $(checkdir)
+ @echo done > $@
+stamp-indep-bin: testdir testroot BIN-common $(patsubst %,INST/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ $(checkdir)
+ @echo done > $@
+
+STAMPS_TO_CLEAN += stamp-arch-bin stamp-indep-bin
+# sync Work here
+BIN-arch:: testroot stamp-arch-bin
+ $(REASON)
+ $(checkdir)
+BIN-indep:: testroot stamp-indep-bin
+ $(REASON)
+ $(checkdir)
+
+# Work here
+$(patsubst %,BIN/%,$(DEB_ARCH_PACKAGES)) :: BIN/% : testroot BIN-arch
+ $(REASON)
+ $(checkdir)
+$(patsubst %,BIN/%,$(DEB_INDEP_PACKAGES)) :: BIN/% : testroot BIN-indep
+ $(REASON)
+ $(checkdir)
+
+
+stamp-binary-arch: $(patsubst %,BIN/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @echo done > $@
+stamp-binary-indep: $(patsubst %,BIN/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @echo done > $@
+# required
+binary-arch: stamp-binary-arch
+ $(REASON)
+binary-indep: stamp-binary-indep
+ $(REASON)
+
+stamp-binary: binary-indep binary-arch
+ $(REASON)
+ @echo done > $@
+
+# required
+binary: stamp-binary
+ $(REASON)
+ @echo arch package = $(DEB_ARCH_PACKAGES)
+ @echo indep packages = $(DEB_INDEP_PACKAGES)
+
+STAMPS_TO_CLEAN += stamp-binary stamp-binary-arch stamp-binary-indep
+#######################################################################
+#######################################################################
+############### Clean ###############
+#######################################################################
+#######################################################################
+# Work here
+CLN-common:: testdir
+ $(REASON)
+ $(checkdir)
+# sync Work here
+CLN-arch:: CLN-common
+ $(REASON)
+ $(checkdir)
+CLN-indep:: CLN-common
+ $(REASON)
+ $(checkdir)
+# Work here
+$(patsubst %,CLEAN/%,$(DEB_ARCH_PACKAGES)) :: CLEAN/% : CLN-arch
+ $(REASON)
+ $(checkdir)
+$(patsubst %,CLEAN/%,$(DEB_INDEP_PACKAGES)) :: CLEAN/% : CLN-indep
+ $(REASON)
+ $(checkdir)
+
+clean-arch: $(patsubst %,CLEAN/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+clean-indep: $(patsubst %,CLEAN/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+
+stamp-clean: clean-indep clean-arch
+ $(REASON)
+ $(checkdir)
+ -test -f Makefile && $(MAKE) distclean
+ -rm -f $(FILES_TO_CLEAN) $(STAMPS_TO_CLEAN)
+ -rm -rf $(DIRS_TO_CLEAN)
+ -rm -f core TAGS \
+ `find . ! -regex '.*/\.git/.*' ! -regex '.*/\{arch\}/.*' \
+ ! -regex '.*/CVS/.*' ! -regex '.*/\.arch-ids/.*' \
+ ! -regex '.*/\.svn/.*' \
+ \( -name '*.orig' -o -name '*.rej' -o -name '*~' -o \
+ -name '*.bak' -o -name '#*#' -o -name '.*.orig' -o \
+ -name '.*.rej' -o -name '.SUMS' -o -size 0 \) \
+ -print`
+
+clean: stamp-clean
+ $(REASON)
+
+
+#######################################################################
+#######################################################################
+############### ###############
+#######################################################################
+#######################################################################
+
+.PHONY: CONFIG-common CONFIG-indep CONFIG-arch configure-arch configure-indep configure \
+ BUILD-common BUILD-indep BUILD-arch build-arch build-indep build \
+ INST-common INST-indep INST-arch install-arch install-indep install \
+ BIN-common BIN-indep BIN-arch binary-arch binary-indep binary \
+ CLN-common CLN-indep CLN-arch clean-arch clean-indep clean \
+ $(patsubst %,CONFIG/%,$(DEB_INDEP_PACKAGES)) $(patsubst %,CONFIG/%,$(DEB_ARCH_PACKAGES)) \
+ $(patsubst %,BUILD/%, $(DEB_INDEP_PACKAGES)) $(patsubst %,BUILD/%, $(DEB_ARCH_PACKAGES)) \
+ $(patsubst %,INST/%, $(DEB_INDEP_PACKAGES)) $(patsubst %,INST/%, $(DEB_ARCH_PACKAGES)) \
+ $(patsubst %,BIN/%, $(DEB_INDEP_PACKAGES)) $(patsubst %,BIN/%, $(DEB_ARCH_PACKAGES)) \
+ $(patsubst %,CLEAN/%, $(DEB_INDEP_PACKAGES)) $(patsubst %,CLEAN/%, $(DEB_ARCH_PACKAGES)) \
+ implode explode prebuild checkpo
+
+#Local variables:
+#mode: makefile
+#End:
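Review bot: In stamp-clean the backtick-substituted `find … -print` list is word-split before `rm -f` sees it, so a matched path containing whitespace is removed under the wrong name or not at all, and the `-size 0` predicate deletes every empty file under the tree, including any the source ships deliberately; replacing the backticks with `find . … -print0 | xargs -r0 rm -f` and dropping `-size 0` (or limiting it to known scratch names) makes the generic clean safe. The three `-`-prefixed `test`/`rm` lines silence every failure as well; a comment stating why errors are acceptable there would help the next reader. testroot is not in the .PHONY list, so a stray file named `testroot` satisfies the root check without `id -u` ever running; add `testroot` (and `source diff`) to `.PHONY`. The message in testroot also reads `priviledges`; it should be `privileges`.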
--- refpolicy-0.0.20070507.orig/debian/common/install_cmds.mk
+++ refpolicy-0.0.20070507/debian/common/install_cmds.mk
@@ -0,0 +1,54 @@
+######################### -*- Mode: Makefile-Gmake -*- ########################
+## install_cmds.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+## Created On : Fri Jun 16 14:40:20 2006
+## Created On Node : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Wed Sep 6 11:43:05 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 9
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: a38b6a93-2539-4034-9060-ae94d5c8a071
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+##
+###############################################################################
+
+# install commands
+install_file = install -p -o root -g root -m 644
+install_script = install -p -o root -g root -m 755
+install_program= install -p -o root -g root -m 755
+make_directory = install -p -d -o root -g root -m 755
+
+define create_md5sum
+ create_md5sums_fn () { \
+ cd $$1 ; \
+ find . -type f \
+ ! -regex './DEBIAN/.*' \
+ ! -regex './etc/.*' $(EXTRA_MD5SUM_EXCLUDE) \
+ -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums ; \
+ if [ -z "DEBIAN/md5sums" ] ; then \
+ rm -f "DEBIAN/md5sums" ; \
+ fi ; \
+ } ; \
+ create_md5sums_fn
+endef
+
+#Local variables:
+#mode: makefile
+#End:
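Review bot: In create_md5sum the guard `if [ -z "DEBIAN/md5sums" ]` tests whether the literal string is empty, which is never true, so an empty manifest is always left in the package; the intended test is `if [ ! -s DEBIAN/md5sums ] ; then \`. The preceding `cd $$1 ;` is chained with `;`, so if the directory argument is missing or wrong the find may run in the caller's directory and record the wrong tree; make it `cd "$$1" && \` (quoting also keeps paths with spaces intact). Since DEBIAN/md5sums is what dpkg later uses to verify installed contents, a manifest built from the wrong directory should fail loudly rather than be produced silently.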
--- refpolicy-0.0.20070507.orig/debian/common/pkgvars.mk
+++ refpolicy-0.0.20070507/debian/common/pkgvars.mk
@@ -0,0 +1,94 @@
+############################ -*- Mode: Makefile -*- ###########################
+## pkgvars.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:56:30 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Thu Jun 15 12:05:46 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 11
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : This is what allows us toseparate out the top level
+## targets, by determining which packages needto be built.
+##
+## arch-tag: 75fcc720-7389-4eaa-a7ac-c556d3eac331
+##
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+##
+###############################################################################
+
+# The maintainer information.
+maintainer := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Maintainer: | \
+ sed 's/^Maintainer: *//')
+email := srivasta@debian.org
+
+# Priority of this version (or urgency, as dchanges would call it)
+urgency := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Urgency: | \
+ sed 's/^Urgency: *//')
+
+# Common useful variables
+DEB_SOURCE_PACKAGE := $(strip $(shell egrep '^Source: ' debian/control | \
+ cut -f 2 -d ':'))
+DEB_VERSION := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
+ egrep '^Version:' | cut -f 2 -d ' '))
+DEB_ISNATIVE := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
+ perl -ne 'print if (m/^Version:/g && ! m/^Version:.*\-/);'))
+DEB_DISTRIBUTION := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
+ egrep '^Distribution:' | cut -f 2 -d ' '))
+
+DEB_PACKAGES := $(shell perl -e ' \
+ $$/=""; \
+ while(<>){ \
+ $$p=$$1 if m/^Package:\s*(\S+)/; \
+ die "duplicate package $$p" if $$seen{$$p}; \
+ $$seen{$$p}++; print "$$p " if $$p; \
+ }' debian/control )
+
+DEB_INDEP_PACKAGES := $(shell perl -e ' \
+ $$/=""; \
+ while(<>){ \
+ $$p=$$1 if m/^Package:\s*(\S+)/; \
+ die "duplicate package $$p" if $$seen{$$p}; \
+ $$seen{$$p}++; \
+ $$a=$$1 if m/^Architecture:\s*(\S+)/m; \
+ next unless ($$a eq "all"); \
+ print "$$p " if $$p; \
+ }' debian/control )
+
+DEB_ARCH_PACKAGES := $(shell perl -e ' \
+ $$/=""; \
+ while(<>){ \
+ $$p=$$1 if m/^Package:\s*(\S+)/; \
+ die "duplicate package $$p" if $$seen{$$p}; \
+ $$seen{$$p}++; \
+ $$c=""; \
+ if (/^Architecture:\s*(.*?)\s*$$/sm) { \
+ @a = split /\s+/, $$1 }; \
+ for my $$b (@a) { \
+ next unless ($$b eq "$(DEB_HOST_ARCH)" || \
+ $$b eq "any"); \
+ $$c="$$p"; \
+ } \
+ print "$$c " if $$c; \
+ }' debian/control )
+
+# This package is what we get after removing the psuedo dirs we use in rules
+package = $(notdir $@)
+
+#Local variables:
+#mode: makefile
+#End:
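Review bot: The three perl one-liners match `m/^Package:\s*(\S+)/` without the `/m` modifier while reading in paragraph mode, so `^` only matches the first line of a stanza; a control file whose Package: field is not first keeps the previous stanza's `$p` and dies with "duplicate package". Use `$$p=$$1 if m/^Package:\s*(\S+)/m;` in all three, as the Architecture match in DEB_INDEP_PACKAGES already does. In DEB_ARCH_PACKAGES `@a` is never reset per stanza, so a stanza lacking an Architecture: line would inherit the previous one's list — presumably harmless for valid control files, but `@a=();` before the `if` makes that explicit. `email := srivasta@debian.org` is a hard-coded personal address in a shared skeleton; derive it from the Maintainer: field or document that it must be overridden, and wrap `maintainer` and `urgency` in `$(strip …)` like the other `$(shell …)` results.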
--- refpolicy-0.0.20070507.orig/debian/common/ChangeLog
+++ refpolicy-0.0.20070507/debian/common/ChangeLog
@@ -0,0 +1,28 @@
+2006-10-02 Manoj Srivastava
+
+ * checklibs:
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-15
+ New file, to detect if there are unneeded library
+ dependencies
+
+2006-10-01 Manoj Srivastava
+
+ * archvars.mk (doit):
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-14
+ Add a macro to execute $(shell ...) macos verbosely to
+ help debugging.
+
+2006-09-15 Manoj Srivastava
+
+ * targets.mk (stamp-clean):
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-13
+ Exclude version control directories from the generic
+ clean command.
+
+
+2006-08-23 Manoj Srivastava
+
+ * pkgvars.mk (DEB_DISTRIBUTION):
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-6
+ Add variable that contains the distribution information
+
--- refpolicy-0.0.20070507.orig/debian/common/automake.mk
+++ refpolicy-0.0.20070507/debian/common/automake.mk
@@ -0,0 +1,37 @@
+############################ -*- Mode: Makefile -*- ###########################
+## automake.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:47:23 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Nov 15 02:47:53 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 1
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: 1fabe69b-7cc8-4ecc-9411-bc5906b19857
+##
+###############################################################################
+
+AUTOCONF_VERSION:=$(shell if [ -e configure ]; then \
+ grep "Generated automatically using autoconf" \
+ configure | sed -e 's/^.*autoconf version //g'; \
+ fi)
+HAVE_NEW_AUTOMAKE:=$(shell if [ "X$(AUTOCONF_VERSION)" != "X2.13" ]; then \
+ echo 'YES' ; fi)
+
+ifneq ($(strip $(HAVE_NEW_AUTOMAKE)),)
+ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ confflags += --build $(DEB_BUILD_GNU_TYPE)
+ else
+ confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+ endif
+else
+ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ confflags += $(DEB_HOST_GNU_TYPE)
+ else
+ confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+ endif
+endif
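Review bot: HAVE_NEW_AUTOMAKE forks a shell only to compare two strings; `HAVE_NEW_AUTOMAKE := $(if $(filter 2.13,$(AUTOCONF_VERSION)),,YES)` yields the same value (including YES when no configure script exists) without the process spawn. The grep for "Generated automatically using autoconf" matches only the autoconf 2.13-era banner, so on newer configure scripts AUTOCONF_VERSION is empty and the "new" branch is selected by fall-through rather than detection; a comment saying that this is the intended outcome would keep a later reader from "fixing" it. The variable name says automake but the test is on the autoconf version; a one-line comment or a rename would remove the mismatch.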
--- refpolicy-0.0.20070507.orig/debian/common/archvars.mk
+++ refpolicy-0.0.20070507/debian/common/archvars.mk
@@ -0,0 +1,118 @@
+############################ -*- Mode: Makefile -*- ###########################
+## archvars.mk ---
+## Author : Manoj Srivastava ( srivasta@golden-gryphon.com )
+## Created On : Sat Nov 15 02:40:56 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Tue Nov 16 23:36:15 2004
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 5
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : calls dpkg-architecture and sets up various arch
+## related variables
+##
+## arch-tag: e16dd848-0fd6-4c0e-ae66-bef20d1f7c63
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+##
+###############################################################################
+
+
+DPKG_ARCH := dpkg-architecture
+
+ifeq ($(strip $(KPKG_ARCH)),um)
+ MAKING_VIRTUAL_IMAGE:=YES
+endif
+ifeq ($(strip $(KPKG_ARCH)),xen)
+ MAKING_VIRTUAL_IMAGE:=YES
+endif
+
+ifneq ($(strip $(CONFIG_UM)),)
+ MAKING_VIRTUAL_IMAGE:=YES
+ KPKG_ARCH=um
+endif
+
+ifneq ($(strip $(CONFIG_XEN)),)
+ MAKING_VIRTUAL_IMAGE:=YES
+ ifneq ($(strip $(CONFIG_X86_XEN)$(CONFIG_X86_64_XEN)),)
+ KPKG_SUBARCH=xen
+ else
+ KPKG_ARCH=xen
+ ifeq ($(strip $(CONFIG_XEN_PRIVILEGED_GUEST)),)
+ KPKG_SUBARCH=xenu
+ else
+ KPKG_SUBARCH=xen0
+ endif
+ endif
+endif
+
+ifdef KPKG_ARCH
+ ifeq ($(strip $(MAKING_VIRTUAL_IMAGE)),)
+ ifneq ($(CROSS_COMPILE),-)
+ ha:=-a$(KPKG_ARCH)
+ endif
+ endif
+endif
+
+# set the dpkg-architecture vars
+export DEB_BUILD_ARCH := $(shell $(DPKG_ARCH) -qDEB_BUILD_ARCH)
+export DEB_BUILD_GNU_CPU := $(shell $(DPKG_ARCH) -qDEB_BUILD_GNU_CPU)
+export DEB_BUILD_GNU_SYSTEM:= $(shell $(DPKG_ARCH) -qDEB_BUILD_GNU_SYSTEM)
+export DEB_BUILD_GNU_TYPE := $(shell $(DPKG_ARCH) -qDEB_BUILD_GNU_TYPE)
+export DEB_HOST_ARCH := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH)
+export DEB_HOST_ARCH_OS := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH_OS \
+ 2>/dev/null|| true)
+export DEB_HOST_ARCH_CPU := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH_CPU \
+ 2>/dev/null|| true)
+export DEB_HOST_GNU_CPU := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_CPU)
+export DEB_HOST_GNU_SYSTEM := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_SYSTEM)
+export DEB_HOST_GNU_TYPE := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_TYPE)
+
+# arrgh. future proofing
+ifeq ($(DEB_HOST_GNU_SYSTEM), linux)
+ DEB_HOST_GNU_SYSTEM=linux-gnu
+endif
+ifeq ($(DEB_HOST_ARCH_OS),)
+ ifeq ($(DEB_HOST_GNU_SYSTEM), linux-gnu)
+ DEB_HOST_ARCH_OS := linux
+ endif
+ ifeq ($(DEB_HOST_GNU_SYSTEM), kfreebsd-gnu)
+ DEB_HOST_ARCH_OS := kfreebsd
+ endif
+endif
+
+REASON = @if [ -f $@ ]; then \
+ echo "====== making $(notdir $@) because of $(notdir $?) ======";\
+ else \
+ echo "====== making target $@ [new prereqs: $(notdir $?)]======"; \
+ fi
+
+OLDREASON = @if [ -f $@ ]; then \
+ echo "====== making $(notdir $@) because of $(notdir $?) ======";\
+ else \
+ echo "====== making (creating) $(notdir $@) ======"; \
+ fi
+
+LIBREASON = @echo "====== making $(notdir $@)($(notdir $%))because of $(notdir $?)======"
+
+
+# macro outputing $(1) if DEBUG_DEBIAN_RULES is set, and resolving it
+# in all cases usage $(call doit,some shell command)
+doit = $(if $(DEBUG_DEBIAN_RULES),$(warning DEBUG: $(1)))$(shell $(1))
+
+#Local variables:
+#mode: makefile
+#End:
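Review bot: The nine `$(shell $(DPKG_ARCH) …)` assignments each fork dpkg-architecture at parse time of every make invocation; if the installed dpkg-architecture prints the full `DEB_*=value` list when run without `-q`, a single `$(shell $(DPKG_ARCH) $(ha))` captured once and split with `$(foreach …)`/`$(eval …)` would replace them — worth measuring before changing. Assignment flavours are mixed without a pattern: `MAKING_VIRTUAL_IMAGE:=YES` but `KPKG_ARCH=um` and `KPKG_SUBARCH=xen`, and `DEB_HOST_GNU_SYSTEM=linux-gnu` rewrites a variable that was just `export`ed with `:=`; using `:=` throughout makes the parse-time intent explicit. `ifneq ($(CROSS_COMPILE),-)` compares against a literal dash with no note on where that sentinel comes from (presumably kernel-package); a one-line comment such as `# kernel-package sets CROSS_COMPILE=- for native builds` would help, if that is indeed the source.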
--- refpolicy-0.0.20070507.orig/debian/example.fc
+++ refpolicy-0.0.20070507/debian/example.fc
@@ -0,0 +1,8 @@
+# myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
+
+# arch-tag: 883e01c8-54bc-4083-83b5-61be97c970fb
--- refpolicy-0.0.20070507.orig/debian/postinst.policy
+++ refpolicy-0.0.20070507/debian/postinst.policy
@@ -0,0 +1,260 @@
+#! /usr/bin/perl
+# -*- Mode: Cperl -*-
+# postinst.pl ---
+# Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+# Created On : Mon Aug 21 01:14:21 2006
+# Created On Node : glaurung.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Mon May 7 11:10:26 2007
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 32
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 69c85425-4822-4b17-bb54-3b2d22e76687
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#
+#use strict; #for debugging
+use Cwd 'abs_path';
+$|=1;
+
+# Ignore all invocations except when called on to configure.
+exit 0 if $ARGV[0] =~ /abort-upgrade/;
+exit 0 if $ARGV[0] =~ /abort-remove/;
+exit 0 if $ARGV[0] =~ /abort-deconfigure/;
+exit 0 unless $ARGV[0] =~ /configure/;
+
+my $type = '=T';
+my $package_name= "selinux-policy-refpolicy-$type";
+my $policy_name = "refpolicy-$type";
+my $basedir = "/etc/selinux/$policy_name";
+my $src_dir = "/usr/share/selinux/$policy_name";
+
+# List of all the modules in the policy
+my @all_modules;
+# Full path of all modules in the policy
+my %Module_Path;
+# Dpendencies for policy modules, as determined by semodule_deps
+my %Deps;
+# A hash of all modules already processed
+my %Seen;
+# A hash of all packages installed on this machine
+my %Installed;
+# Policy modules in dependency order (subset of all modules in policy)
+my @ordered;
+# A list of modules already scheduled to be laoded
+my %Loaded;
+# and the order in which the modules should be loaded into policy.
+my @load_order;
+# A mapping of policy modules to Debian package names.
+my %map = (
+ 'amavis' => [ 'amavisd-new' ],
+ 'apache' => [ 'apache*' ],
+ 'apm' => [ 'acpid' ],
+ 'automount' => [ 'autofs*' ],
+ 'avahi' => [ 'avahi-*' ],
+ 'bind' => [ 'bind9' ],
+# 'bootloader' => [ 'grub', 'lilo' ],
+ 'cdrecord' => [ 'wodim' ],
+ 'courier' => [ 'courier*' ],
+ 'cups' => [ 'cupsys*' ],
+ 'cyrus' => [ 'cyrus*' ],
+ 'dhcp' => [ 'dhcp*', 'dhclient*', 'pump' ],
+ 'finger' => [ 'finger', '*fingerd' ],
+ 'ftp' => [ 'ftp', '*ftpd' ],
+ 'gpg' => [ 'gnupg' ],
+ 'hwclock' => [ 'util-linux' ],
+ 'inetd' => [ '*-inetd', 'openbsd-inetd', 'netkit-inetd', 'rinetd', 'rlinetd', 'xinetd' ],
+ 'java' => [ 'sun-java5*', 'cacao', 'gcj*', 'gij*', 'kaffe*',
+ 'java*', 'jvm*', 'jre*', 'jsdk*' ],
+ 'ldap' => [ 'slapd' ],
+ 'lpd' => [ 'lprng', 'rlpr' ],
+ 'loadkeys' => [ 'console-tools' ],
+ 'mono' => [ 'mono*' ],
+ 'munin' => [ 'munin-node' ],
+ 'mysql' => [ 'mysql-server', 'mysql-server*' ],
+ 'mozilla' => [ 'mozilla-browser', 'firefox', 'galeon',
+ 'mozilla-*', 'firefox*', 'epiphany-browser' ],
+ 'netutils' => [ 'arping', 'nmap', '*-ping', 'traceroute*' ],
+ 'pythonsupport' => [ 'python-support' ],
+ 'radius' => [ 'freeradius*', 'radiusd*' ],
+ 'raid' => [ 'mdadm' ],
+ 'rpc' => [ 'nfs-common', 'nfs-kernel-server' ],
+ 'sasl' => [ 'libsasl2' ],
+ 'ssh' => [ 'openssh*' ],
+# 'su' => [ 'login' ],
+ 'sysstat' => [ 'atsar' ],
+ 'telnet' => [ 'telnet', '*telnetd*' ],
+ 'uml' => [ 'linux-uml*' ],
+ 'uptime' => [ 'uptimed' ],
+ 'usbmodules' => [ 'usbutils' ],
+# 'usermanage' => [ 'passwd' ],
+ 'xserver' => [ 'gdm', 'kdm', 'xdm', 'xserver*' ]
+ );
+
+# List all th modules, except the base module, in the policy
+# directory. This sets @all_modules and %Module_Path
+sub list_modules {
+ my $src_dir = shift;
+ print STDERR "Locating modules\n";
+ opendir(DIR, $src_dir) || die "can't opendir $src_dir: $!";
+
+ @all_modules = grep { ! m/^base\.pp$/ && m/\.pp/ && -f "$src_dir/$_" }
+ readdir(DIR);
+ %Module_Path = map { +"$src_dir/$_" => 0 } @all_modules;
+ closedir DIR;
+}
+
+# Using the hash array %Module_Path created in the last step, run
+# semodule_deps to get the dependency relationships. This creates the
+# %Deps dependency hash.
+sub get_dependencies {
+ my $src_dir = shift;
+ print STDERR "Calculating dependencies between modules\n";
+ open(COMMAND, '-|', "semodule_deps -g $src_dir/base.pp " .
+ join(' ', keys %Module_Path)) || die "Could not run semodule_deps";
+ while () {
+ chomp;
+ next unless m/\-\>/;
+ next unless m/\s*(\S+)\s*\-\>\s*(\S+)\s*$/;
+ if (defined $Deps{$1}) {
+ $Deps{$1} = "$Deps{$1} $2";
+ }
+ else {
+ $Deps{$1} = $2;
+ }
+ }
+ close COMMAND;
+}
+
+# In this step, use the dependecy hash %Deps created in the last step,
+# and feed the information to tsort to get an ordered list of
+# modules. This creates the array @ordered
+sub get_ordering {
+ print STDERR "Ordering modules based on dependencies\n";
+ my $tempfile=`tempfile -p tsrt -m 0600`;
+ open(SORT, "| tsort > $tempfile") || die "can't open pipe to tsort: $!";
+ for my $pkg (keys %Deps) {
+ for my $dep (split(/ /, $Deps{$pkg})) {
+ print SORT "$dep $pkg\n";
+ }
+ }
+ close SORT;
+
+ open(RESULTS, $tempfile) || die "can't read $tempfile: $!";
+ while () {
+ chomp;
+ push @ordered, $_;
+ }
+ unlink $tempfile;
+ close RESULTS;
+}
+
+my @Load_Order;
+# Cycle over all the modules installed, starting with the dependency
+# ordered modules, taking care that we only look at a module once. For
+# each module, we look to see a mapping ogf the packages that need
+# this policy module. We then query dpkg to see if any of the package
+# patterns that are associated with a policy module are installed on
+# this system, if so, we schedule the module to be loaded, ensuring
+# that the dependent policy modules are also targeted for installation
+# before the current module is installed. This creates the Seen hash,
+# and the Load_Order array, as well as the Loaded hash.
+sub installed_modules {
+ print STDERR "Selecting modules based on installed packages\n";
+
+ # This suggestion from Alexander Bürger
+ open( my $PACKAGES, "dpkg-query -W |" )
+ or die("Cannot run 'dpkg-query -W'. $!");
+ while( my $p = <$PACKAGES> ) {
+ $Installed{$1} = $2 if( $p =~ /^(.*)\t(.+)$/ );
+ }
+ close($PACKAGES) or die("Could not close pipe.");
+
+ foreach my $module (@ordered, @all_modules) {
+ $module =~ s/\.pp$//o;
+
+ next if $Seen{$module};
+ $Seen{$module}++;
+
+ if (! defined $map{$module}) { $map{$module} = [ $module ]; }
+
+ PACKAGE:
+ for my $pkg (@{ $map{$module} }) {
+ if ($Installed{$pkg}) {
+ if (defined $Deps{$module}) {
+ for my $dep (split(' ', $Deps{$module})) {
+ next if $Loaded{$dep};
+ if (-e "${src_dir}/${dep}.pp") {
+ push @Load_Order, $dep;
+ $Loaded{$dep}++
+ }
+ else {
+ print STDERR "Could not find ${src_dir}/${dep}.pp\n";
+ print STDERR "which is required for module ${module}.pp\n";
+ print STDERR "Assuming ${dep}.pp is built into base.pp\n";
+ }
+ }
+ }
+ push @Load_Order, $module;
+ $Loaded{$module}++;
+ last PACKAGE;
+ }
+ }
+ }
+}
+
+sub main {
+ if (-e "$basedir/modules/active/base.pp" ) {
+ print STDERR "You already have a $policy_name policy installed.\n";
+ print STDERR "I am leaving it alone. Please check and update manually.\n";
+ }
+ elsif (-e "$src_dir/base.pp") {
+ print STDERR "Notice: Trying to link (but not load) a $policy_name policy.\n";
+ print STDERR "This process may fail -- you should check the results, and \n";
+ print STDERR "you need to switch to this policy yourself anyway.\n\n";
+ &list_modules("$src_dir");
+ &get_dependencies("$src_dir");
+ &get_ordering();
+ &installed_modules();
+ if (system("semodule -b $src_dir/base.pp -s $policy_name -n ") == 0) {
+ print STDERR "Loaded base policy\n";
+ for my $mod (@Load_Order) {
+ if (system("semodule -i $src_dir/${mod}.pp -s $policy_name -n ") == 0) {
+ print STDERR "Loaded module ${mod}.pp\n";
+ }
+ else {
+ print STDERR "Failed to load module ${mod}.pp\n";
+ }
+ }
+ }
+ else {
+ print STDERR "Could not load $src_dir/base.pp for $policy_name.\n";
+ print STDERR "Failed to load base policy, please load policy manually.\n";
+ }
+ }
+ else {
+ print STDERR ".\n";
+ }
+}
+
+&main;
+
+exit 0;
+
+__END__
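Review bot: The package patterns in %map ('apache*', 'avahi-*', '*ftpd', …) are looked up as literal hash keys at `if ($Installed{$pkg})` in installed_modules, so no wildcard entry can ever match a `dpkg-query -W` line and those modules are silently never scheduled; the globs need to be matched against the keys of %Installed, as in the excerpt below. The same loop treats every package dpkg-query lists as installed, which presumably includes removed-but-not-purged ones; narrowing the query with `dpkg-query -W -f '${Status}\t${Package}\n'` and keeping only status "installed" would be stricter — confirm against the intended behaviour. In get_ordering the backtick result of `tempfile` keeps its trailing newline, so `open(RESULTS, $tempfile)` works only because two-argument open trims whitespace while `unlink $tempfile` does not, leaving the temp file behind; add `chomp $tempfile;` after it (or use File::Temp). `#use strict; #for debugging` leaves a maintainer script that runs as root without strict; re-enable it, and the `while ()` loops in get_dependencies and get_ordering look like they lost their `<COMMAND>`/`<RESULTS>` readline handles in rendering — worth checking the actual file.
```perl
    # … unchanged: reading `dpkg-query -W` into %Installed …

    PACKAGE:
    for my $pkg (@{ $map{$module} }) {
        # %map entries are shell-style globs ('apache*', '*ftpd'); a
        # plain hash lookup never expands them, so match the glob
        # against every installed package name instead.
        (my $re = quotemeta $pkg) =~ s/\\\*/.*/g;
        my $hit = grep { /^$re$/ } keys %Installed;
        if ($hit) {
            # … unchanged: dependency scheduling and push @Load_Order …
```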
--- refpolicy-0.0.20070507.orig/debian/example.te
+++ refpolicy-0.0.20070507/debian/example.te
@@ -0,0 +1,30 @@
+
+policy_module(myapp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t;
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t)
+
+type myapp_log_t;
+logging_log_file(myapp_log_t)
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file ra_file_perms;
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
+
+# arch-tag: 5a574a9f-92ea-4cc2-becb-9715b6107d1b
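Review bot: The template declares `myapp_exec_t` and `myapp_log_t` but nothing in this file maps either type to a path, so a reader who copies it verbatim gets a module whose domain can never be entered and whose log type is never applied; presumably the mapping is meant to live in a companion `.fc` file, but the example does not say so. A short header comment after `policy_module(myapp,1.0.0)` such as `# myapp_exec_t and myapp_log_t must be assigned to paths in the companion myapp.fc file` would make the template self-contained. It is also worth noting in that comment that the tmp type is the only one given a filetrans rule here, so files the domain creates elsewhere keep the parent directory's label.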
--- refpolicy-0.0.20070507.orig/debian/doc.postinst
+++ refpolicy-0.0.20070507/debian/doc.postinst
@@ -0,0 +1,218 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# postinst ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 11:25:07 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 16:26:45 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 16
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 4e408b9c-d423-4177-b8a3-2d7b4fe51af7
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#
+
+# Abort if any command returns an error value
+set -e
+
+package_name=selinux-policy-refpolicy-doc
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+# This script is called as the last step of the installation of the
+# package. All the package's files are in place, dpkg has already done
+# its automatic conffile handling, and all the packages we depend of
+# are already fully installed and configured.
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * abort-remove # if prerm fails during removal
+# * `abort-remove' `in-favour'
+#
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+# The following idempotent stuff doesn't generally need protecting
+# against being run in the abort-* cases.
+
+# Install info files into the dir file
+#install-info --quiet --section "Development" "Development" \
+# --description="The GNU make utility." /usr/share/info/$package_name.info.gz
+
+# Create stub directories under /usr/local
+##: if test ! -d /usr/local/lib/${package_name}; then
+##: if test ! -d /usr/local/lib; then
+##: if mkdir /usr/local/lib; then
+##: chown root.staff /usr/local/lib || true
+##: chmod 2775 /usr/local/lib || true
+##: fi
+##: fi
+##: if mkdir /usr/local/lib/${package_name}; then
+##: chown root.staff /usr/local/lib/${package_name} || true
+##: chmod 2775 /usr/local/lib/${package_name} || true
+##: fi
+##: fi
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+# Arrange for a daemon to be started at system boot time
+##: update-rc.d ${package_name} default >/dev/null
+
+case "$1" in
+ configure)
+ # Configure this package. If the package must prompt the user for
+ # information, do it here.
+ # Install emacs lisp files
+ ##:if [ -x /usr/lib/emacsen-common/emacs-package-install ]; then
+ ##: /usr/lib/emacsen-common/emacs-package-install $package_name
+ ##:fi
+
+
+ # Activate menu-methods script
+ ##: chmod a+x /etc/menu-methods/${package_name}
+
+ # Update ld.so cache
+ ##: ldconfig
+
+ # Make our version of a program available
+ ##: update-alternatives \
+ ##: --install /usr/bin/program program /usr/bin/alternative 50 \
+ ##: --slave /usr/man/man1/program.1.gz program.1.gz \
+ ##: /usr/man/man1/alternative.1.gz
+
+ # Tell ucf that the file in /usr/share/foo is the latest
+ # maintainer version, and let it handle how to manage the real
+ # confuguration file in /etc. This is how a static configuration
+ # file can be handled:
+ ##:if which ucf >/dev/null 2>&1; then
+ ##: ucf /usr/share/${package_name}/configuration /etc/${package_name}.conf
+ ##:fi
+
+ ### We could also do this on the fly. The following is from Tore
+ ### Anderson:
+
+ #. /usr/share/debconf/confmodule
+
+ ### find out what the user answered.
+ # db_get foo/run_on_boot
+ # run_on_boot=$RET
+ # db_stop
+
+ ### safely create a temporary file to generate our suggested
+ ### configuration file.
+ # tempfile=`tempfile`
+ # cat << _eof > $tempfile
+ ### Configuration file for Foo.
+
+ ### this was answered by you, the user in a debconf dialogue
+ # RUNONBOOT=$run_on_boot
+
+ ### this was not, as it has a sane default value.
+ # COLOUROFSKY=blue
+
+ #_eof
+
+ ### Note that some versions of debconf do not release stdin, so
+ ### the following invocation of ucf may not work, since the stdin
+ ### is never coneected to ucfr.
+
+ ### now, invoke ucf, which will take care of the rest, and ask
+ ### the user if he wants to update his file, if it is modified.
+ #ucf $tempfile /etc/foo.conf
+
+ ### done! now we'll just clear up our cruft.
+ #rm -f $tempfile
+
+
+
+ # There are three sub-cases:
+ if test "${2+set}" != set; then
+ # We're being installed by an ancient dpkg which doesn't remember
+ # which version was most recently configured, or even whether
+ # there is a most recently configured version.
+ :
+
+ elif test -z "$2" || test "$2" = ""; then
+ # The package has not ever been configured on this system, or was
+ # purged since it was last configured.
+ :
+
+ else
+ # Version $2 is the most recently configured version of this
+ # package.
+ :
+
+ fi ;;
+ abort-upgrade)
+ # Back out of an attempt to upgrade this package FROM THIS VERSION
+ # to version $2. Undo the effects of "prerm upgrade $2".
+ :
+
+ ;;
+ abort-remove)
+ if test "$2" != in-favour; then
+ echo "$0: undocumented call to \`postinst $*'" 1>&2
+ exit 0
+ fi
+ # Back out of an attempt to remove this package, which was due to
+ # a conflict with package $3 (version $4). Undo the effects of
+ # "prerm remove in-favour $3 $4".
+ :
+
+ ;;
+ abort-deconfigure)
+ if test "$2" != in-favour || test "$5" != removing; then
+ echo "$0: undocumented call to \`postinst $*'" 1>&2
+ exit 0
+ fi
+ # Back out of an attempt to deconfigure this package, which was
+ # due to package $6 (version $7) which we depend on being removed
+ # to make way for package $3 (version $4). Undo the effects of
+ # "prerm deconfigure in-favour $3 $4 removing $6 $7".
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+# Install doc base documentation
+if which install-docs >/dev/null 2>&1; then
+ if [ -e /usr/share/doc-base/${package_name} ]; then
+ install-docs -i /usr/share/doc-base/${package_name}
+ fi
+fi
+
+exit 0
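Review bot: The guard `print >&2 "Internal Error. Please report a bug."` uses `print`, which is not a POSIX sh builtin or a standard command, so if the branch were ever taken the script would fail with `print: not found` instead of emitting the diagnostic; write `echo "Internal Error. Please report a bug." >&2`. The same line appears in debian/strict.postrm. The branch is currently unreachable because `package_name` is assigned a literal on the line above, so if it is kept as a safety net a one-line comment saying that would stop readers from looking for a path that leaves the variable empty.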
--- refpolicy-0.0.20070507.orig/debian/rules
+++ refpolicy-0.0.20070507/debian/rules
@@ -0,0 +1,63 @@
+#! /usr/bin/make -f
+############################ -*- Mode: Makefile; coding: utf-8 -*- ###########################
+## rules ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Fri Nov 14 12:33:34 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Tue Nov 18 17:46:22 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 70
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: 9a5063f4-1e20-4fff-b22a-de94c1e3d954
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+##
+###############################################################################
+
+# Include dpkg-architecture generated variables
+include debian/common/archvars.mk
+
+# Set variables with information extracted from control and changelog files
+include debian/common/pkgvars.mk
+
+# variables useful for perl packages
+include debian/common/perlvars.mk
+
+# Install commands
+include debian/common/install_cmds.mk
+
+include debian/local-vars.mk
+
+include debian/common/copt.mk
+
+include debian/common/automake.mk
+
+
+
+all:
+ @echo nothing to be done
+
+include debian/common/targets.mk
+
+include debian/local.mk
+
+
+#Local variables:
+#mode: makefile
+#End:
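Review bot: `all` is a command target rather than a file but is not declared phony, so a file named `all` in the tree would make `make -f debian/rules` report it up to date; add `.PHONY: all` beside the rule. Placing `all:` before `include debian/common/targets.mk` also makes it the default goal, and since the real build, binary and clean targets presumably come from that include, a one-line comment stating so would save the reader a trip through the common makefiles.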
--- refpolicy-0.0.20070507.orig/debian/strict.postrm
+++ refpolicy-0.0.20070507/debian/strict.postrm
@@ -0,0 +1,176 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# postrm ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 12:22:20 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 20:52:23 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 11
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 56802d51-d980-4822-85c0-28fce19ed430
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+
+# Abort if any command returns an error value
+set -e
+
+TYPE=strict
+package_name=selinux-policy-refpolicy-$TYPE
+POLICYNAME=refpolicy-$TYPE
+BASEDIR=/etc/selinux/$POLICYNAME
+
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+# This script is called twice during the removal of the package; once
+# after the removal of the package's files from the system, and as
+# the final step in the removal of this package, after the package's
+# conffiles have been removed.
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+case "$1" in
+ remove)
+ # This package is being removed, but its configuration has not yet
+ # been purged.
+ :
+
+ # Remove diversion
+ ##: dpkg-divert --package ${package_name} --remove --rename \
+ ##: --divert /usr/bin/other.real /usr/bin/other
+
+ # ldconfig is NOT needed during removal of a library, only during
+ # installation
+
+ ;;
+ purge)
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ :
+
+ # we mimic dpkg as closely as possible, so we remove configuration
+ # files with dpkg backup extensions too:
+ ### Some of the following is from Tore Anderson:
+ ##: for ext in '~' '%' .bak .dpkg-tmp .dpkg-new .dpkg-old .dpkg-dist; do
+ ##: rm -f /etc/${package_name}.conf$ext
+ ##: done
+
+ # remove the configuration file itself
+ ##: rm -f /etc/${package_name}.conf
+ rm -rf "$BASEDIR"
+
+ # and finally clear it out from the ucf database
+ ##: ucf --purge /etc/${package_name}.conf
+
+ # Remove symlinks from /etc/rc?.d
+ ##: update-rc.d ${package_name} remove >/dev/null
+
+ ##: if [ -e /usr/share/debconf/confmodule ]; then
+ ##: # Purge this package's data from the debconf database.
+ ##: . /usr/share/debconf/confmodule
+ ##: db_purge
+ ##: fi
+
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ ##: for flavour in emacs20 emacs21; do
+ ##: STARTDIR=/etc/$flavour/site-start.d;
+ ##: STARTFILE="${package_name}-init.el";
+ ##: if [ -e "$STARTDIR/20$STARTFILE" ]; then
+ ##: rm -f "$STARTDIR/20$STARTFILE"
+ ##: fi
+ ##: done
+
+ ;;
+ disappear)
+ if test "$2" != overwriter; then
+ echo "$0: undocumented call to \`postrm $*'" 1>&2
+ exit 0
+ fi
+ # This package has been completely overwritten by package $3
+ # (version $4). All our files are already gone from the system.
+ # This is a special case: neither "prerm remove" nor "postrm remove"
+ # have been called, because dpkg didn't know that this package would
+ # disappear until this stage.
+ :
+
+ ;;
+ upgrade)
+ # About to upgrade FROM THIS VERSION to version $2 of this package.
+ # "prerm upgrade" has been called for this version, and "preinst
+ # upgrade" has been called for the new version. Last chance to
+ # clean up.
+ :
+
+ ;;
+ failed-upgrade)
+ # About to upgrade from version $2 of this package TO THIS VERSION.
+ # "prerm upgrade" has been called for the old version, and "preinst
+ # upgrade" has been called for this version. This is only used if
+ # the previous version's "postrm upgrade" couldn't handle it and
+ # returned non-zero. (Fix old postrm bugs here.)
+ :
+
+ ;;
+ abort-install)
+ # Back out of an attempt to install this package. Undo the effects of
+ # "preinst install...". There are two sub-cases.
+ :
+
+ if test "${2+set}" = set; then
+ # When the install was attempted, version $2's configuration
+ # files were still on the system. Undo the effects of "preinst
+ # install $2".
+ :
+
+ else
+ # We were being installed from scratch. Undo the effects of
+ # "preinst install".
+ :
+
+ fi ;;
+ abort-upgrade)
+ # Back out of an attempt to upgrade this package from version $2
+ # TO THIS VERSION. Undo the effects of "preinst upgrade $2".
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
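Review bot: `rm -rf "$BASEDIR"` in the purge branch removes `/etc/selinux/refpolicy-strict` unconditionally, including the module store and any locally modified booleans or file contexts, and nothing in the script checks whether `/etc/selinux/config` still selects this policy type; purging the active policy leaves a machine that cannot load a policy at next boot. Consider reading `SELINUXTYPE` from `/etc/selinux/config` and refusing the removal, or at least warning on stderr, when it equals `$POLICYNAME`. The `print >&2 "Internal Error. Please report a bug."` guard near the top has the same non-POSIX `print` problem as debian/doc.postinst and should use `echo … >&2`.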
--- refpolicy-0.0.20070507.orig/debian/control
+++ refpolicy-0.0.20070507/debian/control
@@ -0,0 +1,147 @@
+Source: refpolicy
+XS-VCS-Arch: http://arch.debian.org/arch/private/srivasta/grab/refpolicy
+XS-VCS-Browse: http://arch.debian.org/cgi-bin/archzoom.cgi/srivasta@debian.org--lenny/refpolicy?expand
+Priority: optional
+Section: admin
+Maintainer: Manoj Srivastava
+Uploaders: Erich Schubert
+Standards-Version: 3.7.2.0
+Build-Depends: policycoreutils (>= 2.0.16), checkpolicy (>= 2.0.2), python, m4, bzip2, gawk
+
+Package: selinux-policy-refpolicy-strict
+Architecture: all
+Depends: policycoreutils, libpam-modules (>= 0.77-0.se5), python, libselinux1 (>= 2.0.7)
+Recommends: checkpolicy, setools
+Suggests: logcheck, syslog-summary
+Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1), selinux, procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1), selinux-policy-default
+Description: Strict variant of the SELinux reference policy
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This is the strict variant of the reference policy. This provides
+ the highest level of security, but may not be complete yet.
+
+Package: selinux-policy-refpolicy-targeted
+Architecture: all
+Depends: policycoreutils, libpam-modules (>= 0.77-0.se5), python, libselinux1 (>= 2.0.7)
+Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1), selinux, procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1), selinux-policy-default
+Recommends: checkpolicy, setools
+Suggests: logcheck, syslog-summary
+Description: Targeted variant of the SELinux reference policy
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This is the targeted variant of the reference policy. In this
+ variation, most of the system remain untouched, apart from a few
+ targeted inter-net facing daemons, which are tightly sand boxed.
+
+
+Package: selinux-policy-refpolicy-src
+Architecture: all
+Depends: python, policycoreutils, checkpolicy (>= 2.0.2), gawk
+Conflicts: selinux-policy-default
+Recommends: setools
+Suggests: logcheck, syslog-summary
+Description: Source of the SELinux reference policy for customization
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This is the source of the policy, provided so that local variations of
+ SELinux policy may be created.
+
+Package: selinux-policy-refpolicy-dev
+Architecture: all
+Depends: python, policycoreutils, checkpolicy (>= 2.0.2), gawk
+Recommends: setools
+Description: Headers from the SELinux reference policy for building modules
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This package provides header files for building your own SELinux
+ policy packages compatible with official policy packages.
+
+Package: selinux-policy-refpolicy-doc
+Architecture: all
+Section: doc
+Description: Documentation for the SELinux reference policy
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This package contains the documentation for the reference policy.
+
+
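Review bot: The shared long description, repeated in all five package stanzas, reads `be and used as the basis for creating other policies` where `and be used as the basis` is meant; the targeted stanza also has `most of the system remain untouched` (should be `remains`) and `inter-net facing daemons` (should be `internet-facing daemons`). This text is what apt and the package front-ends show to every user, so it is worth fixing in each copy, and in debian/docentry, which carries the same paragraph.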
--- refpolicy-0.0.20070507.orig/debian/docentry
+++ refpolicy-0.0.20070507/debian/docentry
@@ -0,0 +1,24 @@
+Document: selinux-policy-refpolicy-doc
+Title: SELinux Reference Policy
+Author: various
+Abstract: The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+Section: Apps/Admin
+
+Format: HTML
+Index: /usr/share/doc/selinux-policy-refpolicy-doc/html/index.html
+Files: /usr/share/doc/selinux-policy-refpolicy-doc/html/*.html
--- refpolicy-0.0.20070507.orig/debian/setrans.conf
+++ refpolicy-0.0.20070507/debian/setrans.conf
@@ -0,0 +1,23 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
+
+###############################################################################
+## arch-tag: 2f7ff2f6-a12a-4d8d-94ea-022090bd959e
+###############################################################################
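Review bot: The category range hard-coded here (`s0:c0.c1023` on the two translation lines, and `c0-c1023` in the comment) must agree with the `MCS_CATS ?= 1024` value this patch sets in support/Makefile.devel; if either side is changed alone, `SystemHigh` may no longer correspond to the policy's real top category or the translation may be rejected. A comment next to `s0-s0:c0.c1023=SystemLow-SystemHigh`, such as `# c1023 must equal MCS_CATS-1 from support/Makefile.devel`, would make that coupling visible. Also `libary` in the header comment should read `library`.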
--- refpolicy-0.0.20070507.orig/debian/modules.conf.strict
+++ refpolicy-0.0.20070507/debian/modules.conf.strict
@@ -0,0 +1,1820 @@
+# If you edit this file, also edit local-var.mk to define what is or
+# is not a module.
+#
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = module
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+#
+amanda = module
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = off
+
+# Layer: admin
+# Module: apt
+#
+# APT advanced package toll.
+#
+apt = base
+
+# Layer: admin
+# Module: backup
+#
+# System backup scripts
+#
+backup = module
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = base
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+#
+# Not in Debian?
+certwatch = off
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+# Not in Debian.
+consoletype = off
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = base
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = module
+
+# Layer: admin
+# Module: dpkg
+#
+# Policy for the Debian package manager.
+#
+dpkg = base
+
+# Layer: admin
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+#
+firstboot = off
+
+# Layer: admin
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+#
+kudzu = module
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = base
+
+# Layer: admin
+# Module: logwatch
+#
+# System log analyzer and reporter
+#
+logwatch = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+#
+mrtg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: portage
+#
+# Portage Package Management System. The primary package management and
+# distribution system for Gentoo.
+#
+portage = off
+
+# Layer: admin
+# Module: prelink
+#
+# Prelink ELF shared library mappings.
+#
+prelink = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = base
+
+# Layer: admin
+# Module: sxid
+#
+# SUID/SGID program monitoring
+#
+sxid = module
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: admin
+# Module: tripwire
+#
+# Tripwire file integrity checker.
+#
+tripwire = module
+
+# Layer: admin
+# Module: tzdata
+#
+# Time zone updater
+#
+tzdata = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = off
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = base
+
+# Layer: admin
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+#
+vbetool = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: apps
+# Module: ada
+#
+# GNAT Ada95 compiler
+#
+ada = module
+
+# Layer: apps
+# Module: authbind
+#
+# Tool for non-root processes to bind to reserved ports
+#
+authbind = module
+
+# Layer: apps
+# Module: calamaris
+#
+# Squid log analysis
+#
+calamaris = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+#
+cdrecord = module
+
+# Layer: apps
+# Module: ethereal
+#
+# Ethereal packet capture tool.
+#
+ethereal = module
+
+# Layer: apps
+# Module: evolution
+#
+# Evolution email client
+#
+evolution = module
+
+# Layer: apps
+# Module: games
+#
+# Games
+#
+games = module
+
+# Layer: apps
+# Module: gift
+#
+# giFT peer to peer file sharing tool
+#
+gift = module
+
+# Layer: apps
+# Module: gnome
+#
+# GNU network object model environment (GNOME)
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+#
+irc = module
+
+# Layer: apps
+# Module: java
+#
+# Java virtual machine
+#
+java = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+#
+lockdev = module
+
+# Layer: apps
+# Module: mono
+#
+# Run .NET server and client applications on Linux.
+#
+mono = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Mplayer media player and encoder
+#
+mplayer = module
+
+# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+#
+rssh = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: apps
+# Module: thunderbird
+#
+# Thunderbird email client
+#
+thunderbird = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: apps
+# Module: userhelper
+#
+# SELinux utility to run a shell with a new role
+#
+userhelper = base
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# Wine Is Not an Emulator. Run Windows programs in Linux.
+#
+wine = module
+
+# Layer: apps
+# Module: yam
+#
+# Yum/Apt Mirroring
+#
+yam = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = base
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = base
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = base
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = base
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = base
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = base
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = base
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: system
+# Module: pythonsupport
+#
+# Support for precompiling python modules
+#
+pythonsupport = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: xen
+#
+# Xen hypervisor
+#
+xen = module
+
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: services
+# Module: aide
+#
+# Aide filesystem integrity checker
+#
+aide = module
+
+# Layer: services
+# Module: amavis
+#
+# Daemon that interfaces mail transfer agents and content
+# checkers, such as virus scanners.
+#
+amavis = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+#
+apm = module
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = module
+
+# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: services
+# Module: audioentropy
+#
+# Generate entropy from audio input
+#
+audioentropy = module
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+#
+avahi = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+#
+bind = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# Cluster Configuration System
+#
+ccs = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+#
+cipe = module
+
+# Layer: services
+# Module: clamav
+#
+# ClamAV Virus Scanner
+#
+clamav = module
+
+# Layer: services
+# Module: clockspeed
+#
+# Clockspeed simple network time protocol client
+#
+# not in debian?
+clockspeed = off
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = module
+
+# Layer: services
+# Module: consolekit
+#
+# Framework for facilitating multiple user sessions on desktops.
+#
+consolekit = module
+
+# Layer: services
+# Module: courier
+#
+# Courier IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = base
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+#
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+#
+cyrus = module
+
+# Layer: services
+# Module: dante
+#
+# Dante msproxy and socks4/5 proxy server
+#
+dante = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Layer: services
+# Module: dcc
+#
+# Distributed checksum clearinghouse spam filtering
+#
+dcc = module
+
+# Layer: services
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+#
+ddclient = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+#
+dictd = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = module
+
+# Layer: services
+# Module: djbdns
+#
+# small and secure DNS daemon
+#
+djbdns = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# dnsmasq DNS forwarder and DHCP server
+#
+dnsmasq = module
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+#
+dovecot = module
+
+# Layer: services
+# Module: fail2ban
+#
+# Update firewall filtering to ban IP addresses with too many password failures.
+#
+fail2ban = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = module
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+#
+finger = module
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+#
+ftp = module
+
+# Layer: services
+# Module: gatekeeper
+#
+# OpenH.323 Voice-Over-IP Gatekeeper
+#
+gatekeeper = module
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+#
+gpm = module
+
+# Layer: services
+# Module: hal
+#
+# Hardware abstraction layer
+#
+hal = module
+
+# Layer: services
+# Module: howl
+#
+# Port of Apple Rendezvous multicast DNS
+#
+howl = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = module
+
+# Layer: services
+# Module: imaze
+#
+# iMaze game server
+#
+imaze = module
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = module
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+#
+inn = module
+
+# Layer: services
+# Module: ircd
+#
+# IRC server
+#
+ircd = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = module
+
+# Layer: services
+# Module: jabber
+#
+# Jabber instant messaging server
+#
+jabber = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+#
+ktalk = module
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+#
+mailman = module
+
+# Layer: services
+# Module: monop
+#
+# Monopoly daemon
+#
+monop = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = base
+
+# Layer: services
+# Module: munin
+#
+# Munin network-wide load graphing (formerly LRRD)
+#
+munin = module
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = module
+
+# Layer: services
+# Module: nagios
+#
+# Net Saint / NAGIOS - network monitoring server
+#
+nagios = module
+
+# Layer: services
+# Module: nessus
+#
+# Nessus network scanning daemon
+#
+nessus = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = module
+
+# Layer: services
+# Module: nsd
+#
+# Authoritative only name server
+#
+nsd = module
+
+# Layer: services
+# Module: ntop
+#
+# Network Top
+#
+ntop = module
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: services
+# Module: nx
+#
+# NX remote desktop
+#
+# Not officially in Debian, but being worked on.
+nx = module
+
+# Layer: services
+# Module: oav
+#
+# Open AntiVirus scannerdaemon and signature update
+#
+oav = module
+
+# Layer: services
+# Module: oddjob
+#
+# Oddjob provides a mechanism by which unprivileged applications can
+# request that specified privileged operations be performed on their
+# behalf.
+#
+oddjob = module
+
+# Layer: services
+# Module: openca
+#
+# OpenCA - Open Certificate Authority
+#
+openca = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = module
+
+# Layer: services
+# Module: openvpn
+#
+# full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: services
+# Module: pcscd
+#
+# PCSC smart card service
+#
+pcscd = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+# not in Debian?
+pegasus = off
+
+# Layer: services
+# Module: perdition
+#
+# Perdition POP and IMAP proxy
+#
+perdition = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: portslave
+#
+# Portslave terminal server software
+#
+portslave = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: postgrey
+#
+# Postfix grey-listing server
+#
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+#
+procmail = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: services
+# Module: pxe
+#
+# Server for the PXE network boot protocol
+#
+pxe = module
+
+# Layer: services
+# Module: pyzor
+#
+# Pyzor is a distributed, collaborative spam detection and filtering network.
+#
+pyzor = module
+
+# Layer: services
+# Module: qmail
+#
+# Qmail Mail Server
+#
+qmail = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+razor = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: services
+# Module: resmgr
+#
+# Resource management daemon
+#
+resmgr = module
+
+# Layer: services
+# Module: rhgb
+#
+# Red Hat Graphical Boot
+#
+rhgb = off
+
+# Layer: services
+# Module: ricci
+#
+# Ricci cluster management agent
+#
+ricci = off
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: services
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# SELinux troubleshooting service
+#
+setroubleshoot = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = module
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: speedtouch
+#
+# Alcatel speedtouch USB ADSL modem
+#
+speedtouch = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: services
+# Module: transproxy
+#
+# HTTP transperant proxy
+#
+transproxy = module
+
+# Layer: services
+# Module: ucspitcp
+#
+# ucspitcp policy
+#
+ucspitcp = module
+
+# Layer: services
+# Module: uptime
+#
+# Uptime daemon
+#
+uptime = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: uwimap
+#
+# University of Washington IMAP toolkit POP3 and IMAP mail server
+#
+uwimap = module
+
+# Layer: services
+# Module: watchdog
+#
+# Software watchdog
+#
+watchdog = module
+
+# Layer: services
+# Module: xfs
+#
+# X Windows Font Server
+#
+xfs = module
+
+# Layer: services
+# Module: xprint
+#
+# X print server
+#
+xprint = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: services
+# Module: zabbix
+#
+# Distributed infrastructure monitoring
+#
+zabbix = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: iscsi
+#
+# Establish connections to iSCSI devices
+#
+iscsi = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
--- refpolicy-0.0.20070507.orig/debian/global_booleans.xml
+++ refpolicy-0.0.20070507/debian/global_booleans.xml
@@ -0,0 +1,25 @@
+
+
+
+Enabling secure mode disallows programs, such as
+newrole, from transitioning to administrative
+user domains.
+
+
+
+
+
+
+Disable transitions to insmod.
+
+
+
+
+
+
+boolean to determine whether the system permits loading policy, setting
+enforcing mode, and changing boolean values. Set this to true and you
+have to reboot to set it back
+
+
+
--- refpolicy-0.0.20070507.orig/debian/watch
+++ refpolicy-0.0.20070507/debian/watch
@@ -0,0 +1,8 @@
+# format version number, currently 2; this line is compulsory!
+version=3
+
+opts="uversionmangle=s/^/0.0./" \
+http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease \
+ /files/refpolicy/refpolicy-(.*)\.tar\.bz2
+
+# arch-tag: cf70b245-38bc-49ea-a6a4-ac970978aea4
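Review bot: The header comment on the first line of the watch file is stale — it says the format version is `currently 2` while the very next line sets `version=3`; it should read `# format version number, currently 3; this line is compulsory!`. The upstream tarball is also fetched over plain `http://` with no signature verification, so uscan will accept whatever the mirror serves; if Tresys publishes detached signatures for the refpolicy releases (I cannot confirm that from this file), adding a `pgpsigurlmangle` option and an `https://` URL where available would let the download be verified before it enters the build.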
--- refpolicy-0.0.20070507.orig/debian/targeted.postrm
+++ refpolicy-0.0.20070507/debian/targeted.postrm
@@ -0,0 +1,176 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# postrm ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 12:22:20 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 21:01:06 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 11
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: bea9fd02-e287-4245-8009-9023c3333ff3
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+
+# Abort if any command returns an error value
+set -e
+
+TYPE=targeted
+package_name=selinux-policy-refpolicy-$TYPE
+POLICYNAME=refpolicy-$TYPE
+BASEDIR=/etc/selinux/$POLICYNAME
+
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+# This script is called twice during the removal of the package; once
+# after the removal of the package's files from the system, and as
+# the final step in the removal of this package, after the package's
+# conffiles have been removed.
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+case "$1" in
+ remove)
+ # This package is being removed, but its configuration has not yet
+ # been purged.
+ :
+
+ # Remove diversion
+ ##: dpkg-divert --package ${package_name} --remove --rename \
+ ##: --divert /usr/bin/other.real /usr/bin/other
+
+ # ldconfig is NOT needed during removal of a library, only during
+ # installation
+
+ ;;
+ purge)
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ :
+
+ # we mimic dpkg as closely as possible, so we remove configuration
+ # files with dpkg backup extensions too:
+ ### Some of the following is from Tore Anderson:
+ ##: for ext in '~' '%' .bak .dpkg-tmp .dpkg-new .dpkg-old .dpkg-dist; do
+ ##: rm -f /etc/${package_name}.conf$ext
+ ##: done
+
+ # remove the configuration file itself
+ ##: rm -f /etc/${package_name}.conf
+ rm -rf "$BASEDIR"
+
+ # and finally clear it out from the ucf database
+ ##: ucf --purge /etc/${package_name}.conf
+
+ # Remove symlinks from /etc/rc?.d
+ ##: update-rc.d ${package_name} remove >/dev/null
+
+ ##: if [ -e /usr/share/debconf/confmodule ]; then
+ ##: # Purge this package's data from the debconf database.
+ ##: . /usr/share/debconf/confmodule
+ ##: db_purge
+ ##: fi
+
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ ##: for flavour in emacs20 emacs21; do
+ ##: STARTDIR=/etc/$flavour/site-start.d;
+ ##: STARTFILE="${package_name}-init.el";
+ ##: if [ -e "$STARTDIR/20$STARTFILE" ]; then
+ ##: rm -f "$STARTDIR/20$STARTFILE"
+ ##: fi
+ ##: done
+
+ ;;
+ disappear)
+ if test "$2" != overwriter; then
+ echo "$0: undocumented call to \`postrm $*'" 1>&2
+ exit 0
+ fi
+ # This package has been completely overwritten by package $3
+ # (version $4). All our files are already gone from the system.
+ # This is a special case: neither "prerm remove" nor "postrm remove"
+ # have been called, because dpkg didn't know that this package would
+ # disappear until this stage.
+ :
+
+ ;;
+ upgrade)
+ # About to upgrade FROM THIS VERSION to version $2 of this package.
+ # "prerm upgrade" has been called for this version, and "preinst
+ # upgrade" has been called for the new version. Last chance to
+ # clean up.
+ :
+
+ ;;
+ failed-upgrade)
+ # About to upgrade from version $2 of this package TO THIS VERSION.
+ # "prerm upgrade" has been called for the old version, and "preinst
+ # upgrade" has been called for this version. This is only used if
+ # the previous version's "postrm upgrade" couldn't handle it and
+ # returned non-zero. (Fix old postrm bugs here.)
+ :
+
+ ;;
+ abort-install)
+ # Back out of an attempt to install this package. Undo the effects of
+ # "preinst install...". There are two sub-cases.
+ :
+
+ if test "${2+set}" = set; then
+ # When the install was attempted, version $2's configuration
+ # files were still on the system. Undo the effects of "preinst
+ # install $2".
+ :
+
+ else
+ # We were being installed from scratch. Undo the effects of
+ # "preinst install".
+ :
+
+ fi ;;
+ abort-upgrade)
+ # Back out of an attempt to upgrade this package from version $2
+ # TO THIS VERSION. Undo the effects of "preinst upgrade $2".
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
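Review bot: In the `purge)` branch `rm -rf "$BASEDIR"` deletes /etc/selinux/refpolicy-targeted unconditionally, including when /etc/selinux/config still names refpolicy-targeted as the SELINUXTYPE; the running kernel keeps its loaded policy, but on the next boot there is no policy store to load, and in enforcing mode that can leave the machine unbootable or booting without labels depending on how init handles the missing policy, which I cannot verify from here. The purge should check the configured policy first and at least warn (I would skip the removal) rather than silently remove the active store. Separately, the `$package_name` guard near the top calls `print`, which is not a shell command — under `set -e` that line would abort the script instead of reporting; it should be `echo "Internal Error. Please report a bug." >&2`, although since the variable is hard-coded the branch is effectively dead.
```shell
    purge)
        # … unchanged: commented-out template cleanup …

        # Do not delete the store of the policy the system is configured to boot with.
        if [ -r /etc/selinux/config ] && \
           grep -q "^SELINUXTYPE=${POLICYNAME}\$" /etc/selinux/config; then
            echo "$0: $POLICYNAME is the active policy in /etc/selinux/config; not removing $BASEDIR" >&2
        else
            rm -rf "$BASEDIR"
        fi
```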
--- refpolicy-0.0.20070507.orig/debian/build.conf.targeted
+++ refpolicy-0.0.20070507/debian/build.conf.targeted
@@ -0,0 +1,67 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version. This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 21
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = targeted-mcs
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = refpolicy-targeted
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+DISTRO = debian
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC=y
+
+# Build monolithic policy. Putting n here
+# will build a loadable module policy.
+MONOLITHIC=n
+
+# Polyinstantiation
+# Enable polyinstantiated directory support.
+POLY=n
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS=16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS=1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS=1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET=n
+
+# arch-tag: ec64afa6-f6f8-4b08-b002-6025ada3a269
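Review bot: The comment above `MCS_CATS=1024` is a copy of the MLS one and names the wrong variable — the MCS categories run c0 to c(MCS_CATS-1), so it should read `# The categories will be c0 to c(MCS_CATS-1).`. The `DIRECT_INITRC=y` setting also deserves a why-comment: by its own description it lets sysadm start init scripts directly instead of through run_init, which is the usual authentication and role-transition chokepoint for service management, so the trade-off should be recorded next to it, e.g. `# NOTE(review): sysadm bypasses the run_init step here — confirm this is intended for the targeted policy`. Both are documentation-only changes.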
--- refpolicy-0.0.20070507.orig/debian/ChangeLog
+++ refpolicy-0.0.20070507/debian/ChangeLog
@@ -0,0 +1,32 @@
+2007-05-07 Manoj Srivastava
+
+ * modules.conf.targeted (ricci):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Added module.
+
+ * modules.conf.strict (ricci):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Added module.
+
+ * postinst.policy (installed_modules):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Only add modules to the load order that have already
+ been shipped when considering dependencies for
+ modules. If the module is not shipped, chances are that
+ it was moved into the base policy.
+
+ * local-vars.mk (NON_MODULES):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Added a list of modules that are really built into the
+ base policy in Debian. We then use this list to remove
+ the modules .pp files from the policy shipped, since
+ they can not be installed along with the base policy
+ anyway.
+
+ * local.mk (install/selinux-policy-refpolicy-strict):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Remove the mosules that are built into the base already.
+ (install/selinux-policy-refpolicy-targeted):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Ditto.
+
--- refpolicy-0.0.20070507.orig/debian/policygentool
+++ refpolicy-0.0.20070507/debian/policygentool
@@ -0,0 +1,300 @@
+#! /usr/bin/env python
+# Copyright (C) 2006 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# policygentool is a tool for the initial generation of SELinux policy
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+# arch-tag: 4c33ae23-a363-4ace-bae9-86fb8a792206
+import os, sys, getopt
+import re
+
+########################### Interface File #############################
+interface="""\
+## policy for TEMPLATETYPE
+
+########################################
+##
+## Execute a domain transition to run TEMPLATETYPE.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`TEMPLATETYPE_domtrans',`
+ gen_require(`
+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
+ ')
+
+ domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
+
+ allow $1 TEMPLATETYPE_t:fd use;
+ allow TEMPLATETYPE_t $1:fd use;
+ allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
+ allow TEMPLATETYPE_t $1:process sigchld;
+')
+"""
+
+########################### Type Enforcement File #############################
+te="""\
+policy_module(TEMPLATETYPE,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type TEMPLATETYPE_t;
+type TEMPLATETYPE_exec_t;
+domain_type(TEMPLATETYPE_t)
+init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+"""
+te_pidfile="""
+# pid files
+type TEMPLATETYPE_var_run_t;
+files_pid_file(TEMPLATETYPE_var_run_t)
+"""
+te_logfile="""
+# log files
+type TEMPLATETYPE_var_log_t;
+logging_log_file(TEMPLATETYPE_var_log_t)
+"""
+te_libfile="""
+# var/lib files
+type TEMPLATETYPE_var_lib_t;
+files_type(TEMPLATETYPE_var_lib_t)
+"""
+te_sep="""
+########################################
+#
+# TEMPLATETYPE local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(TEMPLATETYPE_t)
+libs_use_ld_so(TEMPLATETYPE_t)
+libs_use_shared_libs(TEMPLATETYPE_t)
+miscfiles_read_localization(TEMPLATETYPE_t)
+## internal communication is often done using fifo and unix sockets.
+allow TEMPLATETYPE_t self:fifo_file { read write };
+allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
+"""
+te_pidfile2="""
+# pid file
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
+"""
+te_logfile2="""
+# log files
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
+"""
+te_libfile2="""
+# var/lib files for TEMPLATETYPE
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir sock_file })
+"""
+te_network2="""
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
+corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
+corenet_tcp_connect_http_port(TEMPLATETYPE_t)
+#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
+## if it is a network daemon, consider these:
+#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
+#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
+allow TEMPLATETYPE_t self:tcp_socket { listen accept };
+"""
+te_initsc2="""
+# Init script handling
+init_use_fds(TEMPLATETYPE_t)
+init_use_script_ptys(TEMPLATETYPE_t)
+domain_use_interactive_fds(TEMPLATETYPE_t)
+"""
+
+########################### File Context ##################################
+fc="""\
+# TEMPLATETYPE executable will have:
+# label: system_u:object_r:TEMPLATETYPE_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
+"""
+fc_pidfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
+"""
+fc_logfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
+"""
+fc_libfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
+"""
+def errorExit(error):
+ sys.stderr.write("%s: " % sys.argv[0])
+ sys.stderr.write("%s\n" % error)
+ sys.stderr.flush()
+ sys.exit(1)
+
+
+def write_te_file(module, pidfile, logfile, libfile, network, initsc):
+ file="%s.te" % module
+ newte=re.sub("TEMPLATETYPE", module, te)
+ if pidfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
+ if logfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
+ if libfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
+ newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
+ if pidfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
+ if logfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
+ if libfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
+ if network:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
+ if initsc:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newte)
+ fd.close()
+
+def write_if_file(module):
+ file="%s.if" % module
+ newif=re.sub("TEMPLATETYPE", module, interface)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newif)
+ fd.close()
+
+def write_fc_file(module, executable, pidfile, logfile, libfile):
+ file="%s.fc" % module
+ temp=re.sub("TEMPLATETYPE", module, fc)
+ newfc=re.sub("EXECUTABLE", executable, temp)
+ if pidfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
+ newfc=newfc + re.sub("FILENAME", pidfile, temp)
+ if logfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_logfile)
+ newfc=newfc + re.sub("FILENAME", logfile, temp)
+ if libfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_libfile)
+ newfc=newfc + re.sub("FILENAME", libfile, temp)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newfc)
+ fd.close()
+
+def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
+ write_te_file(module, pidfile, logfile, libfile, initsc, network)
+ write_if_file(module)
+ write_fc_file(module, executable, pidfile, logfile, libfile)
+
+if __name__ == '__main__':
+ def usage(message = ""):
+ print '%s ModuleName Executable' % sys.argv[0]
+ sys.exit(1)
+
+ if len(sys.argv) != 3:
+ usage()
+
+ print """\n
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if). Most of the policy rules
+will be written in the te file. Use the File Context file to associate file
+paths with security context. Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+
+After generating these files use the /usr/share/selinux/POLICY-NAME/include/Makefile to
+compile your policy package. Then use the semodule tool to load it.
+
+# /usr/bin/policygentool myapp /usr/bin/myapp
+# echo 'HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include' >Makefile
+# echo 'include $(HEADERDIR)/Makefile' >> Makefile
+# make
+# semodule -l myapp.pp
+# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+
+Now you can turn on permissive mode, start your application and avc messages
+will be generated. You can use audit2allow to help translate the avc messages
+into policy.
+
+# setenforce 0
+# /etc/init.d/myapp start
+# audit2allow -R -i /var/log/audit/audit.log
+
+Return to continue:"""
+ sys.stdin.readline().rstrip()
+
+ print 'If the module uses pidfiles, what is the pidfile called?'
+ pidfile = sys.stdin.readline().rstrip()
+ if pidfile == "":
+ pidfile = None
+ print 'If the module uses logfiles, where are they stored?'
+ logfile = sys.stdin.readline().rstrip()
+ if logfile == "":
+ logfile = None
+ print 'If the module has var/lib files, where are they stored?'
+ libfile = sys.stdin.readline().rstrip()
+ if libfile == "":
+ libfile = None
+ print 'Does the module have a init script? [yN]'
+ initsc = sys.stdin.readline().rstrip()
+ if initsc == "" or initsc == "n" or initsc == "N":
+ initsc = False
+ elif initsc == "y" or initsc == "Y":
+ initsc = True
+ else:
+ raise "Please answer with 'y' or 'n'!"
+ print 'Does the module use the network? [yN]'
+ network = sys.stdin.readline().rstrip()
+ if network == "" or network == "n" or network == "N":
+ network = False
+ elif network == "y" or network == "Y":
+ network = True
+ else:
+ raise "Please answer with 'y' or 'n'!"
+
+ gen_policy(
+ module=sys.argv[1],
+ executable=sys.argv[2],
+ pidfile=pidfile,
+ logfile=logfile,
+ libfile=libfile,
+ initsc=initsc,
+ network=network
+ )
+
+
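Review bot: `gen_policy` passes `initsc, network` positionally to `write_te_file`, whose parameter list is declared as `(module, pidfile, logfile, libfile, network, initsc)`, so the two flags arrive swapped: answering "init script: y, network: n" emits the `te_network2` rules (including `corenet_tcp_connect_http_port` and `tcp_socket { listen accept }`) and drops the init-script rules. Either reorder the call to `write_te_file(module, pidfile, logfile, libfile, network, initsc)` or pass both flags by keyword, as `gen_policy` itself is called. Separately, `re.sub("TEMPLATETYPE", module, ...)` and `re.sub("FILENAME", pidfile, ...)` treat the user-entered module name and paths as regex replacement strings, so a backslash (common in `.fc` path regexes) is escape-processed; `str.replace` does what is intended since neither side is meant as a pattern.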
--- refpolicy-0.0.20070507.orig/debian/build.conf.strict
+++ refpolicy-0.0.20070507/debian/build.conf.strict
@@ -0,0 +1,67 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version. This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 21
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = strict-mcs
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = refpolicy-strict
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+DISTRO = debian
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC=y
+
+# Build monolithic policy. Putting n here
+# will build a loadable module policy.
+MONOLITHIC=n
+
+# Polyinstantiation
+# Enable polyinstantiated directory support.
+POLY=n
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS=16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS=1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS=1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET=n
+
+# arch-tag: 6e61abf2-f3d7-42b4-bbb9-7a1b38350518
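Review bot: The comment above `MCS_CATS=1024` says the categories run to `c(MLS_CATS-1)`; it was copied from the MLS block and should read `# The categories will be c0 to c(MCS_CATS-1).`. The same copied comment appears above `MCS_CATS` in `debian/build.conf.targeted` earlier in this patch.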
--- refpolicy-0.0.20070507.orig/debian/copyright
+++ refpolicy-0.0.20070507/debian/copyright
@@ -0,0 +1,49 @@
+This is the Debian package for the SELinux Reference policy, and it is
+built from sources obtained from:
+ http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
+
+This package was originally debianized by Erich Schubert
+ on Mon, 13 Feb 2006 22:50:03 +0100.
+
+The package has since changed maintainers, the current maintainer being
+Manoj Srivastava .
+
+Changes:
+ * added Debian GNU/Linux package maintenance system files
+ * Some Debian specific tweaks and changes to policy also exist
+
+
+The reference policy is
+Copyright (C) 2002 Michael Droettboom
+Copyright (C) 2003 - 2006 Tresys Technology, LLC
+
+
+License:
+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+The debian specific changes are Copyright © 2006 Manoj Srivastava, and
+distributed under the terms of the GNU General Public License, version
+2.
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
+
+ A copy of the GNU General Public License is also available at
+ . You may also obtain
+ it by writing to the Free Software Foundation, Inc., 51 Franklin
+ St, Fifth Floor, Boston, MA 02110-1301 USA
+
+Manoj Srivastava
+arch-tag: d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27
--- refpolicy-0.0.20070507.orig/debian/NEWS.Debian
+++ refpolicy-0.0.20070507/debian/NEWS.Debian
@@ -0,0 +1,14 @@
+refpolicy (0.0.20061018-2) unstable; urgency=high
+
+
+ * When installing strict policy, the postinst does not check for the
+ contents of /etc/selinux/config to see if SELINUXTYPE is set to
+ refpolicy-strict or not. Ideally, if config does not have SELINUXTYPE
+ set to refpolicy-strict, the installer should be prompted to see if
+ they want to change the policy type and relabel; this is not yet
+ done. Please ensure that the setting for SELINUXTYPE in the
+ configuration file /etc/selinux/config matches what you want it to
+ be.
+
+ -- Manoj Srivastava Fri, 22 Dec 2006 10:40:38 -0600
+
--- refpolicy-0.0.20070507.orig/policy/users
+++ refpolicy-0.0.20070507/policy/users
@@ -29,6 +29,7 @@
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
gen_user(user_u, user, user_r, s0, s0)
+gen_user(netuser_u, netuser, netuser_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
')
--- refpolicy-0.0.20070507.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-0.0.20070507/policy/modules/system/selinuxutil.te
@@ -568,6 +568,10 @@
allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+ifdef(`targeted_policy',`
+ allow semanage_t initrc_t:fd use;
+')
+
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
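Review bot: `allow semanage_t initrc_t:fd use;` names `initrc_t`, a type owned by the init module, directly in selinuxutil.te; in a modular build that reference is not declared in this module, and it bypasses the interface layer that the rest of the file uses. The init module already exports exactly this access as `init_use_fds(semanage_t)` (the same call appears in the policygentool template added by this patch), so keep the `targeted_policy` ifdef and replace the allow line with `init_use_fds(semanage_t)`.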
@@ -630,6 +634,10 @@
userdom_read_sysadm_tmp_files(semanage_t)
')
+optional_policy(`
+ pythonsupport_compiled_read(semanage_t)
+')
+
########################################
#
# Setfiles local policy
--- refpolicy-0.0.20070507.orig/policy/modules/system/init.te
+++ refpolicy-0.0.20070507/policy/modules/system/init.te
@@ -357,6 +357,7 @@
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
+logging_setattr_xconsole(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -386,8 +387,13 @@
userdom_use_sysadm_terms(initrc_t)
ifdef(`distro_debian',`
- dev_setattr_generic_dirs(initrc_t)
+ # seed udev /dev
+ dev_create_generic_dirs(initrc_t)
+ # to be able to create /dev/xconsole
+ dev_create_generic_pipes(initrc_t)
+ # for /etc/network/run/ifstate
+ sysnet_manage_config(initrc_t)
fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)
# for storing state under /dev/shm
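Review bot: `sysnet_manage_config(initrc_t)` grants create, write and delete on every `net_conf_t` object (and, with the sysnetwork.if change in this patch, on `net_conf_t` directories too), which per the sysnetwork.fc labels in this patch includes `/etc/network/run`, `/dev/shm/network` and the `resolv.conf` entries, although the comment only justifies `/etc/network/run/ifstate`. The same call is added for `udev_t` in udev.te; consider a narrower interface for the Debian run-state directory, or at least widen the comment to state the full scope being granted. Separately, `dev_create_generic_pipes(initrc_t)` creates `/dev/xconsole` with the default `/dev` type, and the `-p` entry in logging.fc only applies on relabel, so a `dev_filetrans(initrc_t, xconsole_device_t, fifo_file)`-style transition is probably needed for the `logging_setattr_xconsole(initrc_t)` rule to apply at boot (I cannot see whether another rule already provides it). The enclosing `distro_debian` block continues outside the hunk.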
@@ -700,6 +706,7 @@
optional_policy(`
postfix_list_spool(initrc_t)
+ postfix_read_config(initrc_t)
')
optional_policy(`
@@ -776,9 +783,6 @@
')
optional_policy(`
- # Set device ownerships/modes.
- xserver_setattr_console_pipes(initrc_t)
-
# init script wants to check if it needs to update windowmanagerlist
xserver_read_xdm_rw_config(initrc_t)
')
--- refpolicy-0.0.20070507.orig/policy/modules/system/pythonsupport.fc
+++ refpolicy-0.0.20070507/policy/modules/system/pythonsupport.fc
@@ -0,0 +1,2 @@
+/usr/sbin/update-python-modules -- gen_context(system_u:object_r:pythoncompile_exec_t,s0)
+/var/lib/python-support(/.*)? gen_context(system_u:object_r:python_compiled_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-0.0.20070507/policy/modules/system/sysnetwork.if
@@ -272,6 +272,7 @@
type net_conf_t;
')
+ allow $1 net_conf_t:dir manage_dir_perms;
allow $1 net_conf_t:file manage_file_perms;
')
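Review bot: The added `allow $1 net_conf_t:dir manage_dir_perms;` widens this interface from files to directories, but the interface's summary and description above the hunk presumably still describe it as managing network config files; update the summary to something like 'Create, read, write, and delete network config files and directories' so the callers this patch adds (`sysnet_manage_config(initrc_t)`, `sysnet_manage_config(udev_t)`) are documented accurately. The enclosing interface starts outside the hunk.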
--- refpolicy-0.0.20070507.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-0.0.20070507/policy/modules/system/sysnetwork.fc
@@ -22,6 +22,10 @@
/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
')
+ifdef(`distro_debian', `
+/etc/network/run(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+')
#
# /sbin
#
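Review bot: `/dev/shm/network(/.*)?` labels objects on a tmpfs mount with `net_conf_t`; unless `net_conf_t` has `fs_associate_tmpfs` (as this patch adds for `xconsole_device_t` in logging.te), the kernel denies creating or relabeling `net_conf_t` files there (filesystem `associate` permission) and restorecon on `/dev/shm/network` fails. If sysnetwork.te does not already have it, add `fs_associate_tmpfs(net_conf_t)` next to the type declaration, and say in a comment which Debian component populates `/dev/shm/network`.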
--- refpolicy-0.0.20070507.orig/policy/modules/system/udev.te
+++ refpolicy-0.0.20070507/policy/modules/system/udev.te
@@ -56,16 +56,18 @@
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
-allow udev_t udev_exec_t:file write;
+allow udev_t udev_helper_exec_t:dir list_dir_perms;
can_exec(udev_t, udev_exec_t)
-allow udev_t udev_helper_exec_t:dir list_dir_perms;
+allow udev_t udev_helper_exec_t:dir r_dir_perms;
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
# create udev database in /dev/.udevdb
allow udev_t udev_tbl_t:file manage_file_perms;
+allow udev_t udev_tbl_t:lnk_file manage_file_perms;
+allow udev_t udev_tbl_t:dir manage_dir_perms;
dev_filetrans(udev_t,udev_tbl_t,file)
manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
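Review bot: After this hunk `udev_t` holds both `allow udev_t udev_helper_exec_t:dir list_dir_perms;` (the new line that replaces the removed `udev_exec_t:file write`) and `allow udev_t udev_helper_exec_t:dir r_dir_perms;`; `r_dir_perms` is a superset of `list_dir_perms`, so the first line is redundant and should be dropped. The new `udev_tbl_t` `dir` and `lnk_file` manage rules are paired with `dev_filetrans(udev_t,udev_tbl_t,file)`, which transitions regular files only; directories and symlinks udev creates under `/dev` would get the default device type unless the transition is widened to `dev_filetrans(udev_t,udev_tbl_t,{ file dir lnk_file })` (I cannot see whether another rule covers this). Removing `udev_exec_t:file write` is a good tightening and deserves a short comment so it is not reintroduced.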
@@ -143,6 +145,7 @@
seutil_domtrans_restorecon(udev_t)
sysnet_domtrans_ifconfig(udev_t)
+sysnet_manage_config(udev_t)
sysnet_domtrans_dhcpc(udev_t)
userdom_use_sysadm_ttys(udev_t)
--- refpolicy-0.0.20070507.orig/policy/modules/system/userdomain.if
+++ refpolicy-0.0.20070507/policy/modules/system/userdomain.if
@@ -900,6 +900,10 @@
')
optional_policy(`
+ pythonsupport_compiled_read($1_t)
+ ')
+
+ optional_policy(`
pcscd_read_pub_files($1_t)
pcscd_stream_connect($1_t)
')
@@ -1068,6 +1072,41 @@
#######################################
##
+## The template for creating a user with network access.
+##
+##
+##
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+##
+##
+## This differs from the unpriv_user_template by allowing non-privileged network access.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., sysadm
+## is the prefix for sysadm_t).
+##
+##
+#
+template(`network_user_template',`
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Inherit rules for ordinary users.
+ userdom_unpriv_user_template($1)
+ # like user_tcp_server
+ corenet_tcp_bind_generic_port($1_t)
+ sysnet_dns_name_resolve($1_t)
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_stream_socket_perms;
+')
+#######################################
+##
## The template for creating an administrative user.
##
##
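Review bot: `allow $1_t self:udp_socket create_stream_socket_perms;` applies a stream permission set (which adds `listen` and `accept`) to a datagram socket; `create_socket_perms` is the conventional set for `udp_socket`. The template also grants `corenet_tcp_bind_generic_port($1_t)` but no UDP bind, so the description should state that the intended extra access is TCP servers on generic ports plus DNS, not general network use. The template's name lacks the module's `userdom_` prefix that every sibling template in this file carries.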
--- refpolicy-0.0.20070507.orig/policy/modules/system/logging.if
+++ refpolicy-0.0.20070507/policy/modules/system/logging.if
@@ -545,6 +545,41 @@
########################################
##
+## Set the attributes of the xconsole named pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_setattr_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+##
+## Read the xconsole named pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_r_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr read };
+')
+########################################
+##
## Create, read, write, and delete
## generic log files.
##
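Review bot: `logging_r_xconsole` grants `{ getattr read }` on a FIFO, and reading a named pipe consumes its data, so any domain given this interface takes messages that syslogd writes (see the `rw_file_perms` rule added in logging.te) away from the console reader; the description should say so explicitly rather than just 'Read the xconsole named pipe'. The name would follow refpolicy convention better as `logging_read_xconsole`. A blank line is also missing between the closing `')` and the following banner line.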
--- refpolicy-0.0.20070507.orig/policy/modules/system/userdomain.te
+++ refpolicy-0.0.20070507/policy/modules/system/userdomain.te
@@ -105,12 +105,19 @@
userdom_admin_user_template(sysadm)
userdom_unpriv_user_template(staff)
userdom_unpriv_user_template(user)
+ userdom_unpriv_user_template(netuser)
# user role change rules:
# sysadm_r can change to user roles
userdom_role_change_template(sysadm, user)
userdom_role_change_template(sysadm, staff)
+ # make netuser reachable
+ userdom_role_change_template(sysadm, netuser)
+ userdom_role_change_template(staff, netuser)
+ userdom_role_change_template(user, netuser)
+ userdom_role_change_template(netuser, user)
+
# only staff_r can change to sysadm_r
userdom_role_change_template(staff, sysadm)
dontaudit staff_t admin_terminal:chr_file { read write };
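Review bot: `netuser` is created with `userdom_unpriv_user_template(netuser)`, not with the `network_user_template` this patch adds to userdomain.if, so as far as the patch shows `netuser_t` receives exactly the same access as `user_t` and the extra `corenet_tcp_bind_generic_port`/`sysnet_dns_name_resolve` rules are never instantiated. If the network-enabled user is intended, replace the line with the new template (renamed with the module prefix, e.g. `userdom_network_user_template(netuser)`); if not, the unused template should be dropped. The bidirectional `userdom_role_change_template(user, netuser)` / `(netuser, user)` pair also deserves a comment on why each direction is wanted. The enclosing ifdef block starts outside the hunk.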
--- refpolicy-0.0.20070507.orig/policy/modules/system/pythonsupport.if
+++ refpolicy-0.0.20070507/policy/modules/system/pythonsupport.if
@@ -0,0 +1,55 @@
+## Support for precompiling python modules
+##
+##
+## Debians python-support will precompile installed python
+## packages for installed python versions. This way,
+## the python2.3-foobar and python2.4-foobar (and 2.5) packages
+## could be merged into one python-foobar while keeping the
+## dependency information useful.
+##
+##
+#
+
+########################################
+##
+## Execute the python-support utility to precompile modules.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pythonsupport_domtrans',`
+ gen_require(`
+ type pythoncompile_t, pythoncompile_exec_t;
+ ')
+
+ domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t)
+
+ allow $1 pythoncompile_t:fd use;
+ allow pythoncompile_t $1:fd use;
+ allow $1 pythoncompile_t:fifo_file rw_file_perms;
+ allow $1 pythoncompile_t:process sigchld;
+')
+
+########################################
+##
+## Read compiled python modules
+##
+##
+##
+## Domain allowed to read the compiled python modules.
+##
+##
+#
+interface(`pythonsupport_compiled_read',`
+ gen_require(`
+ type python_compiled_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 python_compiled_t:dir r_dir_perms;
+ allow $1 python_compiled_t:file r_file_perms;
+ allow $1 python_compiled_t:lnk_file r_file_perms;
+')
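Review bot: In `pythonsupport_domtrans` the fifo and sigchld rules point the wrong way: `allow $1 pythoncompile_t:fifo_file rw_file_perms;` and `allow $1 pythoncompile_t:process sigchld;` let the caller write the child's pipes and signal it, whereas the domain-transition idiom (compare the policygentool template in this patch: `allow TEMPLATETYPE_t $1:fifo_file rw_file_perms; allow TEMPLATETYPE_t $1:process sigchld;`) is for the new domain to use the caller's fifo and send SIGCHLD back. Swap them to `allow pythoncompile_t $1:fifo_file rw_file_perms;` and `allow pythoncompile_t $1:process sigchld;`, or replace the body after `gen_require` with `domtrans_pattern($1, pythoncompile_exec_t, pythoncompile_t)` if this refpolicy release ships it (the `*_pattern` macros used elsewhere in the patch suggest it does).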
--- refpolicy-0.0.20070507.orig/policy/modules/system/pythonsupport.te
+++ refpolicy-0.0.20070507/policy/modules/system/pythonsupport.te
@@ -0,0 +1,44 @@
+policy_module(pythonsupport,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type pythoncompile_t;
+type pythoncompile_exec_t;
+domain_type(pythoncompile_t)
+domain_entry_file(pythoncompile_t, pythoncompile_exec_t)
+
+role system_r types pythoncompile_t;
+role sysadm_r types pythoncompile_t;
+
+type python_compiled_t;
+files_type(python_compiled_t)
+
+########################################
+#
+# python-support local policy
+#
+
+kernel_read_system_state(pythoncompile_t)
+kernel_read_kernel_sysctls(pythoncompile_t)
+
+corecmd_exec_bin(pythoncompile_t)
+corecmd_exec_sbin(pythoncompile_t)
+
+files_read_etc_files(pythoncompile_t)
+files_read_usr_files(pythoncompile_t)
+
+libs_use_ld_so(pythoncompile_t)
+libs_use_shared_libs(pythoncompile_t)
+libs_use_lib_files(pythoncompile_t)
+
+miscfiles_read_localization(pythoncompile_t)
+
+
+# create compiled python modules
+allow pythoncompile_t python_compiled_t:dir manage_dir_perms;
+allow pythoncompile_t python_compiled_t:file manage_file_perms;
+allow pythoncompile_t python_compiled_t:lnk_file manage_file_perms;
+files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)
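Review bot: Nothing in this patch calls `pythonsupport_domtrans`, so as far as visible no domain ever enters `pythoncompile_t` and `/usr/sbin/update-python-modules` runs in its caller's domain; the type, `role` statements and rules here are inert until the expected caller gets the transition. A comment at the top naming that caller (presumably the package-manager domain) would make this reviewable. `python_compiled_t` content is presumably imported as code by every reader (`semanage_t` and all user domains via the userdomain.if hunk), so keeping `pythoncompile_t` the only writer is the integrity property to preserve — state it next to the `# create compiled python modules` rules.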
--- refpolicy-0.0.20070507.orig/policy/modules/system/unconfined.fc
+++ refpolicy-0.0.20070507/policy/modules/system/unconfined.fc
@@ -6,8 +6,9 @@
ifdef(`targeted_policy',`
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/gcj-dbtool-4.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
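Review bot: `/usr/bin/gcj-dbtool-4.1` pins the compiler version in the path, so the `unconfined_execmem_exec_t` label is silently lost when the packaged gcj moves to another version; `/usr/bin/gcj-dbtool(-[0-9.]+)?` covers both the versioned and unversioned names. The reordering of the qemu and realplay lines is cosmetic.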
--- refpolicy-0.0.20070507.orig/policy/modules/system/logging.te
+++ refpolicy-0.0.20070507/policy/modules/system/logging.te
@@ -55,6 +55,12 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
@@ -282,6 +288,9 @@
manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
+# log to xconsole
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
@@ -386,8 +395,3 @@
optional_policy(`
udev_read_db(syslogd_t)
')
-
-optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
-')
--- refpolicy-0.0.20070507.orig/policy/modules/system/logging.fc
+++ refpolicy-0.0.20070507/policy/modules/system/logging.fc
@@ -1,5 +1,6 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
--- refpolicy-0.0.20070507.orig/policy/modules/apps/mplayer.fc
+++ refpolicy-0.0.20070507/policy/modules/apps/mplayer.fc
@@ -6,9 +6,9 @@
#
# /usr
#
-/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
-/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
-/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
+/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
ifdef(`strict_policy',`
HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/apps/cdrecord.fc
+++ refpolicy-0.0.20070507/policy/modules/apps/cdrecord.fc
@@ -2,4 +2,4 @@
# /usr
#
/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
-
+/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/services/dcc.te
+++ refpolicy-0.0.20070507/policy/modules/services/dcc.te
@@ -95,6 +95,9 @@
allow cdcc_t dcc_client_map_t:file rw_file_perms;
# Access files in /var/dcc. The map file can be updated
+ifdef(`distro_debian',`
+files_search_var_lib(cdcc_t)
+')
allow cdcc_t dcc_var_t:dir list_dir_perms;
read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
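Review bot: This ``ifdef(`distro_debian',` `` block granting `files_search_var_lib(cdcc_t)` is repeated for five more domains in the following hunks (`dcc_client_t`, `dcc_dbclean_t`, `dccd_t`, `dccifd_t`, `dccm_t`). Search on `/var/lib` is a low-value permission most daemons already hold, so the six blocks could be unconditional one-liners, and one comment explaining that Debian places the `dcc_var_t` tree under `/var/lib` (wherever dcc.fc puts it) would say why the search is needed at all.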
@@ -137,6 +140,9 @@
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
# Access files in /var/dcc. The map file can be updated
+ifdef(`distro_debian',`
+files_search_var_lib(dcc_client_t)
+')
allow dcc_client_t dcc_var_t:dir list_dir_perms;
read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
@@ -177,6 +183,9 @@
manage_files_pattern(dcc_dbclean_t,dcc_dbclean_tmp_t,dcc_dbclean_tmp_t)
files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
+ifdef(`distro_debian',`
+files_search_var_lib(dcc_dbclean_t)
+')
manage_dirs_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
manage_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
manage_lnk_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
@@ -220,6 +229,9 @@
allow dccd_t dcc_client_map_t:file rw_file_perms;
# Access files in /var/dcc. The map file can be updated
+ifdef(`distro_debian',`
+files_search_var_lib(dccd_t)
+')
allow dccd_t dcc_var_t:dir list_dir_perms;
read_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
read_lnk_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
@@ -306,6 +318,9 @@
allow dccifd_t dcc_client_map_t:file rw_file_perms;
# Updating dcc_db, flod, ...
+ifdef(`distro_debian',`
+files_search_var_lib(dccifd_t)
+')
manage_dirs_pattern(dccifd_t,dcc_var_t,dcc_var_t)
manage_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
manage_lnk_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
@@ -383,6 +398,9 @@
allow dccm_t dcc_client_map_t:file rw_file_perms;
+ifdef(`distro_debian',`
+files_search_var_lib(dccm_t)
+')
manage_dirs_pattern(dccm_t,dcc_var_t,dcc_var_t)
manage_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
manage_lnk_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
--- refpolicy-0.0.20070507.orig/policy/modules/services/clamav.te
+++ refpolicy-0.0.20070507/policy/modules/services/clamav.te
@@ -103,6 +103,7 @@
files_read_etc_files(clamd_t)
files_read_etc_runtime_files(clamd_t)
files_search_spool(clamd_t)
+files_search_var_lib(clamd_t)
libs_use_ld_so(clamd_t)
libs_use_shared_libs(clamd_t)
--- refpolicy-0.0.20070507.orig/policy/modules/services/cron.te
+++ refpolicy-0.0.20070507/policy/modules/services/cron.te
@@ -220,6 +220,8 @@
optional_policy(`
amavis_search_lib(crond_t)
+ # for bayes maintainance scripts
+ amavis_domtrans(crond_t)
')
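Review bot: `amavis_domtrans(crond_t)` attaches the transition to the cron daemon itself, while the job-side rules in this file (e.g. `mysql_read_config(system_crond_t)` and the `mysql_stream_connect(system_crond_t)` added below) live on `system_crond_t`; confirm the Debian cron job execs `amavis_exec_t` directly from `crond_t`, otherwise the rule belongs on `system_crond_t`. The comment also misspells "maintenance": `# for bayes maintenance scripts`. The surrounding section starts outside the hunk.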
optional_policy(`
@@ -253,6 +255,13 @@
udev_read_db(crond_t)
')
+optional_policy(`
+ # allow crond to search logrotate jobs
+ logrotate_search_varlib(crond_t)
+')
+
+
+
########################################
#
# System cron process domain
@@ -437,6 +446,7 @@
optional_policy(`
mysql_read_config(system_crond_t)
+ mysql_stream_connect(system_crond_t)
')
optional_policy(`
--- refpolicy-0.0.20070507.orig/policy/modules/services/courier.te
+++ refpolicy-0.0.20070507/policy/modules/services/courier.te
@@ -35,7 +35,7 @@
#
allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
-allow courier_authdaemon_t self:unix_stream_socket connectto;
+allow courier_authdaemon_t self:unix_stream_socket { connectto listen accept read write };
can_exec(courier_authdaemon_t, courier_exec_t)
@@ -83,7 +83,8 @@
# POP3/IMAP local policy
#
-allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t courier_authdaemon_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
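Review bot: `allow courier_pop_t self:capability { setgid setuid };` hands the POP/IMAP login domain the ability to change identity with no comment on why; if it is for switching to the authenticated mailbox user once authdaemon answers, say so, e.g. `# change to the authenticated user's uid/gid after authdaemon login`, so a later reviewer can tell it apart from an accidental broad grant. The widened `courier_authdaemon_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms` pairs with the `listen accept read write` added to authdaemon in the previous hunk.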
@@ -102,6 +103,7 @@
# this should also probably be a separate type too instead of
# the regular home dir
userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
+userdom_read_user_home_content_symlinks(user,courier_pop_t)
########################################
#
--- refpolicy-0.0.20070507.orig/policy/modules/services/ldap.fc
+++ refpolicy-0.0.20070507/policy/modules/services/ldap.fc
@@ -1,10 +1,11 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-
-ifdef(`distro_debian',`
+# Debian and Ubunto place slapd in a different location
+ifdef(`distro_debian', `
/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+', `
+/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
')
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
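Review bot: The comment `# Debian and Ubunto place slapd in a different location` misspells Ubuntu. Since a file-context entry for a path that does not exist is harmless, the `/usr/sbin/slapd` line could also stay unconditional with only the `/usr/lib/slapd` entry under `distro_debian`, so that a Debian derivative that still ships `/usr/sbin/slapd` keeps its label.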
--- refpolicy-0.0.20070507.orig/policy/modules/services/xserver.te
+++ refpolicy-0.0.20070507/policy/modules/services/xserver.te
@@ -34,12 +34,6 @@
type xauth_exec_t;
corecmd_executable_file(xauth_exec_t)
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
type xdm_t;
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
@@ -111,7 +105,8 @@
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+#allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+logging_r_xconsole(xdm_t)
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
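Review bot: The commented-out `#allow xdm_t xconsole_device_t:fifo_file { getattr setattr };` at L8987 should be deleted rather than kept, since the type it references is removed by the first hunk of this file and the interfaces over it (`xserver_setattr_console_pipes`, `xserver_rw_console`) are removed in the xserver.if hunk at L9061–L9133. The replacement `logging_r_xconsole(xdm_t)` reads as a read-only interface, so the setattr the old rule granted is silently dropped; if xdm still changes attributes on the console pipe that will surface as a denial. Dropping the two xserver.if interfaces also breaks any module that still calls them, which this patch does not show being updated — worth checking across the tree before merging.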
--- refpolicy-0.0.20070507.orig/policy/modules/services/amavis.fc
+++ refpolicy-0.0.20070507/policy/modules/services/amavis.fc
@@ -2,10 +2,8 @@
/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0)
/etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0)
+ifdef(`strict_policy',`
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
-
-ifdef(`distro_debian',`
-/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
')
/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
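Review bot: Wrapping the `/usr/sbin/amavisd.*` entry in `ifdef(`strict_policy',`` at L8996 means that in a targeted build the daemon binary presumably falls back to the generic /usr/sbin label and amavisd runs without a domain transition, i.e. unconfined, and the Debian `amavisd-new-cronjob` labeling is dropped for every policy flavour. If that is intended (for example because targeted has no amavis domain), a one-line comment such as `# amavis is only confined under strict policy` would keep a later reader from reverting it; otherwise the condition belongs on a distro entry, not on the exec file.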
--- refpolicy-0.0.20070507.orig/policy/modules/services/courier.fc
+++ refpolicy-0.0.20070507/policy/modules/services/courier.fc
@@ -6,7 +6,7 @@
/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0)
/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
-/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
@@ -16,6 +16,6 @@
/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
+/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
-/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
+/var/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/services/xserver.fc
+++ refpolicy-0.0.20070507/policy/modules/services/xserver.fc
@@ -12,11 +12,6 @@
')
#
-# /dev
-#
-/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
-
-#
# /etc
#
--- refpolicy-0.0.20070507.orig/policy/modules/services/dcc.fc
+++ refpolicy-0.0.20070507/policy/modules/services/dcc.fc
@@ -5,13 +5,27 @@
/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+ifdef(`distro_redhat',`
/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+')
+ifdef(`distro_debian',`
+/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+')
+ifdef(`distro_redhat',`
/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+')
+ifdef(`distro_debian',`
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+')
/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
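Review bot: Moving the original `/usr/libexec/dcc/*` and `/var/dcc` entries under `ifdef(`distro_redhat',`` at L9037 and L9049 removes the labeling for every distribution other than Red Hat and Debian, whereas before this change those paths were labeled unconditionally; on a Gentoo or SUSE build dccd, dccifd and dccm would now run with a generic bin label. The ldap.fc hunk in this same patch uses the `ifdef(`distro_debian',` … ', ` … ')` else form, which keeps the previous default and halves the number of blocks here: `ifdef(`distro_debian',`` Debian entries `',`` the original entries `')`.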
--- refpolicy-0.0.20070507.orig/policy/modules/services/xserver.if
+++ refpolicy-0.0.20070507/policy/modules/services/xserver.if
@@ -719,61 +719,25 @@
########################################
##
-## Read all users .Xauthority.
+## Read all users .Xauthority.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`xserver_read_all_users_xauth',`
- gen_require(`
- attribute xauth_home_type;
- ')
-
- ifdef(`strict_policy',`
- allow $1 xauth_home_type:file read_file_perms;
- userdom_search_all_users_home_dirs($1)
- ',`
- userdom_read_generic_user_home_content_files($1)
- ')
-')
-
-########################################
-##
-## Set the attributes of the X windows console named pipes.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`xserver_setattr_console_pipes',`
- gen_require(`
- type xconsole_device_t;
- ')
-
- allow $1 xconsole_device_t:fifo_file setattr;
-')
-
-########################################
-##
-## Read and write the X windows console named pipe.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`xserver_rw_console',`
- gen_require(`
- type xconsole_device_t;
- ')
-
- allow $1 xconsole_device_t:fifo_file { getattr read write };
+ gen_require(`
+ attribute xauth_home_type;
+ ')
+
+ ifdef(`strict_policy',`
+ allow $1 xauth_home_type:file read_file_perms;
+ userdom_search_all_users_home_dirs($1)
+ ',`
+ userdom_read_generic_user_home_content_files($1)
+ ')
')
########################################
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/files.if
+++ refpolicy-0.0.20070507/policy/modules/kernel/files.if
@@ -2578,8 +2578,8 @@
gen_require(`
type mnt_t;
')
-
- allow $1 mnt_t:dir search_dir_perms;
+
+ allow $1 mnt_t:dir search_dir_perms;
')
########################################
@@ -2598,6 +2598,7 @@
')
dontaudit $1 mnt_t:dir search_dir_perms;
+ dontaudit $1 mnt_t:lnk_file r_file_perms;
')
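Review bot: The added `dontaudit $1 mnt_t:lnk_file r_file_perms;` at L9150 (and the matching allow at L9156 in the next hunk) applies a regular-file permission set to a symlink; refpolicy's `read_lnk_file_perms` is the set meant for lnk_file, so `dontaudit $1 mnt_t:lnk_file read_lnk_file_perms;` and `allow $1 mnt_t:lnk_file read_lnk_file_perms;` are the idiomatic forms. The summaries of both interfaces (above these hunks, not visible here) describe only directory search and listing, so they should be updated to say that symlinks under the mount point are now readable too. Both enclosing interface definitions start outside the hunks.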
########################################
@@ -2616,6 +2617,7 @@
')
allow $1 mnt_t:dir list_dir_perms;
+ allow $1 mnt_t:lnk_file r_file_perms;
')
########################################
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/filesystem.te
+++ refpolicy-0.0.20070507/policy/modules/kernel/filesystem.te
@@ -186,6 +186,7 @@
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
+genfscon hostfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
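Review bot: `genfscon hostfs / … nfs_t` at L9165 labels the User-Mode Linux host mount as NFS without a comment; grouping it with filesystems the guest kernel does not control is a defensible choice, but a one-line `# UML hostfs: host-provided filesystem, treated like a remote fs` would record the intent, since every other line in this block is a conventional network or foreign filesystem.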
########################################
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/kernel.te
+++ refpolicy-0.0.20070507/policy/modules/kernel/kernel.te
@@ -25,6 +25,7 @@
role sysadm_r;
role staff_r;
role user_r;
+role netuser_r;
ifdef(`enable_mls',`
role secadm_r;
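Review bot: `role netuser_r;` at L9174 reserves a new system role in kernel.te with no comment and nothing in the visible patch assigns domains to it, so it is presumably defined by a separate module not shown here; a short comment naming that module (e.g. `# network-only user role, see the netuser module`) would tie the declaration to its owner, as the enable_mls block below does implicitly for secadm_r.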
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/devices.fc
+++ refpolicy-0.0.20070507/policy/modules/kernel/devices.fc
@@ -1,5 +1,12 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
+ifdef(`distro_debian',`
+# this is a static /dev dir "backup mount"
+# if you want to disable udev, you'll have to boot permissive and relabel!
+/dev/\.static -d gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev -d gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev/(.*)? <>
+')
/dev/.* gen_context(system_u:object_r:device_t,s0)
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
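Review bot: The entry `/dev/\.static/dev/(.*)? <>` at L9186 is not a valid file_contexts line as shown; if the intent is refpolicy's do-not-relabel marker it should read `/dev/\.static/dev/(.*)? <<none>>` — this may be an angle-bracket rendering loss on this page rather than in the patch, so check the raw file. If it really is `<<none>>`, a comment saying the static device tree is deliberately left for udev/the kernel to label would help, since the two lines above it label the directories device_t.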
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/devices.if
+++ refpolicy-0.0.20070507/policy/modules/kernel/devices.if
@@ -474,6 +474,25 @@
########################################
##
+## Create FIFO pipes in device directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_create_generic_pipes',`
+ gen_require(`
+ type device_t;
+ ')
+ allow $1 device_t:dir add_entry_dir_perms;
+ allow $1 device_t:fifo_file { getattr create };
+ allow $1 device_t:dir search_dir_perms;
+ allow $1 device_t:file setattr_file_perms;
+')
++########################################
+##
## Create, delete, read, and write symbolic links in device directories.
##
##
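Review bot: L9212 reads `++########################################`, i.e. the added line itself begins with a `+`, which in an .if file is not a comment and will break the block following the new interface; it should be a plain `########################################` preceded by a blank line, matching the spacing of the neighbouring interfaces. The new `dev_create_generic_pipes` also grants `device_t:file setattr_file_perms` at L9210, which has nothing to do with creating FIFOs and is not mentioned in the summary; either drop it or document why a pipe-creating domain needs to change attributes of regular files in /dev. `add_entry_dir_perms` at L9207 presumably already includes search, which would make L9209 redundant.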
@@ -524,14 +543,14 @@
type device_t;
')
- manage_dirs_pattern($1,device_t,device_t)
- manage_sock_files_pattern($1,device_t,device_t)
- manage_lnk_files_pattern($1,device_t,device_t)
- manage_chr_files_pattern($1,device_t,{ device_t device_node })
- manage_blk_files_pattern($1,device_t,{ device_t device_node })
- relabel_dirs_pattern($1,device_t,device_t)
- relabel_chr_files_pattern($1,device_t,{ device_t device_node })
- relabel_blk_files_pattern($1,device_t,{ device_t device_node })
+ manage_dirs_pattern($1,device_t,device_t)
+ manage_sock_files_pattern($1,device_t,device_t)
+ manage_lnk_files_pattern($1,device_t,device_t)
+ manage_chr_files_pattern($1,device_t,{ device_t device_node })
+ manage_blk_files_pattern($1,device_t,{ device_t device_node })
+ relabel_dirs_pattern($1,device_t,device_t)
+ relabel_chr_files_pattern($1,device_t,{ device_t device_node })
+ relabel_blk_files_pattern($1,device_t,{ device_t device_node })
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
--- refpolicy-0.0.20070507.orig/policy/modules/admin/bootloader.fc
+++ refpolicy-0.0.20070507/policy/modules/admin/bootloader.fc
@@ -2,6 +2,16 @@
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+# Debian puts grub in /usr/sbin/grub
+ifdef(`distro_debian',`
+/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+')
/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+#/sbin/grub-.* -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
+#/sbin/grubby -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
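Review bot: The two commented-out entries at L9252–L9253 reference `bootloader_helper_exec_t`, a type that appears nowhere else in this patch; commented-out labeling lines are dead code in an .fc file and tend to be uncommented blindly, so they should be removed or replaced with a one-line comment stating that grub helpers run in the bootloader domain. `/etc/mkinitrd/scripts/.*` at L9247 labels hook scripts under /etc as `bootloader_exec_t`, which makes writing those scripts equivalent, from the policy's point of view, to writing the boot loader binary — worth a comment if that is the intent.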
--- refpolicy-0.0.20070507.orig/policy/modules/admin/apt.fc
+++ refpolicy-0.0.20070507/policy/modules/admin/apt.fc
@@ -11,3 +11,8 @@
# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# aptitude lock
+/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+# aptitude log
+/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
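Review bot: `/var/lock/aptitude` and `/var/log/aptitude` at L9264 and L9266 carry no object-class field; every other single-file entry in this module uses ` -- `, and without it the pattern also matches a directory or symlink of that name, so `/var/lock/aptitude -- gen_context(system_u:object_r:apt_lock_t,s0)` and `/var/log/aptitude -- gen_context(system_u:object_r:apt_var_log_t,s0)` are the consistent forms. The apt.te hunk's `files_lock_filetrans(apt_t,apt_lock_t,{dir file})` suggests a lock directory may also exist, in which case a `(/.*)?` pattern is what is needed instead.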
--- refpolicy-0.0.20070507.orig/policy/modules/admin/acct.fc
+++ refpolicy-0.0.20070507/policy/modules/admin/acct.fc
@@ -5,4 +5,9 @@
/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
+ifdef(`distro_debian',`
+/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
+', `
/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
+')
+
--- refpolicy-0.0.20070507.orig/policy/modules/admin/logrotate.te
+++ refpolicy-0.0.20070507/policy/modules/admin/logrotate.te
@@ -121,7 +121,10 @@
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
-
+# for logcheck: (Note that this is a design-rule violation for refpolicy,
+# using crond_t in this file directly, should be via an interface!)
+allow crond_t logrotate_var_lib_t:dir search;
+
mta_send_mail(logrotate_t)
ifdef(`distro_debian', `
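Review bot: The `allow crond_t logrotate_var_lib_t:dir search;` at L9285 references crond_t directly in logrotate.te, which the comment itself concedes breaks the module boundary, and it is made redundant by the `logrotate_search_varlib` interface this same patch adds in logrotate.if (L9302–L9308); the rule should be dropped here and cron.te should instead call `optional_policy(` `logrotate_search_varlib(crond_t)` `')`. As written, crond_t is also not brought in with a gen_require, so in a modular build the reference to an undeclared type will fail to compile.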
--- refpolicy-0.0.20070507.orig/policy/modules/admin/logrotate.if
+++ refpolicy-0.0.20070507/policy/modules/admin/logrotate.if
@@ -88,6 +88,24 @@
########################################
##
+## Search logrotate runtime directries
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logrotate_search_varlib',`
+ gen_require(`
+ type logrotate_var_lib_t;
+ ')
+
+ allow $1 logrotate_var_lib_t:dir search;
+')
+
+########################################
+##
## Do not audit attempts to inherit logrotate file descriptors.
##
##
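Review bot: The summary at L9294 misspells "directories" and calls the location "runtime", although the interface grants access to `logrotate_var_lib_t`, i.e. state under /var/lib rather than /var/run; suggest `## Search logrotate state directories (/var/lib/logrotate).` Using `search_dir_perms` instead of bare `search` at L9307 would match the convention used in the files.if hunks of this patch and includes the getattr a directory search typically needs.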
--- refpolicy-0.0.20070507.orig/policy/modules/admin/apt.te
+++ refpolicy-0.0.20070507/policy/modules/admin/apt.te
@@ -26,6 +26,14 @@
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
+# aptitude log file
+type apt_var_log_t alias var_log_apt_t;
+logging_log_file(apt_var_log_t)
+
+# aptitude lock file
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
########################################
#
# apt Local policy
@@ -65,6 +73,14 @@
manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
+# lock files
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t,apt_lock_t,{dir file})
+
+# log files
+allow apt_t apt_var_log_t:file manage_file_perms;
+
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
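Review bot: The lock rules at L9335–L9336 spell out `manage_dir_perms`/`manage_file_perms` by hand, while the `manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)` form used two lines above is the convention and also grants the directory search the file rule needs; `manage_dirs_pattern(apt_t,apt_lock_t,apt_lock_t)` and `manage_files_pattern(apt_t,apt_lock_t,apt_lock_t)` would be consistent. `allow apt_t apt_var_log_t:file manage_file_perms;` at L9340 lets apt unlink, rename and truncate its own log; if /var/log/aptitude is meant as an audit trail of package operations, a create/append-only set preserves it against a misbehaving apt_t, and the rule as written also relies on a /var/log directory grant that presumably comes from `logging_log_filetrans` in the next hunk.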
@@ -105,9 +121,15 @@
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
+logging_log_filetrans(apt_t, apt_var_log_t, file)
miscfiles_read_localization(apt_t)
+# this isn't particularly nice.
+# maybe add a type for ~/.aptitude instead.
+userdom_manage_all_users_home_content_files(apt_t)
+userdom_manage_all_users_home_content_dirs(apt_t)
+
seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
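Review bot: `userdom_manage_all_users_home_content_files(apt_t)` and `_dirs(apt_t)` at L9351–L9352 give the package manager create, delete and rename over every user's entire home content, not just ~/.aptitude; the comment already concedes this, but the consequence worth recording is that any defect in apt_t (which runs as root) can then rewrite arbitrary dotfiles, which is exactly the class of grant the type separation exists to prevent. A dedicated type for ~/.aptitude with a home-directory file transition is the cleaner fix; until then sharpen the comment to `# TODO: replace with a dedicated ~/.aptitude type; this grants rw to all of every user's home content`.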
@@ -122,6 +144,10 @@
#')
optional_policy(`
+ pythonsupport_domtrans(apt_t)
+')
+
+optional_policy(`
# dpkg interaction
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
--- refpolicy-0.0.20070507.orig/Makefile
+++ refpolicy-0.0.20070507/Makefile
@@ -207,8 +207,8 @@
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
-MLS_CATS ?= 256
-MCS_CATS ?= 256
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
ifeq ($(QUIET),y)
verbose = @
--- refpolicy-0.0.20070507.orig/build.conf
+++ refpolicy-0.0.20070507/build.conf
@@ -50,11 +50,11 @@
# Number of MLS Categories
# The categories will be c0 to c(MLS_CATS-1).
-MLS_CATS=256
+MLS_CATS=1024
# Number of MCS Categories
# The categories will be c0 to c(MLS_CATS-1).
-MCS_CATS=256
+MCS_CATS=1024
# Set this to y to only display status messages
# during build.
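Review bot: The context comment at L9385, `# The categories will be c0 to c(MLS_CATS-1).`, sits under the MCS setting and should read `c(MCS_CATS-1)`; it is pre-existing, but this hunk is the natural place to fix the copy-paste. Raising both counts to 1024 here, in the Makefile hunk (L9373–L9374) and in support/Makefile.devel is consistent across the three places, but any mcstrans/setrans mapping or existing labels that assume c0.c255 need to agree with the new range, and the commit description says nothing about why the range was widened.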