--- refpolicy-0.0.20070507.orig/support/Makefile.devel
+++ refpolicy-0.0.20070507/support/Makefile.devel
@@ -74,8 +74,8 @@
 
 # default MLS/MCS sensitivity and category settings.
 MLS_SENS ?= 16
-MLS_CATS ?= 256
-MCS_CATS ?= 256
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
 
 ifeq ($(QUIET),y)
 	verbose := @
--- refpolicy-0.0.20070507.orig/debian/modules.conf.targeted
+++ refpolicy-0.0.20070507/debian/modules.conf.targeted
@@ -0,0 +1,1821 @@
+# If you edit this file, also edit local-var.mk to define what is or
+# is not a module.
+#
+#
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+# 
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+# 
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+# 
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+# 
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+# 
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+# 
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+# 
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+# 
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+# 
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+# 
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+# 
+terminal = base
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+# 
+acct = module
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+# 
+alsa = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+# 
+amanda = module
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+# 
+anaconda = off
+
+# Layer: admin
+# Module: apt
+#
+# APT advanced package toll.
+# 
+apt = base
+
+# Layer: admin
+# Module: backup
+#
+# System backup scripts
+# 
+backup = module
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+# 
+bootloader = base
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+# 
+# Not in Debian?
+certwatch = off
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+# 
+# Not in Debian.
+consoletype = off
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+# 
+ddcprobe = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+# 
+dmesg = base
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+# 
+dmidecode = module
+
+# Layer: admin
+# Module: dpkg
+#
+# Policy for the Debian package manager.
+# 
+dpkg = base
+
+# Layer: admin
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+# 
+firstboot = off
+
+# Layer: admin
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+# 
+kudzu = module
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+# 
+logrotate = base
+
+# Layer: admin
+# Module: logwatch
+#
+# System log analyzer and reporter
+# 
+logwatch = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+# 
+mrtg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+# 
+netutils = module
+
+# Layer: admin
+# Module: portage
+#
+# Portage Package Management System. The primary package management and
+# distribution system for Gentoo.
+# 
+portage = off
+
+# Layer: admin
+# Module: prelink
+#
+# Prelink ELF shared library mappings.
+# 
+prelink = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+# 
+quota = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+# 
+readahead = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+# 
+rpm = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+# 
+su = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+# 
+sudo = base
+
+# Layer: admin
+# Module: sxid
+#
+# SUID/SGID program monitoring
+# 
+sxid = module
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+# 
+tmpreaper = module
+
+# Layer: admin
+# Module: tripwire
+#
+# Tripwire file integrity checker.
+# 
+tripwire = module
+
+# Layer: admin
+# Module: tzdata
+#
+# Time zone updater
+# 
+tzdata = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+# 
+updfstab = off
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+# 
+usbmodules = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+# 
+usermanage = base
+
+# Layer: admin
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+# 
+vbetool = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+# 
+vpn = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+# 
+storage = base
+
+# Layer: apps
+# Module: ada
+#
+# GNAT Ada95 compiler
+# 
+ada = module
+
+# Layer: apps
+# Module: authbind
+#
+# Tool for non-root processes to bind to reserved ports
+# 
+authbind = module
+
+# Layer: apps
+# Module: calamaris
+#
+# Squid log analysis
+# 
+calamaris = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+# 
+cdrecord = module
+
+# Layer: apps
+# Module: ethereal
+#
+# Ethereal packet capture tool.
+# 
+ethereal = module
+
+# Layer: apps
+# Module: evolution
+#
+# Evolution email client
+# 
+evolution = module
+
+# Layer: apps
+# Module: games
+#
+# Games
+# 
+games = module
+
+# Layer: apps
+# Module: gift
+#
+# giFT peer to peer file sharing tool
+# 
+gift = module
+
+# Layer: apps
+# Module: gnome
+#
+# GNU network object model environment (GNOME)
+# 
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+# 
+gpg = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+# 
+irc = module
+
+# Layer: apps
+# Module: java
+#
+# Java virtual machine
+# 
+java = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+# 
+loadkeys = module
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+# 
+lockdev = module
+
+# Layer: apps
+# Module: mono
+#
+# Run .NET server and client applications on Linux.
+# 
+mono = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+# 
+mozilla = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Mplayer media player and encoder
+# 
+mplayer = module
+
+# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+# 
+rssh = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+# 
+screen = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+# 
+slocate = module
+
+# Layer: apps
+# Module: thunderbird
+#
+# Thunderbird email client
+# 
+thunderbird = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+# 
+tvtime = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+# 
+uml = module
+
+# Layer: apps
+# Module: userhelper
+#
+# SELinux utility to run a shell with a new role
+# 
+userhelper = base
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+# 
+usernetctl = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+# 
+vmware = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+# 
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# Wine Is Not an Emulator.  Run Windows programs in Linux.
+# 
+wine = module
+
+# Layer: apps
+# Module: yam
+#
+# Yum/Apt Mirroring
+# 
+yam = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = base
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+# 
+daemontools = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+# 
+getty = base
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+# 
+hostname = base
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+# 
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+# 
+init = base
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+# 
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+# 
+iptables = base
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+# 
+libraries = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+# 
+locallogin = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = base
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+# 
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+# 
+miscfiles = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+# 
+modutils = base
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+# 
+mount = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+# 
+pcmcia = module
+
+# Layer: system
+# Module: pythonsupport
+#
+# Support for precompiling python modules
+# 
+pythonsupport = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+# 
+raid = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+# 
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+# 
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+# 
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+# 
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+# 
+unconfined = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+# 
+userdomain = base
+
+# Layer: system
+# Module: xen
+#
+# Xen hypervisor
+# 
+xen = module
+
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+# 
+afs = module
+
+# Layer: services
+# Module: aide
+#
+# Aide filesystem integrity checker
+# 
+aide = module
+
+# Layer: services
+# Module: amavis
+#
+# Daemon that interfaces mail transfer agents and content
+# checkers, such as virus scanners.
+# 
+amavis = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+# 
+apache = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+# 
+apm = module
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+# 
+arpwatch = module
+
+# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+# 
+asterisk = module
+
+# Layer: services
+# Module: audioentropy
+#
+# Generate entropy from audio input
+# 
+audioentropy = module
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+# 
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+# 
+avahi = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+# 
+bind = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+# 
+bluetooth = module
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+# 
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# Cluster Configuration System
+# 
+ccs = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+# 
+cipe = module
+
+# Layer: services
+# Module: clamav
+#
+# ClamAV Virus Scanner
+# 
+clamav = module
+
+# Layer: services
+# Module: clockspeed
+#
+# Clockspeed simple network time protocol client
+# 
+# not in debian?
+clockspeed = off
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+# 
+comsat = module
+
+# Layer: services
+# Module: consolekit
+#
+# Framework for facilitating multiple user sessions on desktops.
+# 
+consolekit = module
+
+# Layer: services
+# Module: courier
+#
+# Courier IMAP and POP3 email servers
+# 
+courier = module
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+# 
+cpucontrol = module
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+# 
+cron = base
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+# 
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+# 
+cvs = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+# 
+cyrus = module
+
+# Layer: services
+# Module: dante
+#
+# Dante msproxy and socks4/5 proxy server
+# 
+dante = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+# 
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+# 
+dbus = module
+
+# Layer: services
+# Module: dcc
+#
+# Distributed checksum clearinghouse spam filtering
+# 
+dcc = module
+
+# Layer: services
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+# 
+ddclient = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+# 
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+# 
+dictd = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+# 
+distcc = module
+
+# Layer: services
+# Module: djbdns
+#
+# small and secure DNS daemon
+# 
+djbdns = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# dnsmasq DNS forwarder and DHCP server
+# 
+dnsmasq = module
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+# 
+dovecot = module
+
+# Layer: services
+# Module: fail2ban
+#
+# Update firewall filtering to ban IP addresses with too many password failures.
+# 
+fail2ban = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+# 
+fetchmail = module
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+# 
+finger = module
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+# 
+ftp = module
+
+# Layer: services
+# Module: gatekeeper
+#
+# OpenH.323 Voice-Over-IP Gatekeeper
+# 
+gatekeeper = module
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+# 
+gpm = module
+
+# Layer: services
+# Module: hal
+#
+# Hardware abstraction layer
+# 
+hal = module
+
+# Layer: services
+# Module: howl
+#
+# Port of Apple Rendezvous multicast DNS
+# 
+howl = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+# 
+i18n_input = module
+
+# Layer: services
+# Module: imaze
+#
+# iMaze game server
+# 
+imaze = module
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+# 
+inetd = module
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+# 
+inn = module
+
+# Layer: services
+# Module: ircd
+#
+# IRC server
+# 
+ircd = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+# 
+irqbalance = module
+
+# Layer: services
+# Module: jabber
+#
+# Jabber instant messaging server
+# 
+jabber = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+# 
+kerberos = module
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+# 
+ktalk = module
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+# 
+ldap = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+# 
+lpd = module
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+# 
+mailman = module
+
+# Layer: services
+# Module: monop
+#
+# Monopoly daemon
+# 
+monop = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+# 
+mta = base
+
+# Layer: services
+# Module: munin
+#
+# Munin network-wide load graphing (formerly LRRD)
+# 
+munin = module
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+# 
+mysql = module
+
+# Layer: services
+# Module: nagios
+#
+# Net Saint / NAGIOS - network monitoring server
+# 
+nagios = module
+
+# Layer: services
+# Module: nessus
+#
+# Nessus network scanning daemon
+# 
+nessus = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+# 
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+# 
+nis = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+# 
+nscd = module
+
+# Layer: services
+# Module: nsd
+#
+# Authoritative only name server
+# 
+nsd = module
+
+# Layer: services
+# Module: ntop
+#
+# Network Top
+# 
+ntop = module
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+# 
+ntp = module
+
+# Layer: services
+# Module: nx
+#
+# NX remote desktop
+# 
+# Not officially in Debian, but being worked on.
+nx = module
+
+# Layer: services
+# Module: oav
+#
+# Open AntiVirus scannerdaemon and signature update
+# 
+oav = module
+
+# Layer: services
+# Module: oddjob
+#
+# Oddjob provides a mechanism by which unprivileged applications can
+# request that specified privileged operations be performed on their
+# behalf.
+# 
+oddjob = module
+
+# Layer: services
+# Module: openca
+#
+# OpenCA - Open Certificate Authority
+# 
+openca = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+# 
+openct = module
+
+# Layer: services
+# Module: openvpn
+#
+# full-featured SSL VPN solution
+# 
+openvpn = module
+
+# Layer: services
+# Module: pcscd
+#
+# PCSC smart card service
+# 
+pcscd = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+# 
+# not in Debian?
+pegasus = off
+
+# Layer: services
+# Module: perdition
+#
+# Perdition POP and IMAP proxy
+# 
+perdition = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+# 
+portmap = module
+
+# Layer: services
+# Module: portslave
+#
+# Portslave terminal server software
+# 
+portslave = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+# 
+postfix = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+# 
+postgresql = module
+
+# Layer: services
+# Module: postgrey
+#
+# Postfix grey-listing server
+# 
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+# 
+ppp = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+# 
+privoxy = module
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+# 
+procmail = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+# 
+publicfile = module
+
+# Layer: services
+# Module: pxe
+#
+# Server for the PXE network boot protocol
+# 
+pxe = module
+
+# Layer: services
+# Module: pyzor
+#
+# Pyzor is a distributed, collaborative spam detection and filtering network.
+# 
+pyzor = module
+
+# Layer: services
+# Module: qmail
+#
+# Qmail Mail Server
+# 
+qmail = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+# 
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+# 
+radvd = module
+
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+# 
+razor = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+# 
+rdisc = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+# 
+remotelogin = module
+
+# Layer: services
+# Module: resmgr
+#
+# Resource management daemon
+# 
+resmgr = module
+
+# Layer: services
+# Module: rhgb
+#
+# Red Hat Graphical Boot
+# 
+rhgb = off
+
+# Layer: services
+# Module: ricci
+#
+# Ricci cluster management agent
+# 
+ricci = off
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+# 
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+# 
+roundup = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+# 
+rpc = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+# 
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+# 
+rsync = module
+
+# Layer: services
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name  Service  Switch  daemon for resolving names
+# from Windows NT servers.
+# 
+samba = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+# 
+sasl = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+# 
+sendmail = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# SELinux troubleshooting service
+# 
+setroubleshoot = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+# 
+slrnpull = module
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+# 
+smartmon = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+# 
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+# 
+snort = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+# 
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+# 
+spamassassin = module
+
+# Layer: services
+# Module: speedtouch
+#
+# Alcatel speedtouch USB ADSL modem
+# 
+speedtouch = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+# 
+squid = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+# 
+ssh = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+# 
+stunnel = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+# 
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+# 
+tcpd = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+# 
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+# 
+tftp = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+# 
+timidity = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+# 
+tor = module
+
+# Layer: services
+# Module: transproxy
+#
+# HTTP transperant proxy
+# 
+transproxy = module
+
+# Layer: services
+# Module: ucspitcp
+#
+# ucspitcp policy
+# 
+ucspitcp = module
+
+# Layer: services
+# Module: uptime
+#
+# Uptime daemon
+# 
+uptime = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+# 
+uucp = module
+
+# Layer: services
+# Module: uwimap
+#
+# University of Washington IMAP toolkit POP3 and IMAP mail server
+# 
+uwimap = module
+
+# Layer: services
+# Module: watchdog
+#
+# Software watchdog
+# 
+watchdog = module
+
+# Layer: services
+# Module: xfs
+#
+# X Windows Font Server
+# 
+xfs = module
+
+# Layer: services
+# Module: xprint
+#
+# X print server
+# 
+xprint = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+# 
+xserver = module
+
+# Layer: services
+# Module: zabbix
+#
+# Distributed infrastructure monitoring
+# 
+zabbix = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+# 
+zebra = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+# 
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+# 
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+# 
+init = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+# 
+iptables = module
+
+# Layer: system
+# Module: iscsi
+#
+# Establish connections to iSCSI devices
+# 
+iscsi = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+# 
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+# 
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+# 
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+# 
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+# 
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+# 
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+# 
+selinuxutil = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+# 
+sysnetwork = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+# 
+userdomain = module
+
--- refpolicy-0.0.20070507.orig/debian/example.if
+++ refpolicy-0.0.20070507/debian/example.if
@@ -0,0 +1,57 @@
+## <summary>Myapp example policy</summary>
+## <desc>
+##	<p>
+##		More descriptive text about myapp.  The <desc>
+##		tag can also use <p>, <ul>, and <ol>
+##		html tags for formatting.
+##	</p>
+##	<p>
+##		This policy supports the following myapp features:
+##		<ul>
+##		<li>Feature A</li>
+##		<li>Feature B</li>
+##		<li>Feature C</li>
+##		</ul>
+##	</p>
+## </desc>
+#
+
+########################################
+## <summary>
+##	Execute a domain transition to run myapp.
+## </summary>
+## <param name="domain">
+##	Domain allowed to transition.
+## </param>
+#
+interface(`myapp_domtrans',`
+	gen_require(`
+		type myapp_t, myapp_exec_t;
+	')
+
+	domain_auto_trans($1,myapp_exec_t,myapp_t)
+
+	allow $1 myapp_t:fd use;
+	allow myapp_t $1:fd use;
+	allow $1 myapp_t:fifo_file rw_file_perms;
+	allow $1 myapp_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read myapp log files.
+## </summary>
+## <param name="domain">
+##	Domain allowed to read the log files.
+## </param>
+#
+interface(`myapp_read_log',`
+	gen_require(`
+		type myapp_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 myapp_log_t:file r_file_perms;
+')
+
+# arch-tag: e3624959-d1f4-4546-850b-4a1f22f7018d
--- refpolicy-0.0.20070507.orig/debian/Makefile.src
+++ refpolicy-0.0.20070507/debian/Makefile.src
@@ -0,0 +1,214 @@
+# arch-tag: 2d5f59a8-3b3b-4118-a3ef-4de1ea00d6e4
+# helper tools
+AWK ?= gawk
+INSTALL ?= install
+M4 ?= m4
+SED ?= sed
+EINFO ?= echo
+PYTHON ?= python
+
+NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
+
+include build.conf
+
+# executables
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+XMLLINT := $(BINDIR)/xmllint
+
+# set default build options if missing
+TYPE ?= strict
+DIRECT_INITRC ?= n
+POLY ?= n
+QUIET ?= y
+
+genxml := $(PYTHON) support/segenxml.py
+
+docs = doc
+polxml = $(docs)/policy.xml
+xmldtd = support/policy.dtd
+layerxml = metadata.xml
+
+globaltun = global_tunables.xml
+globalbool = global_booleans.xml
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+	M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+	M4PARAM += -D targeted_policy
+endif
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+	M4PARAM += -D enable_mls
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+	M4PARAM += -D enable_mcs
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+	M4PARAM += -D distro_$(DISTRO)
+endif
+
+# enable polyinstantiation
+ifeq ($(POLY),y)
+	M4PARAM += -D enable_polyinstantiation
+endif
+
+ifeq ($(DIRECT_INITRC),y)
+	M4PARAM += -D direct_sysadm_daemon
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+	verbose := @
+endif
+
+M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
+
+# policy headers
+m4support = $(wildcard support/*.spt)
+all_layers = $(filter-out support,$(shell find $(wildcard *) -maxdepth 0 -type d))
+all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
+rolemap = rolemap
+
+detected_layers =  $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+3rd_party_mods = $(wildcard *.te)
+detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
+detected_ifs = $(detected_mods:.te=.if)
+detected_fcs = $(detected_mods:.te=.fc)
+all_packages = $(notdir $(detected_mods:.te=.pp))
+
+vpath %.te $(detected_layers)
+vpath %.if $(detected_layers)
+vpath %.fc $(detected_layers)
+
+# if there are modules in the current directory, add them into the third party layer
+ifneq "$(3rd_party_mods)" ""
+        genxml += -3 .
+endif
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+	$(call parse-rolemap,$1,$2)
+	$(verbose) echo "')" >> $2
+
+	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+	$(call parse-rolemap-compat,$1,$2)
+	$(verbose) echo "')" >> $2
+endef
+
+.PHONY: clean all xml load
+.SUFFIXES:
+.SUFFIXES: .pp
+# broken in make 3.81:
+#.SECONDARY:
+
+########################################
+#
+# Main targets
+#
+
+all: $(all_packages)
+
+xml: $(polxml)
+
+########################################
+#
+# Load module packages
+#
+load: $(all_packages)
+	@$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $(all_packages)))"
+	$(verbose) $(SEMODULE) $(foreach mod,$^,-i $(mod))
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
+	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
+	@test -d tmp || mkdir -p tmp
+	$(call peruser-expansion,$(basename $(@F)),$@.role)
+	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(m4support) %.fc
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+	@echo "Creating $(NAME) $(@F) policy package"
+	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
+	@test -d tmp || mkdir -p tmp
+	$(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+# so users dont have to make empty .fc and .if files
+$(detected_ifs) $(detected_fcs):
+	@touch $@
+
+########################################
+#
+# Documentation generation
+#
+
+# minimal dependencies here, because we don't want to rebuild
+# this and its dependents every time the dependencies
+# change.  Also use all .if files here, rather then just the
+# enabled modules.
+$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
+	@echo "Creating $@"
+	@mkdir -p doc
+	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
+	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(xmldtd)">' >> $@
+	$(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
+	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+		$(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
+	fi
+
+########################################
+#
+# Clean the environment
+#
+
+clean:
+	rm -fR tmp
+	rm -f *.pp
--- refpolicy-0.0.20070507.orig/debian/local.mk
+++ refpolicy-0.0.20070507/debian/local.mk
@@ -0,0 +1,418 @@
+############################ -*- Mode: Makefile -*- ###########################
+## local.mk --- 
+## Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+## Created On       : Sat Nov 15 10:42:10 2003
+## Created On Node  : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Mon May  7 08:55:23 2007
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count     : 106
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : 
+## 
+## arch-tag: b07b1015-30ba-4b46-915f-78c776a808f4
+## 
+###############################################################################
+
+testdir:
+	$(testdir)
+
+BUILD/selinux-policy-refpolicy-strict::    build/selinux-policy-refpolicy-strict
+INST/selinux-policy-refpolicy-strict::     install/selinux-policy-refpolicy-strict
+BIN/selinux-policy-refpolicy-strict::      binary/selinux-policy-refpolicy-strict
+
+
+BUILD/selinux-policy-refpolicy-targeted::   build/selinux-policy-refpolicy-targeted
+INST/selinux-policy-refpolicy-targeted::    install/selinux-policy-refpolicy-targeted
+BIN/selinux-policy-refpolicy-targeted::     binary/selinux-policy-refpolicy-targeted
+
+BUILD/selinux-policy-refpolicy-dev::    build/selinux-policy-refpolicy-dev
+INST/selinux-policy-refpolicy-dev::     install/selinux-policy-refpolicy-dev
+BIN/selinux-policy-refpolicy-dev::      binary/selinux-policy-refpolicy-dev
+
+
+BUILD/selinux-policy-refpolicy-src::    build/selinux-policy-refpolicy-src
+INST/selinux-policy-refpolicy-src::     install/selinux-policy-refpolicy-src
+BIN/selinux-policy-refpolicy-src::      binary/selinux-policy-refpolicy-src
+
+
+BUILD/selinux-policy-refpolicy-doc::    build/selinux-policy-refpolicy-doc
+INST/selinux-policy-refpolicy-doc::     install/selinux-policy-refpolicy-doc
+BIN/selinux-policy-refpolicy-doc::      binary/selinux-policy-refpolicy-doc
+
+CLEAN/selinux-policy-refpolicy-strict CLEAN/selinux-policy-refpolicy-targeted CLEAN/selinux-policy-refpolicy-src CLEAN/selinux-policy-refpolicy-src::
+	$(REASON)
+	make bare
+	test ! -d $(TMPTOP) || rm -rf $(TMPTOP)
+	test ! -d $(SRCTOP)/debian/build-$(package) || \
+                                      rm -rf $(SRCTOP)/debian/build-$(package)
+
+CONFIG/selinux-policy-refpolicy-strict::
+	$(REASON)
+	test -e debian/stamp-config-strict  ||                             \
+	  test ! -d $(SRCTOP)/debian/build-$(package) ||                   \
+            rm -rf $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-strict  ||                             \
+	  mkdir -p    $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-strict  ||                             \
+	  cp -lr policy support Makefile Rules.modular  doc                \
+               Rules.monolithic config VERSION Changelog COPYING INSTALL   \
+                README man $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-strict  ||                             \
+	  cp debian/build.conf.strict $(SRCTOP)/debian/build-$(package)/build.conf
+	test -e debian/stamp-config-strict  ||                             \
+	  $(MAKE) -C $(SRCTOP)/debian/build-$(package)                     \
+                   NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) bare
+	test -e debian/stamp-config-strict  ||                             \
+	  (cd $(SRCTOP)/debian/build-$(package) ;                          \
+           $(MAKE) NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) conf)
+	cp debian/modules.conf.strict                                      \
+                     $(SRCTOP)/debian/build-$(package)/policy/modules.conf
+	echo done > debian/stamp-config-strict
+STAMPS_TO_CLEAN += debian/stamp-config-strict
+DIRS_TO_CLEAN  += debian/build-selinux-policy-refpolicy-strict
+
+CONFIG/selinux-policy-refpolicy-targeted::
+	$(REASON)
+	test -e debian/stamp-config-targeted  ||                           \
+	  test ! -d $(SRCTOP)/debian/build-$(package) ||                   \
+            rm -rf $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-targeted  ||                           \
+	  mkdir -p    $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-targeted  ||                           \
+	  cp -lr policy support Makefile  Rules.modular  doc               \
+               Rules.monolithic config VERSION Changelog COPYING INSTALL   \
+                README man $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-targeted  ||                           \
+	  cp debian/build.conf.targeted $(SRCTOP)/debian/build-$(package)/build.conf
+	test -e debian/stamp-config-targeted  ||                           \
+	  $(MAKE) -C $(SRCTOP)/debian/build-$(package)                     \
+                 NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) bare
+	test -e debian/stamp-config-targeted  ||                           \
+	  (cd $(SRCTOP)/debian/build-$(package) ;                          \
+           $(MAKE) NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) conf)
+	cp debian/modules.conf.targeted                                    \
+                     $(SRCTOP)/debian/build-$(package)/policy/modules.conf
+	echo done > debian/stamp-config-targeted
+STAMPS_TO_CLEAN += debian/stamp-config-targeted
+DIRS_TO_CLEAN  += debian/build-selinux-policy-refpolicy-targeted
+
+CONFIG/selinux-policy-refpolicy-src::
+	$(REASON)
+	test -e debian/stamp-config-src         ||                        \
+	  test ! -d $(SRCTOP)/debian/build-$(package) ||                  \
+            rm -rf $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-src         ||                        \
+	  mkdir -p    $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-src         ||                        \
+	  cp -lr policy support Makefile Rules.modular  doc               \
+               Rules.monolithic config VERSION Changelog COPYING INSTALL  \
+                README man $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-src         ||                        \
+           cp  debian/build.conf.targeted $(SRCTOP)/debian/build-$(package)/build.conf
+	test -e debian/stamp-config-src         ||                        \
+	  (cd $(SRCTOP)/debian/build-$(package) ;                         \
+           $(MAKE) NAME=refpolicy $(OPTIONS) conf)
+	cp debian/modules.conf.*      $(SRCTOP)/debian/build-$(package)/policy/
+	cp debian/build.conf.targeted $(SRCTOP)/debian/build-$(package)/policy/
+	echo done > debian/stamp-config-src
+STAMPS_TO_CLEAN += debian/stamp-config-src
+DIRS_TO_CLEAN  += debian/build-selinux-policy-refpolicy-src
+
+CONFIG/selinux-policy-refpolicy-dev::
+	$(REASON)
+	test -e debian/stamp-config-dev         ||                        \
+	  test ! -d $(SRCTOP)/debian/build-$(package) ||                  \
+            rm -rf $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-dev         ||                        \
+	  mkdir -p    $(SRCTOP)/debian/build-$(package)
+	echo done > debian/stamp-config-dev
+STAMPS_TO_CLEAN += debian/stamp-config-dev
+DIRS_TO_CLEAN  += debian/build-selinux-policy-refpolicy-dev
+
+CONFIG/selinux-policy-refpolicy-doc::
+	$(REASON)
+	test -e debian/stamp-config-doc         ||                         \
+	  test ! -d $(SRCTOP)/debian/build-$(package) ||                   \
+            rm -rf $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-doc         ||                         \
+	  mkdir -p    $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-doc         ||                         \
+	  cp -lr policy support Makefile Rules.modular  doc                \
+               Rules.monolithic config VERSION Changelog COPYING INSTALL   \
+                README man $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-doc         ||                        \
+           cp  debian/build.conf.targeted $(SRCTOP)/debian/build-$(package)/build.conf
+	test -e debian/stamp-config-doc         ||                         \
+	  (cd $(SRCTOP)/debian/build-$(package) ;                          \
+           $(MAKE) NAME=refpolicy $(OPTIONS) conf )
+	echo done > debian/stamp-config-doc
+STAMPS_TO_CLEAN += debian/stamp-config-doc
+DIRS_TO_CLEAN  += debian/build-selinux-policy-refpolicy-doc
+
+BUILD-common::
+	perl -wc debian/postinst.policy
+
+build/selinux-policy-refpolicy-strict:
+	$(REASON)
+	test -e debian/stamp-build-strict                    ||            \
+	  (cd $(SRCTOP)/debian/build-$(package) ;                          \
+           $(MAKE) NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) policy all)
+	echo done > debian/stamp-build-strict   
+STAMPS_TO_CLEAN += debian/stamp-build-strict   
+
+build/selinux-policy-refpolicy-targeted:
+	$(REASON)
+	test -e debian/stamp-build-targeted                    ||            \
+	  (cd $(SRCTOP)/debian/build-$(package) ;                            \
+           $(MAKE) NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) policy all)
+	echo done > debian/stamp-build-targeted 
+STAMPS_TO_CLEAN += debian/stamp-build-targeted   
+
+build/selinux-policy-refpolicy-src:
+	$(REASON)
+
+build/selinux-policy-refpolicy-dev:
+	$(REASON)
+
+build/selinux-policy-refpolicy-doc:
+	$(REASON)
+
+
+install/selinux-policy-refpolicy-strict:
+	$(REASON)
+	rm -rf               $(TMPTOP) $(TMPTOP).deb
+	$(make_directory)    $(DOCDIR)/
+	$(make_directory)    $(TMPTOP)/etc/selinux/refpolicy-strict/modules/active
+	$(make_directory)    $(TMPTOP)/etc/selinux/refpolicy-strict/policy
+	test -f $(TMPTOP)/etc/selinux/refpolicy-strict/modules/active/file_contexts.local || \
+	touch $(TMPTOP)/etc/selinux/refpolicy-strict/modules/active/file_contexts.local
+	(cd $(SRCTOP)/debian/build-$(package);                                  \
+            $(MAKE) NAME=refpolicy-strict TYPE=strict$(MCS_MLS_TYPE) $(OPTIONS) \
+                    DESTDIR=$(TMPTOP) install  install-headers                  \
+          $(TMPTOP)/etc/selinux/refpolicy-strict/users/local.users              \
+          $(TMPTOP)/etc/selinux/refpolicy-strict/users/system.users)
+	for module in $(NON_MODULES); do                                         \
+           test ! -f $(TMPTOP)/usr/share/selinux/refpolicy-strict/$$module.pp || \
+              rm -f $(TMPTOP)/usr/share/selinux/refpolicy-strict/$$module.pp;    \
+        done
+	$(install_file)      debian/setrans.conf  $(TMPTOP)/etc/selinux/refpolicy-strict/
+	$(install_file)      VERSION              $(DOCDIR)/
+	$(install_file)      README               $(DOCDIR)/
+	$(install_file)      debian/README.Debian $(DOCDIR)/
+	$(install_file)      debian/NEWS.Debian   $(DOCDIR)/NEWS.Debian 
+	$(install_file)      Changelog            $(DOCDIR)/changelog
+	$(install_file)      debian/changelog     $(DOCDIR)/changelog.Debian
+	gzip -9fqr           $(DOCDIR)
+	$(install_file)      debian/copyright     $(DOCDIR)/
+DIRS_TO_CLEAN  += debian/selinux-policy-refpolicy-strict
+
+install/selinux-policy-refpolicy-targeted:
+	$(REASON)
+	rm -rf               $(TMPTOP) $(TMPTOP).deb
+	$(make_directory)    $(DOCDIR)/
+	$(make_directory)    $(TMPTOP)/etc/selinux/refpolicy-targeted/modules/active
+	$(make_directory)    $(TMPTOP)/etc/selinux/refpolicy-targeted/policy
+	test -f $(TMPTOP)/etc/selinux/refpolicy-targeted/modules/active/file_contexts.local || \
+	touch $(TMPTOP)/etc/selinux/refpolicy-targeted/modules/active/file_contexts.local
+	(cd $(SRCTOP)/debian/build-$(package);                                      \
+            $(MAKE) NAME=refpolicy-targeted TYPE=targeted$(MCS_MLS_TYPE) $(OPTIONS) \
+                    DESTDIR=$(TMPTOP) install  install-headers                      \
+          $(TMPTOP)/etc/selinux/refpolicy-targeted/users/local.users                \
+          $(TMPTOP)/etc/selinux/refpolicy-targeted/users/system.users)
+	for module in $(NON_MODULES); do                                           \
+           test ! -f $(TMPTOP)/usr/share/selinux/refpolicy-targeted/$$module.pp || \
+             rm -f $(TMPTOP)/usr/share/selinux/refpolicy-targeted/$$module.pp;     \
+        done
+	rm -f $(TMPTOP)/usr/share/selinux/refpolicy-targeted/unconfined.pp
+	$(install_file)      debian/setrans.conf  $(TMPTOP)/etc/selinux/refpolicy-targeted/
+	$(install_file)      VERSION              $(DOCDIR)/
+	$(install_file)      README               $(DOCDIR)/
+	$(install_file)      debian/README.Debian $(DOCDIR)/
+	$(install_file)      Changelog            $(DOCDIR)/changelog
+	$(install_file)      debian/changelog     $(DOCDIR)/changelog.Debian
+	gzip -9fqr           $(DOCDIR)
+	$(install_file)      debian/copyright     $(DOCDIR)/
+DIRS_TO_CLEAN  += debian/selinux-policy-refpolicy-targeted
+
+install/selinux-policy-refpolicy-src:
+	$(REASON)
+	rm -rf               $(TMPTOP) $(TMPTOP).deb
+	$(make_directory)    $(DOCDIR)
+	$(make_directory)    $(TMPTOP)/usr/src
+	(cd $(SRCTOP)/debian/build-$(package);                                 \
+         $(MAKE) NAME=refpolicy $(OPTIONS) DESTDIR=$(TMPTOP) bare conf install-src; )
+	find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf
+	test ! -e $(TMPTOP)/etc/selinux/refpolicy/src/policy/COPYING || \
+           rm -f $(TMPTOP)/etc/selinux/refpolicy/src/policy/COPYING
+	rm -rf   $(TMPTOP)/etc/selinux/refpolicy/src/policy/man
+	(cd $(TMPTOP)/etc/selinux/refpolicy/src/policy;                   \
+          if test -f modules.conf; then                                   \
+              mv modules.conf modules.conf.dist;                          \
+          fi;                                                             \
+          ln -sf modules.conf.strict modules.conf)
+	$(install_file)      policy/rolemap                               \
+			     $(TMPTOP)/etc/selinux/refpolicy/src/policy/
+	$(install_file)      debian/build.conf.targeted                   \
+			     $(TMPTOP)/etc/selinux/refpolicy/src/policy/build.conf
+	$(install_file)      debian/global_booleans.xml                   \
+			     $(TMPTOP)/etc/selinux/refpolicy/src/policy/
+	$(install_file)      debian/global_tunables.xml                   \
+			     $(TMPTOP)/etc/selinux/refpolicy/src/policy/
+	$(install_file)      debian/Makefile.src                          \
+                             $(TMPTOP)/etc/selinux/refpolicy/src/policy/
+	(cd $(TMPTOP)/etc/selinux/refpolicy/src/; mv policy $(package);   \
+                                                  mv support $(package)/; \
+	  tar zfc $(TMPTOP)/usr/src/$(package).tar.gz $(package))
+	rm -rf               $(TMPTOP)/etc
+	$(install_file)      VERSION              $(DOCDIR)/
+	$(install_file)      README               $(DOCDIR)/
+	$(install_file)      debian/README.Debian $(DOCDIR)/
+	$(install_file)      Changelog            $(DOCDIR)/changelog
+	$(install_file)      debian/changelog     $(DOCDIR)/changelog.Debian
+	gzip -9fqr           $(DOCDIR)
+	$(install_file)      debian/copyright     $(DOCDIR)/
+DIRS_TO_CLEAN  += debian/selinux-policy-refpolicy-src
+
+install/selinux-policy-refpolicy-dev: install/selinux-policy-refpolicy-strict install/selinux-policy-refpolicy-targeted
+	$(REASON)
+	rm -rf               $(TMPTOP) $(TMPTOP).deb
+	$(make_directory)    $(DOCDIR)/examples
+	$(make_directory)    $(MAN1DIR)
+	$(make_directory)    $(TMPTOP)/usr/bin
+	$(make_directory)    $(TMPTOP)/usr/share/selinux/refpolicy-strict/include
+	$(make_directory)    $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include
+	find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf
+	(cd $(SRCTOP)/debian/selinux-policy-refpolicy-strict/usr/share/selinux/refpolicy-strict; \
+         tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-strict; umask 000;        \
+           tar xpsf -))
+	(cd $(SRCTOP)/debian/selinux-policy-refpolicy-targeted/usr/share/selinux/refpolicy-targeted; \
+         tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-targeted; umask 000;      \
+             tar xpsf -))
+	rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-strict/usr/share/selinux/refpolicy-strict/include
+	rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-targeted/usr/share/selinux/refpolicy-targeted/include
+	$(install_file)      policy/rolemap                                                   \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support
+	$(install_file)      debian/global_booleans.xml                                       \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support
+	$(install_file)      debian/global_tunables.xml                                       \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support
+	$(install_file)      debian/build.conf.targeted                                       \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/build.conf
+	$(install_file)      policy/rolemap                                                   \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support
+	$(install_file)      debian/global_booleans.xml                                       \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support
+	$(install_file)      debian/global_tunables.xml                                       \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support
+	$(install_file)      debian/build.conf.strict                                         \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/build.conf
+	chmod +x             $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support/segenxml.py
+	chmod +x             $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support/segenxml.py
+	$(install_file)      VERSION                $(DOCDIR)/
+	$(install_file)      README                 $(DOCDIR)/
+	$(install_file)      debian/README.Debian   $(DOCDIR)/
+	$(install_file)      Changelog              $(DOCDIR)/changelog
+	$(install_file)      debian/changelog       $(DOCDIR)/changelog.Debian
+	gzip -9fqr           $(DOCDIR)
+	$(install_file)      debian/copyright       $(DOCDIR)/
+	$(install_file)      debian/example.fc      $(DOCDIR)/examples/
+	$(install_file)      debian/example.if      $(DOCDIR)/examples/
+	$(install_file)      debian/example.te      $(DOCDIR)/examples/
+	$(install_file)      debian/example.mk      $(DOCDIR)/examples/Makefile
+	$(install_program)   debian/policygentool   $(TMPTOP)/usr/bin
+	$(install_file)      debian/policygentool.1 $(MAN1DIR)
+	gzip -9fqr           $(MAN1DIR)
+DIRS_TO_CLEAN  += debian/selinux-policy-refpolicy-dev
+
+install/selinux-policy-refpolicy-doc:
+	$(REASON)
+	rm -rf               $(TMPTOP) $(TMPTOP).deb
+	$(make_directory)    $(DOCDIR)
+	$(make_directory)    $(DOCBASEDIR)
+	$(make_directory)    $(MAN8DIR)
+	cp -a man/man8/*.8   $(MAN8DIR)
+	$(install_file)      VERSION              $(DOCDIR)/
+	$(install_file)      README               $(DOCDIR)/
+	$(install_file)      debian/README.Debian $(DOCDIR)/
+	$(install_file)      Changelog            $(DOCDIR)/changelog
+	$(install_file)      debian/changelog     $(DOCDIR)/changelog.Debian
+	$(install_file)      debian/docentry      $(DOCBASEDIR)/$(package)
+	gzip -9fqr           $(MANDIR)
+	gzip -9fqr           $(DOCDIR)
+	(cd $(SRCTOP)/debian/build-$(package);                                   \
+         $(MAKE) NAME=refpolicy $(OPTIONS) DESTDIR=$(TMPTOP)                     \
+                 PKGNAME=selinux-policy-refpolicy-doc conf html install-docs;)
+	gzip -9fq $(DOCDIR)/example.if $(DOCDIR)/example.fc $(DOCDIR)/Makefile.example 
+	$(install_file)      debian/copyright     $(DOCDIR)/
+	$(install_file)      debian/docentry         $(DOCBASEDIR)/$(package)
+DIRS_TO_CLEAN  += debian/selinux-policy-refpolicy-doc
+
+binary/selinux-policy-refpolicy-strict:
+	$(REASON)
+	$(checkdir)
+	$(make_directory)    $(TMPTOP)/DEBIAN
+	(cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+	sed -e 's/=T/strict/g' debian/postinst.policy  > $(TMPTOP)/DEBIAN/postinst
+	chmod 755                                      $(TMPTOP)/DEBIAN/postinst
+	$(install_program)   debian/strict.postrm      $(TMPTOP)/DEBIAN/postrm
+	dpkg-gencontrol    -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+                              -p$(package) -isp   -P$(TMPTOP)
+	$(create_md5sum)     $(TMPTOP)
+	chown -R root:root $(TMPTOP)
+	chmod -R u+w,go=rX $(TMPTOP)
+	dpkg --build       $(TMPTOP) ..
+
+binary/selinux-policy-refpolicy-targeted:
+	$(REASON)
+	$(checkdir)
+	$(make_directory)    $(TMPTOP)/DEBIAN
+	(cd $(TMPTOP); find etc -type f | sed 's,^,/,'  > DEBIAN/conffiles)
+	sed -e 's/=T/targeted/g' debian/postinst.policy >$(TMPTOP)/DEBIAN/postinst
+	chmod 755                                       $(TMPTOP)/DEBIAN/postinst
+	$(install_program)   debian/targeted.postrm     $(TMPTOP)/DEBIAN/postrm
+	dpkg-gencontrol    -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+                              -p$(package) -isp   -P$(TMPTOP)
+	$(create_md5sum)   $(TMPTOP)
+	chown -R root:root $(TMPTOP)
+	chmod -R u+w,go=rX $(TMPTOP)
+	dpkg --build       $(TMPTOP) ..
+
+binary/selinux-policy-refpolicy-src:
+	$(REASON)
+	$(checkdir)
+	$(make_directory)    $(TMPTOP)/DEBIAN
+	dpkg-gencontrol    -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+                              -p$(package) -isp   -P$(TMPTOP)
+	$(create_md5sum)   $(TMPTOP)
+	chown -R root:root $(TMPTOP)
+	chmod -R u+w,go=rX $(TMPTOP)
+	dpkg --build       $(TMPTOP) ..
+
+binary/selinux-policy-refpolicy-dev:
+	$(REASON)
+	$(checkdir)
+	$(make_directory)    $(TMPTOP)/DEBIAN
+	dpkg-gencontrol    -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+                              -p$(package) -isp   -P$(TMPTOP)
+	$(create_md5sum)   $(TMPTOP)
+	chown -R root:root $(TMPTOP)
+	chmod -R u+w,go=rX $(TMPTOP)
+	dpkg --build       $(TMPTOP) ..
+
+binary/selinux-policy-refpolicy-doc:
+	$(REASON)
+	$(checkdir)
+	$(make_directory)    $(TMPTOP)/DEBIAN
+	(cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+	$(install_program)   debian/doc.postinst      $(TMPTOP)/DEBIAN/postinst
+	$(install_program)   debian/doc.prerm         $(TMPTOP)/DEBIAN/prerm
+	dpkg-gencontrol    -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+                              -p$(package) -isp   -P$(TMPTOP)
+	$(create_md5sum)   $(TMPTOP)
+	chown -R root:root $(TMPTOP)
+	chmod -R u+w,go=rX $(TMPTOP)
+	dpkg --build       $(TMPTOP) ..
+
+
--- refpolicy-0.0.20070507.orig/debian/local-vars.mk
+++ refpolicy-0.0.20070507/debian/local-vars.mk
@@ -0,0 +1,68 @@
+############################ -*- Mode: Makefile -*- ###########################
+## local-vars.mk --- 
+## Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+## Created On       : Sat Nov 15 10:43:00 2003
+## Created On Node  : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sun Aug 20 21:57:04 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count     : 14
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : 
+## 
+## arch-tag: 1a76a87e-7af5-424a-a30d-61660c8f243e
+## 
+###############################################################################
+
+FILES_TO_CLEAN  = debian/files
+STAMPS_TO_CLEAN = 
+DIRS_TO_CLEAN   = $(TMPTOP)
+
+# Location of the source dir
+SRCTOP    := $(shell if [ "$$PWD" != "" ]; then echo $$PWD; else pwd; fi)
+TMPTOP     = $(SRCTOP)/debian/$(package)
+LINTIANDIR = $(TMPTOP)/usr/share/lintian/overrides
+DOCBASEDIR = $(TMPTOP)/usr/share/doc-base
+
+BINDIR  = $(TMPTOP)$(PREFIX)/bin
+LIBDIR  = $(TMPTOP)$(PREFIX)/lib
+# Man Pages
+MANDIR    = $(TMPTOP)/usr/share/man
+MAN1DIR   = $(MANDIR)/man1
+MAN3DIR   = $(MANDIR)/man3
+MAN5DIR   = $(MANDIR)/man5
+MAN7DIR   = $(MANDIR)/man7
+MAN8DIR   = $(MANDIR)/man8
+
+INFODIR = $(TMPTOP)/usr/share/info
+DOCTOP  = $(TMPTOP)/usr/share/doc
+DOCDIR  = $(DOCTOP)/$(package)
+MENUDIR   = $(TMPTOP)/usr/lib/menu/
+
+OPTIONS=DISTRO=debian DIRECT_INITRC=y MONOLITHIC=n
+
+PYDEFAULT  =$(strip $(shell pyversions -vd))
+MODULES_DIR=$(TMPTOP)/usr/share/python-support/$(package)
+
+# set this to -mcs, -mls, or -mcs-mls
+MCS_MLS_TYPE=-mcs
+
+# Things we have put into the base for Debian systems.
+# egrep base debian/modules.conf.targeted | grep -v '#' | \
+#     sort | sed -e 's/=.*$//g'
+NON_MODULES=apt authlogin bootloader clock corecommands corenetwork  \
+            cron devices dmesg domain dpkg files filesystem fstools  \
+            getty hostname init iptables kernel libraries locallogin \
+            logging logrotate mcs miscfiles mls modutils mount mta   \
+            selinux selinuxutil storage su sudo sysnetwork terminal  \
+            userdomain userhelper usermanage
+
+define checkdir
+	@test -f debian/rules -a -f policy/modules/kernel/kernel.fc || \
+          (echo Not in correct source directory; exit 1)
+endef
+
+define checkroot
+	@test $$(id -u) = 0 || (echo need root priviledges; exit 1)
+endef
--- refpolicy-0.0.20070507.orig/debian/global_tunables.xml
+++ refpolicy-0.0.20070507/debian/global_tunables.xml
@@ -0,0 +1,583 @@
+<tunable name="allow_cvs_read_shadow" dftval="false">
+<desc>
+<p>
+Allow cvs daemon to read shadow
+</p>
+</desc>
+</tunable>
+<tunable name="allow_zebra_write_config" dftval="false">
+<desc>
+<p>
+Allow zebra daemon to write it configuration files
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execheap" dftval="false">
+<desc>
+<p>
+Allow making the heap executable.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmem" dftval="false">
+<desc>
+<p>
+Allow making anonymous memory executable, e.g.
+for runtime-code generation or executable stack.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execmod" dftval="false">
+<desc>
+<p>
+Allow making a modified private file
+mapping executable (text relocation).
+</p>
+</desc>
+</tunable>
+<tunable name="allow_execstack" dftval="false">
+<desc>
+<p>
+Allow making the stack executable via mprotect.
+Also requires allow_execmem.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ftpd_anon_write" dftval="false">
+<desc>
+<p>
+Allow ftp servers to modify public files
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ftpd_use_cifs" dftval="false">
+<desc>
+<p>
+Allow ftp servers to use cifs
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ftpd_use_nfs" dftval="false">
+<desc>
+<p>
+Allow ftp servers to use nfs
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_gssd_read_tmp" dftval="true">
+<desc>
+<p>
+Allow gssd to read temp directory.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_httpd_anon_write" dftval="false">
+<desc>
+<p>
+Allow Apache to modify public files
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_httpd_mod_auth_pam" dftval="false">
+<desc>
+<p>
+Allow Apache to use mod_auth_pam
+</p>
+</desc>
+</tunable>
+<tunable name="allow_java_execstack" dftval="false">
+<desc>
+<p>
+Allow java executable stack
+</p>
+</desc>
+</tunable>
+<tunable name="allow_kerberos" dftval="false">
+<desc>
+<p>
+Allow system to run with kerberos
+</p>
+</desc>
+</tunable>
+<tunable name="allow_nfsd_anon_write" dftval="false">
+<desc>
+<p>
+Allow nfs servers to modify public files
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_rsync_anon_write" dftval="false">
+<desc>
+<p>
+Allow rsync to modify public files
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_saslauthd_read_shadow" dftval="false">
+<desc>
+<p>
+Allow sasl to read shadow
+</p>
+</desc>
+</tunable>
+<tunable name="allow_smbd_anon_write" dftval="false">
+<desc>
+<p>
+Allow samba to modify public files
+used for public file transfer services.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ypbind" dftval="false">
+<desc>
+<p>
+Allow system to run with NIS
+</p>
+</desc>
+</tunable>
+<tunable name="fcron_crond" dftval="false">
+<desc>
+<p>
+Enable extra rules in the cron domain
+to support fcron.
+</p>
+</desc>
+</tunable>
+<tunable name="ftp_home_dir" dftval="false">
+<desc>
+<p>
+Allow ftp to read and write files in the user home directories
+</p>
+</desc>
+</tunable>
+<tunable name="ftpd_is_daemon" dftval="false">
+<desc>
+<p>
+Allow ftpd to run directly without inetd
+</p>
+</desc>
+</tunable>
+<tunable name="global_ssp" dftval="false">
+<desc>
+<p>
+Enable reading of urandom for all domains.
+</p>
+<p>
+This should be enabled when all programs
+are compiled with ProPolice/SSP
+stack smashing protection.  All domains will
+be allowed to read from /dev/urandom.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_builtin_scripting" dftval="false">
+<desc>
+<p>
+Allow httpd to use built in scripting (usually php)
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_network_connect" dftval="false">
+<desc>
+<p>
+Allow http daemon to tcp connect
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_network_connect_db" dftval="false">
+<desc>
+<p>
+Allow httpd to connect to mysql/posgresql
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_can_network_relay" dftval="false">
+<desc>
+<p>
+Allow httpd to act as a relay
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_enable_cgi" dftval="false">
+<desc>
+<p>
+Allow httpd cgi support
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_enable_ftp_server" dftval="false">
+<desc>
+<p>
+Allow httpd to act as a FTP server by
+listening on the ftp port.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_enable_homedirs" dftval="false">
+<desc>
+<p>
+Allow httpd to read home directories
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_ssi_exec" dftval="false">
+<desc>
+<p>
+Run SSI execs in system CGI script domain.
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_tty_comm" dftval="false">
+<desc>
+<p>
+Allow http daemon to communicate with the TTY
+</p>
+</desc>
+</tunable>
+<tunable name="httpd_unified" dftval="false">
+<desc>
+<p>
+Run CGI in the main httpd domain
+</p>
+</desc>
+</tunable>
+<tunable name="named_write_master_zones" dftval="false">
+<desc>
+<p>
+Allow BIND to write the master zone files.
+Generally this is used for dynamic DNS.
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_rw" dftval="false">
+<desc>
+<p>
+Allow nfs to be exported read/write.
+</p>
+</desc>
+</tunable>
+<tunable name="nfs_export_all_ro" dftval="false">
+<desc>
+<p>
+Allow nfs to be exported read only
+</p>
+</desc>
+</tunable>
+<tunable name="pppd_can_insmod" dftval="false">
+<desc>
+<p>
+Allow pppd to load kernel modules for certain modems
+</p>
+</desc>
+</tunable>
+<tunable name="read_default_t" dftval="false">
+<desc>
+<p>
+Allow reading of default_t files.
+</p>
+</desc>
+</tunable>
+<tunable name="samba_enable_home_dirs" dftval="false">
+<desc>
+<p>
+Allow samba to export user home directories.
+</p>
+</desc>
+</tunable>
+<tunable name="samba_share_nfs" dftval="false">
+<desc>
+<p>
+Allow samba to export NFS volumes.
+</p>
+</desc>
+</tunable>
+<tunable name="squid_connect_any" dftval="false">
+<desc>
+<p>
+Allow squid to connect to all ports, not just
+HTTP, FTP, and Gopher ports.
+</p>
+</desc>
+</tunable>
+<tunable name="stunnel_is_daemon" dftval="false">
+<desc>
+<p>
+Configure stunnel to be a standalone daemon or
+inetd service.
+</p>
+</desc>
+</tunable>
+<tunable name="use_nfs_home_dirs" dftval="false">
+<desc>
+<p>
+Support NFS home directories
+</p>
+</desc>
+</tunable>
+<tunable name="use_samba_home_dirs" dftval="false">
+<desc>
+<p>
+Support SAMBA home directories
+</p>
+</desc>
+</tunable>
+<tunable name="user_ping" dftval="false">
+<desc>
+<p>
+Control users use of ping and traceroute
+</p>
+</desc>
+</tunable>
+<tunable name="allow_gpg_execstack" dftval="false">
+<desc>
+<p>
+Allow gpg executable stack
+</p>
+</desc>
+</tunable>
+<tunable name="allow_mplayer_execstack" dftval="false">
+<desc>
+<p>
+Allow mplayer executable stack
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ptrace" dftval="false">
+<desc>
+<p>
+Allow sysadm to ptrace all processes
+</p>
+</desc>
+</tunable>
+<tunable name="allow_ssh_keysign" dftval="false">
+<desc>
+<p>
+allow host key based authentication
+</p>
+</desc>
+</tunable>
+<tunable name="allow_user_mysql_connect" dftval="false">
+<desc>
+<p>
+Allow users to connect to mysql
+</p>
+</desc>
+</tunable>
+<tunable name="allow_write_xshm" dftval="false">
+<desc>
+<p>
+Allows clients to write to the X server shared
+memory segments.
+</p>
+</desc>
+</tunable>
+<tunable name="cdrecord_read_content" dftval="false">
+<desc>
+<p>
+Allow cdrecord to read various content.
+nfs, samba, removable devices, user temp
+and untrusted content files
+</p>
+</desc>
+</tunable>
+<tunable name="cron_can_relabel" dftval="false">
+<desc>
+<p>
+Allow system cron jobs to relabel filesystem
+for restoring file contexts.
+</p>
+</desc>
+</tunable>
+<tunable name="disable_games_trans" dftval="false">
+<desc>
+<p>
+force to games to run in user_t
+mapping executable (text relocation).
+</p>
+</desc>
+</tunable>
+<tunable name="disable_evolution_trans" dftval="false">
+<desc>
+<p>
+Disable transitions to evolution domains.
+</p>
+</desc>
+</tunable>
+<tunable name="disable_mozilla_trans" dftval="false">
+<desc>
+<p>
+Disable transitions to user mozilla domains
+</p>
+</desc>
+</tunable>
+<tunable name="disable_thunderbird_trans" dftval="false">
+<desc>
+<p>
+Disable transitions to user thunderbird domains
+</p>
+</desc>
+</tunable>
+<tunable name="mail_read_content" dftval="false">
+<desc>
+<p>
+Allow email client to various content.
+nfs, samba, removable devices, user temp
+and untrusted content files
+</p>
+</desc>
+</tunable>
+<tunable name="mozilla_read_content" dftval="false">
+<desc>
+<p>
+Control mozilla content access
+</p>
+</desc>
+</tunable>
+<tunable name="pppd_for_user" dftval="false">
+<desc>
+<p>
+Allow pppd to be run for a regular user
+</p>
+</desc>
+</tunable>
+<tunable name="read_untrusted_content" dftval="false">
+<desc>
+<p>
+Allow applications to read untrusted content
+If this is disallowed, Internet content has
+to be manually relabeled for read access to be granted
+</p>
+</desc>
+</tunable>
+<tunable name="run_ssh_inetd" dftval="false">
+<desc>
+<p>
+Allow ssh to run from inetd instead of as a daemon.
+</p>
+</desc>
+</tunable>
+<tunable name="spamassassin_can_network" dftval="false">
+<desc>
+<p>
+Allow user spamassassin clients to use the network.
+</p>
+</desc>
+</tunable>
+<tunable name="ssh_sysadm_login" dftval="false">
+<desc>
+<p>
+Allow ssh logins as sysadm_r:sysadm_t
+</p>
+</desc>
+</tunable>
+<tunable name="staff_read_sysadm_file" dftval="false">
+<desc>
+<p>
+Allow staff_r users to search the sysadm home
+dir and read files (such as ~/.bashrc)
+</p>
+</desc>
+</tunable>
+<tunable name="user_direct_mouse" dftval="false">
+<desc>
+<p>
+Allow regular users direct mouse access
+</p>
+</desc>
+</tunable>
+<tunable name="user_dmesg" dftval="false">
+<desc>
+<p>
+Allow users to read system messages.
+</p>
+</desc>
+</tunable>
+<tunable name="user_net_control" dftval="false">
+<desc>
+<p>
+Allow users to control network interfaces
+(also needs USERCTL=true)
+</p>
+</desc>
+</tunable>
+<tunable name="user_rw_noexattrfile" dftval="false">
+<desc>
+<p>
+Allow user to r/w files on filesystems
+that do not have extended attributes (FAT, CDROM, FLOPPY)
+</p>
+</desc>
+</tunable>
+<tunable name="user_tcp_server" dftval="false">
+<desc>
+<p>
+Allow users to run TCP servers (bind to ports and accept connection from
+the same domain and outside users)  disabling this forces FTP passive mode
+and may change other protocols.
+</p>
+</desc>
+</tunable>
+<tunable name="user_ttyfile_stat" dftval="false">
+<desc>
+<p>
+Allow w to display everyone
+</p>
+</desc>
+</tunable>
+<tunable name="write_untrusted_content" dftval="false">
+<desc>
+<p>
+Allow applications to write untrusted content
+If this is disallowed, no Internet content
+will be stored.
+</p>
+</desc>
+</tunable>
+<tunable name="xdm_sysadm_login" dftval="false">
+<desc>
+<p>
+Allow xdm logins as sysadm
+</p>
+</desc>
+</tunable>
+<tunable name="allow_daemons_use_tty" dftval="false">
+<desc>
+<p>
+Allow all daemons the ability to use unallocated ttys
+</p>
+</desc>
+</tunable>
+<tunable name="allow_mount_anyfile" dftval="false">
+<desc>
+<p>
+Allow mount to mount any file
+</p>
+</desc>
+</tunable>
+<tunable name="spamd_enable_home_dirs" dftval="true">
+<desc>
+<p>
+Allow spammd to read/write user home directories.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_polyinstantiation" dftval="false">
+<desc>
+<p>
+Allow httpd cgi support
+</p>
+</desc>
+</tunable>
+<tunable name="allow_unconfined_execmem_dyntrans" dftval="false">
+<desc>
+<p>
+Allow unconfined to dyntrans to unconfined_execmem
+</p>
+</desc>
+</tunable>
--- refpolicy-0.0.20070507.orig/debian/doc.prerm
+++ refpolicy-0.0.20070507/debian/doc.prerm
@@ -0,0 +1,125 @@
+#! /bin/sh
+#                               -*- Mode: Sh -*- 
+# prerm --- 
+# Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+# Created On       : Fri Nov 14 12:16:39 2003
+# Created On Node  : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Fri May 12 02:30:40 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count     : 10
+# Status           : Unknown, Use with caution!
+# HISTORY          : 
+# Description      : 
+#
+# arch-tag: a4c1a888-137d-4800-98f8-93d0365422d8 
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# 
+
+# Abort if any command returns an error value
+set -e
+
+package_name=selinux-policy-refpolicy-doc
+
+if [ -z "$package_name" ]; then
+    print >&2 "Internal Error. Please report a bug."
+    exit 1;
+fi
+
+
+# This script is called as the first step in removing the package from
+# the system.  This includes cases where the user explicitly asked for
+# the package to be removed, upgrade, automatic removal due to conflicts,
+# and deconfiguration due to temporary removal of a depended-on package.
+
+# Info files should be uninstalled from the dir file in any case.
+# install-info --quiet --remove /usr/info/${package_name}
+
+case "$1" in
+  remove)
+    # This package about to be removed.
+    :
+
+    # Remove package-specific directories from /usr/local.  Don't try
+    # to remove standard directories such as /usr/local/lib.
+    ##: if test -d /usr/local/lib/${package_name}; then
+    ##:   rmdir /usr/local/lib/${package_name} || true
+    ##: fi
+
+    # Deactivate menu-methods script.
+    ##: chmod a-x /etc/menu-methods/${package_name}
+
+    # Withdraw our version of a program.
+    ##: update-alternatives --remove program /usr/bin/alternative
+
+    # Get rid of the installed docs
+    if which install-docs >/dev/null 2>&1; then
+        install-docs -r $package_name
+    fi
+    
+    # Get rid of the byte compiled files
+    ##: if [ -x /usr/lib/emacsen-common/emacs-package-remove ]; then
+    ##:      /usr/lib/emacsen-common/emacs-package-remove $package_name
+    ##: fi
+
+    # There are two sub-cases:
+    if test "${2+set}" = set; then
+      if test "$2" != in-favour; then
+        echo "$0: undocumented call to \`prerm $*'" 1>&2
+        exit 0
+      fi
+      # We are being removed because of a conflict with package $3
+      # (version $4), which is now being installed.
+      :
+
+    else
+      # The package is being removed in its own right.
+      :
+
+    fi ;;
+  deconfigure)
+    if test "$2" != in-favour || test "$5" != removing; then
+      echo "$0: undocumented call to \`prerm $*'" 1>&2
+      exit 0
+    fi
+    # Package $6 (version $7) which we depend on is being removed due
+    # to a conflict with package $3 (version $4), and this package is
+    # being deconfigured until $6 can be reinstalled.
+    :
+
+    ;;
+  upgrade)
+    # Prepare to upgrade FROM THIS VERSION of this package to version $2.
+    :
+
+    if [ -L /usr/doc/$package_name ]; then
+        rm -f /usr/doc/$package_name
+    fi
+
+    ;;
+  failed-upgrade)
+    # Prepare to upgrade from version $2 of this package TO THIS VERSION.
+    # This is only used if the old version's prerm couldn't handle it,
+    # and returned non-zero.  (Fix old prerm bugs here.)
+    :
+
+    ;;
+  *) echo "$0: didn't understand being called with \`$1'" 1>&2
+     exit 0;;
+esac
+
+exit 0
--- refpolicy-0.0.20070507.orig/debian/README.Debian
+++ refpolicy-0.0.20070507/debian/README.Debian
@@ -0,0 +1,8 @@
+It would be useful for most users to be familiar with policycoreutils
+tools in order to manipulate policies installed on the
+system. Specifically, it is useful to be familiar with:
+ semodule(8)    - Manage SELinux policy modules.
+ load_policy(8) - load a new policy into the kernel
+
+
+ -- Manoj Srivastava <srivasta@debian.org>, Tue,  9 May 2006 14:07:31 -0500
--- refpolicy-0.0.20070507.orig/debian/changelog
+++ refpolicy-0.0.20070507/debian/changelog
@@ -0,0 +1,441 @@
+refpolicy (0.0.20070507-3) unstable; urgency=low
+
+  * Add hostfs as a recognized remote file-system. This should allow a
+    UML virtual machine to function in a fully enforcing mode.
+
+ -- Manoj Srivastava <srivasta@debian.org>  Wed,  9 May 2007 15:48:26 -0500
+
+refpolicy (0.0.20070507-2) unstable; urgency=medium
+
+  * Keep track of modules that are really  built into the base policy in
+    Debian.  We then use this list to remove  the modules .pp files from
+    the policy shipped, since they can not be installed along with the
+    base policy anyway. Make sure we don't add such modules hen
+    considering module dependencies either.
+  * Added Module ricci to modules.conf for both strict and targeted.
+
+ -- Manoj Srivastava <srivasta@debian.org>  Mon,  7 May 2007 09:07:36 -0500
+
+refpolicy (0.0.20070507-1) unstable; urgency=low
+
+  * New upstream SVN HEAD.
+    - Miscellaneous consolekit fixes from Dan Walsh.
+    - Patch to have avahi use the nsswitch interface rather than individual
+      permissions from Dan Walsh.
+    - Patch to dontaudit logrotate searching avahi pid directory from Dan
+      Walsh. 
+    - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t
+      pipes to handle usage from userhelper from Dan Walsh.
+    - Patch to allow amavis to read spamassassin libraries from Dan Walsh.
+    - Patch to allow slocate to getattr other filesystems and directories
+      on those filesystems from Dan Walsh.
+    - Fixes for RHEL4 from the CLIP project.
+    - Replace the old lrrd fc entries with munin ones.
+    - Move program admin template usage out of
+      userdom_admin_user_template() to sysadm policy in userdomain.te to
+      fix usage of the template for third parties.
+    - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
+      template instead of an interface.
+    - Added modules: rwho (Nalin Dahyabhai)
+  * Updated dependencies, since this refpolicy needs newer toolchain,
+
+ -- Manoj Srivastava <srivasta@debian.org>  Mon,  7 May 2007 01:47:44 -0500
+
+refpolicy (0.0.20070417-1) unstable; urgency=low
+
+  * New upstream release.
+  * Added XS-VCS-Arch and XS-VCS-Browse to debian/control, and updated
+    build dependencies.
+  * Bug fix: "selinux-policy-refpolicy-targeted: need file_contexts for
+    gcj-dbtool-4.1 and /var/log/account", thanks to Russell Coker
+                                                           (Closes: #416910).
+
+ -- Manoj Srivastava <srivasta@debian.org>  Thu, 19 Apr 2007 02:28:29 -0500
+
+refpolicy (0.0.20061018-5) unstable; urgency=high
+
+  * Add policy for log and lock files for aptitude. This is needed for
+    proper function; so one does not need to go into permissive mode to
+    run aptitude.  Stolen from Erich. This is a low risk change.
+  * Debian puts grub in /usr/sbin/grub. Reflect that in the initial file
+    context. 
+  * Debian creates /dev/xconsole independently of whether or not a xserver
+    has been installed or not. So move the policy related to /dev/sconsole
+    out of the xserver policy, and into places where relevant (init.te,
+    logging.fc), to reflect the status that /dev/console is present
+    anyway.
+  * Add support for /etc/network/run  and /dev/shm/network, which seem to
+    be Debian specific as well.
+  * Allow udev to manage configuration files.
+
+ -- Manoj Srivastava <srivasta@debian.org>  Fri,  9 Mar 2007 00:22:19 -0600
+
+refpolicy (0.0.20061018-4) unstable; urgency=low
+
+  * Bug fix: "selinux-policy-refpolicy-targeted: does not suggest a way to
+    fix the 'maybe failing' attempt in postinst", thanks to Eddy Petrisor.
+    While this does not belong in the postinst, I have addedthis to the 
+    README.Debian file. This should be a low risk change. (Closes: #407691).
+  * Bug fix: "Default build.conf doesn't match default strict/targeted
+    policy", thanks to Stefan.The build.conf included in the reference
+    source policy describe to build a policy of the type "strict". The
+    default binary policies coming with Debian are build with the policy
+    type "strict-mcs" or "targeted-mcs". Change the build.conf shipped in
+    source to conform to what we really use. (changes TYPE=strict to 
+    TYPE=strict-mcs, very low risk change.                (Closes: #411256).
+  * Bug fix: "selinux-policy-refpolicy-targeted: openvpn policy do not
+    allow tcp connection mode", thanks to Rafal Kupka. This bug really
+    should be at least important, and we should fully support a class of
+    security product like OpenVPN on machines which are running SELinux,
+    and this is a very low risk change.                    (Closes: #409041).
+  * Install header files required for policy building for both strict and
+    targeted policies in a new -dev package, so it becomes really useful
+    to work with the source package. Moved the examples from the -src
+    package to this new -dev package, since the example is only useful in
+    with the headers provided. This is a new package, but it contains only
+    files already in the sources (No upstream changes at all), and is the
+    result of make install-headers. This new package has no rdepends, and
+    should be a very low risk addition to Debian.
+  * This release should be a whole lot better for building local policies,
+    including the policygentool for creating a new policy from scratch,
+    and ability to build local policy modular packages. The build.conf
+    files have been cleaned up, and the source policy defaults to targeted
+    policy, which is standard in Debian, as opposed to the strict policy,
+    which has priority optional.
+
+ -- Manoj Srivastava <srivasta@debian.org>  Mon, 26 Feb 2007 22:37:17 -0600
+
+refpolicy (0.0.20061018-3) unstable; urgency=high
+
+  * Bug fix: "refpolicy: FTBFS: /bin/sh: debian/stamp/config-strict: No
+    such file or directory", thanks to Lucas Nussbaum. This was fixed by
+    moving all the stamps into ./debian instead. I'll re-visit the
+    ./debian/stamp/ directory in lenny. This is a pretty minor packaging
+    change.                                                 (Closes: #405613).
+  * Bug fix: "selinux-policy-refpolicy-targeted: Policy for dcc misses
+    Debian's FHS paths", thanks to Devin Carraway. From the bug report:
+    Many of the files in these packages are overlooked when labelling
+    files, because refpolicy's dcc module stipulates paths not consistent
+    with the Debian FHS layout.  The files go unlabelled and dcc-client
+    (at least) stops working. The two major problems  are the references
+    to /usr/libexec/dcc (damons, placed in /usr/sbin by the Debian
+    packages) and to /var/dcc (all sorts of things, placed under
+    /var/lib/dcc).  A side effect of the latter is that dccifd_t and
+    probably others need search on var_lib_t, through which it must pass
+    to get to /var/lib/dcc.  Fixed the policy; will send upstream.
+                                                             (Closes: #404309).
+  * Bug fix: "selinux-policy-refpolicy-targeted: clamav policy forbids
+    clamd_t search on /var/lib", thanks to Devin Carraway.  This is a
+    simple one line change, and obviously an oversight; I think getting
+    clamd to work is fairly important.                        (Closes: #404895).
+  * Bug fix: "selinux-policy-refpolicy-targeted: Multiple problems with
+    courier policy", thanks to Devin Carraway.  There is detailed
+    information of the changes made in the bug report, and in the commit
+    logs. Again, fixing courier daemons seems pretty important; SELinux
+    tends to get used a lot on remote mail servers, and this fixes issues
+    with the policy.                                          (Closes: #405103).
+
+ -- Manoj Srivastava <srivasta@debian.org>  Mon, 15 Jan 2007 13:20:30 -0600
+
+refpolicy (0.0.20061018-2) unstable; urgency=high
+
+  * The This update enables MCS for targeted and strict, uses 1024
+    categories (as Fedora uses - necessary for compatability). Please note
+    that enabling MCS categories is required for compatibility with
+    filesystems created on Fedora Core 5 and above, RHEL 5 and above, and
+    CentOS 5 and above.  MCS categories is also a feature that we plan for
+    all future releases of SE Linux and does not have a nice upgrade path
+    - releasing etch without MCS will make things painful for SE Linux
+    users on the upgrade to lenny. This feature has been extensively
+    tested by Russel Coker and myself, and does not otherwise impact the
+    install. 
+  * Allow semanage to use the initrd file descriptor in targeted policy.
+  * Fix a bug with restorecon.
+  * Bug fix: "refpolicy: qemu should have execmem permissions", thanks to
+    David Härdeman                                       (Closes: #402293).
+
+ -- Manoj Srivastava <srivasta@debian.org>  Fri, 22 Dec 2006 10:33:22 -0600
+
+refpolicy (0.0.20061018-1) unstable; urgency=low
+
+  * New upstream release
+  * Updated copyright file with the new location of the sources, and added
+    a watch file.
+  * Bug fix: "selinux-policy-refpolicy-targeted: postinst package list
+    retrieval suggestion", thanks to Alexander Buerger. Thanks to the
+    provided suggestion, the selection of policy modules to install is not
+    only faster, it is actually correct :)                 (Closes: #388744).
+  * Bug fix: "Makefile for building policy modules?", thanks to Uwe
+    Hermann.  Provided an intial version, may have bugs.   (Closes: #389116).
+
+ -- Manoj Srivastava <srivasta@debian.org>  Tue, 24 Oct 2006 14:31:22 -0500
+
+refpolicy (0.0.20060911-2) unstable; urgency=low
+
+  * Fixed a typo in policy postinst that made all the policies reload at
+    every update.
+
+ -- Manoj Srivastava <srivasta@debian.org>  Tue, 12 Sep 2006 10:28:11 -0500
+
+refpolicy (0.0.20060911-1) unstable; urgency=low
+
+  * New upstream SCM HEAD.
+  * Synched with Erich Schubert <erich@debian.org>
+    + Added first draft of python-support. You'll want to relabel these files.
+    + Build python-support and setroubleshoot modules
+    + Removed modules from guessing hintfile that are included in base.
+
+  * Bug fix: "Defaults should match the strict/targeted policy", thanks to
+    Uwe Hermann. Makde them match strict.                     (Closes: #386931).
+  * Bug fix: "selinux-policy-refpolicy-src: Duplicate entries in policy
+    files", thanks to Simon Richard Grint                     (Closes: #386909).
+  * Bug fix: "modules.conf vs. modules.conf.dist", thanks to Uwe Hermann
+                                                              (Closes: #386887).
+  * Bug fix: "OUTPUT_POLICY and policy-version comments", thanks to Uwe
+    Hermann                                                  (Closes: #386930).
+  * Bug fix: "s/bzip2/gzip/?", thanks to Uwe Hermann         (Closes: #386885).
+  * Bug fix: "selinux-refpolicy-src: include modules.conf files of strict
+    and targeted for -src package", thanks to Erich Schubert
+                                                              (Closes: #386573).
+
+ -- Manoj Srivastava <srivasta@debian.org>  Mon, 11 Sep 2006 17:46:10 -0500
+
+refpolicy (0.0.20060907-3) unstable; urgency=low
+
+  * Updated a few more policy modules to latest versions for Debian.
+
+ -- Manoj Srivastava <srivasta@debian.org>  Fri,  8 Sep 2006 12:42:22 -0500
+
+refpolicy (0.0.20060907-2) unstable; urgency=low
+
+  * Update the module/package mapping.
+  * In the selinux-policy-refpolicy-src package, now ship the
+    modules.conf.strict and the modules.conf.targeted files which are used
+    to build the corresponding policy packages, snce the raw modules.conf
+    package has issues on Debian.
+  * With this version, we no longer ship the selinux-policy-refpolicy-src
+    unpacked into /etc with a gazillion conffiles; instead, we now ship a
+    compressed tarball in /usr/src, which the user may unpack where they
+    wish, and install policies as they wish.
+
+ -- Manoj Srivastava <srivasta@debian.org>  Fri,  8 Sep 2006 10:49:40 -0500
+
+refpolicy (0.0.20060907-1) unstable; urgency=low
+
+  * New upstream SCM HEAD.
+  * Bug fix: "selinux-policy-refpolicy-src: Compile failure of modular
+    targeted policy", thanks to Simon Richard Grint. Put a wrapper around
+    the offending lines to only take effect when running a strict policy.
+                                                            (Closes: #384502).
+  * Bug fix: "make: /usr/sbin/setfiles: Command not found", thanks to Uwe
+    Hermann. Fixed upstream.                                (Closes: #384850).
+
+ -- Manoj Srivastava <srivasta@debian.org>  Fri,  8 Sep 2006 00:27:39 -0500
+
+refpolicy (0.0.20060813-2) unstable; urgency=low
+
+  * Bug fix: "Needs gawk", thanks to Simon Richard Grint
+                                                         (Closes: #382821).
+  * Bug fix: "Move /etc/selinux/refpolicy/src/policy/man/man8/*
+    manpages?", thanks to Uwe Hermann                    (Closes: #372789).
+  * Fix errors in post installation initial policy creation process in the
+    postinst. 
+  * Add directories required during policy build during postinst. This bug
+    prevented any policies being built when the package was initially
+    installed. Also, create an empty  file_contexts.local file if it does
+    not already exist. 
+  * Make selinux-policy-refpolicy-targeted provide and replace the
+    obsolete package selinux-policy-default; which should in the future be
+    just a virtual package. 
+  * Added postrm packages to strict and targeted policy packages, in order
+    to clean out the directories in which files are created during policy
+    build. 
+  * Rewrote the postinst in perl to allow us to do module dependency
+    checks, and to map policy modules to debian packages, in order to
+    better detect the modules that would be necessary for the target
+    machine. 
+  * Also, compiling with either MCS or MLS produced errors while
+    installing policy, since we lack setrans daemon. So we are now
+    building with out them, created an easy to modify option to re-enable
+    it later.
+  * Updated modules.conf to use the latest offerings from Erich.
+
+ -- Manoj Srivastava <srivasta@debian.org>  Mon, 21 Aug 2006 14:59:52 -0500
+
+refpolicy (0.0.20060813-1) unstable; urgency=low
+
+  * New upstream SCM HEAD.
+  * Bug fix: "refpolicy: FTBFS: tmp/generated_definitions.conf:597:ERROR
+    'syntax error' at token '' on line 3416:", thanks to Andreas Jochens
+                                                        (Closes: #379559).
+  * Bug fix: "FTBFS while generating selinux-policy-refpolicy-strict",
+    thanks to Devin Carraway                            (Closes: #379376).
+  * Python transition (#2): you are building a private python module.
+                                                        (Closes: #380930).
+
+ -- Manoj Srivastava <srivasta@debian.org>  Tue, 15 Aug 2006 09:53:06 -0500
+
+refpolicy (0.0.20060509-2) unstable; urgency=low
+
+  * Modified some paths to be more in line with upstream standards.
+
+ -- Manoj Srivastava <srivasta@debian.org>  Fri, 12 May 2006 08:30:08 -0500
+
+refpolicy (0.0.20060509-1) unstable; urgency=low
+
+  * New upstream release. First packaging for Sid. 
+
+ -- Manoj Srivastava <srivasta@debian.org>  Tue,  9 May 2006 13:56:10 -0500
+
+refpolicy (20060506-1) sesarge; urgency=low
+
+  * New upstream checkout from CVS.
+  * Even more new modules.
+
+ -- Erich Schubert <erich@debian.org>  Sat,  6 May 2006 21:44:07 +0200
+
+refpolicy (20060418-2) sesarge; urgency=low
+
+  * New upstream checkout from CVS.
+
+ -- Erich Schubert <erich@debian.org>  Fri, 21 Apr 2006 19:17:05 +0200
+
+refpolicy (20060417-1) sesarge; urgency=low
+
+  * New upstream checkout from CVS.
+  * Until module linking is fixed, build everything into base.
+    (Sorry, this will result in a much larger policy than necessary.
+     Feel free to use the -src package to build your own!)
+
+ -- Erich Schubert <erich@debian.org>  Mon, 17 Apr 2006 21:04:49 +0200
+
+refpolicy (20060414-1) sesarge; urgency=low
+
+  * New upstream version with tons of new policy files
+
+ -- Erich Schubert <erich@debian.org>  Mon, 17 Apr 2006 20:48:50 +0200
+
+refpolicy (20060329-2) sesarge; urgency=low
+
+  * Merge upstream 20060329-2
+
+ -- Erich Schubert <erich@debian.org>  Mon,  3 Apr 2006 00:44:06 +0200
+
+refpolicy (20060324-2) sesarge; urgency=low
+
+  * Merge upstream 20060324-4
+
+ -- Erich Schubert <erich@debian.org>  Sat, 25 Mar 2006 03:34:36 +0100
+
+refpolicy (20060324-1) sesarge; urgency=low
+
+  * Merge upstream 20060323-2
+  * Merge changes by Thomas Bleher
+  * Build with checkpolicy 1.30.1
+  * Sorry, still doesn't work with make > 3.80
+
+ -- Erich Schubert <erich@debian.org>  Sat, 25 Mar 2006 02:21:00 +0100
+
+refpolicy (20060315-2) sesarge; urgency=low
+
+  * Make modular policy actually work. Hopefully.
+    (Up to now, optional_policy(`module') in base was not working upstream!)
+  * Revamp build process, don't use CDBS anymore since I didn't figure out
+    how to do two clean runs of the same source tree, and there is little
+    benefit here without any autotools or library magic needed
+
+ -- Erich Schubert <erich@debian.org>  Fri, 17 Mar 2006 20:51:55 +0100
+
+refpolicy (20060315-1.1) sesarge; urgency=low
+
+  * Small tweaks and bugfixes to policy
+
+ -- Erich Schubert <erich@debian.org>  Thu, 16 Mar 2006 23:13:40 +0100
+
+refpolicy (20060315-1) sesarge; urgency=low
+
+  * Merge with upstream and debian changes as of 20060309, rev 50
+  * Merge with upstream and debian changes as of 20060315, rev 55
+  * Added "netuser" role, similar to user_tcp_server boolean, but
+    you can enable it for single users only.
+
+ -- Erich Schubert <erich@debian.org>  Thu, 16 Mar 2006 00:23:54 +0100
+
+refpolicy (20060306-1) sesarge; urgency=low
+
+  * Merge with upstream and debian policy changes as of 20060306, Rev 31
+  * Try to auto-build a policy after a fresh install in postinst
+  * Add inetd module to base for now
+  * Increase policycoreutils build-dep to hopefully solve the users_extra
+    issues by using a newer policycoreutils for building...
+
+ -- Erich Schubert <erich@debian.org>  Mon,  6 Mar 2006 17:10:43 +0100
+
+refpolicy (20060227-1) sesarge; urgency=low
+
+  * Merge with upstream and debian policy changes as of 20060227, Rev 20
+
+ -- Erich Schubert <erich@debian.org>  Tue, 28 Feb 2006 03:48:48 +0100
+
+refpolicy (20060224-2) sesarge; urgency=low
+
+  * Update build process to not require a tarball, include previous
+    patches into our "branch" of the reference policy instead.
+
+ -- Erich Schubert <erich@debian.org>  Tue, 28 Feb 2006 03:13:51 +0100
+
+refpolicy (20060224-1) sesarge; urgency=low
+
+  * New upstream CVS checkout.
+  * Move policy src from /etc to /usr/share/selinux/refpolicy
+    This avoids an apt-get size limitation and follows Fedora.
+  * Ship edited build.conf with policy source.
+  * Use debhelper for installing documentation.
+  * Add dependency for source onto gawk.
+
+ -- Erich Schubert <erich@debian.org>  Sat, 25 Feb 2006 01:01:44 +0100
+
+refpolicy (20060222-1) sesarge; urgency=low
+
+  * New upstream CVS checkout.
+  * Thomas also provided a workaround for the make issues in his version.
+  * Update dpkg/apt policy to interface renamings
+  * Remove dpkg_script_exec_t, as supporting this would require bad hacks
+    to dpkg and/or tar. Use dpkg_var_lib_t instead.
+
+ -- Erich Schubert <erich@debian.org>  Thu, 23 Feb 2006 02:01:35 +0100
+
+refpolicy (20060217-3) sesarge; urgency=low
+
+  * Create selinux-policy-refpolicy-doc package
+  * DIRECT_INITRC=y
+
+ -- Thomas Bleher <ThomasBleher@gmx.de>  Mon, 20 Feb 2006 23:43:53 +0000
+
+refpolicy (20060217-2) sesarge; urgency=low
+
+  * Added first drafts of dpkg, apt policy
+
+ -- Erich Schubert <erich@debian.org>  Sat, 18 Feb 2006 03:20:59 +0100
+
+refpolicy (20060217-1) sesarge; urgency=low
+
+  * New upstream CVS checkout
+  * Document make incompaibility via build-dep
+  * Don't build some redhat specific policy modules, minor tweaks
+
+ -- Erich Schubert <erich@debian.org>  Tue, 14 Feb 2006 02:35:04 +0100
+
+refpolicy (20060213-1) sesarge; urgency=low
+
+  * New upstream CVS checkout.
+  * Still not really useable
+
+ -- Erich Schubert <erich@debian.org>  Tue, 14 Feb 2006 02:35:04 +0100
+
+refpolicy (20060117-1) sesarge; urgency=low
+
+  * Experimental release
+
+ -- Erich Schubert <erich@debian.org>  Mon, 13 Feb 2006 22:50:03 +0100
+
--- refpolicy-0.0.20070507.orig/debian/example.mk
+++ refpolicy-0.0.20070507/debian/example.mk
@@ -0,0 +1,26 @@
+# installation paths
+
+AWK ?= gawk
+NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
+
+MLSENABLED := $(shell cat /selinux/mls)
+ifeq ($(MLSENABLED),)
+	MLSENABLED := 1
+endif
+
+ifeq ($(MLSENABLED),1)
+	MCSFLAG=-mcs
+endif
+
+ifeq ($(NAME), mls)
+	NAME = strict
+	MCSFLAG = -mls
+endif
+
+TYPE ?= $(NAME)${MCSFLAG}
+
+# This can also be changed to /usr/share/selinux/refpolicy-strict/include
+HEADERDIR := /usr/share/selinux/refpolicy-targeted/include
+include $(HEADERDIR)/Makefile
+
+# arch-tag: 56a0db1b-e624-4696-9882-9b7147b719f9
--- refpolicy-0.0.20070507.orig/debian/policygentool.1
+++ refpolicy-0.0.20070507/debian/policygentool.1
@@ -0,0 +1,100 @@
+.\"                             -*- Mode: Nroff -*- 
+.\" policygentool.1 --- 
+.\" Author           : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com ) 
+.\" Created On       : Mon Feb 26 20:57:11 2007
+.\" Created On Node  : glaurung.internal.golden-gryphon.com
+.\" Last Modified By : Manoj Srivastava
+.\" Last Modified On : Mon Feb 26 23:18:43 2007
+.\" Last Machine Used: glaurung.internal.golden-gryphon.com
+.\" Update Count     : 12
+.\" Status           : Unknown, Use with caution!
+.\" HISTORY          : 
+.\" Description      : 
+.\" 
+.\" Copyright (c) 20077 Manoj Srivastava <srivasta@debian.org>
+.\"
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, write to the Free
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
+.\" USA.
+.\"
+.\" arch-tag: 8236ff3b-4ae2-4591-afa3-298e441e927c
+.\"
+.TH POLICYGENTOOL 1 "Feb 27 2007" "Debian" "Debian GNU/Linux manual"
+.SH NAME
+policygentool \- Interactive SELinux policy generation tool
+.SH SYNOPSIS
+.B policygentool
+.I [options]
+.I <Module Name>
+.I <full path for application binary file>
+.SH DESCRIPTION
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if).  Most of the policy rules
+will be written in the te file.  Use the File Context file to associate file
+paths with security context.  Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+.PP
+The tool prompts for locations of
+.I pidfiles,
+any 
+.I logfiles,
+files in 
+.I /var/lib,
+and any
+.I init scripts,
+and whether any network access is desirable for the application. The
+tool then generates the appropriate policy rules for the module.
+After these files have been generated, the make files for the
+appropriate SELinux policy, namely,
+.I /usr/share/selinux/refpolicy-targeted/include/Makefile
+or
+.I /usr/share/selinux/refpolicy-strict/include/Makefile
+can be used to compile the SELinux policy policy package.  The
+resulting policy package can be loaded using
+.B semodule.
+.PP
+  # /usr/bin/policygentool myapp /usr/bin/myapp
+  # cat >Makefile
+  > HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include
+  > include $(HEADERDIR)/Makefile
+  > ^D
+  # make
+  # semodule -l myapp.pp
+  # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+  # setenforce 0
+  # /etc/init.d/myapp start
+  # audit2allow -R -i /var/log/audit/audit.log
+.SH OPTIONS
+.TP
+.B "-h, --help"
+Print a short usage message.
+.SH FILES
+.PP
+.I myapp.te,
+.I myapp.if,
+.I myapp.fc.
+.SH "SEE ALSO"
+semodule(8),
+check_policy(8),
+load_policy(8).
+.SH BUGS
+None known.
+.SH AUTHOR
+This manual page was written by Manoj Srivastava <srivasta@debian.org>,
+for the Debian GNU/Linux system.
--- refpolicy-0.0.20070507.orig/debian/common/perlvars.mk
+++ refpolicy-0.0.20070507/debian/common/perlvars.mk
@@ -0,0 +1,27 @@
+############################ -*- Mode: Makefile -*- ###########################
+## perlvars.mk --- 
+## Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+## Created On       : Sat Nov 15 02:55:47 2003
+## Created On Node  : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Dec 13 13:50:58 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count     : 3
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : 
+## 
+## arch-tag: a97a01ba-d08d-404d-aa81-572717c03e6c
+## 
+###############################################################################
+
+# Perl variables
+PERL = /usr/bin/perl
+
+INSTALLPRIVLIB  = $(TMPTOP)/$(shell \
+                 perl -e 'use Config; print "$$Config{'installprivlib'}\n";')
+INSTALLARCHLIB  = $(TMPTOP)/$(shell \
+                 perl -e 'use Config; print "$$Config{'installarchlib'}\n";')
+INSTALLVENDORLIB =$(TMPTOP)/$(shell \
+                 perl -e 'use Config; print "$$Config{'vendorlibexp'}\n";')
+CONFIG           = INSTALLDIRS=vendor 
--- refpolicy-0.0.20070507.orig/debian/common/checklibs
+++ refpolicy-0.0.20070507/debian/common/checklibs
@@ -0,0 +1,74 @@
+#! /bin/sh 
+#                               -*- Mode: Sh -*- 
+# checklibs.sh --- 
+# Author           : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com ) 
+# Created On       : Fri Sep 29 15:36:22 2006
+# Created On Node  : glaurung.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Fri Sep 29 22:53:27 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count     : 43
+# Status           : Unknown, Use with caution!
+# HISTORY          : 
+# Description      : 
+# 
+# arch-tag: 8ba11489-77fa-45a0-92c4-9c5b162ee119
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+# 
+
+# Make sure we abort on error
+set -e
+progname="$(basename \"$0\")"
+
+trap 'rm -f search_patterns.txt;' ALRM HUP INT PIPE TERM ABRT FPE BUS QUIT SEGV ILL EXIT
+
+# Find all undefined symbols in all ELF objects in this tree
+readelf -s -D -W $(find . -type f -print0 | xargs -0r  file | grep " ELF" | \
+ awk '{print $1}' | sed -e 's/:$//') | grep UND | grep -v LOCAL |
+  perl -ple 's/.*\s(\S+)\s*$/\^$1\$/g' | sort -u > search_patterns.txt;
+
+# Find all the libraries needed in this tree 
+objdump -T --private-headers $(find . -type f -print0  | xargs -0r file | grep " ELF" | \
+  awk '{print $1}' | sed -e 's/:$//') | grep NEEDED | sort -u | awk '{print $2}' | 
+    while read lib; do
+        # For each library, see where it lives o the file system
+        LIB=
+        for library_dir in "/lib" "/usr/lib" $EXTRA_LIBRARY_PATHS; do
+            if [ -e "$library_dir/$lib" ]; then
+                 LIB="$library_dir/$lib";
+                 break
+            fi
+        done
+        if [ -z "$LIB" ]; then
+            echo >&2 "Can't find $lib"
+            continue
+        fi
+        # If we fond the library, find what symbols it defines, and if these symbols
+        # are some that we need
+        if readelf -s -D -W $LIB | grep -v UND | perl -ple 's/.*\s(\S+)\s*$/$1/g' | \
+            sort -u | grep -q -f search_patterns.txt ; then
+            # Library provides at least some symbols we need
+            if [ -n "$DEBUG" ]; then echo "Found $LIB"; fi
+        else
+            # Library does not provide any symbols we need
+            echo "$LIB" ;
+        fi
+done
+
+# Get rid of the intermediate file
+rm -f search_patterns.txt;
+exit 0
+
--- refpolicy-0.0.20070507.orig/debian/common/copt.mk
+++ refpolicy-0.0.20070507/debian/common/copt.mk
@@ -0,0 +1,34 @@
+############################ -*- Mode: Makefile -*- ###########################
+## copt.mk --- 
+## Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+## Created On       : Sat Nov 15 02:48:40 2003
+## Created On Node  : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Nov 15 02:49:07 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count     : 1
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : 
+## 
+## arch-tag: a0045c20-f1b3-4852-9a4b-1a33ebd7c1b8
+## 
+###############################################################################
+
+CC = cc
+CFLAGS = -O2
+PREFIX    := /usr
+
+# Policy 10.1 says to make this the default
+CFLAGS += -g
+
+## ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+## endif
+
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+  STRIP += -s
+  LDFLAGS += -s
+  INT_INSTALL_TARGET = install 
+else
+  INT_INSTALL_TARGET = install
+endif
--- refpolicy-0.0.20070507.orig/debian/common/debconf.mk
+++ refpolicy-0.0.20070507/debian/common/debconf.mk
@@ -0,0 +1,101 @@
+############################ -*- Mode: Makefile -*- ###########################
+## debconf.mk --- 
+## Author           : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com ) 
+## Created On       : Fri Mar 12 11:11:31 2004
+## Created On Node  : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Mon Apr 11 13:19:10 2005
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count     : 20
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : helps with using debconf
+## 
+## arch-tag: 32b933a9-05ad-4c03-97a8-8644745b832a
+##
+###############################################################################
+
+# The idea behind this scheme is that the maintainer (or whoever's
+# building the package for upload to unstable) has to build on a
+# machine with po-debconf installed, but nobody else does.
+
+# When building with po-debconf, a format 1 (no encoding specifications,
+# woody-compatible) debian/templates file is generated in the clean target
+# and shipped in the source package, but a format 2 (UTF8-encoded,
+# woody-incompatible) debian/templates file is generated in binary-arch
+# for the binary package only.
+
+# When building without po-debconf, the binary package simply reuses the
+# woody-compatible debian/templates file that was produced by the clean
+# target of the maintainer's build.
+
+# Also, make sure that debian/control has ${debconf-depends} in the
+# appropriate Depends: line., and use the following in the binary
+# target:
+#  dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))'
+#
+
+# WARNING!! You need to create the templates.master file before this all works.
+
+ifeq (,$(wildcard /usr/bin/po2debconf))
+ PO2DEBCONF    := no
+ MINDEBCONFVER := 0.5
+else
+ PO2DEBCONF    := yes
+ MINDEBCONFVER := 1.2.0
+endif
+
+
+# Hack for woody compatibility. This makes sure that the
+# debian/templates file shipped in the source package doesn't specify
+# encodings, which woody's debconf can't handle. If building on a
+# system with po-debconf installed the binary-arch target will
+# generate a better version for sarge. Only do this if there is a
+# templates.master, or else the debian/templates file can get
+# damamged. 
+ifeq ($(PO2DEBCONF),yes)
+  ifeq (,$(wildcard debian/templates.master))
+define CREATE_COMPATIBLE_TEMPLATE
+	echo Not modifying templates
+endef
+  else
+define CREATE_COMPATIBLE_TEMPLATE
+	echo 1 > debian/po/output
+	po2debconf debian/templates.master > debian/templates
+	rm -f debian/po/output
+endef
+  endif
+else
+define CREATE_COMPATIBLE_TEMPLATE
+	echo Not modifying templates
+endef
+endif
+
+
+ifeq ($(PO2DEBCONF),yes)
+  ifeq (,$(wildcard debian/templates.master))
+define INSTALL_TEMPLATE
+	echo using old template
+endef
+  else
+define INSTALL_TEMPLATE
+	po2debconf debian/templates.master > debian/templates
+endef
+  endif
+else
+define INSTALL_TEMPLATE
+	echo using old template
+endef
+endif
+
+# the tool podebconf-report-po is also a great friend to have in such
+# circumstances 
+define CHECKPO
+	@for i in debian/po/*.po; do                         \
+	  if [ -f $$i ]; then                        \
+	    echo \"Checking: $$i\";                  \
+	    msgmerge -U $$i debian/po/templates.pot;        \
+	    msgfmt -o /dev/null -c --statistics $$i; \
+	  fi;                                        \
+	done
+endef
--- refpolicy-0.0.20070507.orig/debian/common/targets.mk
+++ refpolicy-0.0.20070507/debian/common/targets.mk
@@ -0,0 +1,362 @@
+############################ -*- Mode: Makefile -*- ###########################
+## targets.mk --- 
+## Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+## Created On       : Sat Nov 15 01:10:05 2003
+## Created On Node  : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Fri Sep 15 12:58:50 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count     : 61
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : The top level targets mandated by policy, as well as
+##                    their dependencies.
+## 
+## arch-tag: a81086a7-00f7-4355-ac56-8f38396935f4
+## 
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+##
+###############################################################################
+
+#######################################################################
+#######################################################################
+###############             Miscellaneous               ###############
+#######################################################################
+#######################################################################
+source diff:
+	@echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
+
+testroot:
+	@test $$(id -u) = 0 || (echo need root priviledges; exit 1)
+
+checkpo:
+	$(CHECKPO)
+
+# arch-buildpackage likes to call this
+prebuild: 
+
+# OK. We have two sets of rules here, one for arch dependent packages,
+# and one for arch independent packages. We have already calculated a
+# list of each of these packages.
+
+# In each set, we may need to do things in five steps: configure,
+# build, install, package, and clean. Now, there can be a common
+# actions to be taken for all the packages, all arch dependent
+# packages, all all independent packages, and each package
+# individually at each stage.
+
+#######################################################################
+#######################################################################
+###############             Configuration               ###############
+#######################################################################
+#######################################################################
+
+# Work here
+CONFIG-common:: testdir
+	$(REASON)
+	$(checkdir)
+
+stamp-arch-conf:  CONFIG-common
+	$(REASON)
+	$(checkdir)
+	@echo done > $@
+stamp-indep-conf: CONFIG-common
+	$(REASON)
+	$(checkdir)
+	@echo done > $@
+
+# Work here
+CONFIG-arch::  stamp-arch-conf
+	$(REASON)
+CONFIG-indep:: stamp-indep-conf
+	$(REASON)
+
+STAMPS_TO_CLEAN += stamp-arch-conf stamp-indep-conf
+# Work here
+$(patsubst %,CONFIG/%,$(DEB_ARCH_PACKAGES))  :: CONFIG/% : CONFIG-arch  
+	$(REASON)
+	$(checkdir)
+$(patsubst %,CONFIG/%,$(DEB_INDEP_PACKAGES)) :: CONFIG/% : CONFIG-indep 
+	$(REASON)
+	$(checkdir)
+
+stamp-configure-arch:  $(patsubst %,CONFIG/%,$(DEB_ARCH_PACKAGES))
+	$(REASON)
+	@echo done > $@
+stamp-configure-indep: $(patsubst %,CONFIG/%,$(DEB_INDEP_PACKAGES))
+	$(REASON)
+	@echo done > $@
+
+configure-arch:  stamp-configure-arch
+	$(REASON)
+configure-indep: stamp-configure-indep
+	$(REASON)
+
+stamp-configure: configure-arch configure-indep
+	$(REASON)
+	@echo done > $@
+
+configure: stamp-configure
+	$(REASON)
+
+STAMPS_TO_CLEAN += stamp-configure-arch stamp-configure-indep stamp-configure
+#######################################################################
+#######################################################################
+###############                 Build                   ###############
+#######################################################################
+#######################################################################
+
+# Work here
+BUILD-common:: testdir
+	$(REASON)
+	$(checkdir)
+
+stamp-arch-build:  BUILD-common $(patsubst %,CONFIG/%,$(DEB_ARCH_PACKAGES))  
+	$(REASON)
+	$(checkdir)
+	@echo done > $@
+stamp-indep-build: BUILD-common $(patsubst %,CONFIG/%,$(DEB_INDEP_PACKAGES)) 
+	$(REASON)
+	$(checkdir)
+	@echo done > $@
+
+STAMPS_TO_CLEAN += stamp-arch-build stamp-indep-build
+# sync. Work here
+BUILD-arch::  stamp-arch-build
+	$(REASON)
+	$(checkdir)
+BUILD-indep:: stamp-indep-build
+	$(REASON)
+	$(checkdir)
+
+# Work here
+$(patsubst %,BUILD/%,$(DEB_ARCH_PACKAGES))  :: BUILD/% : BUILD-arch  
+	$(REASON)
+	$(checkdir)
+$(patsubst %,BUILD/%,$(DEB_INDEP_PACKAGES)) :: BUILD/% : BUILD-indep 
+	$(REASON)
+	$(checkdir)
+
+stamp-build-arch:  $(patsubst %,BUILD/%,$(DEB_ARCH_PACKAGES))
+	$(REASON)
+	@echo done > $@
+stamp-build-indep: $(patsubst %,BUILD/%,$(DEB_INDEP_PACKAGES))
+	$(REASON)
+	@echo done > $@
+
+build-arch:  stamp-build-arch
+	$(REASON)
+build-indep: stamp-build-indep
+	$(REASON)
+
+stamp-build: build-arch build-indep 
+	$(REASON)
+	@echo done > $@
+
+build: stamp-build
+	$(REASON)
+
+# Work here
+POST-BUILD-arch-stamp::
+	$(REASON)
+POST-BUILD-indep-stamp::
+	$(REASON)
+
+STAMPS_TO_CLEAN += stamp-build-arch stamp-build-indep stamp-build
+#######################################################################
+#######################################################################
+###############                Install                  ###############
+#######################################################################
+#######################################################################
+# Work here
+INST-common:: testdir
+	$(checkdir)
+	$(REASON)
+
+stamp-arch-inst: POST-BUILD-arch-stamp INST-common $(patsubst %,BUILD/%,$(DEB_ARCH_PACKAGES))    
+	$(REASON)
+	$(checkdir)
+	@echo done > $@
+stamp-indep-inst: POST-BUILD-indep-stamp INST-common $(patsubst %,BUILD/%,$(DEB_INDEP_PACKAGES)) 
+	$(REASON)
+	$(checkdir)
+	@echo done > $@
+
+STAMPS_TO_CLEAN += stamp-arch-inst stamp-indep-inst
+# sync. Work here
+INST-arch::  stamp-arch-inst
+	$(REASON)
+	$(checkdir)
+INST-indep:: stamp-indep-inst
+	$(REASON)
+	$(checkdir)
+
+# Work here
+$(patsubst %,INST/%,$(DEB_ARCH_PACKAGES))  :: INST/% : testroot INST-arch  
+	$(REASON)
+	$(checkdir)
+$(patsubst %,INST/%,$(DEB_INDEP_PACKAGES)) :: INST/% : testroot INST-indep 
+	$(REASON)
+	$(checkdir)
+
+stamp-install-arch:  $(patsubst %,INST/%,$(DEB_ARCH_PACKAGES))
+	$(REASON)
+	@echo done > $@
+stamp-install-indep: $(patsubst %,INST/%,$(DEB_INDEP_PACKAGES))
+	$(REASON)
+	@echo done > $@
+
+install-arch:  stamp-install-arch
+	$(REASON)
+install-indep: stamp-install-indep
+	$(REASON)
+
+stamp-install: install-indep install-arch
+	$(REASON)
+	@echo done > $@
+
+install: stamp-install
+	$(REASON)
+
+STAMPS_TO_CLEAN += stamp-install stamp-install-arch stamp-install-indep
+#######################################################################
+#######################################################################
+###############                Package                  ###############
+#######################################################################
+#######################################################################
+# Work here
+BIN-common:: testdir testroot 
+	$(REASON)
+	$(checkdir)
+
+stamp-arch-bin:  testdir testroot BIN-common  $(patsubst %,INST/%,$(DEB_ARCH_PACKAGES))
+	$(REASON)
+	$(checkdir)
+	@echo done > $@
+stamp-indep-bin: testdir testroot BIN-common  $(patsubst %,INST/%,$(DEB_INDEP_PACKAGES))
+	$(REASON)
+	$(checkdir)
+	@echo done > $@
+
+STAMPS_TO_CLEAN += stamp-arch-bin stamp-indep-bin
+# sync Work here
+BIN-arch::  testroot  stamp-arch-bin
+	$(REASON)
+	$(checkdir)
+BIN-indep:: testroot  stamp-indep-bin
+	$(REASON)
+	$(checkdir)
+
+# Work here
+$(patsubst %,BIN/%,$(DEB_ARCH_PACKAGES))  :: BIN/% : testroot BIN-arch  
+	$(REASON)
+	$(checkdir)
+$(patsubst %,BIN/%,$(DEB_INDEP_PACKAGES)) :: BIN/% : testroot BIN-indep 
+	$(REASON)
+	$(checkdir)
+
+
+stamp-binary-arch:  $(patsubst %,BIN/%,$(DEB_ARCH_PACKAGES))
+	$(REASON)
+	@echo done > $@
+stamp-binary-indep: $(patsubst %,BIN/%,$(DEB_INDEP_PACKAGES))
+	$(REASON)
+	@echo done > $@
+# required
+binary-arch:  stamp-binary-arch
+	$(REASON)
+binary-indep: stamp-binary-indep
+	$(REASON)
+
+stamp-binary: binary-indep binary-arch
+	$(REASON)
+	@echo done > $@
+
+# required
+binary: stamp-binary
+	$(REASON)
+	@echo arch package   = $(DEB_ARCH_PACKAGES)
+	@echo indep packages = $(DEB_INDEP_PACKAGES)
+
+STAMPS_TO_CLEAN += stamp-binary stamp-binary-arch stamp-binary-indep
+#######################################################################
+#######################################################################
+###############                 Clean                   ###############
+#######################################################################
+#######################################################################
+# Work here
+CLN-common:: testdir 
+	$(REASON)
+	$(checkdir)
+# sync Work here
+CLN-arch::  CLN-common
+	$(REASON)
+	$(checkdir)
+CLN-indep:: CLN-common
+	$(REASON)
+	$(checkdir)
+# Work here
+$(patsubst %,CLEAN/%,$(DEB_ARCH_PACKAGES))  :: CLEAN/% : CLN-arch
+	$(REASON)
+	$(checkdir)
+$(patsubst %,CLEAN/%,$(DEB_INDEP_PACKAGES)) :: CLEAN/% : CLN-indep
+	$(REASON)
+	$(checkdir)
+
+clean-arch:  $(patsubst %,CLEAN/%,$(DEB_ARCH_PACKAGES))
+	$(REASON)
+clean-indep: $(patsubst %,CLEAN/%,$(DEB_INDEP_PACKAGES))
+	$(REASON)
+
+stamp-clean: clean-indep clean-arch
+	$(REASON)
+	$(checkdir)
+	-test -f Makefile && $(MAKE) distclean
+	-rm -f  $(FILES_TO_CLEAN) $(STAMPS_TO_CLEAN)
+	-rm -rf $(DIRS_TO_CLEAN)
+	-rm -f core TAGS                                                     \
+               `find . ! -regex '.*/\.git/.*' ! -regex '.*/\{arch\}/.*'      \
+                       ! -regex '.*/CVS/.*'   ! -regex '.*/\.arch-ids/.*'    \
+                       ! -regex '.*/\.svn/.*'                                \
+                   \( -name '*.orig' -o -name '*.rej' -o -name '*~'       -o \
+                      -name '*.bak'  -o -name '#*#'   -o -name '.*.orig'  -o \
+		      -name '.*.rej' -o -name '.SUMS' -o -size 0 \)          \
+                -print`
+
+clean: stamp-clean
+	$(REASON)
+
+
+#######################################################################
+#######################################################################
+###############                                         ###############
+#######################################################################
+#######################################################################
+
+.PHONY: CONFIG-common  CONFIG-indep  CONFIG-arch  configure-arch  configure-indep  configure     \
+        BUILD-common   BUILD-indep   BUILD-arch   build-arch      build-indep      build         \
+        INST-common    INST-indep    INST-arch    install-arch    install-indep    install       \
+        BIN-common     BIN-indep     BIN-arch     binary-arch     binary-indep     binary        \
+        CLN-common     CLN-indep     CLN-arch     clean-arch      clean-indep      clean         \
+        $(patsubst %,CONFIG/%,$(DEB_INDEP_PACKAGES)) $(patsubst %,CONFIG/%,$(DEB_ARCH_PACKAGES)) \
+        $(patsubst %,BUILD/%, $(DEB_INDEP_PACKAGES)) $(patsubst %,BUILD/%, $(DEB_ARCH_PACKAGES)) \
+        $(patsubst %,INST/%,  $(DEB_INDEP_PACKAGES)) $(patsubst %,INST/%,  $(DEB_ARCH_PACKAGES)) \
+        $(patsubst %,BIN/%,   $(DEB_INDEP_PACKAGES)) $(patsubst %,BIN/%,   $(DEB_ARCH_PACKAGES)) \
+        $(patsubst %,CLEAN/%, $(DEB_INDEP_PACKAGES)) $(patsubst %,CLEAN/%, $(DEB_ARCH_PACKAGES)) \
+        implode explode prebuild checkpo
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-0.0.20070507.orig/debian/common/install_cmds.mk
+++ refpolicy-0.0.20070507/debian/common/install_cmds.mk
@@ -0,0 +1,54 @@
+######################### -*- Mode: Makefile-Gmake -*- ########################
+## install_cmds.mk ---
+## Author           : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+## Created On       : Fri Jun 16 14:40:20 2006
+## Created On Node  : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Wed Sep  6 11:43:05 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count     : 9
+## Status           : Unknown, Use with caution!
+## HISTORY          :
+## Description      :
+##
+## arch-tag: a38b6a93-2539-4034-9060-ae94d5c8a071
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+##
+###############################################################################
+
+# install commands
+install_file   = install -p    -o root -g root -m 644
+install_script = install -p    -o root -g root -m 755
+install_program= install -p    -o root -g root -m 755
+make_directory = install -p -d -o root -g root -m 755
+
+define create_md5sum
+    create_md5sums_fn () {                                         \
+        cd $$1 ;                                                   \
+       find . -type f                                              \
+              ! -regex './DEBIAN/.*'                               \
+              ! -regex './etc/.*'     $(EXTRA_MD5SUM_EXCLUDE)      \
+              -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums ; \
+       if [ -z "DEBIAN/md5sums" ] ; then                           \
+           rm -f "DEBIAN/md5sums" ;                                \
+       fi ;                                                        \
+    } ;                                                            \
+    create_md5sums_fn 
+endef
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-0.0.20070507.orig/debian/common/pkgvars.mk
+++ refpolicy-0.0.20070507/debian/common/pkgvars.mk
@@ -0,0 +1,94 @@
+############################ -*- Mode: Makefile -*- ###########################
+## pkgvars.mk --- 
+## Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+## Created On       : Sat Nov 15 02:56:30 2003
+## Created On Node  : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Thu Jun 15 12:05:46 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count     : 11
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : This is what allows us toseparate out the top level
+##                    targets, by determining which packages needto be built.
+## 
+## arch-tag: 75fcc720-7389-4eaa-a7ac-c556d3eac331
+## 
+## 
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+##
+###############################################################################
+
+# The maintainer information.
+maintainer := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Maintainer: | \
+                sed 's/^Maintainer: *//')
+email := srivasta@debian.org
+
+# Priority of this version (or urgency, as dchanges would call it)
+urgency := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Urgency: | \
+             sed 's/^Urgency: *//')
+
+# Common useful variables
+DEB_SOURCE_PACKAGE := $(strip $(shell egrep '^Source: ' debian/control      |       \
+                                      cut -f 2 -d ':'))
+DEB_VERSION        := $(strip $(shell LC_ALL=C dpkg-parsechangelog          |       \
+                                      egrep '^Version:' | cut -f 2 -d ' '))
+DEB_ISNATIVE       := $(strip $(shell LC_ALL=C dpkg-parsechangelog          |       \
+                       perl -ne 'print if (m/^Version:/g && ! m/^Version:.*\-/);'))
+DEB_DISTRIBUTION  := $(strip $(shell LC_ALL=C dpkg-parsechangelog          |        \
+                                      egrep '^Distribution:' | cut -f 2 -d ' '))
+
+DEB_PACKAGES := $(shell perl -e '                                                    \
+                  $$/="";                                                            \
+                  while(<>){                                                         \
+                     $$p=$$1 if m/^Package:\s*(\S+)/;                                \
+                     die "duplicate package $$p" if $$seen{$$p};                     \
+                     $$seen{$$p}++; print "$$p " if $$p;                             \
+                  }' debian/control )
+
+DEB_INDEP_PACKAGES := $(shell perl -e '                                              \
+                         $$/="";                                                     \
+                         while(<>){                                                  \
+                            $$p=$$1 if m/^Package:\s*(\S+)/;                         \
+                            die "duplicate package $$p" if $$seen{$$p};              \
+                            $$seen{$$p}++;                                           \
+                            $$a=$$1 if m/^Architecture:\s*(\S+)/m;                   \
+                            next unless ($$a eq "all");                              \
+                            print "$$p " if $$p;                                     \
+                         }' debian/control )
+
+DEB_ARCH_PACKAGES := $(shell perl -e '                                               \
+                         $$/="";                                                     \
+                         while(<>){                                                  \
+                            $$p=$$1 if m/^Package:\s*(\S+)/;                         \
+                            die "duplicate package $$p" if $$seen{$$p};              \
+                            $$seen{$$p}++;                                           \
+                            $$c="";                                                  \
+	                    if (/^Architecture:\s*(.*?)\s*$$/sm) {                   \
+                              @a = split /\s+/, $$1 };                               \
+	                      for my $$b (@a) {                                      \
+                                next unless ($$b eq "$(DEB_HOST_ARCH)" ||            \
+                                             $$b eq "any");                          \
+                                $$c="$$p";                                           \
+                            }                                                        \
+                            print "$$c " if $$c;                                     \
+                         }' debian/control )
+
+# This package is what we get after removing the psuedo dirs we use in rules
+package = $(notdir $@)
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-0.0.20070507.orig/debian/common/ChangeLog
+++ refpolicy-0.0.20070507/debian/common/ChangeLog
@@ -0,0 +1,28 @@
+2006-10-02  Manoj Srivastava  <srivasta@debian.org>
+
+	* checklibs:
+		  srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-15
+		  New file, to detect if there are unneeded library
+		  dependencies
+
+2006-10-01  Manoj Srivastava  <srivasta@debian.org>
+
+	* archvars.mk (doit):
+		  srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-14
+		  Add a macro to execute $(shell ...) macos verbosely to
+		  help debugging.
+
+2006-09-15  Manoj Srivastava  <srivasta@debian.org>
+
+	* targets.mk (stamp-clean):
+		  srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-13
+		  Exclude version control directories from the generic
+		  clean command.
+
+
+2006-08-23  Manoj Srivastava  <srivasta@debian.org>
+
+	* pkgvars.mk (DEB_DISTRIBUTION):
+		  srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-6
+		  Add variable that contains the distribution information 
+
--- refpolicy-0.0.20070507.orig/debian/common/automake.mk
+++ refpolicy-0.0.20070507/debian/common/automake.mk
@@ -0,0 +1,37 @@
+############################ -*- Mode: Makefile -*- ###########################
+## automake.mk --- 
+## Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+## Created On       : Sat Nov 15 02:47:23 2003
+## Created On Node  : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Nov 15 02:47:53 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count     : 1
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : 
+## 
+## arch-tag: 1fabe69b-7cc8-4ecc-9411-bc5906b19857
+## 
+###############################################################################
+
+AUTOCONF_VERSION:=$(shell if [ -e configure ]; then                       \
+                       grep "Generated automatically using autoconf"      \
+                       configure | sed -e 's/^.*autoconf version //g';    \
+                      fi)
+HAVE_NEW_AUTOMAKE:=$(shell if [ "X$(AUTOCONF_VERSION)" != "X2.13" ]; then \
+                             echo 'YES' ; fi)
+
+ifneq ($(strip $(HAVE_NEW_AUTOMAKE)),)
+  ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+       confflags += --build $(DEB_BUILD_GNU_TYPE) 
+  else
+       confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+  endif
+else
+  ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+       confflags += $(DEB_HOST_GNU_TYPE)
+  else
+       confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+  endif
+endif
--- refpolicy-0.0.20070507.orig/debian/common/archvars.mk
+++ refpolicy-0.0.20070507/debian/common/archvars.mk
@@ -0,0 +1,118 @@
+############################ -*- Mode: Makefile -*- ###########################
+## archvars.mk --- 
+## Author           : Manoj Srivastava ( srivasta@golden-gryphon.com ) 
+## Created On       : Sat Nov 15 02:40:56 2003
+## Created On Node  : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Tue Nov 16 23:36:15 2004
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count     : 5
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : calls dpkg-architecture and sets up various arch
+##                    related variables
+## 
+## arch-tag: e16dd848-0fd6-4c0e-ae66-bef20d1f7c63
+## 
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+##
+###############################################################################
+
+
+DPKG_ARCH := dpkg-architecture
+
+ifeq ($(strip $(KPKG_ARCH)),um)
+  MAKING_VIRTUAL_IMAGE:=YES
+endif
+ifeq ($(strip $(KPKG_ARCH)),xen)
+  MAKING_VIRTUAL_IMAGE:=YES
+endif
+
+ifneq ($(strip $(CONFIG_UM)),)
+  MAKING_VIRTUAL_IMAGE:=YES
+  KPKG_ARCH=um
+endif
+
+ifneq ($(strip $(CONFIG_XEN)),)
+  MAKING_VIRTUAL_IMAGE:=YES
+  ifneq ($(strip $(CONFIG_X86_XEN)$(CONFIG_X86_64_XEN)),)
+    KPKG_SUBARCH=xen
+  else
+    KPKG_ARCH=xen
+    ifeq ($(strip $(CONFIG_XEN_PRIVILEGED_GUEST)),)
+      KPKG_SUBARCH=xenu
+    else
+      KPKG_SUBARCH=xen0
+    endif
+  endif
+endif
+
+ifdef KPKG_ARCH
+  ifeq ($(strip $(MAKING_VIRTUAL_IMAGE)),)
+    ifneq ($(CROSS_COMPILE),-)
+      ha:=-a$(KPKG_ARCH)
+    endif
+  endif
+endif
+
+# set the dpkg-architecture vars
+export DEB_BUILD_ARCH      := $(shell $(DPKG_ARCH)       -qDEB_BUILD_ARCH)
+export DEB_BUILD_GNU_CPU   := $(shell $(DPKG_ARCH)       -qDEB_BUILD_GNU_CPU)
+export DEB_BUILD_GNU_SYSTEM:= $(shell $(DPKG_ARCH)       -qDEB_BUILD_GNU_SYSTEM)
+export DEB_BUILD_GNU_TYPE  := $(shell $(DPKG_ARCH)       -qDEB_BUILD_GNU_TYPE)
+export DEB_HOST_ARCH       := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH)
+export DEB_HOST_ARCH_OS    := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH_OS      \
+                                2>/dev/null|| true)
+export DEB_HOST_ARCH_CPU   := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH_CPU     \
+                                2>/dev/null|| true)
+export DEB_HOST_GNU_CPU    := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_CPU)
+export DEB_HOST_GNU_SYSTEM := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_SYSTEM)
+export DEB_HOST_GNU_TYPE   := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_TYPE)
+
+# arrgh. future proofing
+ifeq ($(DEB_HOST_GNU_SYSTEM), linux)
+  DEB_HOST_GNU_SYSTEM=linux-gnu
+endif
+ifeq ($(DEB_HOST_ARCH_OS),)
+  ifeq ($(DEB_HOST_GNU_SYSTEM), linux-gnu)
+    DEB_HOST_ARCH_OS := linux
+  endif
+  ifeq ($(DEB_HOST_GNU_SYSTEM), kfreebsd-gnu)
+    DEB_HOST_ARCH_OS := kfreebsd
+  endif
+endif
+
+REASON = @if [ -f $@ ]; then \
+ echo "====== making $(notdir $@) because of $(notdir $?) ======";\
+ else \
+   echo "====== making target $@ [new prereqs: $(notdir $?)]======"; \
+ fi
+
+OLDREASON = @if [ -f $@ ]; then \
+ echo "====== making $(notdir $@) because of $(notdir $?) ======";\
+ else \
+   echo "====== making (creating) $(notdir $@) ======"; \
+ fi
+
+LIBREASON = @echo "====== making $(notdir $@)($(notdir $%))because of $(notdir $?)======"
+
+
+# macro outputing $(1) if DEBUG_DEBIAN_RULES is set, and resolving it
+# in all cases usage $(call doit,some shell command)
+doit = $(if $(DEBUG_DEBIAN_RULES),$(warning DEBUG: $(1)))$(shell $(1))
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-0.0.20070507.orig/debian/example.fc
+++ refpolicy-0.0.20070507/debian/example.fc
@@ -0,0 +1,8 @@
+# myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/sbin/myapp		--	gen_context(system_u:object_r:myapp_exec_t,s0)
+
+# arch-tag: 883e01c8-54bc-4083-83b5-61be97c970fb
--- refpolicy-0.0.20070507.orig/debian/postinst.policy
+++ refpolicy-0.0.20070507/debian/postinst.policy
@@ -0,0 +1,260 @@
+#! /usr/bin/perl
+#                              -*- Mode: Cperl -*-
+# postinst.pl ---
+# Author           : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+# Created On       : Mon Aug 21 01:14:21 2006
+# Created On Node  : glaurung.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Mon May  7 11:10:26 2007
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count     : 32
+# Status           : Unknown, Use with caution!
+# HISTORY          :
+# Description      :
+#
+# arch-tag: 69c85425-4822-4b17-bb54-3b2d22e76687
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+#
+#use strict; #for debugging
+use Cwd 'abs_path';
+$|=1;
+
+# Ignore all invocations except when called on to configure.
+exit 0 if $ARGV[0] =~ /abort-upgrade/;
+exit 0 if $ARGV[0] =~ /abort-remove/;
+exit 0 if $ARGV[0] =~ /abort-deconfigure/;
+exit 0 unless $ARGV[0] =~ /configure/;
+
+my $type        = '=T';
+my $package_name= "selinux-policy-refpolicy-$type";
+my $policy_name = "refpolicy-$type";
+my $basedir     = "/etc/selinux/$policy_name";
+my $src_dir     = "/usr/share/selinux/$policy_name";
+
+# List of all the modules in the policy
+my @all_modules;
+# Full path of all modules in the policy
+my %Module_Path;
+# Dpendencies for policy modules, as determined by semodule_deps
+my %Deps;
+# A hash of all modules already processed
+my %Seen;
+# A hash of all packages installed on this machine
+my %Installed;
+# Policy modules in dependency order (subset of all modules in policy)
+my @ordered;
+# A list of modules already scheduled to be laoded
+my %Loaded;
+# and the order in which the modules should be loaded into policy.
+my @load_order;
+# A mapping of policy modules to Debian package names.
+my %map = (
+           'amavis'        => [ 'amavisd-new' ],
+           'apache'        => [ 'apache*' ],
+           'apm'           => [ 'acpid' ],
+           'automount'     => [ 'autofs*' ],
+           'avahi'         => [ 'avahi-*' ],
+           'bind'          => [ 'bind9' ],
+#           'bootloader'    => [ 'grub', 'lilo' ],
+           'cdrecord'      => [ 'wodim' ],
+           'courier'       => [ 'courier*' ],
+           'cups'          => [ 'cupsys*' ],
+           'cyrus'         => [ 'cyrus*' ],
+           'dhcp'          => [ 'dhcp*', 'dhclient*', 'pump' ],
+           'finger'        => [ 'finger', '*fingerd' ],
+           'ftp'           => [ 'ftp', '*ftpd' ],
+           'gpg'           => [ 'gnupg' ],
+           'hwclock'       => [ 'util-linux' ],
+           'inetd'         => [ '*-inetd', 'openbsd-inetd', 'netkit-inetd', 'rinetd', 'rlinetd', 'xinetd' ],
+           'java'          => [ 'sun-java5*', 'cacao', 'gcj*', 'gij*', 'kaffe*',
+                                'java*', 'jvm*', 'jre*', 'jsdk*' ],
+           'ldap'          => [ 'slapd' ],
+           'lpd'           => [ 'lprng', 'rlpr' ],
+           'loadkeys'      => [ 'console-tools' ],
+           'mono'          => [ 'mono*' ],
+           'munin'         => [ 'munin-node' ],
+           'mysql'         => [ 'mysql-server', 'mysql-server*' ],
+           'mozilla'       => [ 'mozilla-browser', 'firefox', 'galeon',
+                                'mozilla-*', 'firefox*', 'epiphany-browser' ],
+           'netutils'      => [ 'arping', 'nmap', '*-ping', 'traceroute*' ],
+           'pythonsupport' => [ 'python-support' ],
+           'radius'        => [ 'freeradius*', 'radiusd*' ],
+           'raid'          => [ 'mdadm' ],
+           'rpc'           => [ 'nfs-common', 'nfs-kernel-server' ],
+           'sasl'          => [ 'libsasl2' ],
+           'ssh'           => [ 'openssh*' ],
+#           'su'            => [ 'login' ],
+           'sysstat'       => [ 'atsar' ],
+           'telnet'        => [ 'telnet', '*telnetd*' ],
+           'uml'           => [ 'linux-uml*' ],
+           'uptime'        => [ 'uptimed' ],
+           'usbmodules'    => [ 'usbutils' ],
+#           'usermanage'    => [ 'passwd' ],
+           'xserver'       => [ 'gdm', 'kdm', 'xdm', 'xserver*' ]
+          );
+
+#  List all th modules, except the base module, in the policy
+#  directory. This sets @all_modules and %Module_Path
+sub list_modules {
+  my $src_dir = shift;
+  print STDERR "Locating modules\n";
+  opendir(DIR, $src_dir) || die "can't opendir $src_dir: $!";
+
+  @all_modules = grep { ! m/^base\.pp$/ && m/\.pp/ && -f "$src_dir/$_" }
+    readdir(DIR);
+  %Module_Path = map { +"$src_dir/$_" => 0 } @all_modules;
+  closedir DIR;
+}
+
+# Using the hash array %Module_Path created in the last step, run
+# semodule_deps to get the dependency relationships. This creates the
+# %Deps dependency hash.
+sub get_dependencies {
+  my $src_dir = shift;
+  print STDERR "Calculating dependencies between modules\n";
+  open(COMMAND, '-|', "semodule_deps -g  $src_dir/base.pp " .
+       join(' ', keys %Module_Path)) || die "Could not run semodule_deps";
+  while (<COMMAND>) {
+    chomp;
+    next unless m/\-\>/;
+    next unless m/\s*(\S+)\s*\-\>\s*(\S+)\s*$/;
+    if (defined $Deps{$1}) {
+      $Deps{$1} = "$Deps{$1} $2";
+    }
+    else {
+      $Deps{$1} = $2;
+    }
+  }
+  close COMMAND;
+}
+
+# In this step, use the dependecy hash %Deps created in the last step,
+# and feed the information to tsort to get an ordered list of
+# modules. This creates the array @ordered
+sub get_ordering {
+  print STDERR "Ordering modules based on dependencies\n";
+  my $tempfile=`tempfile -p tsrt -m 0600`;
+  open(SORT, "| tsort > $tempfile") || die "can't open pipe to tsort: $!";
+  for my $pkg (keys %Deps) {
+    for my $dep (split(/ /, $Deps{$pkg})) {
+      print SORT "$dep $pkg\n";
+    }
+  }
+  close SORT;
+
+  open(RESULTS, $tempfile) || die "can't read $tempfile: $!";
+  while (<RESULTS>) {
+    chomp;
+    push @ordered, $_;
+  }
+  unlink $tempfile;
+  close RESULTS;
+}
+
+my @Load_Order;
+# Cycle over all the modules installed, starting with the dependency
+# ordered modules, taking care that we only look at a module once. For
+# each module, we look to see a mapping ogf the packages that need
+# this policy module. We then query dpkg to see if any of the package
+# patterns that are associated with a policy module are installed on
+# this system, if so, we schedule the module to be loaded, ensuring
+# that the dependent policy modules are also targeted for installation
+# before the current module is installed. This creates the Seen hash,
+# and the Load_Order array, as well as the Loaded hash.
+sub installed_modules {
+  print STDERR "Selecting modules based on installed packages\n";
+
+  # This suggestion from Alexander Bürger <buerger@iskp.uni-bonn.de>
+  open( my $PACKAGES, "dpkg-query -W |" )
+    or die("Cannot run 'dpkg-query -W'. $!");
+  while( my $p = <$PACKAGES> ) {
+    $Installed{$1} = $2 if( $p =~ /^(.*)\t(.+)$/ );
+  }
+ close($PACKAGES) or die("Could not close pipe.");
+
+  foreach my $module (@ordered, @all_modules) {
+    $module =~ s/\.pp$//o;
+
+    next if $Seen{$module};
+    $Seen{$module}++;
+
+    if (! defined $map{$module}) { $map{$module} = [ $module ]; }
+
+  PACKAGE:
+    for my $pkg (@{ $map{$module} }) {
+      if ($Installed{$pkg}) {
+        if (defined $Deps{$module}) {
+          for my $dep (split(' ', $Deps{$module})) {
+            next if $Loaded{$dep};
+            if (-e "${src_dir}/${dep}.pp") {
+              push @Load_Order, $dep;
+              $Loaded{$dep}++
+            }
+            else {
+              print STDERR "Could not find ${src_dir}/${dep}.pp\n";
+              print STDERR "which is required for module ${module}.pp\n";
+              print STDERR "Assuming ${dep}.pp is built into base.pp\n";
+            }
+          }
+        }
+        push @Load_Order, $module;
+        $Loaded{$module}++;
+        last PACKAGE;
+      }
+    }
+  }
+}
+
+sub main {
+  if (-e "$basedir/modules/active/base.pp" ) {
+    print STDERR "You already have a $policy_name policy installed.\n";
+    print STDERR "I am leaving it alone. Please check and update manually.\n";
+  }
+  elsif (-e "$src_dir/base.pp") {
+    print STDERR "Notice: Trying to link (but not load) a $policy_name policy.\n";
+    print STDERR "This process may fail -- you should check the results, and \n";
+    print STDERR "you need to switch to this policy yourself anyway.\n\n";
+    &list_modules("$src_dir");
+    &get_dependencies("$src_dir");
+    &get_ordering();
+    &installed_modules();
+    if (system("semodule -b $src_dir/base.pp -s $policy_name -n ") == 0) {
+      print STDERR "Loaded base policy\n";
+      for my $mod (@Load_Order) {
+        if (system("semodule -i $src_dir/${mod}.pp -s $policy_name -n ") == 0) {
+          print STDERR "Loaded module ${mod}.pp\n";
+        }
+        else {
+          print STDERR "Failed to load module ${mod}.pp\n";
+        }
+      }
+    }
+    else {
+      print STDERR "Could not load $src_dir/base.pp for $policy_name.\n";
+      print STDERR "Failed to load base policy, please load policy manually.\n";
+    }
+  }
+  else {
+    print STDERR ".\n";
+  }
+}
+
+&main;
+
+exit 0;
+
+__END__
--- refpolicy-0.0.20070507.orig/debian/example.te
+++ refpolicy-0.0.20070507/debian/example.te
@@ -0,0 +1,30 @@
+
+policy_module(myapp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t;
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t)
+
+type myapp_log_t;
+logging_log_file(myapp_log_t)
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file ra_file_perms;
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
+
+# arch-tag: 5a574a9f-92ea-4cc2-becb-9715b6107d1b
--- refpolicy-0.0.20070507.orig/debian/doc.postinst
+++ refpolicy-0.0.20070507/debian/doc.postinst
@@ -0,0 +1,218 @@
+#! /bin/sh
+#                           -*- Mode: Sh -*- 
+# postinst --- 
+# Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+# Created On       : Fri Nov 14 11:25:07 2003
+# Created On Node  : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 16:26:45 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count     : 16
+# Status           : Unknown, Use with caution!
+# HISTORY          : 
+# Description      : 
+# 
+# arch-tag: 4e408b9c-d423-4177-b8a3-2d7b4fe51af7
+#  
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# 
+
+# Abort if any command returns an error value
+set -e
+
+package_name=selinux-policy-refpolicy-doc
+
+if [ -z "$package_name" ]; then
+    print >&2 "Internal Error. Please report a bug."
+    exit 1;
+fi
+
+# This script is called as the last step of the installation of the
+# package.  All the package's files are in place, dpkg has already done
+# its automatic conffile handling, and all the packages we depend of
+# are already fully installed and configured.
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <old-postinst> abort-remove  # if prerm fails during removal
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+
+# The following idempotent stuff doesn't generally need protecting
+# against being run in the abort-* cases.
+
+# Install info files into the dir file
+#install-info --quiet --section "Development" "Development" \
+# --description="The GNU make utility."  /usr/share/info/$package_name.info.gz
+
+# Create stub directories under /usr/local
+##: if test ! -d /usr/local/lib/${package_name}; then
+##:   if test ! -d /usr/local/lib; then
+##:     if mkdir /usr/local/lib; then
+##:       chown root.staff /usr/local/lib || true
+##:       chmod 2775 /usr/local/lib || true
+##:     fi
+##:   fi
+##:   if mkdir /usr/local/lib/${package_name}; then
+##:     chown root.staff /usr/local/lib/${package_name} || true
+##:     chmod 2775 /usr/local/lib/${package_name} || true
+##:   fi
+##: fi
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+# Arrange for a daemon to be started at system boot time
+##: update-rc.d ${package_name} default >/dev/null
+
+case "$1" in
+  configure)
+    # Configure this package.  If the package must prompt the user for
+    # information, do it here.
+    # Install emacs lisp files
+    ##:if [ -x  /usr/lib/emacsen-common/emacs-package-install ]; then
+    ##:    /usr/lib/emacsen-common/emacs-package-install $package_name
+    ##:fi
+
+
+    # Activate menu-methods script
+    ##: chmod a+x /etc/menu-methods/${package_name}
+
+    # Update ld.so cache
+    ##: ldconfig
+
+    # Make our version of a program available
+    ##: update-alternatives \
+    ##:       --install /usr/bin/program program /usr/bin/alternative 50 \
+    ##:       --slave /usr/man/man1/program.1.gz program.1.gz \
+    ##:               /usr/man/man1/alternative.1.gz
+
+    # Tell ucf that the file in /usr/share/foo is the latest
+    # maintainer version, and let it handle how to manage the real
+    # confuguration file in /etc. This is how a static configuration
+    # file can be handled:
+    ##:if which ucf >/dev/null 2>&1; then
+    ##:  ucf /usr/share/${package_name}/configuration /etc/${package_name}.conf
+    ##:fi
+
+    ### We could also do this on the fly. The following is from Tore
+    ### Anderson:
+    
+    #. /usr/share/debconf/confmodule
+
+    ### find out what the user answered.
+    #  db_get foo/run_on_boot
+    #  run_on_boot=$RET
+    #  db_stop
+
+    ### safely create a temporary file to generate our suggested
+    ### configuration file.
+    #    tempfile=`tempfile`
+    #    cat << _eof > $tempfile
+    ### Configuration file for Foo.
+
+    ### this was answered by you, the user in a debconf dialogue
+    #  RUNONBOOT=$run_on_boot
+
+    ### this was not, as it has a sane default value.
+    #  COLOUROFSKY=blue
+
+    #_eof
+
+    ### Note that some versions of debconf do not release stdin, so
+    ### the following invocation of ucf may not work, since the stdin
+    ### is never coneected to ucfr.
+
+    ### now, invoke ucf, which will take care of the rest, and ask
+    ### the user if he wants to update his file, if it is modified.
+    #ucf $tempfile /etc/foo.conf
+
+    ### done! now we'll just clear up our cruft.
+    #rm -f $tempfile
+
+
+
+    # There are three sub-cases:
+    if test "${2+set}" != set; then
+      # We're being installed by an ancient dpkg which doesn't remember
+      # which version was most recently configured, or even whether
+      # there is a most recently configured version.
+      :
+
+    elif test -z "$2" || test "$2" = "<unknown>"; then
+      # The package has not ever been configured on this system, or was
+      # purged since it was last configured.
+      :
+
+    else
+      # Version $2 is the most recently configured version of this
+      # package.
+      :
+
+    fi ;;
+  abort-upgrade)
+    # Back out of an attempt to upgrade this package FROM THIS VERSION
+    # to version $2.  Undo the effects of "prerm upgrade $2".
+    :
+
+    ;;
+  abort-remove)
+    if test "$2" != in-favour; then
+      echo "$0: undocumented call to \`postinst $*'" 1>&2
+      exit 0
+    fi
+    # Back out of an attempt to remove this package, which was due to
+    # a conflict with package $3 (version $4).  Undo the effects of
+    # "prerm remove in-favour $3 $4".
+    :
+
+    ;;
+  abort-deconfigure)
+    if test "$2" != in-favour || test "$5" != removing; then
+      echo "$0: undocumented call to \`postinst $*'" 1>&2
+      exit 0
+    fi
+    # Back out of an attempt to deconfigure this package, which was
+    # due to package $6 (version $7) which we depend on being removed
+    # to make way for package $3 (version $4).  Undo the effects of
+    # "prerm deconfigure in-favour $3 $4 removing $6 $7".
+    :
+
+    ;;
+  *) echo "$0: didn't understand being called with \`$1'" 1>&2
+     exit 0;;
+esac
+
+# Install doc base documentation
+if which install-docs >/dev/null 2>&1; then
+  if [ -e /usr/share/doc-base/${package_name} ]; then
+    install-docs -i /usr/share/doc-base/${package_name}
+  fi
+fi
+
+exit 0
--- refpolicy-0.0.20070507.orig/debian/rules
+++ refpolicy-0.0.20070507/debian/rules
@@ -0,0 +1,63 @@
+#! /usr/bin/make -f
+############################ -*- Mode: Makefile; coding: utf-8 -*- ###########################
+## rules --- 
+## Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+## Created On       : Fri Nov 14 12:33:34 2003
+## Created On Node  : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Tue Nov 18 17:46:22 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count     : 70
+## Status           : Unknown, Use with caution!
+## HISTORY          : 
+## Description      : 
+## 
+## arch-tag: 9a5063f4-1e20-4fff-b22a-de94c1e3d954
+## 
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+##
+###############################################################################
+
+# Include dpkg-architecture generated variables
+include debian/common/archvars.mk
+
+# Set variables with information extracted from control and changelog files
+include debian/common/pkgvars.mk
+
+# variables useful for perl packages
+include debian/common/perlvars.mk
+
+# Install commands
+include debian/common/install_cmds.mk
+
+include debian/local-vars.mk
+
+include debian/common/copt.mk
+
+include debian/common/automake.mk
+
+
+
+all:
+	@echo nothing to be done
+
+include debian/common/targets.mk
+
+include debian/local.mk
+
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-0.0.20070507.orig/debian/strict.postrm
+++ refpolicy-0.0.20070507/debian/strict.postrm
@@ -0,0 +1,176 @@
+#! /bin/sh
+#                               -*- Mode: Sh -*- 
+# postrm --- 
+# Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+# Created On       : Fri Nov 14 12:22:20 2003
+# Created On Node  : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 20:52:23 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count     : 11
+# Status           : Unknown, Use with caution!
+# HISTORY          : 
+# Description      : 
+# 
+# arch-tag: 56802d51-d980-4822-85c0-28fce19ed430
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+# 
+
+
+# Abort if any command returns an error value
+set -e
+
+TYPE=strict
+package_name=selinux-policy-refpolicy-$TYPE
+POLICYNAME=refpolicy-$TYPE
+BASEDIR=/etc/selinux/$POLICYNAME
+
+
+if [ -z "$package_name" ]; then
+    print >&2 "Internal Error. Please report a bug."
+    exit 1;
+fi
+
+# This script is called twice during the removal of the package; once
+# after the removal of the package's files from the system, and as
+# the final step in the removal of this package, after the package's
+# conffiles have been removed.
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+case "$1" in
+  remove)
+    # This package is being removed, but its configuration has not yet
+    # been purged.
+    :
+
+    # Remove diversion
+    ##: dpkg-divert --package ${package_name} --remove --rename \
+    ##:             --divert /usr/bin/other.real /usr/bin/other
+
+    # ldconfig is NOT needed during removal of a library, only during
+    # installation
+
+    ;;
+  purge)
+    # This package has previously been removed and is now having
+    # its configuration purged from the system.
+    :
+
+    # we mimic dpkg as closely as possible, so we remove configuration
+    # files with dpkg backup extensions too:
+    ### Some of the following is from Tore Anderson:
+    ##: for ext in '~' '%' .bak .dpkg-tmp .dpkg-new .dpkg-old .dpkg-dist;  do
+    ##:     rm -f /etc/${package_name}.conf$ext
+    ##: done
+ 
+    # remove the configuration file itself
+    ##: rm -f /etc/${package_name}.conf
+    rm -rf "$BASEDIR"
+
+    # and finally clear it out from the ucf database
+    ##: ucf --purge /etc/${package_name}.conf
+
+    # Remove symlinks from /etc/rc?.d
+    ##: update-rc.d ${package_name} remove >/dev/null
+
+    ##: if [ -e /usr/share/debconf/confmodule ]; then
+    ##:     # Purge this package's data from the debconf database.
+    ##:     . /usr/share/debconf/confmodule
+    ##:     db_purge
+    ##: fi
+
+    # This package has previously been removed and is now having
+    # its configuration purged from the system. 
+    ##: for flavour in emacs20 emacs21; do
+    ##:     STARTDIR=/etc/$flavour/site-start.d;
+    ##:     STARTFILE="${package_name}-init.el";
+    ##:     if [ -e "$STARTDIR/20$STARTFILE" ]; then
+    ##:         rm -f "$STARTDIR/20$STARTFILE"
+    ##:     fi
+    ##: done
+
+    ;;
+  disappear)
+    if test "$2" != overwriter; then
+      echo "$0: undocumented call to \`postrm $*'" 1>&2
+      exit 0
+    fi
+    # This package has been completely overwritten by package $3
+    # (version $4).  All our files are already gone from the system.
+    # This is a special case: neither "prerm remove" nor "postrm remove"
+    # have been called, because dpkg didn't know that this package would
+    # disappear until this stage.
+    :
+
+    ;;
+  upgrade)
+    # About to upgrade FROM THIS VERSION to version $2 of this package.
+    # "prerm upgrade" has been called for this version, and "preinst
+    # upgrade" has been called for the new version.  Last chance to
+    # clean up.
+    :
+
+    ;;
+  failed-upgrade)
+    # About to upgrade from version $2 of this package TO THIS VERSION.
+    # "prerm upgrade" has been called for the old version, and "preinst
+    # upgrade" has been called for this version.  This is only used if
+    # the previous version's "postrm upgrade" couldn't handle it and
+    # returned non-zero. (Fix old postrm bugs here.)
+    :
+
+    ;;
+  abort-install)
+    # Back out of an attempt to install this package.  Undo the effects of
+    # "preinst install...".  There are two sub-cases.
+    :
+
+    if test "${2+set}" = set; then
+      # When the install was attempted, version $2's configuration
+      # files were still on the system.  Undo the effects of "preinst
+      # install $2".
+      :
+
+    else
+      # We were being installed from scratch.  Undo the effects of
+      # "preinst install".
+      :
+
+    fi ;;
+  abort-upgrade)
+    # Back out of an attempt to upgrade this package from version $2
+    # TO THIS VERSION.  Undo the effects of "preinst upgrade $2".
+    :
+
+    ;;
+  *) echo "$0: didn't understand being called with \`$1'" 1>&2
+     exit 0;;
+esac
+
+exit 0
--- refpolicy-0.0.20070507.orig/debian/control
+++ refpolicy-0.0.20070507/debian/control
@@ -0,0 +1,147 @@
+Source: refpolicy
+XS-VCS-Arch: http://arch.debian.org/arch/private/srivasta/grab/refpolicy
+XS-VCS-Browse: http://arch.debian.org/cgi-bin/archzoom.cgi/srivasta@debian.org--lenny/refpolicy?expand
+Priority: optional
+Section: admin
+Maintainer: Manoj Srivastava <srivasta@debian.org>
+Uploaders: Erich Schubert <erich@debian.org>
+Standards-Version: 3.7.2.0
+Build-Depends: policycoreutils (>= 2.0.16), checkpolicy (>= 2.0.2), python, m4, bzip2, gawk
+
+Package: selinux-policy-refpolicy-strict
+Architecture: all
+Depends: policycoreutils, libpam-modules (>= 0.77-0.se5), python, libselinux1 (>= 2.0.7)
+Recommends: checkpolicy, setools
+Suggests: logcheck, syslog-summary
+Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1), selinux, procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1), selinux-policy-default
+Description: Strict variant of the SELinux reference policy
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+  + Strong Modularity
+  + Clearly stated security Goals
+  + Documentation
+  + Development Tool Support
+  + Forward Looking
+  + Configurability
+  + Flexible Base Policy
+  + Application Policy Variations
+  + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This is the strict variant of the reference policy. This provides 
+ the highest level of security, but may not be complete yet.
+
+Package: selinux-policy-refpolicy-targeted
+Architecture: all
+Depends: policycoreutils, libpam-modules (>= 0.77-0.se5), python, libselinux1 (>= 2.0.7)
+Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1), selinux, procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1), selinux-policy-default
+Recommends: checkpolicy, setools
+Suggests: logcheck, syslog-summary
+Description: Targeted variant of the SELinux reference policy
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+  + Strong Modularity
+  + Clearly stated security Goals
+  + Documentation
+  + Development Tool Support
+  + Forward Looking
+  + Configurability
+  + Flexible Base Policy
+  + Application Policy Variations
+  + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This is the targeted variant of the reference policy.  In this
+ variation, most of the system remain untouched, apart from a few
+ targeted inter-net facing daemons, which are tightly sand boxed.
+
+
+Package: selinux-policy-refpolicy-src
+Architecture: all
+Depends: python, policycoreutils, checkpolicy (>= 2.0.2), gawk
+Conflicts: selinux-policy-default
+Recommends: setools
+Suggests: logcheck, syslog-summary
+Description: Source of the SELinux reference policy for customization
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+  + Strong Modularity
+  + Clearly stated security Goals
+  + Documentation
+  + Development Tool Support
+  + Forward Looking
+  + Configurability
+  + Flexible Base Policy
+  + Application Policy Variations
+  + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This is the source of the policy, provided so that local variations of
+ SELinux policy may be created.
+
+Package: selinux-policy-refpolicy-dev
+Architecture: all
+Depends: python, policycoreutils, checkpolicy (>= 2.0.2), gawk
+Recommends: setools
+Description: Headers from the SELinux reference policy for building modules
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+  + Strong Modularity
+  + Clearly stated security Goals
+  + Documentation
+  + Development Tool Support
+  + Forward Looking
+  + Configurability
+  + Flexible Base Policy
+  + Application Policy Variations
+  + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This package provides header files for building your own SELinux
+ policy packages compatible with official policy packages.
+
+Package: selinux-policy-refpolicy-doc
+Architecture: all
+Section: doc
+Description: Documentation for the SELinux reference policy
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+  + Strong Modularity
+  + Clearly stated security Goals
+  + Documentation
+  + Development Tool Support
+  + Forward Looking
+  + Configurability
+  + Flexible Base Policy
+  + Application Policy Variations
+  + Multi-Level Security
+ Homepage: http://serefpolicy.sourceforge.net/
+ .
+ This package contains the documentation for the reference policy.
+
+
--- refpolicy-0.0.20070507.orig/debian/docentry
+++ refpolicy-0.0.20070507/debian/docentry
@@ -0,0 +1,24 @@
+Document: selinux-policy-refpolicy-doc
+Title: SELinux Reference Policy
+Author: various
+Abstract: The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+  + Strong Modularity
+  + Clearly stated security Goals
+  + Documentation
+  + Development Tool Support
+  + Forward Looking
+  + Configurability
+  + Flexible Base Policy
+  + Application Policy Variations
+  + Multi-Level Security
+Section: Apps/Admin
+
+Format: HTML
+Index: /usr/share/doc/selinux-policy-refpolicy-doc/html/index.html
+Files: /usr/share/doc/selinux-policy-refpolicy-doc/html/*.html
--- refpolicy-0.0.20070507.orig/debian/setrans.conf
+++ refpolicy-0.0.20070507/debian/setrans.conf
@@ -0,0 +1,23 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
+
+###############################################################################
+## arch-tag: 2f7ff2f6-a12a-4d8d-94ea-022090bd959e
+###############################################################################
--- refpolicy-0.0.20070507.orig/debian/modules.conf.strict
+++ refpolicy-0.0.20070507/debian/modules.conf.strict
@@ -0,0 +1,1820 @@
+# If you edit this file, also edit local-var.mk to define what is or
+# is not a module.
+#
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+# 
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+# 
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+# 
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+# 
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+# 
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+# 
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+# 
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+# 
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+# 
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+# 
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+# 
+terminal = base
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+# 
+acct = module
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+# 
+alsa = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+# 
+amanda = module
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+# 
+anaconda = off
+
+# Layer: admin
+# Module: apt
+#
+# APT advanced package toll.
+# 
+apt = base
+
+# Layer: admin
+# Module: backup
+#
+# System backup scripts
+# 
+backup = module
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+# 
+bootloader = base
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+# 
+# Not in Debian?
+certwatch = off
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+# 
+# Not in Debian.
+consoletype = off
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+# 
+ddcprobe = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+# 
+dmesg = base
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+# 
+dmidecode = module
+
+# Layer: admin
+# Module: dpkg
+#
+# Policy for the Debian package manager.
+# 
+dpkg = base
+
+# Layer: admin
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+# 
+firstboot = off
+
+# Layer: admin
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+# 
+kudzu = module
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+# 
+logrotate = base
+
+# Layer: admin
+# Module: logwatch
+#
+# System log analyzer and reporter
+# 
+logwatch = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+# 
+mrtg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+# 
+netutils = module
+
+# Layer: admin
+# Module: portage
+#
+# Portage Package Management System. The primary package management and
+# distribution system for Gentoo.
+# 
+portage = off
+
+# Layer: admin
+# Module: prelink
+#
+# Prelink ELF shared library mappings.
+# 
+prelink = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+# 
+quota = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+# 
+readahead = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+# 
+rpm = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+# 
+su = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+# 
+sudo = base
+
+# Layer: admin
+# Module: sxid
+#
+# SUID/SGID program monitoring
+# 
+sxid = module
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+# 
+tmpreaper = module
+
+# Layer: admin
+# Module: tripwire
+#
+# Tripwire file integrity checker.
+# 
+tripwire = module
+
+# Layer: admin
+# Module: tzdata
+#
+# Time zone updater
+# 
+tzdata = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+# 
+updfstab = off
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+# 
+usbmodules = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+# 
+usermanage = base
+
+# Layer: admin
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+# 
+vbetool = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+# 
+vpn = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+# 
+storage = base
+
+# Layer: apps
+# Module: ada
+#
+# GNAT Ada95 compiler
+# 
+ada = module
+
+# Layer: apps
+# Module: authbind
+#
+# Tool for non-root processes to bind to reserved ports
+# 
+authbind = module
+
+# Layer: apps
+# Module: calamaris
+#
+# Squid log analysis
+# 
+calamaris = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+# 
+cdrecord = module
+
+# Layer: apps
+# Module: ethereal
+#
+# Ethereal packet capture tool.
+# 
+ethereal = module
+
+# Layer: apps
+# Module: evolution
+#
+# Evolution email client
+# 
+evolution = module
+
+# Layer: apps
+# Module: games
+#
+# Games
+# 
+games = module
+
+# Layer: apps
+# Module: gift
+#
+# giFT peer to peer file sharing tool
+# 
+gift = module
+
+# Layer: apps
+# Module: gnome
+#
+# GNU network object model environment (GNOME)
+# 
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+# 
+gpg = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+# 
+irc = module
+
+# Layer: apps
+# Module: java
+#
+# Java virtual machine
+# 
+java = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+# 
+loadkeys = module
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+# 
+lockdev = module
+
+# Layer: apps
+# Module: mono
+#
+# Run .NET server and client applications on Linux.
+# 
+mono = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+# 
+mozilla = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Mplayer media player and encoder
+# 
+mplayer = module
+
+# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+# 
+rssh = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+# 
+screen = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+# 
+slocate = module
+
+# Layer: apps
+# Module: thunderbird
+#
+# Thunderbird email client
+# 
+thunderbird = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+# 
+tvtime = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+# 
+uml = module
+
+# Layer: apps
+# Module: userhelper
+#
+# SELinux utility to run a shell with a new role
+# 
+userhelper = base
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+# 
+usernetctl = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+# 
+vmware = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+# 
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# Wine Is Not an Emulator.  Run Windows programs in Linux.
+# 
+wine = module
+
+# Layer: apps
+# Module: yam
+#
+# Yum/Apt Mirroring
+# 
+yam = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = base
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+# 
+daemontools = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+# 
+getty = base
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+# 
+hostname = base
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+# 
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+# 
+init = base
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+# 
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+# 
+iptables = base
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+# 
+libraries = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+# 
+locallogin = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = base
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+# 
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+# 
+miscfiles = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+# 
+modutils = base
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+# 
+mount = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+# 
+pcmcia = module
+
+# Layer: system
+# Module: pythonsupport
+#
+# Support for precompiling python modules
+# 
+pythonsupport = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+# 
+raid = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+# 
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+# 
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+# 
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+# 
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+# 
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+# 
+userdomain = base
+
+# Layer: system
+# Module: xen
+#
+# Xen hypervisor
+# 
+xen = module
+
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+# 
+afs = module
+
+# Layer: services
+# Module: aide
+#
+# Aide filesystem integrity checker
+# 
+aide = module
+
+# Layer: services
+# Module: amavis
+#
+# Daemon that interfaces mail transfer agents and content
+# checkers, such as virus scanners.
+# 
+amavis = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+# 
+apache = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+# 
+apm = module
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+# 
+arpwatch = module
+
+# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+# 
+asterisk = module
+
+# Layer: services
+# Module: audioentropy
+#
+# Generate entropy from audio input
+# 
+audioentropy = module
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+# 
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+# 
+avahi = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+# 
+bind = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+# 
+bluetooth = module
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+# 
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# Cluster Configuration System
+# 
+ccs = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+# 
+cipe = module
+
+# Layer: services
+# Module: clamav
+#
+# ClamAV Virus Scanner
+# 
+clamav = module
+
+# Layer: services
+# Module: clockspeed
+#
+# Clockspeed simple network time protocol client
+# 
+# not in debian?
+clockspeed = off
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+# 
+comsat = module
+
+# Layer: services
+# Module: consolekit
+#
+# Framework for facilitating multiple user sessions on desktops.
+# 
+consolekit = module
+
+# Layer: services
+# Module: courier
+#
+# Courier IMAP and POP3 email servers
+# 
+courier = module
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+# 
+cpucontrol = module
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+# 
+cron = base
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+# 
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+# 
+cvs = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+# 
+cyrus = module
+
+# Layer: services
+# Module: dante
+#
+# Dante msproxy and socks4/5 proxy server
+# 
+dante = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+# 
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+# 
+dbus = module
+
+# Layer: services
+# Module: dcc
+#
+# Distributed checksum clearinghouse spam filtering
+# 
+dcc = module
+
+# Layer: services
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+# 
+ddclient = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+# 
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+# 
+dictd = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+# 
+distcc = module
+
+# Layer: services
+# Module: djbdns
+#
+# small and secure DNS daemon
+# 
+djbdns = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# dnsmasq DNS forwarder and DHCP server
+# 
+dnsmasq = module
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+# 
+dovecot = module
+
+# Layer: services
+# Module: fail2ban
+#
+# Update firewall filtering to ban IP addresses with too many password failures.
+# 
+fail2ban = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+# 
+fetchmail = module
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+# 
+finger = module
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+# 
+ftp = module
+
+# Layer: services
+# Module: gatekeeper
+#
+# OpenH.323 Voice-Over-IP Gatekeeper
+# 
+gatekeeper = module
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+# 
+gpm = module
+
+# Layer: services
+# Module: hal
+#
+# Hardware abstraction layer
+# 
+hal = module
+
+# Layer: services
+# Module: howl
+#
+# Port of Apple Rendezvous multicast DNS
+# 
+howl = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+# 
+i18n_input = module
+
+# Layer: services
+# Module: imaze
+#
+# iMaze game server
+# 
+imaze = module
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+# 
+inetd = module
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+# 
+inn = module
+
+# Layer: services
+# Module: ircd
+#
+# IRC server
+# 
+ircd = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+# 
+irqbalance = module
+
+# Layer: services
+# Module: jabber
+#
+# Jabber instant messaging server
+# 
+jabber = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+# 
+kerberos = module
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+# 
+ktalk = module
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+# 
+ldap = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+# 
+lpd = module
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+# 
+mailman = module
+
+# Layer: services
+# Module: monop
+#
+# Monopoly daemon
+# 
+monop = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+# 
+mta = base
+
+# Layer: services
+# Module: munin
+#
+# Munin network-wide load graphing (formerly LRRD)
+# 
+munin = module
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+# 
+mysql = module
+
+# Layer: services
+# Module: nagios
+#
+# Net Saint / NAGIOS - network monitoring server
+# 
+nagios = module
+
+# Layer: services
+# Module: nessus
+#
+# Nessus network scanning daemon
+# 
+nessus = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+# 
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+# 
+nis = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+# 
+nscd = module
+
+# Layer: services
+# Module: nsd
+#
+# Authoritative only name server
+# 
+nsd = module
+
+# Layer: services
+# Module: ntop
+#
+# Network Top
+# 
+ntop = module
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+# 
+ntp = module
+
+# Layer: services
+# Module: nx
+#
+# NX remote desktop
+# 
+# Not officially in Debian, but being worked on.
+nx = module
+
+# Layer: services
+# Module: oav
+#
+# Open AntiVirus scannerdaemon and signature update
+# 
+oav = module
+
+# Layer: services
+# Module: oddjob
+#
+# Oddjob provides a mechanism by which unprivileged applications can
+# request that specified privileged operations be performed on their
+# behalf.
+# 
+oddjob = module
+
+# Layer: services
+# Module: openca
+#
+# OpenCA - Open Certificate Authority
+# 
+openca = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+# 
+openct = module
+
+# Layer: services
+# Module: openvpn
+#
+# full-featured SSL VPN solution
+# 
+openvpn = module
+
+# Layer: services
+# Module: pcscd
+#
+# PCSC smart card service
+# 
+pcscd = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+# 
+# not in Debian?
+pegasus = off
+
+# Layer: services
+# Module: perdition
+#
+# Perdition POP and IMAP proxy
+# 
+perdition = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+# 
+portmap = module
+
+# Layer: services
+# Module: portslave
+#
+# Portslave terminal server software
+# 
+portslave = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+# 
+postfix = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+# 
+postgresql = module
+
+# Layer: services
+# Module: postgrey
+#
+# Postfix grey-listing server
+# 
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+# 
+ppp = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+# 
+privoxy = module
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+# 
+procmail = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+# 
+publicfile = module
+
+# Layer: services
+# Module: pxe
+#
+# Server for the PXE network boot protocol
+# 
+pxe = module
+
+# Layer: services
+# Module: pyzor
+#
+# Pyzor is a distributed, collaborative spam detection and filtering network.
+# 
+pyzor = module
+
+# Layer: services
+# Module: qmail
+#
+# Qmail Mail Server
+# 
+qmail = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+# 
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+# 
+radvd = module
+
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+# 
+razor = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+# 
+rdisc = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+# 
+remotelogin = module
+
+# Layer: services
+# Module: resmgr
+#
+# Resource management daemon
+# 
+resmgr = module
+
+# Layer: services
+# Module: rhgb
+#
+# Red Hat Graphical Boot
+# 
+rhgb = off
+
+# Layer: services
+# Module: ricci
+#
+# Ricci cluster management agent
+# 
+ricci = off
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+# 
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+# 
+roundup = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+# 
+rpc = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+# 
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+# 
+rsync = module
+
+# Layer: services
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name  Service  Switch  daemon for resolving names
+# from Windows NT servers.
+# 
+samba = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+# 
+sasl = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+# 
+sendmail = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# SELinux troubleshooting service
+# 
+setroubleshoot = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+# 
+slrnpull = module
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+# 
+smartmon = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+# 
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+# 
+snort = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+# 
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+# 
+spamassassin = module
+
+# Layer: services
+# Module: speedtouch
+#
+# Alcatel speedtouch USB ADSL modem
+# 
+speedtouch = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+# 
+squid = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+# 
+ssh = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+# 
+stunnel = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+# 
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+# 
+tcpd = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+# 
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+# 
+tftp = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+# 
+timidity = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+# 
+tor = module
+
+# Layer: services
+# Module: transproxy
+#
+# HTTP transperant proxy
+# 
+transproxy = module
+
+# Layer: services
+# Module: ucspitcp
+#
+# ucspitcp policy
+# 
+ucspitcp = module
+
+# Layer: services
+# Module: uptime
+#
+# Uptime daemon
+# 
+uptime = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+# 
+uucp = module
+
+# Layer: services
+# Module: uwimap
+#
+# University of Washington IMAP toolkit POP3 and IMAP mail server
+# 
+uwimap = module
+
+# Layer: services
+# Module: watchdog
+#
+# Software watchdog
+# 
+watchdog = module
+
+# Layer: services
+# Module: xfs
+#
+# X Windows Font Server
+# 
+xfs = module
+
+# Layer: services
+# Module: xprint
+#
+# X print server
+# 
+xprint = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+# 
+xserver = module
+
+# Layer: services
+# Module: zabbix
+#
+# Distributed infrastructure monitoring
+# 
+zabbix = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+# 
+zebra = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+# 
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+# 
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+# 
+init = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+# 
+iptables = module
+
+# Layer: system
+# Module: iscsi
+#
+# Establish connections to iSCSI devices
+# 
+iscsi = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+# 
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+# 
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+# 
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+# 
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+# 
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+# 
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+# 
+selinuxutil = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+# 
+sysnetwork = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+# 
+userdomain = module
+
--- refpolicy-0.0.20070507.orig/debian/global_booleans.xml
+++ refpolicy-0.0.20070507/debian/global_booleans.xml
@@ -0,0 +1,25 @@
+<bool name="secure_mode" dftval="false">
+<desc>
+<p>
+Enabling secure mode disallows programs, such as
+newrole, from transitioning to administrative
+user domains.
+</p>
+</desc>
+</bool>
+<bool name="secure_mode_insmod" dftval="false">
+<desc>
+<p>
+Disable transitions to insmod.
+</p>
+</desc>
+</bool>
+<bool name="secure_mode_policyload" dftval="false">
+<desc>
+<p>
+boolean to determine whether the system permits loading policy, setting
+enforcing mode, and changing boolean values.  Set this to true and you
+have to reboot to set it back
+</p>
+</desc>
+</bool>
--- refpolicy-0.0.20070507.orig/debian/watch
+++ refpolicy-0.0.20070507/debian/watch
@@ -0,0 +1,8 @@
+# format version number, currently 2; this line is compulsory!
+version=3
+
+opts="uversionmangle=s/^/0.0./" \
+http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease \
+ /files/refpolicy/refpolicy-(.*)\.tar\.bz2 
+
+# arch-tag: cf70b245-38bc-49ea-a6a4-ac970978aea4
--- refpolicy-0.0.20070507.orig/debian/targeted.postrm
+++ refpolicy-0.0.20070507/debian/targeted.postrm
@@ -0,0 +1,176 @@
+#! /bin/sh
+#                               -*- Mode: Sh -*- 
+# postrm --- 
+# Author           : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com ) 
+# Created On       : Fri Nov 14 12:22:20 2003
+# Created On Node  : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 21:01:06 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count     : 11
+# Status           : Unknown, Use with caution!
+# HISTORY          : 
+# Description      : 
+# 
+# arch-tag: bea9fd02-e287-4245-8009-9023c3333ff3
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+# 
+
+
+# Abort if any command returns an error value
+set -e
+
+TYPE=targeted
+package_name=selinux-policy-refpolicy-$TYPE
+POLICYNAME=refpolicy-$TYPE
+BASEDIR=/etc/selinux/$POLICYNAME
+
+
+if [ -z "$package_name" ]; then
+    print >&2 "Internal Error. Please report a bug."
+    exit 1;
+fi
+
+# This script is called twice during the removal of the package; once
+# after the removal of the package's files from the system, and as
+# the final step in the removal of this package, after the package's
+# conffiles have been removed.
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+case "$1" in
+  remove)
+    # This package is being removed, but its configuration has not yet
+    # been purged.
+    :
+
+    # Remove diversion
+    ##: dpkg-divert --package ${package_name} --remove --rename \
+    ##:             --divert /usr/bin/other.real /usr/bin/other
+
+    # ldconfig is NOT needed during removal of a library, only during
+    # installation
+
+    ;;
+  purge)
+    # This package has previously been removed and is now having
+    # its configuration purged from the system.
+    :
+
+    # we mimic dpkg as closely as possible, so we remove configuration
+    # files with dpkg backup extensions too:
+    ### Some of the following is from Tore Anderson:
+    ##: for ext in '~' '%' .bak .dpkg-tmp .dpkg-new .dpkg-old .dpkg-dist;  do
+    ##:     rm -f /etc/${package_name}.conf$ext
+    ##: done
+ 
+    # remove the configuration file itself
+    ##: rm -f /etc/${package_name}.conf
+    rm -rf "$BASEDIR"
+
+    # and finally clear it out from the ucf database
+    ##: ucf --purge /etc/${package_name}.conf
+
+    # Remove symlinks from /etc/rc?.d
+    ##: update-rc.d ${package_name} remove >/dev/null
+
+    ##: if [ -e /usr/share/debconf/confmodule ]; then
+    ##:     # Purge this package's data from the debconf database.
+    ##:     . /usr/share/debconf/confmodule
+    ##:     db_purge
+    ##: fi
+
+    # This package has previously been removed and is now having
+    # its configuration purged from the system. 
+    ##: for flavour in emacs20 emacs21; do
+    ##:     STARTDIR=/etc/$flavour/site-start.d;
+    ##:     STARTFILE="${package_name}-init.el";
+    ##:     if [ -e "$STARTDIR/20$STARTFILE" ]; then
+    ##:         rm -f "$STARTDIR/20$STARTFILE"
+    ##:     fi
+    ##: done
+
+    ;;
+  disappear)
+    if test "$2" != overwriter; then
+      echo "$0: undocumented call to \`postrm $*'" 1>&2
+      exit 0
+    fi
+    # This package has been completely overwritten by package $3
+    # (version $4).  All our files are already gone from the system.
+    # This is a special case: neither "prerm remove" nor "postrm remove"
+    # have been called, because dpkg didn't know that this package would
+    # disappear until this stage.
+    :
+
+    ;;
+  upgrade)
+    # About to upgrade FROM THIS VERSION to version $2 of this package.
+    # "prerm upgrade" has been called for this version, and "preinst
+    # upgrade" has been called for the new version.  Last chance to
+    # clean up.
+    :
+
+    ;;
+  failed-upgrade)
+    # About to upgrade from version $2 of this package TO THIS VERSION.
+    # "prerm upgrade" has been called for the old version, and "preinst
+    # upgrade" has been called for this version.  This is only used if
+    # the previous version's "postrm upgrade" couldn't handle it and
+    # returned non-zero. (Fix old postrm bugs here.)
+    :
+
+    ;;
+  abort-install)
+    # Back out of an attempt to install this package.  Undo the effects of
+    # "preinst install...".  There are two sub-cases.
+    :
+
+    if test "${2+set}" = set; then
+      # When the install was attempted, version $2's configuration
+      # files were still on the system.  Undo the effects of "preinst
+      # install $2".
+      :
+
+    else
+      # We were being installed from scratch.  Undo the effects of
+      # "preinst install".
+      :
+
+    fi ;;
+  abort-upgrade)
+    # Back out of an attempt to upgrade this package from version $2
+    # TO THIS VERSION.  Undo the effects of "preinst upgrade $2".
+    :
+
+    ;;
+  *) echo "$0: didn't understand being called with \`$1'" 1>&2
+     exit 0;;
+esac
+
+exit 0
--- refpolicy-0.0.20070507.orig/debian/build.conf.targeted
+++ refpolicy-0.0.20070507/debian/build.conf.targeted
@@ -0,0 +1,67 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports.  Setting this will
+# override the version.  This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 21
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = targeted-mcs
+
+# Policy Name
+# If set, this will be used as the policy
+# name.  Otherwise the policy type will be
+# used for the name.
+NAME = refpolicy-targeted
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution.  Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+DISTRO = debian
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC=y
+
+# Build monolithic policy.  Putting n here
+# will build a loadable module policy.
+MONOLITHIC=n
+
+# Polyinstantiation
+# Enable polyinstantiated directory support.
+POLY=n
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS=16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS=1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS=1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET=n
+
+# arch-tag: ec64afa6-f6f8-4b08-b002-6025ada3a269
--- refpolicy-0.0.20070507.orig/debian/ChangeLog
+++ refpolicy-0.0.20070507/debian/ChangeLog
@@ -0,0 +1,32 @@
+2007-05-07  Manoj Srivastava  <srivasta@debian.org>
+
+	* modules.conf.targeted (ricci):
+		  srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+		  Added module.
+
+	* modules.conf.strict (ricci):
+		  srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+		  Added module.
+
+	* postinst.policy (installed_modules):
+		  srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+		  Only add modules to the load order that have already
+		  been shipped when considering dependencies for
+		  modules. If the module is not shipped, chances are that
+		  it was moved into the base policy.
+
+	* local-vars.mk (NON_MODULES):
+		  srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+		  Added a list of modules that are really built into the
+		  base policy in Debian.  We then use this list to remove
+		  the modules .pp files from the policy shipped, since
+		  they can not be installed along with the base policy
+		  anyway. 
+
+	* local.mk (install/selinux-policy-refpolicy-strict):
+		  srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+		  Remove the mosules that are built into the base already.
+		(install/selinux-policy-refpolicy-targeted):
+		  srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+			  Ditto. 
+
--- refpolicy-0.0.20070507.orig/debian/policygentool
+++ refpolicy-0.0.20070507/debian/policygentool
@@ -0,0 +1,300 @@
+#! /usr/bin/env python
+# Copyright (C) 2006 Red Hat 
+# see file 'COPYING' for use and warranty information
+#
+# policygentool is a tool for the initial generation of SELinux policy
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of the GNU General Public License as
+#    published by the Free Software Foundation; either version 2 of
+#    the License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA     
+#                                        02111-1307  USA
+#
+# arch-tag: 4c33ae23-a363-4ace-bae9-86fb8a792206 
+import os, sys, getopt
+import re
+
+########################### Interface File #############################
+interface="""\
+## <summary>policy for TEMPLATETYPE</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run TEMPLATETYPE.
+## </summary>
+## <param name=\"domain\">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`TEMPLATETYPE_domtrans',`
+	gen_require(`
+		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
+	')
+
+	domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
+
+	allow $1 TEMPLATETYPE_t:fd use;
+	allow TEMPLATETYPE_t $1:fd use;
+	allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
+	allow TEMPLATETYPE_t $1:process sigchld;
+')
+"""
+
+########################### Type Enforcement File #############################
+te="""\
+policy_module(TEMPLATETYPE,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type TEMPLATETYPE_t;
+type TEMPLATETYPE_exec_t;
+domain_type(TEMPLATETYPE_t)
+init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+"""
+te_pidfile="""
+# pid files
+type TEMPLATETYPE_var_run_t;
+files_pid_file(TEMPLATETYPE_var_run_t)
+"""
+te_logfile="""
+# log files
+type TEMPLATETYPE_var_log_t;
+logging_log_file(TEMPLATETYPE_var_log_t)
+"""
+te_libfile="""
+# var/lib files
+type TEMPLATETYPE_var_lib_t;
+files_type(TEMPLATETYPE_var_lib_t)
+"""
+te_sep="""
+########################################
+#
+# TEMPLATETYPE local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(TEMPLATETYPE_t)
+libs_use_ld_so(TEMPLATETYPE_t)
+libs_use_shared_libs(TEMPLATETYPE_t)
+miscfiles_read_localization(TEMPLATETYPE_t)
+## internal communication is often done using fifo and unix sockets.
+allow TEMPLATETYPE_t self:fifo_file { read write };
+allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
+"""
+te_pidfile2="""
+# pid file
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
+"""
+te_logfile2="""
+# log files
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
+"""
+te_libfile2="""
+# var/lib files for TEMPLATETYPE
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir sock_file })
+"""
+te_network2="""
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
+corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
+corenet_tcp_connect_http_port(TEMPLATETYPE_t)
+#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
+## if it is a network daemon, consider these:
+#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
+#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
+allow TEMPLATETYPE_t self:tcp_socket { listen accept };
+"""
+te_initsc2="""
+# Init script handling
+init_use_fds(TEMPLATETYPE_t)
+init_use_script_ptys(TEMPLATETYPE_t)
+domain_use_interactive_fds(TEMPLATETYPE_t)
+"""
+
+########################### File Context ##################################
+fc="""\
+# TEMPLATETYPE executable will have:
+# label: system_u:object_r:TEMPLATETYPE_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
+"""
+fc_pidfile="""\
+FILENAME			gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
+"""
+fc_logfile="""\
+FILENAME			gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
+"""
+fc_libfile="""\
+FILENAME			gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
+"""
+def errorExit(error):
+	sys.stderr.write("%s: " % sys.argv[0])
+	sys.stderr.write("%s\n" % error)
+	sys.stderr.flush()
+	sys.exit(1)
+
+
+def write_te_file(module, pidfile, logfile, libfile, network, initsc):
+	file="%s.te" % module
+	newte=re.sub("TEMPLATETYPE", module, te)
+	if pidfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
+	if logfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
+	if libfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
+	newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
+	if pidfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
+	if logfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
+	if libfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
+	if network:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
+	if initsc:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
+	if os.path.exists(file):
+		errorExit("%s already exists" % file)
+	fd = open(file, 'w')
+	fd.write(newte)
+	fd.close()
+
+def write_if_file(module):
+	file="%s.if" % module
+	newif=re.sub("TEMPLATETYPE", module, interface)
+	if os.path.exists(file):
+		errorExit("%s already exists" % file)
+	fd = open(file, 'w')
+	fd.write(newif)
+	fd.close()
+
+def write_fc_file(module, executable, pidfile, logfile, libfile):
+	file="%s.fc" % module
+	temp=re.sub("TEMPLATETYPE", module, fc)
+	newfc=re.sub("EXECUTABLE", executable, temp)
+	if pidfile:
+		temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
+		newfc=newfc + re.sub("FILENAME", pidfile, temp)
+	if logfile:
+		temp=re.sub("TEMPLATETYPE", module, fc_logfile)
+		newfc=newfc + re.sub("FILENAME", logfile, temp)
+	if libfile:
+		temp=re.sub("TEMPLATETYPE", module, fc_libfile)
+		newfc=newfc + re.sub("FILENAME", libfile, temp)
+	if os.path.exists(file):
+		errorExit("%s already exists" % file)
+	fd = open(file, 'w')
+	fd.write(newfc)
+	fd.close()
+
+def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
+	write_te_file(module, pidfile, logfile, libfile, initsc, network)
+	write_if_file(module)
+	write_fc_file(module, executable, pidfile, logfile, libfile)
+	
+if __name__ == '__main__':
+	def usage(message = ""):
+		print '%s ModuleName Executable' % sys.argv[0]
+		sys.exit(1)
+		
+	if len(sys.argv) != 3:
+		usage()
+
+	print """\n
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if).  Most of the policy rules
+will be written in the te file.  Use the File Context file to associate file
+paths with security context.  Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+
+After generating these files use the /usr/share/selinux/POLICY-NAME/include/Makefile to
+compile your policy package.  Then use the semodule tool to load it.
+
+# /usr/bin/policygentool myapp /usr/bin/myapp
+# echo 'HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include' >Makefile
+# echo 'include $(HEADERDIR)/Makefile' >> Makefile
+# make
+# semodule -l myapp.pp
+# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+
+Now you can turn on permissive mode, start your application and avc messages
+will be generated.  You can use audit2allow to help translate the avc messages
+into policy.
+
+# setenforce 0
+# /etc/init.d/myapp start
+# audit2allow -R -i /var/log/audit/audit.log
+
+Return to continue:"""
+        sys.stdin.readline().rstrip()
+
+	print 'If the module uses pidfiles, what is the pidfile called?'
+	pidfile = sys.stdin.readline().rstrip()
+	if pidfile == "":
+		pidfile = None
+	print 'If the module uses logfiles, where are they stored?'
+	logfile = sys.stdin.readline().rstrip()
+	if logfile == "":
+		logfile = None
+	print 'If the module has var/lib files, where are they stored?'
+	libfile = sys.stdin.readline().rstrip()
+	if libfile == "":
+		libfile = None
+	print 'Does the module have a init script? [yN]'
+	initsc = sys.stdin.readline().rstrip()
+	if initsc == "" or initsc == "n" or initsc == "N":
+		initsc = False
+	elif initsc == "y" or initsc == "Y":
+		initsc = True
+	else:
+		raise "Please answer with 'y' or 'n'!"
+	print 'Does the module use the network? [yN]'
+	network = sys.stdin.readline().rstrip()
+	if network == "" or network == "n" or network == "N":
+		network = False
+	elif network == "y" or network == "Y":
+		network = True
+	else:
+		raise "Please answer with 'y' or 'n'!"
+
+	gen_policy(
+		module=sys.argv[1],
+		executable=sys.argv[2],
+		pidfile=pidfile,
+		logfile=logfile,
+		libfile=libfile,
+		initsc=initsc,
+		network=network
+	)
+
+	
--- refpolicy-0.0.20070507.orig/debian/build.conf.strict
+++ refpolicy-0.0.20070507/debian/build.conf.strict
@@ -0,0 +1,67 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports.  Setting this will
+# override the version.  This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 21
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = strict-mcs
+
+# Policy Name
+# If set, this will be used as the policy
+# name.  Otherwise the policy type will be
+# used for the name.
+NAME = refpolicy-strict
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution.  Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+DISTRO = debian
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC=y
+
+# Build monolithic policy.  Putting n here
+# will build a loadable module policy.
+MONOLITHIC=n
+
+# Polyinstantiation
+# Enable polyinstantiated directory support.
+POLY=n
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS=16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS=1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS=1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET=n
+
+# arch-tag: 6e61abf2-f3d7-42b4-bbb9-7a1b38350518
--- refpolicy-0.0.20070507.orig/debian/copyright
+++ refpolicy-0.0.20070507/debian/copyright
@@ -0,0 +1,49 @@
+This is the Debian package for the SELinux Reference policy, and it is
+built from sources obtained from:
+ http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
+
+This package was originally debianized by Erich Schubert
+<erich@debian.org> on Mon, 13 Feb 2006 22:50:03 +0100.
+
+The package has since changed maintainers, the current maintainer being 
+Manoj Srivastava <srivasta@debian.org>.
+
+Changes:
+ * added Debian GNU/Linux package maintenance system files
+ * Some Debian specific tweaks and changes to policy also exist
+
+
+The reference policy is
+Copyright (C) 2002 Michael Droettboom
+Copyright (C) 2003 - 2006 Tresys Technology, LLC
+
+
+License:
+
+   This package is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License.
+
+   This package is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this package; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+
+The debian specific changes are Copyright © 2006 Manoj Srivastava, and
+distributed under the terms of the GNU General Public License, version
+2.
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'. 
+
+    A copy of the GNU General Public License is also available at
+    <URL:http://www.gnu.org/copyleft/gpl.html>.  You may also obtain
+    it by writing to the Free Software Foundation, Inc., 51 Franklin
+    St, Fifth Floor, Boston, MA 02110-1301 USA
+
+Manoj Srivastava <srivasta@debian.org>
+arch-tag: d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27
--- refpolicy-0.0.20070507.orig/debian/NEWS.Debian
+++ refpolicy-0.0.20070507/debian/NEWS.Debian
@@ -0,0 +1,14 @@
+refpolicy (0.0.20061018-2) unstable; urgency=high
+
+
+  * When installing strict policy, the postinst does not check for the
+    contents of /etc/selinux/config to see if SELINUXTYPE is set to
+    refpolicy-strict or not.  Ideally, if config does not have SELINUXTYPE
+    set to refpolicy-strict, the installer should be prompted to see if
+    they want to change the policy type and relabel; this is not yet
+    done.  Please ensure that the setting for  SELINUXTYPE in the
+    configuration file /etc/selinux/config matches what you want it to
+    be. 
+
+ -- Manoj Srivastava <srivasta@debian.org>  Fri, 22 Dec 2006 10:40:38 -0600
+
--- refpolicy-0.0.20070507.orig/policy/users
+++ refpolicy-0.0.20070507/policy/users
@@ -29,6 +29,7 @@
 gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ',`
 gen_user(user_u, user, user_r, s0, s0)
+gen_user(netuser_u, netuser, netuser_r, s0, s0)
 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ')
--- refpolicy-0.0.20070507.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-0.0.20070507/policy/modules/system/selinuxutil.te
@@ -568,6 +568,10 @@
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
+ifdef(`targeted_policy',`
+	allow semanage_t initrc_t:fd use;
+')
+
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
 
@@ -630,6 +634,10 @@
 	userdom_read_sysadm_tmp_files(semanage_t)
 ')
 
+optional_policy(`
+	pythonsupport_compiled_read(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
--- refpolicy-0.0.20070507.orig/policy/modules/system/init.te
+++ refpolicy-0.0.20070507/policy/modules/system/init.te
@@ -357,6 +357,7 @@
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
+logging_setattr_xconsole(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@@ -386,8 +387,13 @@
 userdom_use_sysadm_terms(initrc_t)
 
 ifdef(`distro_debian',`
-	dev_setattr_generic_dirs(initrc_t)
+        # seed udev /dev
+	dev_create_generic_dirs(initrc_t)
+	# to be able to create /dev/xconsole
+	dev_create_generic_pipes(initrc_t)
 
+	# for /etc/network/run/ifstate
+	sysnet_manage_config(initrc_t)
 	fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)
 
 	# for storing state under /dev/shm
@@ -700,6 +706,7 @@
 
 optional_policy(`
 	postfix_list_spool(initrc_t)
+	postfix_read_config(initrc_t)
 ')
 
 optional_policy(`
@@ -776,9 +783,6 @@
 ')
 
 optional_policy(`
-	# Set device ownerships/modes.
-	xserver_setattr_console_pipes(initrc_t)
-
 	# init script wants to check if it needs to update windowmanagerlist
 	xserver_read_xdm_rw_config(initrc_t)
 ')
--- refpolicy-0.0.20070507.orig/policy/modules/system/pythonsupport.fc
+++ refpolicy-0.0.20070507/policy/modules/system/pythonsupport.fc
@@ -0,0 +1,2 @@
+/usr/sbin/update-python-modules	--	gen_context(system_u:object_r:pythoncompile_exec_t,s0)
+/var/lib/python-support(/.*)?		gen_context(system_u:object_r:python_compiled_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-0.0.20070507/policy/modules/system/sysnetwork.if
@@ -272,6 +272,7 @@
 		type net_conf_t;
 	')
 
+	allow $1 net_conf_t:dir manage_dir_perms;
 	allow $1 net_conf_t:file manage_file_perms;
 ')
 
--- refpolicy-0.0.20070507.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-0.0.20070507/policy/modules/system/sysnetwork.fc
@@ -22,6 +22,10 @@
 /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_debian', `
+/etc/network/run(/.*)?			gen_context(system_u:object_r:net_conf_t,s0)
+/dev/shm/network(/.*)?			gen_context(system_u:object_r:net_conf_t,s0)
+')
 #
 # /sbin
 #
--- refpolicy-0.0.20070507.orig/policy/modules/system/udev.te
+++ refpolicy-0.0.20070507/policy/modules/system/udev.te
@@ -56,16 +56,18 @@
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
 
-allow udev_t udev_exec_t:file write;
+allow udev_t udev_helper_exec_t:dir list_dir_perms;
 can_exec(udev_t, udev_exec_t)
 
-allow udev_t udev_helper_exec_t:dir list_dir_perms;
+allow udev_t udev_helper_exec_t:dir r_dir_perms;
 
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
 
 # create udev database in /dev/.udevdb
 allow udev_t udev_tbl_t:file manage_file_perms;
+allow udev_t udev_tbl_t:lnk_file manage_file_perms;
+allow udev_t udev_tbl_t:dir manage_dir_perms;
 dev_filetrans(udev_t,udev_tbl_t,file)
 
 manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
@@ -143,6 +145,7 @@
 seutil_domtrans_restorecon(udev_t)
 
 sysnet_domtrans_ifconfig(udev_t)
+sysnet_manage_config(udev_t)
 sysnet_domtrans_dhcpc(udev_t)
 
 userdom_use_sysadm_ttys(udev_t)
--- refpolicy-0.0.20070507.orig/policy/modules/system/userdomain.if
+++ refpolicy-0.0.20070507/policy/modules/system/userdomain.if
@@ -900,6 +900,10 @@
 	')
 
 	optional_policy(`
+		pythonsupport_compiled_read($1_t)
+	')
+
+	optional_policy(`
 		pcscd_read_pub_files($1_t)
 		pcscd_stream_connect($1_t)
 	')
@@ -1068,6 +1072,41 @@
 
 #######################################
 ## <summary>
+##	The template for creating a user with network access.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a user domain, types, and
+##	rules for the user's tty, pty, home directories,
+##	tmp, and tmpfs files.
+##	</p>
+##	<p>
+##	This differs from the unpriv_user_template by allowing non-privileged network access.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., sysadm
+##	is the prefix for sysadm_t).
+##	</summary>
+## </param>
+#
+template(`network_user_template',`
+	##############################
+	#
+	# Declarations
+	#
+
+	# Inherit rules for ordinary users.
+	userdom_unpriv_user_template($1)
+	# like user_tcp_server
+	corenet_tcp_bind_generic_port($1_t)
+	sysnet_dns_name_resolve($1_t)
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:udp_socket create_stream_socket_perms;
+')
+#######################################
+## <summary>
 ##	The template for creating an administrative user.
 ## </summary>
 ## <desc>
--- refpolicy-0.0.20070507.orig/policy/modules/system/logging.if
+++ refpolicy-0.0.20070507/policy/modules/system/logging.if
@@ -545,6 +545,41 @@
 
 ########################################
 ## <summary>
+##	Set the attributes of the xconsole named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_setattr_xconsole',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+## <summary>
+##	Read the xconsole named pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_r_xconsole',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file { getattr read };
+')
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	generic log files.
 ## </summary>
--- refpolicy-0.0.20070507.orig/policy/modules/system/userdomain.te
+++ refpolicy-0.0.20070507/policy/modules/system/userdomain.te
@@ -105,12 +105,19 @@
 	userdom_admin_user_template(sysadm)
 	userdom_unpriv_user_template(staff)
 	userdom_unpriv_user_template(user)
+	userdom_unpriv_user_template(netuser)
 
 	# user role change rules:
 	# sysadm_r can change to user roles
 	userdom_role_change_template(sysadm, user)
 	userdom_role_change_template(sysadm, staff)
 
+	# make netuser reachable
+	userdom_role_change_template(sysadm, netuser)
+	userdom_role_change_template(staff, netuser)
+	userdom_role_change_template(user, netuser)
+	userdom_role_change_template(netuser, user)
+
 	# only staff_r can change to sysadm_r
 	userdom_role_change_template(staff, sysadm)
 	dontaudit staff_t admin_terminal:chr_file { read write };
--- refpolicy-0.0.20070507.orig/policy/modules/system/pythonsupport.if
+++ refpolicy-0.0.20070507/policy/modules/system/pythonsupport.if
@@ -0,0 +1,55 @@
+## <summary>Support for precompiling python modules</summary>
+## <desc>
+##	<p>
+##		Debians python-support will precompile installed python
+##		packages for installed python versions. This way,
+##		the python2.3-foobar and python2.4-foobar (and 2.5) packages
+##		could be merged into one python-foobar while keeping the
+##		dependency information useful.
+##	</p>
+## </desc>
+#
+
+########################################
+## <summary>
+##	Execute the python-support utility to precompile modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pythonsupport_domtrans',`
+	gen_require(`
+		type pythoncompile_t, pythoncompile_exec_t;
+	')
+
+	domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t)
+
+	allow $1 pythoncompile_t:fd use;
+	allow pythoncompile_t $1:fd use;
+	allow $1 pythoncompile_t:fifo_file rw_file_perms;
+	allow $1 pythoncompile_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read compiled python modules
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to read the compiled python modules.
+##	</summary>
+## </param>
+#
+interface(`pythonsupport_compiled_read',`
+	gen_require(`
+		type python_compiled_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 python_compiled_t:dir r_dir_perms;
+	allow $1 python_compiled_t:file r_file_perms;
+	allow $1 python_compiled_t:lnk_file r_file_perms;
+')
--- refpolicy-0.0.20070507.orig/policy/modules/system/pythonsupport.te
+++ refpolicy-0.0.20070507/policy/modules/system/pythonsupport.te
@@ -0,0 +1,44 @@
+policy_module(pythonsupport,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type pythoncompile_t;
+type pythoncompile_exec_t;
+domain_type(pythoncompile_t)
+domain_entry_file(pythoncompile_t, pythoncompile_exec_t)
+
+role system_r types pythoncompile_t;
+role sysadm_r types pythoncompile_t;
+
+type python_compiled_t;
+files_type(python_compiled_t)
+
+########################################
+#
+# python-support local policy
+#
+
+kernel_read_system_state(pythoncompile_t)
+kernel_read_kernel_sysctls(pythoncompile_t)
+
+corecmd_exec_bin(pythoncompile_t)
+corecmd_exec_sbin(pythoncompile_t)
+
+files_read_etc_files(pythoncompile_t)
+files_read_usr_files(pythoncompile_t)
+
+libs_use_ld_so(pythoncompile_t)
+libs_use_shared_libs(pythoncompile_t)
+libs_use_lib_files(pythoncompile_t)
+
+miscfiles_read_localization(pythoncompile_t)
+
+
+# create compiled python modules
+allow pythoncompile_t python_compiled_t:dir manage_dir_perms;
+allow pythoncompile_t python_compiled_t:file manage_file_perms;
+allow pythoncompile_t python_compiled_t:lnk_file manage_file_perms;
+files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)
--- refpolicy-0.0.20070507.orig/policy/modules/system/unconfined.fc
+++ refpolicy-0.0.20070507/policy/modules/system/unconfined.fc
@@ -6,8 +6,9 @@
 
 ifdef(`targeted_policy',`
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/qemu.*			--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/qemu.*                       --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/local/RealPlayer/realplay\.bin --        gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/gcj-dbtool-4.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)                              
 ')
--- refpolicy-0.0.20070507.orig/policy/modules/system/logging.te
+++ refpolicy-0.0.20070507/policy/modules/system/logging.te
@@ -55,6 +55,12 @@
 logging_log_file(var_log_t)
 files_mountpoint(var_log_t)
 
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
 ')
@@ -282,6 +288,9 @@
 manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 
+# log to xconsole
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
 kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
@@ -386,8 +395,3 @@
 optional_policy(`
 	udev_read_db(syslogd_t)
 ')
-
-optional_policy(`
-	# log to the xconsole
-	xserver_rw_console(syslogd_t)
-')
--- refpolicy-0.0.20070507.orig/policy/modules/system/logging.fc
+++ refpolicy-0.0.20070507/policy/modules/system/logging.fc
@@ -1,5 +1,6 @@
 
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
+/dev/xconsole		-p	gen_context(system_u:object_r:xconsole_device_t,s0)
 
 /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 
--- refpolicy-0.0.20070507.orig/policy/modules/apps/mplayer.fc
+++ refpolicy-0.0.20070507/policy/modules/apps/mplayer.fc
@@ -6,9 +6,9 @@
 #
 # /usr
 #
-/usr/bin/mplayer	--	gen_context(system_u:object_r:mplayer_exec_t,s0)
-/usr/bin/mencoder	--	gen_context(system_u:object_r:mencoder_exec_t,s0)
-/usr/bin/xine		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mplayer        --      gen_context(system_u:object_r:mplayer_exec_t,s0)
+/usr/bin/mencoder       --      gen_context(system_u:object_r:mencoder_exec_t,s0)
+/usr/bin/xine           --      gen_context(system_u:object_r:mplayer_exec_t,s0)
 
 ifdef(`strict_policy',`
 HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/apps/cdrecord.fc
+++ refpolicy-0.0.20070507/policy/modules/apps/cdrecord.fc
@@ -2,4 +2,4 @@
 # /usr
 #
 /usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
-
+/usr/bin/wodim	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/services/dcc.te
+++ refpolicy-0.0.20070507/policy/modules/services/dcc.te
@@ -95,6 +95,9 @@
 allow cdcc_t dcc_client_map_t:file rw_file_perms;
 
 # Access files in /var/dcc. The map file can be updated
+ifdef(`distro_debian',`
+files_search_var_lib(cdcc_t)
+')
 allow cdcc_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
 read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
@@ -137,6 +140,9 @@
 files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
 
 # Access files in /var/dcc. The map file can be updated
+ifdef(`distro_debian',`
+files_search_var_lib(dcc_client_t)
+')
 allow dcc_client_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
 read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
@@ -177,6 +183,9 @@
 manage_files_pattern(dcc_dbclean_t,dcc_dbclean_tmp_t,dcc_dbclean_tmp_t)
 files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
 
+ifdef(`distro_debian',`
+files_search_var_lib(dcc_dbclean_t)
+')
 manage_dirs_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
 manage_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
 manage_lnk_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
@@ -220,6 +229,9 @@
 allow dccd_t dcc_client_map_t:file rw_file_perms;
 
 # Access files in /var/dcc. The map file can be updated
+ifdef(`distro_debian',`
+files_search_var_lib(dccd_t)
+')
 allow dccd_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
 read_lnk_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
@@ -306,6 +318,9 @@
 allow dccifd_t dcc_client_map_t:file rw_file_perms;
 
 # Updating dcc_db, flod, ...
+ifdef(`distro_debian',`
+files_search_var_lib(dccifd_t)
+')
 manage_dirs_pattern(dccifd_t,dcc_var_t,dcc_var_t)
 manage_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
 manage_lnk_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
@@ -383,6 +398,9 @@
 
 allow dccm_t dcc_client_map_t:file rw_file_perms;
 
+ifdef(`distro_debian',`
+files_search_var_lib(dccm_t)
+')
 manage_dirs_pattern(dccm_t,dcc_var_t,dcc_var_t)
 manage_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
 manage_lnk_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
--- refpolicy-0.0.20070507.orig/policy/modules/services/clamav.te
+++ refpolicy-0.0.20070507/policy/modules/services/clamav.te
@@ -103,6 +103,7 @@
 files_read_etc_files(clamd_t)
 files_read_etc_runtime_files(clamd_t)
 files_search_spool(clamd_t)
+files_search_var_lib(clamd_t)
 
 libs_use_ld_so(clamd_t)
 libs_use_shared_libs(clamd_t)
--- refpolicy-0.0.20070507.orig/policy/modules/services/cron.te
+++ refpolicy-0.0.20070507/policy/modules/services/cron.te
@@ -220,6 +220,8 @@
 
 optional_policy(`
 	amavis_search_lib(crond_t)
+	# for bayes maintainance scripts
+	amavis_domtrans(crond_t)
 ')
 
 optional_policy(`
@@ -253,6 +255,13 @@
 	udev_read_db(crond_t)
 ')
 
+optional_policy(`
+        #  allow crond to search logrotate jobs
+	logrotate_search_varlib(crond_t)
+')
+
+
+
 ########################################
 #
 # System cron process domain
@@ -437,6 +446,7 @@
 
 	optional_policy(`
 		mysql_read_config(system_crond_t)
+                mysql_stream_connect(system_crond_t)
 	')
 
 	optional_policy(`
--- refpolicy-0.0.20070507.orig/policy/modules/services/courier.te
+++ refpolicy-0.0.20070507/policy/modules/services/courier.te
@@ -35,7 +35,7 @@
 #
 
 allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
-allow courier_authdaemon_t self:unix_stream_socket connectto;
+allow courier_authdaemon_t self:unix_stream_socket { connectto listen accept read write };
 
 can_exec(courier_authdaemon_t, courier_exec_t)
 
@@ -83,7 +83,8 @@
 # POP3/IMAP local policy
 #
 
-allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_pop_t self:capability { setgid setuid }; 
+allow courier_pop_t courier_authdaemon_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
@@ -102,6 +103,7 @@
 # this should also probably be a separate type too instead of
 # the regular home dir
 userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
+userdom_read_user_home_content_symlinks(user,courier_pop_t)
 
 ########################################
 #
--- refpolicy-0.0.20070507.orig/policy/modules/services/ldap.fc
+++ refpolicy-0.0.20070507/policy/modules/services/ldap.fc
@@ -1,10 +1,11 @@
 
 /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
 
-/usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
-
-ifdef(`distro_debian',`
+# Debian and Ubunto place slapd in a different location
+ifdef(`distro_debian', `
 /usr/lib/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
+', `
+/usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
 ')
 
 /var/lib/ldap(/.*)?		gen_context(system_u:object_r:slapd_db_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/services/xserver.te
+++ refpolicy-0.0.20070507/policy/modules/services/xserver.te
@@ -34,12 +34,6 @@
 type xauth_exec_t;
 corecmd_executable_file(xauth_exec_t)
 
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
 type xdm_t;
 type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
@@ -111,7 +105,8 @@
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+#allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+logging_r_xconsole(xdm_t)
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
--- refpolicy-0.0.20070507.orig/policy/modules/services/amavis.fc
+++ refpolicy-0.0.20070507/policy/modules/services/amavis.fc
@@ -2,10 +2,8 @@
 /etc/amavis\.conf		--	gen_context(system_u:object_r:amavis_etc_t,s0)
 /etc/amavisd(/.*)?		--	gen_context(system_u:object_r:amavis_etc_t,s0)
 
+ifdef(`strict_policy',`
 /usr/sbin/amavisd.*		--	gen_context(system_u:object_r:amavis_exec_t,s0)
-
-ifdef(`distro_debian',`
-/usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 ')
 
 /var/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/services/courier.fc
+++ refpolicy-0.0.20070507/policy/modules/services/courier.fc
@@ -6,7 +6,7 @@
 /usr/sbin/courierldapaliasd		--	gen_context(system_u:object_r:courier_exec_t,s0)
 /usr/sbin/couriertcpd			--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
 
-/usr/lib(64)?/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/lib(64)?/courier/(courier-)?authlib/.* --	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
 /usr/lib(64)?/courier/courier/.*	--	gen_context(system_u:object_r:courier_exec_t,s0)
 /usr/lib(64)?/courier/courier/courierpop.* --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib(64)?/courier/courier/imaplogin --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
@@ -16,6 +16,6 @@
 /usr/lib(64)?/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
 /usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
 
-/var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)
+/var/lib/courier(/.*)?				gen_context(system_u:object_r:courier_var_lib_t,s0)
 
-/var/run/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_run_t,s0)
+/var/run/courier(/.*)?				gen_context(system_u:object_r:courier_var_run_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/services/xserver.fc
+++ refpolicy-0.0.20070507/policy/modules/services/xserver.fc
@@ -12,11 +12,6 @@
 ')
 
 #
-# /dev
-#
-/dev/xconsole		-p	gen_context(system_u:object_r:xconsole_device_t,s0)
-
-#
 # /etc
 #
 
--- refpolicy-0.0.20070507.orig/policy/modules/services/dcc.fc
+++ refpolicy-0.0.20070507/policy/modules/services/dcc.fc
@@ -5,13 +5,27 @@
 /usr/bin/cdcc			--	gen_context(system_u:object_r:cdcc_exec_t,s0)
 /usr/bin/dccproc		--	gen_context(system_u:object_r:dcc_client_exec_t,s0)
 
+ifdef(`distro_redhat',`
 /usr/libexec/dcc/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
 /usr/libexec/dcc/dccd		--	gen_context(system_u:object_r:dccd_exec_t,s0)
 /usr/libexec/dcc/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
 /usr/libexec/dcc/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)
+')
+ifdef(`distro_debian',`
+/usr/sbin/dbclean               --	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/sbin/dccd		        --	gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/sbin/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/sbin/dccm		        --	gen_context(system_u:object_r:dccm_exec_t,s0)
+')
 
+ifdef(`distro_redhat',`
 /var/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
 /var/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+')
+ifdef(`distro_debian',`
+/var/lib/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
+')
 
 /var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
 /var/run/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/services/xserver.if
+++ refpolicy-0.0.20070507/policy/modules/services/xserver.if
@@ -719,61 +719,25 @@
 
 ########################################
 ## <summary>
-##	Read all users .Xauthority.
+##    Read all users .Xauthority.
 ## </summary>
 ## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
+##    <summary>
+##    Domain allowed access.
+##    </summary>
 ## </param>
 #
 interface(`xserver_read_all_users_xauth',`
-	gen_require(`
-		attribute xauth_home_type;
-	')
-
-	ifdef(`strict_policy',`
-		allow $1 xauth_home_type:file read_file_perms;
-		userdom_search_all_users_home_dirs($1)
-	',`
-		userdom_read_generic_user_home_content_files($1)
-	')
-')
-
-########################################
-## <summary>
-##	Set the attributes of the X windows console named pipes.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_setattr_console_pipes',`
-	gen_require(`
-		type xconsole_device_t;
-	')
-
-	allow $1 xconsole_device_t:fifo_file setattr;
-')
-
-########################################
-## <summary>
-##	Read and write the X windows console named pipe.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_rw_console',`
-	gen_require(`
-		type xconsole_device_t;
-	')
-
-	allow $1 xconsole_device_t:fifo_file { getattr read write };
+      gen_require(`
+              attribute xauth_home_type;
+      ')
+
+      ifdef(`strict_policy',`
+              allow $1 xauth_home_type:file read_file_perms;
+              userdom_search_all_users_home_dirs($1)
+      ',`
+              userdom_read_generic_user_home_content_files($1)
+      ')
 ')
 
 ########################################
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/files.if
+++ refpolicy-0.0.20070507/policy/modules/kernel/files.if
@@ -2578,8 +2578,8 @@
 	gen_require(`
 		type mnt_t;
 	')
-
-	allow $1 mnt_t:dir search_dir_perms;
+        
+        allow $1 mnt_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -2598,6 +2598,7 @@
 	')
 
 	dontaudit $1 mnt_t:dir search_dir_perms;
+	dontaudit $1 mnt_t:lnk_file r_file_perms;
 ')
 
 ########################################
@@ -2616,6 +2617,7 @@
 	')
 
 	allow $1 mnt_t:dir list_dir_perms;
+	allow $1 mnt_t:lnk_file r_file_perms;
 ')
 
 ########################################
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/filesystem.te
+++ refpolicy-0.0.20070507/policy/modules/kernel/filesystem.te
@@ -186,6 +186,7 @@
 genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
+genfscon hostfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/kernel.te
+++ refpolicy-0.0.20070507/policy/modules/kernel/kernel.te
@@ -25,6 +25,7 @@
 role sysadm_r;
 role staff_r;
 role user_r;
+role netuser_r;
 
 ifdef(`enable_mls',`
 	role secadm_r;
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/devices.fc
+++ refpolicy-0.0.20070507/policy/modules/kernel/devices.fc
@@ -1,5 +1,12 @@
 
 /dev			-d	gen_context(system_u:object_r:device_t,s0)
+ifdef(`distro_debian',`
+# this is a static /dev dir "backup mount"
+# if you want to disable udev, you'll have to boot permissive and relabel!
+/dev/\.static	-d		gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev	-d		gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev/(.*)?		<<none>>
+')
 /dev/.*				gen_context(system_u:object_r:device_t,s0)
 
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/kernel/devices.if
+++ refpolicy-0.0.20070507/policy/modules/kernel/devices.if
@@ -474,6 +474,25 @@
 
 ########################################
 ## <summary>
+##	Create FIFO pipes in device directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_generic_pipes',`
+	gen_require(`
+		type device_t;
+	')
+       allow $1 device_t:dir add_entry_dir_perms;
+       allow $1 device_t:fifo_file { getattr create };
+       allow $1 device_t:dir search_dir_perms;
+       allow $1 device_t:file setattr_file_perms;
+')
++########################################
+## <summary>
 ##	Create, delete, read, and write symbolic links in device directories.
 ## </summary>
 ## <param name="domain">
@@ -524,14 +543,14 @@
 		type device_t;
 	')
 
-	manage_dirs_pattern($1,device_t,device_t)
-	manage_sock_files_pattern($1,device_t,device_t)
-	manage_lnk_files_pattern($1,device_t,device_t)
-	manage_chr_files_pattern($1,device_t,{ device_t device_node })
-	manage_blk_files_pattern($1,device_t,{ device_t device_node })
-	relabel_dirs_pattern($1,device_t,device_t)
-	relabel_chr_files_pattern($1,device_t,{ device_t device_node })
-	relabel_blk_files_pattern($1,device_t,{ device_t device_node })
+        manage_dirs_pattern($1,device_t,device_t)
+        manage_sock_files_pattern($1,device_t,device_t)
+        manage_lnk_files_pattern($1,device_t,device_t)
+        manage_chr_files_pattern($1,device_t,{ device_t device_node })
+        manage_blk_files_pattern($1,device_t,{ device_t device_node })
+        relabel_dirs_pattern($1,device_t,device_t)
+        relabel_chr_files_pattern($1,device_t,{ device_t device_node })
+        relabel_blk_files_pattern($1,device_t,{ device_t device_node })
 
 	# these next rules are to satisfy assertions broken by the above lines.
 	# the permissions hopefully can be cut back a lot
--- refpolicy-0.0.20070507.orig/policy/modules/admin/bootloader.fc
+++ refpolicy-0.0.20070507/policy/modules/admin/bootloader.fc
@@ -2,6 +2,16 @@
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
+
+# Debian puts grub in /usr/sbin/grub
+ifdef(`distro_debian',`
+/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/etc/mkinitrd/scripts/.* --	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+')
 /sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+#/sbin/grub-.*		--	gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
+#/sbin/grubby		--	gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
 /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/admin/apt.fc
+++ refpolicy-0.0.20070507/policy/modules/admin/apt.fc
@@ -11,3 +11,8 @@
 # package list repository
 /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# aptitude lock
+/var/lock/aptitude			gen_context(system_u:object_r:apt_lock_t,s0)
+# aptitude log
+/var/log/aptitude			gen_context(system_u:object_r:apt_var_log_t,s0)
--- refpolicy-0.0.20070507.orig/policy/modules/admin/acct.fc
+++ refpolicy-0.0.20070507/policy/modules/admin/acct.fc
@@ -5,4 +5,9 @@
 
 /usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
 
+ifdef(`distro_debian',`
+/var/log/account(/.*)?  gen_context(system_u:object_r:acct_data_t,s0)
+', `
 /var/account(/.*)?		gen_context(system_u:object_r:acct_data_t,s0)
+')
+
--- refpolicy-0.0.20070507.orig/policy/modules/admin/logrotate.te
+++ refpolicy-0.0.20070507/policy/modules/admin/logrotate.te
@@ -121,7 +121,10 @@
 
 cron_system_entry(logrotate_t, logrotate_exec_t)
 cron_search_spool(logrotate_t)
-
+# for logcheck: (Note that this is a design-rule violation for refpolicy,
+# using crond_t in this file directly, should be via an interface!)
+allow crond_t logrotate_var_lib_t:dir search;
+ 
 mta_send_mail(logrotate_t)
 
 ifdef(`distro_debian', `
--- refpolicy-0.0.20070507.orig/policy/modules/admin/logrotate.if
+++ refpolicy-0.0.20070507/policy/modules/admin/logrotate.if
@@ -88,6 +88,24 @@
 
 ########################################
 ## <summary>
+##	Search logrotate runtime directries
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logrotate_search_varlib',`
+	gen_require(`
+		type logrotate_var_lib_t;
+	')
+
+	allow $1 logrotate_var_lib_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to inherit logrotate file descriptors.
 ## </summary>
 ## <param name="domain">
--- refpolicy-0.0.20070507.orig/policy/modules/admin/apt.te
+++ refpolicy-0.0.20070507/policy/modules/admin/apt.te
@@ -26,6 +26,14 @@
 type apt_var_cache_t alias var_cache_apt_t;
 files_type(apt_var_cache_t)
 
+# aptitude log file
+type apt_var_log_t alias var_log_apt_t;
+logging_log_file(apt_var_log_t)
+
+# aptitude lock file
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
 ########################################
 #
 # apt Local policy
@@ -65,6 +73,14 @@
 manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
 files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
 
+# lock files
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t,apt_lock_t,{dir file})
+
+# log files
+allow apt_t apt_var_log_t:file manage_file_perms;
+
 kernel_read_system_state(apt_t)
 kernel_read_kernel_sysctls(apt_t)
 
@@ -105,9 +121,15 @@
 libs_exec_lib_files(apt_t)
 
 logging_send_syslog_msg(apt_t)
+logging_log_filetrans(apt_t, apt_var_log_t, file)
 
 miscfiles_read_localization(apt_t)
 
+# this isn't particularly nice.
+# maybe add a type for ~/.aptitude instead.
+userdom_manage_all_users_home_content_files(apt_t)
+userdom_manage_all_users_home_content_dirs(apt_t)
+
 seutil_use_newrole_fds(apt_t)
 
 sysnet_read_config(apt_t)
@@ -122,6 +144,10 @@
 #')
 
 optional_policy(`
+	pythonsupport_domtrans(apt_t)
+')
+
+optional_policy(`
 	# dpkg interaction
 	dpkg_read_db(apt_t)
 	dpkg_domtrans(apt_t)
--- refpolicy-0.0.20070507.orig/Makefile
+++ refpolicy-0.0.20070507/Makefile
@@ -207,8 +207,8 @@
 
 # default MLS/MCS sensitivity and category settings.
 MLS_SENS ?= 16
-MLS_CATS ?= 256
-MCS_CATS ?= 256
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
 
 ifeq ($(QUIET),y)
 	verbose = @
--- refpolicy-0.0.20070507.orig/build.conf
+++ refpolicy-0.0.20070507/build.conf
@@ -50,11 +50,11 @@
 
 # Number of MLS Categories
 # The categories will be c0 to c(MLS_CATS-1).
-MLS_CATS=256
+MLS_CATS=1024
 
 # Number of MCS Categories
 # The categories will be c0 to c(MLS_CATS-1).
-MCS_CATS=256
+MCS_CATS=1024
 
 # Set this to y to only display status messages
 # during build.