--- refpolicy-2.20110726.orig/build.conf
+++ refpolicy-2.20110726/build.conf
@@ -50,7 +50,7 @@
# User-based access control (UBAC)
# Enable UBAC for role separations.
-UBAC = y
+UBAC = n
# Custom build options. This field enables custom
# build options. Putting foo here will enable
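Review bot: `UBAC = n` flips a security default whose own comment two lines up says it enables role separation, and the hunk gives no rationale, so the next maintainer has nothing to stop them flipping it back; add a one-line comment next to it, e.g. `# Debian: UBAC off; unconfined_u is additionally exempted in policy/constraints`. If `enable_ubac` in policy/constraints is derived from this setting, the `u1 == unconfined_u` exemption this same patch adds to `basic_ubac_conditions` is inert while UBAC is off, so the two changes should be described together in the changelog. Disabling UBAC also removes the user-identity check between all ubac_constrained domains, which is worth stating explicitly for administrators who assumed it.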
--- refpolicy-2.20110726.orig/config/appconfig-mcs/seusers
+++ refpolicy-2.20110726/config/appconfig-mcs/seusers
@@ -1,3 +1,3 @@
system_u:system_u:s0-mcs_systemhigh
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0-mcs_systemhigh
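Review bot: `__default__:unconfined_u:s0-mcs_systemhigh` maps every Linux account without an explicit seusers entry (and, on the line above, root) to an unconfined SELinux user with the full category range, so on this configuration MCS does not separate ordinary logins from each other and confining a user becomes an opt-in per account rather than the default. That is a deliberate targeted-style posture, but nothing in the patch records it; state it in the package documentation and changelog and point administrators to the per-login mapping they must add to confine an account. Because the previous `__default__` mapping was `user_u:s0`, existing installations that relied on unmapped logins being confined silently lose that on upgrade, which deserves an explicit callout.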
--- refpolicy-2.20110726.orig/policy/users
+++ refpolicy-2.20110726/policy/users
@@ -29,7 +29,7 @@
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
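Review bot: `gen_user(unconfined_u, unconfined, unconfined_r system_r, …)` lets processes of the unconfined SELinux user also run in `system_r`, the role the rest of the users file reserves for system processes, and the only nearby comment (`# Until order dependence is fixed for users:`) is about ordering, not this widening. Add a comment on the line naming the workflow that needs the extra role so it is not mistaken for the order-dependence workaround, e.g. `# Debian: unconfined_u may also operate in system_r (see changelog)`. If only a transition from unconfined_r into a system_r domain is needed, a `role_transition` rule would be narrower than granting the role outright — confirm against the actual denial.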
--- refpolicy-2.20110726.orig/policy/constraints
+++ refpolicy-2.20110726/policy/constraints
@@ -28,7 +28,7 @@
define(`basic_ubac_conditions',`
ifdef(`enable_ubac',`
u1 == u2
- or u1 == system_u
+ or u1 == system_u or u1 == unconfined_u
or u2 == system_u
or t1 != ubac_constrained_type
or t2 != ubac_constrained_type
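Review bot: The added `u1 == unconfined_u` exemption in `basic_ubac_conditions` is one-sided: an unconfined_u subject escapes the user check against any object, but the symmetric `u2 == unconfined_u` that `system_u` gets on the following line is not added, so objects owned by unconfined_u stay protected from other users. That asymmetry may be intended (it keeps unconfined users' objects out of reach of confined users) but it needs a one-line comment, e.g. `# Debian: unconfined_u subjects are UBAC-exempt; unconfined_u objects are not`. This macro only takes effect under `enable_ubac`, which — if it is derived from the build.conf `UBAC` setting — this same patch turns off, so confirm the two changes are meant to ship together.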
--- refpolicy-2.20110726.orig/policy/global_tunables
+++ refpolicy-2.20110726/policy/global_tunables
@@ -111,3 +111,10 @@
##
##
gen_tunable(user_tcp_server,false)
+
+##
+##
+## Allow users to manage files on dosfs_t devices, usually removable media
+##
+##
+gen_tunable(user_manage_dos_files,true)
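Review bot: `gen_tunable(user_manage_dos_files,true)` ships a permission-widening tunable enabled by default, whereas the neighbouring tunables in this file (e.g. `user_tcp_server` just above) default to `false` and let administrators opt in. Unless Debian users need write access to `dosfs_t` media out of the box, prefer `gen_tunable(user_manage_dos_files,false)` and document the opt-in. No `tunable_policy` block for this tunable appears in the patch, so confirm it is wired up elsewhere; the description could also name which domains it affects, since it currently only names the object type.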
--- refpolicy-2.20110726.orig/policy/mcs
+++ refpolicy-2.20110726/policy/mcs
@@ -71,32 +71,59 @@
mlsconstrain file { read ioctl lock execute execute_no_trans }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-mlsconstrain file { write setattr append unlink link rename }
+mlsconstrain file { write setattr append link rename }
+ifdef(`distro_debian', `
+ ((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 == mcswriteall ) or (t2 == mcstrustedobject) or ( t2 == domain ));
+', `
(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+')
+
+mlsconstrain file { unlink }
+ifdef(`distro_debian', `
+ ((( h1 dom h2 ) and ( l1 domby l2 )) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or (t2 == mcstrustedobject) or ( t2 == domain ));
+', `
+ (( h1 dom h2 ) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or ( t2 == domain ));
+')
mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t1 == mcsdeleteall ) or ( t2 == domain ));
-mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+mlsconstrain dir { setattr append link rename add_name }
(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+mlsconstrain dir { write unlink remove_name }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t1 == mcsdeleteall ) or ( t2 == domain ));
+
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
+ifdef(`distro_debian', `
+ (( h1 dom h2 ) and ( l2 eq h2 ) and ((l1 domby l2) or (t2 == mcstrustedobject)));
+', `
(( h1 dom h2 ) and ( l2 eq h2 ));
+')
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
( h1 dom h2 );
+# not mandatory at this time - can write down
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { transition dyntransition }
+ifdef(`distro_debian', `
+ (( ( h1 dom h2 ) and ((l1 domby l2) or (t1 == mcssetlow)) ) or ( t1 == mcssetcats ));
+', `
(( h1 dom h2 ) or ( t1 == mcssetcats ));
+')
mlsconstrain process { ptrace }
+ifdef(`distro_debian', `
+ ( (h1 dom h2) and ((l1 domby l2) or ( t1 == mcsptraceall )) );
+', `
(( h1 dom h2) or ( t1 == mcsptraceall ));
+')
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
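Review bot: The Debian branch of the `process { ptrace }` constraint changes what `mcsptraceall` means: in the non-Debian form `( t1 == mcsptraceall )` is an alternative to `h1 dom h2`, but in `( (h1 dom h2) and ((l1 domby l2) or ( t1 == mcsptraceall )) )` the attribute only waives the `l1 domby l2` term and the clearance check still applies, so a debugger domain carrying mcsptraceall but a lower clearance than its target is now denied — if that is intended say so in a comment, otherwise keep the attribute as an outer alternative the way `mcssetcats` is kept in `process { transition dyntransition }`. The attributes `mcsdeleteall`, `mcstrustedobject` and `mcssetlow` are used here but neither declared nor documented in this patch; confirm they exist in the mcs module and give each a one-line comment at its declaration. A short header comment above the first `distro_debian` branch explaining the extra `l1 domby l2` term (the subject's current low level must be dominated by the object's, i.e. no write-down, except to `mcstrustedobject` targets) would make the eight branches far easier to audit. The generic `{ dir file lnk_file … } { create relabelto }` constraint is left without the Debian term, which the added `# not mandatory at this time - can write down` only hints at; spelling out that only class `file` gets the no-write-down rule for create/relabelto avoids a false sense of coverage for the other classes.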
--- refpolicy-2.20110726.orig/policy/support/loadable_module.spt
+++ refpolicy-2.20110726/policy/support/loadable_module.spt
@@ -95,7 +95,7 @@
#
define(`optional_policy',`
ifelse(regexp(`$1',`\W'),`-1',`
- refpolicywarn(`deprecated use of module name ($1) as first parameter of optional_policy() block.')
+ refpolicyerr(`deprecated use of module name ($1) as first parameter of optional_policy() block.')
optional_policy(shift($*))
',`
optional {`'pushdef(`__in_optional_policy')
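Review bot: `refpolicyerr` only turns deprecated usage into a build failure if the macro aborts m4 or the build checks its output; if it is defined alongside `refpolicywarn` as an `errprint` wrapper, this hunk — and the same substitution in policy/support/misc_patterns.spt, policy/support/obj_perm_sets.spt and policy/modules/admin/certwatch.if — merely relabels the message as an error while the deprecated construct still expands and the build succeeds. If the intent is to fail the build, make that explicit, for example by having the macro call `m4exit(1)` after printing or by having the Makefile fail on `Error:` in the m4 output, and say in the changelog that previously tolerated policy now breaks. If the intent is only a louder message, the definition comment at the top of each macro should say so to avoid a false sense of enforcement.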
--- refpolicy-2.20110726.orig/policy/support/misc_patterns.spt
+++ refpolicy-2.20110726/policy/support/misc_patterns.spt
@@ -51,7 +51,7 @@
# Other process permissions
#
define(`send_audit_msgs_pattern',`
- refpolicywarn(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.')
+ refpolicyerr(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.')
allow $1 self:capability audit_write;
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')
--- refpolicy-2.20110726.orig/policy/support/obj_perm_sets.spt
+++ refpolicy-2.20110726/policy/support/obj_perm_sets.spt
@@ -54,47 +54,47 @@
#
# Permissions for getting file attributes.
#
-define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')')
+define(`stat_file_perms', `{ getattr } refpolicyerr(`$0 is deprecated please use getattr_file_perms instead.')')
#
# Permissions for executing files.
#
-define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')
+define(`x_file_perms', `{ getattr open execute } refpolicyerr(`$0 is deprecated please use { getattr execute } instead.')')
#
# Permissions for reading files and their attributes.
#
-define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')
+define(`r_file_perms', `{ open read getattr lock ioctl } refpolicyerr(`$0 is deprecated please use read_file_perms instead.')')
#
# Permissions for reading and executing files.
#
-define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
+define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicyerr(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
#
# Permissions for reading and appending to files.
#
-define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
+define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicyerr(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
#
# Permissions for linking, unlinking and renaming files.
#
-define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')')
+define(`link_file_perms', `{ getattr link unlink rename } refpolicyerr(`$0 is deprecated please use { getattr link unlink rename } instead.')')
#
# Permissions for creating lnk_files.
#
-define(`create_lnk_perms', `{ create read write getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')')
+define(`create_lnk_perms', `{ create read write getattr setattr link unlink rename } refpolicyerr(`$0 is deprecated please use manage_lnk_file_perms instead.')')
#
# Permissions for reading directories and their attributes.
#
-define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')
+define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicyerr(`$0 is deprecated please use list_dir_perms instead.')')
#
# Permissions for reading and adding names to directories.
#
-define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
+define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicyerr(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
#
--- refpolicy-2.20110726.orig/policy/modules/apps/gpg.te
+++ refpolicy-2.20110726/policy/modules/apps/gpg.te
@@ -53,6 +53,7 @@
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)
+files_read_var_lib_files(gpg_pinentry_t)
type gpg_pinentry_tmp_t;
files_tmp_file(gpg_pinentry_tmp_t)
@@ -222,6 +223,9 @@
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)
+files_read_etc_files(gpg_agent_t)
+kernel_read_crypto_sysctls(gpg_agent_t)
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
@@ -272,6 +276,10 @@
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
+optional_policy(`
+ xdm_sigchld(gpg_agent_t)
+')
+
##############################
#
# Pinentry local policy
--- refpolicy-2.20110726.orig/policy/modules/apps/gpg.fc
+++ refpolicy-2.20110726/policy/modules/apps/gpg.fc
@@ -1,6 +1,9 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/gpg.conf gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
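Review bot: Relabeling `HOME_DIR/\.gnupg/gpg.conf` to `user_home_t`, overriding the `gpg_secret_t` that the first line's `HOME_DIR/\.gnupg(/.+)?` pattern still gives the rest of the directory, moves gpg's configuration (keyserver, default-key, trust and digest options) out of the protected secret type into the generic home type that user-domain applications are commonly allowed to write, so a compromised browser or mail client in the same session could alter gpg's behaviour without touching key material. If the goal is to let editors manage the file, a dedicated type or a `gpg_manage_conf`-style interface preserves the distinction; at minimum add a comment above the line stating the trade-off, e.g. `# gpg.conf is user-editable configuration, deliberately not gpg_secret_t`. The `log-socket` entry labelled `gpg_agent_tmp_t` matches the `filetrans_pattern` in gpg.te, which is good; a comment cross-referencing it would keep the two in sync.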
--- refpolicy-2.20110726.orig/policy/modules/apps/gitosis.fc
+++ refpolicy-2.20110726/policy/modules/apps/gitosis.fc
@@ -1,5 +1,9 @@
/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+ifdef(`distro_debian', `
+/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+', `
/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+')
/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/apps/screen.fc
+++ refpolicy-2.20110726/policy/modules/apps/screen.fc
@@ -13,3 +13,6 @@
# /var
#
/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/apps/mono.te
+++ refpolicy-2.20110726/policy/modules/apps/mono.te
@@ -45,6 +45,7 @@
unconfined_domain(mono_t)
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
+ in_unconfined_r(mono_t)
')
optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/apps/pulseaudio.fc
+++ refpolicy-2.20110726/policy/modules/apps/pulseaudio.fc
@@ -5,3 +5,6 @@
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/apps/webalizer.fc
+++ refpolicy-2.20110726/policy/modules/apps/webalizer.fc
@@ -3,6 +3,7 @@
# /usr
#
/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+/usr/bin/awffull -- gen_context(system_u:object_r:webalizer_exec_t,s0)
#
# /var
--- refpolicy-2.20110726.orig/policy/modules/apps/uml.fc
+++ refpolicy-2.20110726/policy/modules/apps/uml.fc
@@ -12,3 +12,6 @@
# /var
#
/var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/apps/mozilla.if
+++ refpolicy-2.20110726/policy/modules/apps/mozilla.if
@@ -17,16 +17,16 @@
#
interface(`mozilla_role',`
gen_require(`
- type mozilla_t, mozilla_exec_t, mozilla_home_t;
+ type mozilla_t, chrome_sandbox_t, mozilla_exec_t, chrome_browser_exec_t, mozilla_home_t;
')
- role $1 types mozilla_t;
+ role $1 types { mozilla_t chrome_sandbox_t };
- domain_auto_trans($2, mozilla_exec_t, mozilla_t)
+ domain_auto_trans($2, { mozilla_exec_t chrome_browser_exec_t }, mozilla_t)
# Unrestricted inheritance from the caller.
allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
- allow mozilla_t $2:fd use;
- allow mozilla_t $2:process { sigchld signull };
+ allow { mozilla_t chrome_sandbox_t } $2:fd use;
+ allow { mozilla_t chrome_sandbox_t } $2:process { sigchld signull };
allow mozilla_t $2:unix_stream_socket connectto;
# Allow the user domain to signal/ps.
@@ -179,10 +179,10 @@
#
interface(`mozilla_domtrans',`
gen_require(`
- type mozilla_t, mozilla_exec_t;
+ type mozilla_t, mozilla_exec_t, chrome_browser_exec_t;
')
- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+ domtrans_pattern($1, { mozilla_exec_t chrome_browser_exec_t }, mozilla_t)
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/apps/mozilla.fc
+++ refpolicy-2.20110726/policy/modules/apps/mozilla.fc
@@ -3,6 +3,7 @@
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
@@ -14,6 +15,9 @@
/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+')
#
# /lib
@@ -27,3 +31,6 @@
/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/chromium(-browser)?/chromium(-browser)?-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+/usr/lib/chromium(-browser)?/chromium(-browser)? -- gen_context(system_u:object_r:chrome_browser_exec_t,s0)
+/usr/lib/xulrunner-1.9.1/xulrunner-stub -- gen_context(system_u:object_r:mozilla_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/apps/awstats.te
+++ refpolicy-2.20110726/policy/modules/apps/awstats.te
@@ -17,6 +17,7 @@
type awstats_var_lib_t;
files_type(awstats_var_lib_t)
+apache_script_exec_domain(awstats)
apache_content_template(awstats)
########################################
--- refpolicy-2.20110726.orig/policy/modules/apps/webalizer.te
+++ refpolicy-2.20110726/policy/modules/apps/webalizer.te
@@ -13,17 +13,13 @@
type webalizer_etc_t;
files_config_file(webalizer_etc_t)
-type webalizer_usage_t;
-files_type(webalizer_usage_t)
-
type webalizer_tmp_t;
files_tmp_file(webalizer_tmp_t)
type webalizer_var_lib_t;
files_type(webalizer_var_lib_t)
-type webalizer_write_t;
-files_type(webalizer_write_t)
+typealias webalizer_var_lib_t alias { webalizer_write_t webalizer_usage_t };
########################################
#
@@ -71,6 +67,7 @@
files_read_etc_files(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
+files_read_usr_files(webalizer_t)
logging_list_logs(webalizer_t)
logging_send_syslog_msg(webalizer_t)
--- refpolicy-2.20110726.orig/policy/modules/apps/mozilla.te
+++ refpolicy-2.20110726/policy/modules/apps/mozilla.te
@@ -19,6 +19,46 @@
application_domain(mozilla_t, mozilla_exec_t)
ubac_constrained(mozilla_t)
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+type chrome_browser_exec_t;
+application_domain(mozilla_t, chrome_browser_exec_t)
+domain_auto_trans(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t)
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+ubac_constrained(chrome_sandbox_t)
+fs_getattr_xattr_fs(chrome_sandbox_t)
+fs_getattr_xattr_fs(mozilla_t)
+
+allow chrome_sandbox_t mozilla_t:dir list_dir_perms;
+allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms;
+allow chrome_sandbox_t mozilla_t:file read_file_perms;
+allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms;
+allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
+allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
+allow chrome_sandbox_t mozilla_t:fd use;
+allow chrome_sandbox_t mozilla_t:file write;
+allow chrome_sandbox_t proc_t:dir read;
+allow chrome_sandbox_t self:process setrlimit;
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+ubac_constrained(chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir })
+allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms;
+allow mozilla_t self:unix_dgram_socket sendto;
+allow mozilla_t chrome_browser_exec_t:file execute_no_trans;
+# for V8
+allow mozilla_t self:process execmem;
+
+
+allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read };
+allow mozilla_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+
+ifdef(`distro_debian', `
+# bug in chromium
+allow mozilla_t chrome_browser_exec_t:file execmod;
+')
+
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
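Review bot: `allow chrome_sandbox_t proc_t:dir read;` references the kernel type `proc_t` directly instead of through its interface, which breaks refpolicy layering and a modular build that has no `gen_require` for it; replace it with `kernel_list_proc(chrome_sandbox_t)`. Several rules here are repeated verbatim in the second mozilla.te hunk — `application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)` and the `fifo_file`, `unix_dgram_socket` and `unix_stream_socket` allows on mozilla_t — so keep a single copy, preferably in the local-policy section. The `execmod` grant on `chrome_browser_exec_t` under `distro_debian` relaxes the no-writable-executable-mapping check for the browser binary; the `# bug in chromium` comment should cite the bug and note when the rule can be dropped, since such workarounds otherwise become permanent. The allow rules and `# for V8` execmem between the `type` statements belong in the local policy section below the declarations, following the file's own layout.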
@@ -55,6 +95,19 @@
# Local policy
#
+dontaudit chrome_sandbox_t domain:dir getattr;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+domain_auto_trans(mozilla_t, chrome_sandbox_exec_t, chrome_sandbox_t)
+allow mozilla_t mozilla_home_t:sock_file manage_sock_file_perms;
+allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms;
+allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write };
+allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write };
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid net_raw net_raw sys_chroot sys_ptrace sys_admin };
+allow chrome_sandbox_t mozilla_t:process { share sigchld };
+allow mozilla_t chrome_sandbox_t:fd use;
+allow mozilla_t chrome_sandbox_t:unix_stream_socket { read write };
+dev_read_sysfs(mozilla_t)
+
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
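Review bot: `allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid net_raw net_raw sys_chroot sys_ptrace sys_admin };` lists `net_raw` twice and hands the setuid sandbox helper dac_override, sys_ptrace, sys_admin and chown with no comment on which sandbox step needs each, so a reviewer cannot tell a required grant from one added to silence a denial. The point of a separate chrome_sandbox_t is to bound what that helper can do, so each capability should carry a justification and any whose denial the helper survives should become a `dontaudit` instead. `dontaudit chrome_sandbox_t domain:dir getattr;` likewise uses the `domain` attribute directly rather than the corresponding interface from domain.if, and `dev_read_sysfs(mozilla_t)` sits in the middle of the sandbox rules; grouping by domain and by module keeps the section auditable.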
--- refpolicy-2.20110726.orig/policy/modules/apps/gpg.if
+++ refpolicy-2.20110726/policy/modules/apps/gpg.if
@@ -22,6 +22,7 @@
type gpg_agent_tmp_t;
type gpg_helper_t, gpg_pinentry_t;
type gpg_pinentry_tmp_t;
+ type gpg_secret_t;
')
role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
@@ -54,6 +55,8 @@
manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ allow $2 gpg_secret_t:dir list_dir_perms;
+
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
@@ -67,6 +70,49 @@
')
')
+############################################################
+##
+## Transition to gpg_agent_t from another domain
+## Used for ssh_agent_t to launch the gpg agent for X logins
+##
+##
+##
+## domain to run the gpg agent
+##
+##
+#
+interface(`run_gpg_agent',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_exec_t;
+ ')
+ domtrans_pattern($1, gpg_agent_exec_t, gpg_agent_t)
+')
+
+########################################
+##
+## Transition to a user domain from gpg_agent_t
+##
+##
+##
+## Domain to transition to
+##
+##
+##
+##
+## Type of file for log data - usually a home type
+##
+##
+#
+interface(`gpg_agent_domtrans_user',`
+ gen_require(`
+ type gpg_agent_t, shell_exec_t, bin_t;
+ ')
+ allow $1 gpg_agent_t:fd use;
+ allow gpg_agent_t $1:process signull;
+ allow gpg_agent_t $2:file { getattr append };
+ domain_auto_trans(gpg_agent_t, { shell_exec_t bin_t }, $1)
+')
+
########################################
##
## Transition to a user gpg domain.
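Review bot: Both new interfaces break the refpolicy rule that an interface name starts with its module prefix: `run_gpg_agent` would be found by nobody searching for `gpg_` interfaces and should be named like `gpg_agent_domtrans`. `gpg_agent_domtrans_user` pulls `shell_exec_t` and `bin_t` from the corecommands module into its `gen_require` instead of using that module's interfaces; `corecmd_shell_domtrans(gpg_agent_t, $1)` and `corecmd_bin_domtrans(gpg_agent_t, $1)` express the same transition without reaching into another module's types. That transition also fires for every `bin_t` program gpg-agent executes, not only the user's shell, which is broad enough to deserve a sentence in the interface description. The summary `## Used for ssh_agent_t to launch the gpg agent for X logins` ties the interface to one caller; describe the interface generally and leave the caller-specific rationale to the call site.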
--- refpolicy-2.20110726.orig/policy/modules/admin/rpm.fc
+++ refpolicy-2.20110726/policy/modules/admin/rpm.fc
@@ -37,7 +37,13 @@
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+')
/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+')
# SuSE
ifdef(`distro_suse', `
--- refpolicy-2.20110726.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20110726/policy/modules/admin/logrotate.te
@@ -103,9 +103,12 @@
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
-# cjp: why is this needed?
+# logrotate has to restart some daemons
init_domtrans_script(logrotate_t)
+# for runlevel
+init_dontaudit_write_utmp(logrotate_t)
+
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
@@ -122,7 +125,7 @@
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
-
+
mta_send_mail(logrotate_t)
ifdef(`distro_debian', `
@@ -142,6 +145,10 @@
')
optional_policy(`
+ unconfined_dontaudit_search_home_dirs(logrotate_t)
+')
+
+optional_policy(`
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
@@ -162,6 +169,10 @@
')
optional_policy(`
+ webalizer_domtrans(logrotate_t)
+')
+
+optional_policy(`
consoletype_exec(logrotate_t)
')
--- refpolicy-2.20110726.orig/policy/modules/admin/alsa.fc
+++ refpolicy-2.20110726/policy/modules/admin/alsa.fc
@@ -2,10 +2,16 @@
/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+ifdef(`distro_debian', `
+/var/lib/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+', `
+/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+')
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/admin/certwatch.if
+++ refpolicy-2.20110726/policy/modules/admin/certwatch.if
@@ -73,6 +73,6 @@
##
#
interface(`certwatach_run',`
- refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.')
+ refpolicyerr(`$0($*) has been deprecated, please use certwatch_run() instead.')
certwatch_run($*)
')
--- refpolicy-2.20110726.orig/policy/modules/admin/kismet.fc
+++ refpolicy-2.20110726/policy/modules/admin/kismet.fc
@@ -4,3 +4,6 @@
/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/admin/vbetool.te
+++ refpolicy-2.20110726/policy/modules/admin/vbetool.te
@@ -30,6 +30,7 @@
dev_rw_sysfs(vbetool_t)
dev_rw_xserver_misc(vbetool_t)
dev_rw_mtrr(vbetool_t)
+fs_list_inotifyfs(vbetool_t)
domain_mmap_low(vbetool_t)
--- refpolicy-2.20110726.orig/policy/modules/admin/tmpreaper.te
+++ refpolicy-2.20110726/policy/modules/admin/tmpreaper.te
@@ -30,8 +30,7 @@
files_getattr_all_dirs(tmpreaper_t)
files_getattr_all_files(tmpreaper_t)
-mls_file_read_all_levels(tmpreaper_t)
-mls_file_write_all_levels(tmpreaper_t)
+mcs_file_delete_all(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
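Review bot: Replacing `mls_file_read_all_levels`/`mls_file_write_all_levels` with `mcs_file_delete_all(tmpreaper_t)` is unconditional, so if this tree is also built with the mls policy type tmpreaper loses its cross-level access there, while the new call depends on an `mcs_file_delete_all` interface and `mcsdeleteall` attribute that the policy/mcs hunk constrains but this patch never declares — confirm both exist. If MLS builds matter, keep the mls_ calls and add the mcs call alongside them, since they are independent: `mls_file_read_all_levels(tmpreaper_t)`, `mls_file_write_all_levels(tmpreaper_t)`, `mcs_file_delete_all(tmpreaper_t)`. The `init_system_domain(tmpreaper_t, tmpreaper_exec_t)` in the next hunk presumably pairs with the init-script labels added in tmpreaper.fc; a comment saying so (`# bootclean init scripts run as tmpreaper_t`) would make that dependency visible.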
@@ -39,6 +38,7 @@
miscfiles_delete_man_pages(tmpreaper_t)
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
ifdef(`distro_redhat',`
userdom_list_user_home_content(tmpreaper_t)
--- refpolicy-2.20110726.orig/policy/modules/admin/quota.te
+++ refpolicy-2.20110726/policy/modules/admin/quota.te
@@ -20,6 +20,7 @@
# Local policy
#
+kernel_request_load_module(quota_t)
allow quota_t self:capability { sys_admin dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
--- refpolicy-2.20110726.orig/policy/modules/admin/logrotate.if
+++ refpolicy-2.20110726/policy/modules/admin/logrotate.if
@@ -84,6 +84,24 @@
########################################
##
+## Search logrotate runtime directries
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logrotate_search_varlib',`
+ gen_require(`
+ type logrotate_var_lib_t;
+ ')
+
+ allow $1 logrotate_var_lib_t:dir search;
+')
+
+########################################
+##
## Do not audit attempts to inherit logrotate file descriptors.
##
##
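Review bot: The summary line of the new interface has a typo and does not match the type it grants: it should read `## Search logrotate var lib directories` (the rule is on `logrotate_var_lib_t`, not a runtime directory). Refpolicy search interfaces also let the caller reach the parent directory, otherwise the grant is unusable from a domain that cannot search `/var/lib`; the body should be `files_search_var_lib($1)` followed by `allow $1 logrotate_var_lib_t:dir search_dir_perms;`. The interface name `logrotate_search_varlib` is fine but `logrotate_search_var_lib` would match the spelling used for the type and the files_ interface.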
--- refpolicy-2.20110726.orig/policy/modules/admin/tmpreaper.fc
+++ refpolicy-2.20110726/policy/modules/admin/tmpreaper.fc
@@ -1,2 +1,6 @@
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+ifdef(`distro_debian', `
+/etc/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+/etc/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20110726/policy/modules/admin/apt.fc
@@ -14,8 +14,12 @@
# aptitude lock
/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+/run/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+')
# aptitude log
-/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
+/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
# dpkg terminal log
/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/admin/sudo.if
+++ refpolicy-2.20110726/policy/modules/admin/sudo.if
@@ -177,3 +177,29 @@
allow $1 sudodomain:process sigchld;
')
+
+#######################################
+##
+## Execute sudo_exec_t without a domain transition
+##
+##
+##
+## This interface allows a domain to execute sudo_exec_t without a
+## domain transition. It is for daemons that already have setuid
+## access but are running as uid != 0.
+##
+##
+##
+##
+## The domain that can execute sudo.
+##
+##
+#
+template(`can_exec_sudo',`
+
+ gen_require(`
+ type sudo_exec_t;
+ ')
+
+ can_exec($1, sudo_exec_t)
+')
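Review bot: `can_exec_sudo` is declared as a `template` although it derives no per-role types, and its name lacks the module prefix; it should be an `interface` named along the lines of `sudo_exec`, which is what other modules will look for. Its description should also state the security consequence of the missing transition, because that is the whole reason a reviewer would hesitate to call it: `## Because no domain transition occurs, the caller's own domain — not the sudo policy — governs the resulting setuid process.` The stray blank line after the opening of the template body is inconsistent with the rest of this file.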
--- refpolicy-2.20110726.orig/policy/modules/admin/vpn.fc
+++ refpolicy-2.20110726/policy/modules/admin/vpn.fc
@@ -11,3 +11,6 @@
/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/admin/mrtg.fc
+++ refpolicy-2.20110726/policy/modules/admin/mrtg.fc
@@ -14,5 +14,12 @@
#
/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+/run/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+')
/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20110726/policy/modules/admin/dpkg.te
@@ -51,8 +51,8 @@
# dpkg Local policy
#
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
-allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable ipc_lock };
+allow dpkg_t self:process { setrlimit setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
@@ -66,6 +66,16 @@
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };
+# This is for se_aptitude et al, so that maintainer scripts can talk back.
+apt_use_fds(dpkg_script_t)
+apt_rw_pipes(dpkg_script_t)
+
+# This is for the maintainer scripts
+init_use_script_fds(dpkg_script_t)
+
+# se_apt-get needs this to run dpkg-preconfigure
+init_use_script_ptys(dpkg_t)
+
allow dpkg_t dpkg_lock_t:file manage_file_perms;
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
@@ -147,7 +157,6 @@
files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
-init_use_script_ptys(dpkg_t)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
@@ -163,11 +172,15 @@
userdom_use_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
+allow userdomain dpkg_var_lib_t:dir list_dir_perms;
+allow userdomain dpkg_var_lib_t:file read_file_perms;
# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
-# since the scripts aren't labeled correctly yet...
+# since the scripts are not labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
+# This is used for running config files for debconf interactions
+allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };
optional_policy(`
apt_use_ptys(dpkg_t)
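Review bot: `allow userdomain dpkg_var_lib_t:dir list_dir_perms;` and the matching `file read_file_perms` rule grant access to every user domain from inside dpkg.te by naming the `userdomain` attribute directly, which reaches across module boundaries (a modular build would need a `gen_require` for it) and hides from the userdomain module that all its domains can read the package database. The refpolicy way is an interface in dpkg.if — `dpkg_read_db($1)` if this file already exports one, otherwise a new one — called from the user-domain templates, where the grant is visible to whoever maintains user confinement. `allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };` turns dpkg's temp type into executable content; the comment explains the debconf case, but noting that dpkg_tmp_t is written only by dpkg_t would reassure a reader that this is not a writable-then-executable hole.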
@@ -289,7 +302,6 @@
auth_manage_all_files_except_auth_files(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
-init_use_script_fds(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
--- refpolicy-2.20110726.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20110726/policy/modules/system/lvm.te
@@ -41,6 +41,11 @@
type lvm_tmp_t;
files_tmp_file(lvm_tmp_t)
+allow lvm_t self:sem create_sem_perms;
+optional_policy(`
+ unconfined_sem_rw(lvm_t)
+')
+
########################################
#
# Cluster LVM daemon local policy
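Review bot: `allow lvm_t self:sem create_sem_perms;` and the `unconfined_sem_rw(lvm_t)` block are inserted in the declarations section, just before the `# Cluster LVM daemon local policy` header, rather than in the lvm_t local-policy block where the rest of lvm_t's self rules live (the second hunk in this file shows `allow lvm_t self:unix_stream_socket …` there). Move them next to those rules, and give `unconfined_sem_rw` a comment naming the scenario in which lvm must attach to an unconfined domain's semaphores, since it is a cross-domain IPC grant that is otherwise unexplained.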
@@ -178,6 +183,7 @@
allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
+term_dontaudit_use_generic_ptys(lvm_t)
manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
--- refpolicy-2.20110726.orig/policy/modules/system/mount.te
+++ refpolicy-2.20110726/policy/modules/system/mount.te
@@ -23,20 +23,26 @@
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
+dev_read_sysfs(mount_t)
+
# causes problems with interfaces when
# this is optionally declared in monolithic
# policy--duplicate type declaration
type unconfined_mount_t;
application_domain(unconfined_mount_t, mount_exec_t)
+kernel_request_load_module(mount_t)
########################################
#
# mount local policy
#
+kernel_setsched(mount_t)
+
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+dev_read_urand(mount_t)
allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t mount_tmp_t:file manage_file_perms;
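Review bot: The new calls are scattered against the file's own layout: `dev_read_sysfs(mount_t)` and `kernel_request_load_module(mount_t)` land in the declarations block above the `# mount local policy` header, and `dev_read_urand(mount_t)` is wedged between `allow mount_t self:capability …` and `allow mount_t mount_loopback_t:file …`. Refpolicy orders a domain's own rules first and then interface calls grouped by module, so the kernel_ and dev_ calls belong together after the self rules, each with a short why-comment (`kernel_request_load_module` lets mount trigger filesystem module autoloading, which is the kind of thing a later reader will want confirmed).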
--- refpolicy-2.20110726.orig/policy/modules/system/lvm.fc
+++ refpolicy-2.20110726/policy/modules/system/lvm.fc
@@ -97,5 +97,15 @@
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+/run/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+')
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+')
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/ipsec.fc
+++ refpolicy-2.20110726/policy/modules/system/ipsec.fc
@@ -43,4 +43,10 @@
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+')
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20110726/policy/modules/system/selinuxutil.te
@@ -107,6 +107,9 @@
type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
+term_read_console(setfiles_t)
+dev_read_urand(setfiles_t)
+dev_rw_generic_chr_files(setfiles_t)
########################################
#
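Review bot: `dev_rw_generic_chr_files(setfiles_t)` grants read and write on every character device labelled with the generic device type, far more than a relabeling tool needs, and it carries no comment; `term_read_console` on the line above already covers reading the console. If this papers over an unlabeled /dev node at early boot (inferred), a `dontaudit` or a narrower device interface would be safer than a blanket rw grant. The three new calls are also in the declarations section rather than under the "Setfiles local policy" header below. At minimum add `# TODO: name the device that needs this and narrow it`.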
@@ -159,6 +162,7 @@
read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
domain_use_interactive_fds(load_policy_t)
+dev_read_urand(load_policy_t)
# for mcs.conf
files_read_etc_files(load_policy_t)
@@ -304,6 +308,7 @@
allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms;
+dev_read_urand(restorecond_t)
allow restorecond_t restorecond_var_run_t:file manage_file_perms;
files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
@@ -424,6 +429,7 @@
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+fs_getattr_xattr_fs(semanage_t)
allow semanage_t policy_config_t:file rw_file_perms;
@@ -431,6 +437,10 @@
allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+ifdef(`targeted_policy',`
+ allow semanage_t initrc_t:fd use;
+')
+
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
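Review bot: `allow semanage_t initrc_t:fd use;` is a raw allow on initrc_t, a type owned by the init module; under a modular build it needs a gen_require, and it bypasses the convention that another module's types are only touched through its interfaces. `init_use_script_fds(semanage_t)` expresses the same access and is already used elsewhere in this patch. The `targeted_policy` ifdef is also worth checking: if this refpolicy version no longer defines that symbol the block is dead and semanage gets nothing.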
@@ -448,6 +458,7 @@
mls_file_write_all_levels(semanage_t)
mls_file_read_all_levels(semanage_t)
+selinux_get_fs_mount(semanage_t)
selinux_validate_context(semanage_t)
selinux_get_enforce_mode(semanage_t)
selinux_getattr_fs(semanage_t)
@@ -493,6 +504,10 @@
')
')
+optional_policy(`
+ pythonsupport_compiled_read(semanage_t)
+')
+
########################################
#
# Setfiles local policy
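Review bot: `pythonsupport_compiled_read(semanage_t)` is called but no pythonsupport.if is part of this patch (only pythonsupport.te and .fc are added), so unless the interface is defined elsewhere the macro stays unexpanded and the build fails — optional_policy tolerates missing types, not undefined m4 macros. Add the interface (read on python_compiled_t dirs, files and lnk_files) alongside the new module, or drop the call.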
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20110726/policy/modules/system/unconfined.te
@@ -21,6 +21,15 @@
init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
+##
+##
+## Enabling this allows some daemons to access unconfined_home_dir_t and
+## unconfined_home_t as if they were regular home directories. This does
+## reduce the protection...
+##
+##
+gen_bool(daemon_access_unconfined_home,true)
+
########################################
#
# Local policy
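Review bot: The description of `daemon_access_unconfined_home` trails off at "This does reduce the protection..." and should say what protection is lost and which daemons are meant; the bool is also not referenced by any tunable_policy or interface in this patch excerpt, so as shown it has no effect. Since it defaults to true, the sentence should at least read along the lines of `## Daemons granted this access can read and write everything under the unconfined user's home, including credentials and dotfiles.`; a default of false would match the usual refpolicy stance that weakening is opt-in.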
@@ -30,10 +39,9 @@
files_create_boot_flag(unconfined_t)
-mcs_killall(unconfined_t)
-mcs_ptrace_all(unconfined_t)
+allow unconfined_r system_r;
-init_run_daemon(unconfined_t, unconfined_r)
+init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
libs_run_ldconfig(unconfined_t, unconfined_r)
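Review bot: `init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })` passes a third argument; in this refpolicy version the interface takes a domain and a role, so unless init_run_daemon has been extended elsewhere in the patch (not visible here) m4 silently drops the extra argument and the change is a no-op. Removing `mcs_killall` and `mcs_ptrace_all` also means unconfined_t can no longer signal or ptrace processes at MCS categories it does not dominate; if that is deliberate, a one-line comment would stop the next reader from restoring them. `allow unconfined_r system_r;` belongs with the role declarations rather than between two interface calls.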
@@ -49,6 +57,9 @@
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+ifdef(`distro_debian',`
+ seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+')
ifdef(`distro_gentoo',`
seutil_run_runinit(unconfined_t, unconfined_r)
seutil_init_script_run_runinit(unconfined_t, unconfined_r)
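Review bot: The Debian block calls `seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })` with three arguments while the Gentoo block directly below calls `seutil_run_runinit(unconfined_t, unconfined_r)` with two, so one of the two does not match the interface's signature; with m4 a surplus argument is silently dropped and a missing one expands empty. Match the Gentoo form unless seutil_run_runinit has been changed in this patch.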
--- refpolicy-2.20110726.orig/policy/modules/system/xen.te
+++ refpolicy-2.20110726/policy/modules/system/xen.te
@@ -83,6 +83,9 @@
files_type(xend_var_lib_t)
# for mounting an NFS store
files_mountpoint(xend_var_lib_t)
+fs_getattr_xattr_fs(xend_t)
+# for /var/lib/python-support/python2.5/.path
+files_read_var_lib_files(xend_t)
# log files
type xend_var_log_t;
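Review bot: `files_read_var_lib_files(xend_t)` grants read on every var_lib_t file to serve the single path named in the comment, `/var/lib/python-support/python2.5/.path`; this patch also introduces python_compiled_t for /var/lib/python-support, so the narrow grant is read on that type (the `pythonsupport_compiled_read` call used for semanage_t elsewhere in this patch, once its interface exists). Both new lines also sit in the declarations section between type declarations rather than under xend's local policy header.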
@@ -341,6 +344,13 @@
netutils_domtrans(xend_t)
+unconfined_dontaudit_search_home_dirs({ xend_t xenconsoled_t xenstored_t })
+ifdef(`distro_debian', `
+# xend uses LD_PRELOAD or similar for libxenctrl.so
+allow xend_t { xenconsoled_t xenstored_t }:process noatsecure;
+')
+allow xend_t xenstored_var_run_t:file manage_file_perms;
+
optional_policy(`
brctl_domtrans(xend_t)
')
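Review bot: `allow xend_t xenstored_var_run_t:file manage_file_perms;` grants the file operations without the directory permissions needed to create or unlink entries in that directory; `manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)` is the refpolicy form and covers both. The `noatsecure` grant is rightly distro-scoped and commented, but the comment should state the trade-off: skipping AT_SECURE on the transition means LD_PRELOAD and similar environment from xend_t is honoured inside xenconsoled_t and xenstored_t, e.g. `# noatsecure: xend relies on LD_PRELOAD for libxenctrl, so the daemons inherit its environment`.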
@@ -354,12 +364,16 @@
# Xen console local policy
#
-allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:capability { dac_override fsetid ipc_lock sys_tty_config };
allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
+allow xenconsoled_t self:unix_dgram_socket create_socket_perms;
+
+# for /usr/lib/pt_chown
+libs_exec_lib_files(xenconsoled_t)
-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+allow xenconsoled_t xen_devpts_t:chr_file { setattr rw_term_perms };
# pid file
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
@@ -377,6 +391,7 @@
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
files_read_etc_files(xenconsoled_t)
+corecmd_search_bin(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
fs_list_tmpfs(xenconsoled_t)
@@ -428,6 +443,10 @@
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file })
+allow xend_t xenstored_var_lib_t:dir rw_dir_perms;
+allow xend_t xenstored_var_lib_t:file unlink;
+corecmd_search_bin(xenstored_t)
+fs_manage_xenfs_dirs(xenstored_t)
stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
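Review bot: `allow xend_t xenstored_var_lib_t:dir rw_dir_perms;` and `allow xend_t xenstored_var_lib_t:file unlink;` have xend_t as subject but are placed in the xenstored local policy section; refpolicy keeps rules with their subject domain. `delete_files_pattern(xend_t, xenstored_var_lib_t, xenstored_var_lib_t)` expresses the unlink case and belongs in the xend section. `corecmd_search_bin(xenstored_t)` and `fs_manage_xenfs_dirs(xenstored_t)` are fine here but would read better with the other interface calls after the local allow rules.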
@@ -472,6 +491,7 @@
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
files_search_var_lib(xm_t)
+files_read_kernel_img(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
allow xm_t xen_image_t:file read_file_perms;
--- refpolicy-2.20110726.orig/policy/modules/system/xen.fc
+++ refpolicy-2.20110726/policy/modules/system/xen.fc
@@ -32,12 +32,36 @@
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+')
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
+')
/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+')
/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+')
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+')
/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+')
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
+')
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
+')
/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/init.if
+++ refpolicy-2.20110726/policy/modules/system/init.if
@@ -346,6 +346,8 @@
domtrans_pattern(initrc_t, $2, $1)
+ init_use_fds($1)
+
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
# fds open from the initrd
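Review bot: Adding `init_use_fds($1)` inside init_domtrans_script changes what every existing caller of the interface receives — each now also gets use of init_t's file descriptors rather than just the domain transition — and this patch adds udev_t as a new caller too. If only some callers need the inherited descriptors, grant `init_use_fds` at those call sites instead of widening a shared interface. The interface's definition starts outside this hunk.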
--- refpolicy-2.20110726.orig/policy/modules/system/init.fc
+++ refpolicy-2.20110726/policy/modules/system/init.fc
@@ -15,6 +15,16 @@
/etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/x11/startDM\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
')
+ifdef(`distro_debian',`
+/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+')
+/var/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+')
+')
#
# /dev
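Review bot: The outer `ifdef(`distro_debian',` already guards everything in this block, so the two inner `ifdef(`distro_debian', ...)` wrappers around the `/run/...` entries are redundant and only add nesting. Flatten to a single ifdef containing the four entries; the same nested pattern appears in sysnetwork.fc and udev.fc in this patch.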
--- refpolicy-2.20110726.orig/policy/modules/system/init.te
+++ refpolicy-2.20110726/policy/modules/system/init.te
@@ -178,6 +178,12 @@
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
+ifdef(`distro_debian',`
+ fs_rw_tmpfs_chr_files(init_t)
+ fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+')
+
+optional_policy(`
tunable_policy(`init_upstart',`
corecmd_shell_domtrans(init_t, initrc_t)
',`
@@ -185,6 +191,7 @@
# causes problems with upstart
sysadm_shell_domtrans(init_t)
')
+')
optional_policy(`
auth_rw_login_records(init_t)
@@ -240,7 +247,8 @@
manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
-files_pid_filetrans(initrc_t, initrc_var_run_t, file)
+files_pid_filetrans(initrc_t,initrc_var_run_t,file)
+storage_var_run_filetrans_fixed_disk(initrc_t)
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -287,6 +295,7 @@
dev_read_framebuffer(initrc_t)
dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
+clock_rw_adjtime(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
@@ -294,8 +303,14 @@
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-# Wants to remove udev.tbl:
-dev_delete_generic_symlinks(initrc_t)
+
+optional_policy(`
+ # Wants to remove udev.tbl:
+ dev_delete_generic_symlinks(initrc_t)
+ udev_unlink_table(initrc_t)
+ dev_delete_generic_dirs(initrc_t)
+')
+
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
# Early devtmpfs
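Review bot: Wrapping `dev_delete_generic_symlinks(initrc_t)` and `dev_delete_generic_dirs(initrc_t)` in the same `optional_policy` as `udev_unlink_table(initrc_t)` ties two devices-module rules to the presence of the udev module: if udev is not loaded the whole block is dropped, including the udev.tbl removal the comment describes, which previously was unconditional. Keep the two dev_* calls outside and put only `udev_unlink_table(initrc_t)` inside `optional_policy(`...')`.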
@@ -391,6 +406,7 @@
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
+logging_setattr_xconsole(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -407,10 +423,18 @@
# started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
+# seed udev /dev
+dev_create_generic_dirs(initrc_t)
+
ifdef(`distro_debian',`
- dev_setattr_generic_dirs(initrc_t)
+ # to be able to create /dev/xconsole
+ dev_create_generic_pipes(initrc_t)
- fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
+ # for /etc/network/run/ifstate
+ sysnet_manage_config(initrc_t)
+ fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)
+ allow initrc_t initrc_var_run_t:dir manage_dir_perms;
+ allow initrc_t initrc_var_run_t:lnk_file manage_lnk_file_perms;
# for storing state under /dev/shm
fs_setattr_tmpfs_dirs(initrc_t)
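Review bot: `sysnet_manage_config(initrc_t)` grants initrc_t create, write and delete on every net_conf_t file — the sysnetwork.fc entries, not only the ifstate file the comment names — so it is a broad grant for one file. A dedicated type or a filetrans into a type initrc_t already manages would be tighter; at minimum the comment should name the path that is actually labelled net_conf_t on Debian (this patch labels /dev/shm/network and /run/shm/network, not /etc/network/run). `fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)` differs from the removed line only by dropping the spaces after the commas, which is noise against the file's style.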
@@ -418,6 +442,21 @@
storage_tmpfs_filetrans_fixed_disk(initrc_t)
files_setattr_etc_dirs(initrc_t)
+
+ selinux_get_fs_mount(init_t)
+
+ # for /lib/init/rw/.ramfs
+ fs_tmpfs_filetrans(initrc_t,initrc_state_t,file)
+
+ # for progress_state which is created by the initramfs
+ fs_allow_tmpfs_file_read(initrc_t)
+
+ # /etc/network/if-up.d/mountnfs wants to mkdir
+ # /var/run/network/mountnfs as a poor mans lock
+ allow initrc_t var_run_t:dir create;
+
+ # for lsb_release which calls apt-cache
+ apt_read_cache(initrc_t)
')
ifdef(`distro_gentoo',`
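Review bot: `allow initrc_t var_run_t:dir create;` is a raw allow on var_run_t, a type owned by the files module, and should go through a files interface or a filetrans into initrc_var_run_t so the lock directory gets a type initrc_t already manages; a raw rule also needs the type in scope under modular builds. `selinux_get_fs_mount(init_t)` has init_t as subject but sits inside the initrc_t Debian block — move it to init_t's section. The interface name `fs_allow_tmpfs_file_read` does not follow the `fs_read_*` naming used by the rest of the file; confirm it exists.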
@@ -427,13 +466,11 @@
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
- dev_create_generic_dirs(initrc_t)
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
# with /dev/.rcboot to decide if we are in
# early init
- dev_create_generic_dirs(initrc_t)
dev_delete_generic_dirs(initrc_t)
# allow bootmisc to create /var/lock/.keep.
@@ -735,6 +772,7 @@
optional_policy(`
postfix_list_spool(initrc_t)
+ postfix_read_config(initrc_t)
')
optional_policy(`
@@ -844,9 +882,6 @@
')
optional_policy(`
- # Set device ownerships/modes.
- xserver_setattr_console_pipes(initrc_t)
-
# init script wants to check if it needs to update windowmanagerlist
xserver_read_xdm_rw_config(initrc_t)
')
--- refpolicy-2.20110726.orig/policy/modules/system/authlogin.fc
+++ refpolicy-2.20110726/policy/modules/system/authlogin.fc
@@ -1,11 +1,12 @@
/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/\.group\.edit\.swp -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/\.gshadow\.edit\.swp -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/\.passwd\.edit\.swp -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/\.shadow\.edit\.swp -- gen_context(system_u:object_r:shadow_t,s0)
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
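Review bot: Removing the shadow_t entries for `/etc/.pwd.lock`, `/etc/group.lock` and `/etc/passwd.lock` lets those files fall back to the generic /etc label, so any domain that can write etc_t can create or hold the lock that lckpwdf() and the shadow-suite tools take around passwd/shadow edits; nothing in the hunk says why they were dropped. If Debian's tools use different lock names, add those instead of deleting the entries; otherwise keep them. The new `.edit.swp` entries look like editor swap files and deserve a comment naming the tool that creates them (vipw/vigr presumably).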
--- refpolicy-2.20110726.orig/policy/modules/system/setrans.te
+++ refpolicy-2.20110726/policy/modules/system/setrans.te
@@ -50,7 +50,7 @@
files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
kernel_read_kernel_sysctls(setrans_t)
-kernel_read_proc_symlinks(setrans_t)
+kernel_read_system_state(setrans_t)
# allow performing getpidcon() on all processes
domain_read_all_domains_state(setrans_t)
--- refpolicy-2.20110726.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20110726/policy/modules/system/sysnetwork.te
@@ -253,6 +253,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
+term_read_console(ifconfig_t)
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
--- refpolicy-2.20110726.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20110726/policy/modules/system/sysnetwork.fc
@@ -28,6 +28,13 @@
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
+ifdef(`distro_debian', `
+/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+ifdef(`distro_debian', `
+/run/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+')
+')
#
# /sbin
#
@@ -60,6 +67,9 @@
/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+')
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/logging.fc
+++ refpolicy-2.20110726/policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
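Review bot: A file context for `/dev/xconsole` only takes effect when something runs restorecon on /dev; the pipe is created at boot (this patch grants initrc_t `dev_create_generic_pipes` for exactly that), and a pipe created that way gets the generic device type unless a type transition applies, so the new logging_*_xconsole interfaces would never match the live object. Add a transition for the creator, e.g. `dev_filetrans(initrc_t, xconsole_device_t, fifo_file)`, or have the init script restore the context after creating it. xconsole_device_t's declaration is not visible in this excerpt.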
--- refpolicy-2.20110726.orig/policy/modules/system/pythonsupport.te
+++ refpolicy-2.20110726/policy/modules/system/pythonsupport.te
@@ -0,0 +1,41 @@
+policy_module(pythonsupport,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type pythoncompile_t;
+type pythoncompile_exec_t;
+domain_type(pythoncompile_t)
+domain_entry_file(pythoncompile_t, pythoncompile_exec_t)
+
+type python_compiled_t;
+files_type(python_compiled_t)
+
+########################################
+#
+# python-support local policy
+#
+
+kernel_read_system_state(pythoncompile_t)
+kernel_read_kernel_sysctls(pythoncompile_t)
+
+corecmd_exec_bin(pythoncompile_t)
+corecmd_exec_sbin(pythoncompile_t)
+
+files_read_etc_files(pythoncompile_t)
+files_read_usr_files(pythoncompile_t)
+
+libs_use_ld_so(pythoncompile_t)
+libs_use_shared_libs(pythoncompile_t)
+libs_use_lib_files(pythoncompile_t)
+
+miscfiles_read_localization(pythoncompile_t)
+
+
+# create compiled python modules
+allow pythoncompile_t python_compiled_t:dir manage_dir_perms;
+allow pythoncompile_t python_compiled_t:file manage_file_perms;
+allow pythoncompile_t python_compiled_t:lnk_file manage_lnk_file_perms;
+files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)
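Review bot: The new pythoncompile_t domain has no way in: no role statement, no domtrans interface, and no pythonsupport.if in this patch at all, even though selinuxutil.te calls `pythonsupport_compiled_read`. Add a pythonsupport.if with at least `pythonsupport_domtrans` and `pythonsupport_compiled_read`, and give the domain a role (`role system_r types pythoncompile_t;` or use `init_system_domain`) so update-python-modules can actually be entered from dpkg. `corecmd_exec_sbin`, `libs_use_ld_so` and `libs_use_shared_libs` may be deprecated in this refpolicy version (sbin_t folded into bin_t, library access granted by domain_type) — confirm against the tree. There is also a stray double blank line before `# create compiled python modules`.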
--- refpolicy-2.20110726.orig/policy/modules/system/clock.te
+++ refpolicy-2.20110726/policy/modules/system/clock.te
@@ -24,6 +24,7 @@
dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file rw_fifo_file_perms;
+dev_read_urand(hwclock_t)
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
--- refpolicy-2.20110726.orig/policy/modules/system/pcmcia.fc
+++ refpolicy-2.20110726/policy/modules/system/pcmcia.fc
@@ -7,4 +7,10 @@
/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
/var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+')
/var/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/getty.fc
+++ refpolicy-2.20110726/policy/modules/system/getty.fc
@@ -7,6 +7,9 @@
/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
+')
/var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
/var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/hotplug.fc
+++ refpolicy-2.20110726/policy/modules/system/hotplug.fc
@@ -8,4 +8,10 @@
/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
/var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+')
/var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/libraries.te
+++ refpolicy-2.20110726/policy/modules/system/libraries.te
@@ -97,6 +97,11 @@
userdom_use_user_terminals(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
+optional_policy(`
+ # This is needed for apt to get and install packages silently
+ apt_dontaudit_use_fds(ldconfig_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(ldconfig_t)
--- refpolicy-2.20110726.orig/policy/modules/system/iodine.fc
+++ refpolicy-2.20110726/policy/modules/system/iodine.fc
@@ -0,0 +1 @@
+/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/iodine.te
+++ refpolicy-2.20110726/policy/modules/system/iodine.te
@@ -0,0 +1,26 @@
+policy_module(iodine,1.0.0)
+
+# policy for the iodine IP over DNS tunneling daemon
+type iodine_t;
+type iodine_exec_t;
+files_type(iodine_exec_t)
+init_daemon_domain(iodine_t, iodine_exec_t)
+
+logging_send_syslog_msg(iodine_t)
+kernel_search_network_sysctl(iodine_t)
+kernel_read_network_state(iodine_t)
+kernel_request_load_module(iodine_t)
+kernel_read_system_state(iodine_t)
+files_read_etc_files(iodine_t)
+corecmd_exec_shell(iodine_t)
+allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
+sysnet_domtrans_ifconfig(iodine_t)
+
+allow iodine_t self:rawip_socket { write read create };
+allow iodine_t self:unix_dgram_socket { create connect };
+corenet_raw_receive_generic_node(iodine_t)
+corenet_rw_tun_tap_dev(iodine_t)
+corenet_udp_bind_dns_port(iodine_t)
+corenet_udp_bind_generic_node(iodine_t)
+allow iodine_t self:udp_socket connected_socket_perms;
+allow iodine_t self:tun_socket create;
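Review bot: The new iodine module lacks the section layout the rest of the tree uses (Declarations / local policy headers, self rules first, interface calls grouped by module), which makes its rule set hard to audit. The capability line `{ setgid setuid net_bind_service net_admin net_raw sys_chroot }` and `corecmd_exec_shell(iodine_t)` need comments — presumably privilege dropping plus chroot, and a shell for the tun setup script that then goes through `sysnet_domtrans_ifconfig` — so a reader can check they are still required. `files_type(iodine_exec_t)` is likely redundant if `init_daemon_domain` already marks the entry file through domain_entry_file (confirm), and `allow iodine_t self:unix_dgram_socket { create connect };` is likely already covered by `logging_send_syslog_msg` (confirm).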
--- refpolicy-2.20110726.orig/policy/modules/system/udev.te
+++ refpolicy-2.20110726/policy/modules/system/udev.te
@@ -14,6 +14,8 @@
domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)
+init_domtrans_script(udev_t)
+
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -52,8 +54,8 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
+fs_read_anon_inodefs_files(udev_t)
-allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
allow udev_t udev_helper_exec_t:dir list_dir_perms;
@@ -64,10 +66,13 @@
# create udev database in /dev/.udevdb
allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
+allow udev_t udev_tbl_t:lnk_file manage_lnk_file_perms;
+allow udev_t udev_tbl_t:dir manage_dir_perms;
+dev_filetrans(udev_t,udev_tbl_t,file)
list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+read_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
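Review bot: With `manage_dir_perms` and `manage_lnk_file_perms` on udev_tbl_t added, `dev_filetrans(udev_t,udev_tbl_t,file)` still only transitions files, so directories and symlinks udev creates under /dev keep the generic device type unless another rule applies; if they are meant to be udev_tbl_t use `dev_filetrans(udev_t, udev_tbl_t, { file dir lnk_file })`. The dev_filetrans line otherwise changes only by dropping the spaces after the commas, which is style noise against the rest of the file.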
@@ -97,6 +102,7 @@
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
+dev_create_generic_symlinks(udev_t)
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
@@ -110,7 +116,11 @@
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
+ifdef(`distro_debian', `
+files_manage_etc_runtime_files(udev_t)
+', `
files_read_etc_runtime_files(udev_t)
+')
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
files_dontaudit_search_isid_type_dirs(udev_t)
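Review bot: `files_manage_etc_runtime_files(udev_t)` upgrades udev from read to create/write/delete on etc_runtime_t for Debian with no comment naming the file it has to write; that type also covers generated files such as /etc/mtab (inferred from the files module's contexts), so the grant is wider than one file. Add a comment with the path, e.g. `# udev writes <which file?> under /etc on Debian`, so the grant can be narrowed later.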
@@ -161,22 +171,29 @@
seutil_domtrans_setfiles(udev_t)
sysnet_domtrans_ifconfig(udev_t)
+sysnet_manage_config(udev_t)
sysnet_domtrans_dhcpc(udev_t)
sysnet_rw_dhcp_config(udev_t)
sysnet_read_dhcpc_pid(udev_t)
sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
-sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
userdom_dontaudit_search_user_home_content(udev_t)
+fstools_getattr_swap_files(udev_t)
+
ifdef(`distro_gentoo',`
# during boot, init scripts use /dev/.rcsysinit
# existance to determine if we are in early booting
init_getattr_script_status_files(udev_t)
')
+ifdef(`distro_debian',`
+ fs_manage_tmpfs_dirs(udev_t)
+ fs_manage_tmpfs_chr_files(udev_t)
+')
+
ifdef(`distro_redhat',`
fs_manage_tmpfs_dirs(udev_t)
fs_manage_tmpfs_files(udev_t)
@@ -285,6 +302,7 @@
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
+ fs_manage_xenfs_files(udev_t)
')
optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/system/udev.fc
+++ refpolicy-2.20110726/policy/modules/system/udev.fc
@@ -11,7 +11,15 @@
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+ifdef(`distro_debian', `
+/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
+')
+', `
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+')
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
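Review bot: The inner `ifdef(`distro_debian', ...)` around `/run/xen-hotplug` is nested inside an outer `ifdef(`distro_debian', ...)` and is therefore redundant; flatten it. Moving `/sbin/start_udev` into the else branch also means it is unlabelled on Debian — harmless if the file does not exist there, but worth a comment. The /var/run/xen-hotplug entries are xen material rather than udev; if xen.fc is the natural owner they would be easier to find there.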
--- refpolicy-2.20110726.orig/policy/modules/system/setrans.fc
+++ refpolicy-2.20110726/policy/modules/system/setrans.fc
@@ -3,3 +3,6 @@
/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
+ifdef(`distro_debian', `
+/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/pythonsupport.fc
+++ refpolicy-2.20110726/policy/modules/system/pythonsupport.fc
@@ -0,0 +1,2 @@
+/usr/sbin/update-python-modules -- gen_context(system_u:object_r:pythoncompile_exec_t,s0)
+/var/lib/python-support(/.*)? gen_context(system_u:object_r:python_compiled_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/raid.fc
+++ refpolicy-2.20110726/policy/modules/system/raid.fc
@@ -4,3 +4,6 @@
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/udev.if
+++ refpolicy-2.20110726/policy/modules/system/udev.if
@@ -168,6 +168,24 @@
########################################
##
+## Allow process to remove udev table files
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`udev_unlink_table',`
+ gen_require(`
+ type udev_tbl_t;
+ ')
+
+ allow $1 udev_tbl_t:file unlink;
+')
+
+########################################
+##
## Read the udev device table.
##
##
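Review bot: `udev_unlink_table` grants only `udev_tbl_t:file unlink`; actually removing the file also needs `remove_name`/`write` on the containing /dev directory, which the caller must obtain separately (initrc_t gets it through the dev_delete_generic_* calls in init.te), so the summary should say so. Refpolicy names these interfaces by verb and object, as the read interface that follows does — `udev_delete_table_files` would fit.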
--- refpolicy-2.20110726.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20110726/policy/modules/system/authlogin.if
@@ -426,7 +426,7 @@
corecmd_search_bin($1)
domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
- dontaudit $1 shadow_t:file { getattr read };
+ dontaudit $1 shadow_t:file { open getattr read };
auth_domtrans_upd_passwd($1)
')
--- refpolicy-2.20110726.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20110726/policy/modules/system/modutils.te
@@ -20,6 +20,8 @@
mls_file_write_all_levels(insmod_t)
role system_r types insmod_t;
+kernel_request_load_module(insmod_t)
+
# module loading config
type modules_conf_t;
files_type(modules_conf_t)
@@ -75,6 +77,12 @@
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
+ifdef(`distro_debian',`
+ optional_policy(`
+ unconfined_run_to(depmod_t, depmod_exec_t)
+ ')
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(depmod_t)
@@ -104,11 +112,14 @@
# insmod local policy
#
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow insmod_t self:capability { dac_override net_raw sys_admin sys_nice sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
allow insmod_t self:rawip_socket create_socket_perms;
+fs_mount_rpc_pipefs(insmod_t)
+fs_list_rpc(insmod_t)
+term_read_console(insmod_t)
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
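Review bot: Adding `sys_admin` to insmod_t's capabilities is a large grant — it covers mount and much else — and the hunk gives no reason; the adjacent `fs_mount_rpc_pipefs(insmod_t)` suggests it is there for mounting rpc_pipefs when a module's install script runs (inferred). Put a comment on the capability line stating that, and check whether a `dontaudit` suffices if the mount itself already succeeds. `term_read_console` and the two fs_* calls also belong with the other interface calls below the self rules.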
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20110726/policy/modules/system/unconfined.if
@@ -96,6 +96,7 @@
optional_policy(`
xserver_unconfined($1)
')
+
')
########################################
@@ -319,6 +320,38 @@
########################################
##
+## Allow a domain to be in role unconfined_r
+##
+##
+##
+## Allow the specified domain to be run in the role unconfined_r
+## This is suitable for domains that are entered indirectly from
+## unconfined_t
+##
+##
+## Also allow the domain to send sigchld to unconfined_t and use fds
+##
+##
+##
+##
+## Domain to be in unconfined_r
+##
+##
+#
+interface(`in_unconfined_r',`
+ gen_require(`
+ type unconfined_t;
+ role unconfined_r;
+ ')
+
+ role unconfined_r types $1;
+ allow $1 unconfined_t:process sigchld;
+ allow $1 unconfined_t:fd use;
+ allow $1 unconfined_t:fifo_file { read write getattr };
+')
+
+########################################
+##
## Inherit file descriptors from the unconfined domain.
##
##
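Review bot: `in_unconfined_r` lacks the module prefix that every other interface in unconfined.if carries, so callers cannot tell which module provides it and the name can collide with any other module; name it with the prefix, e.g. `unconfined_role_types`. `allow $1 unconfined_t:fifo_file { read write getattr };` can use `rw_fifo_file_perms` like the rest of the file.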
@@ -337,6 +370,24 @@
########################################
##
+## rw access to a semaphore created by the unconfined domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_sem_rw',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:sem rw_sem_perms;
+')
+
+########################################
+##
## Send a SIGCHLD signal to the unconfined domain.
##
##
@@ -587,3 +638,82 @@
allow $1 unconfined_t:dbus acquire_svc;
')
+
+########################################
+##
+## Read files in unconfined users home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_read_home_content_files',`
+ gen_require(`
+ type unconfined_home_dir_t, unconfined_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+')
+
+########################################
+##
+## Do not audit attempts to search the unconfined
+## users home directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`unconfined_dontaudit_search_home_dirs',`
+ gen_require(`
+ type unconfined_home_dir_t;
+ ')
+
+ dontaudit $1 unconfined_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read unconfined users temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_read_tmp_files',`
+ gen_require(`
+ type unconfined_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 unconfined_tmp_t:dir list_dir_perms;
+ read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+ read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+')
+
+########################################
+##
+## Write unconfined users temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_write_tmp_files',`
+ gen_require(`
+ type unconfined_tmp_t;
+ ')
+
+ allow $1 unconfined_tmp_t:file { getattr write append };
+')
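Review bot: `unconfined_write_tmp_files` grants `{ getattr write append }` without `open`, so on a policy with the open permission it only works on descriptors inherited from unconfined_t; if that is the intent, say so in the summary, otherwise add `open` or use `write_files_pattern` as the read interface implicitly does through `read_files_pattern`. The three home/tmp interfaces require unconfined_home_dir_t, unconfined_home_t and unconfined_tmp_t, none of which are declared in the unconfined.te hunks shown here — confirm they exist, since the gen_require fails otherwise.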
--- refpolicy-2.20110726.orig/policy/modules/system/logging.if
+++ refpolicy-2.20110726/policy/modules/system/logging.if
@@ -901,6 +901,41 @@
########################################
##
+## Set the attributes of the xconsole named pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_setattr_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+##
+## Read the xconsole named pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_r_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr read };
+')
+########################################
+##
## Create, read, write, and delete
## generic log files.
##
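Review bot: `logging_r_xconsole` grants `{ getattr read }` without `open`, so a reader that opens /dev/xconsole itself (the usual xconsole case) is still denied; `read_fifo_file_perms` is the permission set the rest of the file uses. The name should spell out the verb as its neighbours do (`logging_read_xconsole`), and a blank line is missing before the `####` separator that follows it.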
--- refpolicy-2.20110726.orig/policy/modules/system/unconfined.fc
+++ refpolicy-2.20110726/policy/modules/system/unconfined.fc
@@ -1,7 +1,5 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
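Review bot: Labelling `/opt/google/chrome/chrome` as `unconfined_execmem_exec_t` takes a browser that renders untrusted network content out of SELinux confinement entirely, and the execmem variant additionally lifts the executable-memory restriction, so the one program most exposed to hostile input ends up with the least policy coverage. If the entry is kept for practical reasons, a comment stating that trade-off (`# unconfined: no confined browser domain yet; needs execmem for its JIT`, assuming that is the reason) stops a later reader taking it as the recommended labelling. Note too that the three deleted lines were the file's only inline example of how to add an entry.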
@@ -9,6 +7,9 @@
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/gcj-dbtool-4.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/gij-4.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/lib/openoffice/program/soffice.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
ifdef(`distro_gentoo',`
/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
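Review bot: The `.` in `soffice.bin`, `gcj-dbtool-4.1` and `gij-4.1` is unescaped, so it is a regex wildcard rather than a literal dot, unlike the escaped `\.bin` in the neighbouring entries; `/usr/lib/openoffice/program/soffice\.bin` and `/usr/bin/gij-4\.1` are the literal forms. The hard-coded `4.1` will also silently stop matching on the next gcj release, so a version-tolerant pattern such as `/usr/bin/gij-[0-9.]+` is more durable if the label is meant to survive upgrades.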
--- refpolicy-2.20110726.orig/policy/modules/system/fstools.fc
+++ refpolicy-2.20110726/policy/modules/system/fstools.fc
@@ -36,6 +36,9 @@
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+# this is not ideal, but the best way to minimise privs for initrc_t
+/sbin/logsave -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/logging.te
+++ refpolicy-2.20110726/policy/modules/system/logging.te
@@ -61,6 +61,11 @@
type syslog_conf_t;
files_config_file(syslog_conf_t)
+ifdef(`distro_debian', `
+# for xconsole detection
+ allow initrc_t syslog_conf_t:file read_file_perms;
+')
+
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
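Review bot: `allow initrc_t syslog_conf_t:file read_file_perms;` is a rule about another module's domain written directly into logging.te; the refpolicy convention is to call a logging interface from init.te (something like `logging_read_syslog_config(initrc_t)`, if this tree has it) so the cross-module access is visible on the caller's side and survives module reshuffles. The `# for xconsole detection` comment is also unindented while the rule it explains is indented inside the ifdef.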
@@ -81,6 +86,13 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+dev_associate(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
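Review bot: `allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;` applies the regular-file permission set to a FIFO; the matching macro is `rw_fifo_file_perms`, which this same file uses for `auditd_t self:fifo_file` a few hunks later. The type moves here from xserver, and the xserver.fc hunk in this patch deletes the `/dev/xconsole -p` context line, but no logging.fc hunk in this chunk re-adds it — unless that lives outside this chunk, /dev/xconsole ends up unlabelled and the new syslogd_t rule never applies. A one-line comment naming what creates the pipe (the syslog init script, presumably) would also explain why both `dev_associate` and `files_associate_tmp` are needed.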
@@ -93,6 +105,7 @@
allow auditctl_t self:capability { fsetid dac_read_search dac_override };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+dev_read_urand(auditctl_t)
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
@@ -132,6 +145,7 @@
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:fifo_file rw_fifo_file_perms;
allow auditd_t self:tcp_socket create_stream_socket_perms;
+dev_read_urand(auditd_t)
allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
@@ -224,6 +238,7 @@
allow audisp_t self:fifo_file rw_fifo_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;
+dev_read_urand(audisp_t)
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
@@ -354,11 +369,11 @@
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
# setrlimit for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit };
+allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
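Review bot: `sys_nice` and `getsched setsched` are added without the per-capability explanation that the surrounding comments give for chown, fsetid, sys_admin and net_admin, so the next reader cannot tell which syslog implementation needs them; a line such as `# sys_nice/setsched: <daemon> adjusts its worker thread priorities`, naming the actual daemon, keeps the block self-documenting. The rewrite also reorders the existing capability list alphabetically, which makes the diff larger than the one-token change it carries.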
@@ -377,6 +392,9 @@
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+# for rsyslogd, this access is harmless so making it unconditional
+allow syslogd_t proc_t:file { getattr read };
+
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
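Review bot: `allow syslogd_t proc_t:file { getattr read };` references a kernel-module type directly, and the comment only asserts the access is harmless; the conventional form is the kernel interface covering proc files, `kernel_read_system_state(syslogd_t)` (the jabber.te hunk in this patch uses the same call), which documents the intent and keeps `proc_t` out of logging.te. If rsyslogd only needs one specific proc file, the comment should name it so the grant can be narrowed later.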
@@ -506,8 +524,3 @@
optional_policy(`
udev_read_db(syslogd_t)
')
-
-optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
-')
--- refpolicy-2.20110726.orig/policy/modules/system/iscsi.fc
+++ refpolicy-2.20110726/policy/modules/system/iscsi.fc
@@ -3,5 +3,12 @@
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+/run/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+')
/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/userdomain.te
+++ refpolicy-2.20110726/policy/modules/system/userdomain.te
@@ -91,6 +91,9 @@
files_tmpfs_file(user_tmpfs_t)
userdom_user_home_content(user_tmpfs_t)
+type user_hugetlbfs_t;
+files_hugetlbfs_file(user_hugetlbfs_t)
+
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
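Review bot: `user_hugetlbfs_t` is declared with only `files_hugetlbfs_file`, while the sibling `user_tmpfs_t` two lines above is additionally marked with `userdom_user_home_content`, which presumably is what makes a type count as per-user content for the UBAC constraint; if hugetlbfs pages are meant to be per-user in the same way, the omission leaves them outside that constraint. `files_hugetlbfs_file` is also not an interface I can find in upstream refpolicy of this vintage — if it is a Debian addition, the hunk declaring it is not in this chunk, so the build dependency is worth confirming.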
--- refpolicy-2.20110726.orig/policy/modules/system/getty.te
+++ refpolicy-2.20110726/policy/modules/system/getty.te
@@ -37,6 +37,7 @@
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;
+dev_read_urand(getty_t)
read_files_pattern(getty_t, getty_etc_t, getty_etc_t)
read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t)
--- refpolicy-2.20110726.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20110726/policy/modules/system/sysnetwork.if
@@ -423,6 +423,7 @@
type net_conf_t;
')
+ allow $1 net_conf_t:dir manage_dir_perms;
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
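Review bot: Adding `allow $1 net_conf_t:dir manage_dir_perms;` widens the interface from managing network configuration files to creating and deleting directories carrying that label; the enclosing interface's summary (its header is outside this hunk) should say so, since existing callers that only wanted file management now carry directory management too. If one consumer needs the directory access, a narrower `sysnet_*` interface for that caller keeps the existing one's scope intact.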
--- refpolicy-2.20110726.orig/policy/modules/system/iptables.te
+++ refpolicy-2.20110726/policy/modules/system/iptables.te
@@ -27,6 +27,7 @@
# Iptables local policy
#
+kernel_request_load_module(iptables_t)
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
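Review bot: `kernel_request_load_module(iptables_t)` is placed above the domain's `self:` rules, whereas this block and the other .te hunks in the patch keep interface calls after them; moving it below the self rules with a short reason, e.g. `# presumably for autoloading netfilter match/target modules`, matches the file's layout and records why the domain may trigger module loads.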
--- refpolicy-2.20110726.orig/policy/modules/system/libraries.fc
+++ refpolicy-2.20110726/policy/modules/system/libraries.fc
@@ -6,6 +6,8 @@
/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib64 -d gen_context(system_u:object_r:lib_t,s0)
+/lib64/.* gen_context(system_u:object_r:lib_t,s0)
')
ifdef(`distro_gentoo',`
@@ -37,13 +39,20 @@
#
/lib -d gen_context(system_u:object_r:lib_t,s0)
/lib/.* gen_context(system_u:object_r:lib_t,s0)
+ifdef(`distro_debian', `
+/lib32 -d gen_context(system_u:object_r:lib_t,s0)
+/lib32/.* gen_context(system_u:object_r:lib_t,s0)
+/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib32/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+', `
/lib64 -d gen_context(system_u:object_r:lib_t,s0)
/lib64/.* gen_context(system_u:object_r:lib_t,s0)
-/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_debian',`
/lib32 -l gen_context(system_u:object_r:lib_t,s0)
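Review bot: The Debian branch of the new ifdef drops the `/lib64` and `/lib64/ld-*` entries from this block, so on Debian amd64 those paths are only labelled if the `/lib64` lines the earlier hunk adds inside the emul/ia32-linux block sit in a Debian-conditional section — that block's opening is outside this chunk, so please confirm; `/lib64/ld-linux-x86-64.so.2` is the loader path on Debian amd64 and must keep `ld_so_t`. The same Debian/other split recurs in the /opt and /usr hunks below; a one-line comment above the first ifdef (`# Debian ships lib32 rather than lib64 for the secondary arch`) saves re-deriving the intent at each site.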
@@ -62,7 +71,11 @@
#
/opt/.*\.so gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ifdef(`distro_debian',`
+/opt/(.*/)?lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
+', `
/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+')
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
@@ -119,9 +132,14 @@
/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ifdef(`distro_debian',`
+/usr/(.*/)?lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib(32)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+', `
/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
-
/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+')
+
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/pythonsupport.if
+++ refpolicy-2.20110726/policy/modules/system/pythonsupport.if
@@ -0,0 +1,83 @@
+## Support for precompiling python modules
+##
+##
+## Debians python-support will precompile installed python
+## packages for installed python versions. This way,
+## the python2.3-foobar and python2.4-foobar (and 2.5) packages
+## could be merged into one python-foobar while keeping the
+## dependency information useful.
+##
+##
+#
+
+########################################
+##
+## Execute the python-support utility to precompile modules.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pythonsupport_domtrans',`
+ gen_require(`
+ type pythoncompile_t, pythoncompile_exec_t;
+ ')
+
+ domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t)
+
+ allow $1 pythoncompile_t:fd use;
+ allow pythoncompile_t $1:fd use;
+ allow $1 pythoncompile_t:fifo_file rw_file_perms;
+ allow $1 pythoncompile_t:process sigchld;
+')
+
+########################################
+##
+## Role access for python.
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`python_role',`
+ gen_require(`
+ type pythoncompile_t, pythoncompile_exec_t;
+ ')
+
+ domtrans_pattern($2, pythoncompile_exec_t, pythoncompile_t)
+ role $1 types pythoncompile_t;
+
+ allow $2 pythoncompile_t:process { signal_perms };
+ ps_process_pattern($2, pythoncompile_t)
+')
+
+########################################
+##
+## Read compiled python modules
+##
+##
+##
+## Domain allowed to read the compiled python modules.
+##
+##
+#
+interface(`pythonsupport_compiled_read',`
+ gen_require(`
+ type python_compiled_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 python_compiled_t:dir list_dir_perms;
+ allow $1 python_compiled_t:file read_file_perms;
+ allow $1 python_compiled_t:lnk_file read_lnk_file_perms;
+')
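Review bot: `pythonsupport_domtrans` hand-rolls the transition with `domain_auto_trans` plus separate fd/fifo/sigchld rules, while `python_role` in the same file uses `domtrans_pattern`, which already carries those rules; `domtrans_pattern($1, pythoncompile_exec_t, pythoncompile_t)` replaces the five lines and removes the `rw_file_perms` applied to a fifo_file (the fifo macro is `rw_fifo_file_perms`). `python_role` also lacks the module prefix the other two interfaces carry; `pythonsupport_role` keeps the file consistent. `pythonsupport_compiled_read` writes out dir/file/lnk_file permission sets by hand where the `read_files_pattern`/`read_lnk_files_pattern` helpers used in unconfined.if above would do.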
--- refpolicy-2.20110726.orig/policy/modules/system/iodine.if
+++ refpolicy-2.20110726/policy/modules/system/iodine.if
@@ -0,0 +1 @@
+##
--- refpolicy-2.20110726.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20110726/policy/modules/system/userdomain.if
@@ -87,6 +87,7 @@
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
files_read_usr_files($1_t)
+ files_exec_usr_files($1_t)
# Read directories and files with the readable_t type.
# This type is a general type for "world"-readable files.
files_list_world_readable($1_t)
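Review bot: `files_exec_usr_files($1_t)` is moved into this lower-level template (its opening is outside the hunk, but the surrounding `files_read_*` calls suggest the base user template) and removed from a more privileged template later in this patch, so every user domain built on the base template can now execute usr_t files, including any deliberately restricted ones. If that is intended, a comment naming which Debian user domain needed it would help; otherwise the call belongs back in the template it was removed from.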
@@ -117,6 +118,19 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ tunable_policy(`user_manage_dos_files',`
+ fs_manage_dos_dirs($1_t)
+ fs_manage_dos_files($1_t)
+ ')
+
+ ifdef(`distro_debian', `
+ # allow reading /var/lib/apt/lists
+ apt_read_db($1_t)
+ # allow reading /var/cache/apt - should not be needed but
+ # does not really matter
+ apt_read_cache($1_t)
+ ')
')
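Review bot: `apt_read_db($1_t)` and `apt_read_cache($1_t)` are called directly inside `ifdef(`distro_debian')` rather than inside an `optional_policy()` block, so a Debian build without the apt module loaded fails to link instead of skipping the rules; the other cross-module calls in this file (e.g. `pythonsupport_compiled_read` in a later hunk) are wrapped in `optional_policy()`. The comment on the second call admits the access "should not be needed"; rules added on that basis tend to stay forever, so either drop it or state the observed denial it fixes.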
#######################################
@@ -349,6 +363,7 @@
interface(`userdom_manage_tmpfs_role',`
gen_require(`
type user_tmpfs_t;
+ type user_hugetlbfs_t;
')
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
@@ -357,6 +372,8 @@
manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ manage_files_pattern($2, user_hugetlbfs_t, user_hugetlbfs_t)
+ fs_hugetlbfs_filetrans($2, user_hugetlbfs_t, { file })
')
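Review bot: `fs_hugetlbfs_filetrans($2, user_hugetlbfs_t, { file })` wraps a single class in braces; `file` alone reads like the single-class filetrans calls elsewhere. Only `manage_files_pattern` is granted for the hugetlbfs type, unlike the full dir/file/lnk/sock/fifo set on `user_tmpfs_t` just above — if that is deliberate (hugetlbfs holds only files), a comment saying so prevents someone "completing" the set later.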
#######################################
@@ -532,6 +549,7 @@
files_read_var_symlinks($1_t)
files_read_generic_spool($1_t)
files_read_var_lib_files($1_t)
+ files_read_var_lib_symlinks($1_t)
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
@@ -655,6 +673,10 @@
')
optional_policy(`
+ pythonsupport_compiled_read($1_t)
+ ')
+
+ optional_policy(`
pcscd_read_pub_files($1_t)
pcscd_stream_connect($1_t)
')
@@ -961,7 +983,6 @@
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
- files_exec_usr_files($1_t)
# cjp: why?
files_read_kernel_symbol_table($1_t)
@@ -1006,10 +1027,49 @@
optional_policy(`
setroubleshoot_stream_connect($1_t)
')
+
+ optional_policy(`
+ mysqld_exec($1_t)
+ ')
')
#######################################
##
+## The template for creating a user with network access.
+##
+##
+##
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+##
+##
+## This differs from the unpriv_user_template by allowing non-privileged network access.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., sysadm
+## is the prefix for sysadm_t).
+##
+##
+#
+template(`network_user_template',`
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Inherit rules for ordinary users.
+ userdom_unpriv_user_template($1)
+ # like user_tcp_server
+ corenet_tcp_bind_generic_port($1_t)
+ sysnet_dns_name_resolve($1_t)
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_stream_socket_perms;
+')
+#######################################
+##
## The template for creating an administrative user.
##
##
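Review bot: `allow $1_t self:udp_socket create_stream_socket_perms;` gives a datagram socket the stream permission set (listen/accept); the form used elsewhere in this patch (`allow jabberd_t self:udp_socket create_socket_perms;`) is `create_socket_perms`. The template name `network_user_template` lacks the `userdom_` prefix that `userdom_unpriv_user_template`, which it calls, carries; `userdom_network_user_template` matches the module convention. In the header, "the unpriv_user_template" should name the real template, `userdom_unpriv_user_template`, and `# like user_tcp_server` would be clearer as `# grants unconditionally what the user_tcp_server tunable presumably gates`.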
--- refpolicy-2.20110726.orig/policy/modules/system/selinuxutil.fc
+++ refpolicy-2.20110726/policy/modules/system/selinuxutil.fc
@@ -46,3 +46,6 @@
# /var/run
#
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/jabber.if
+++ refpolicy-2.20110726/policy/modules/services/jabber.if
@@ -11,7 +11,7 @@
##
#
interface(`jabber_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
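Review bot: Switching `refpolicywarn` to `refpolicyerr` turns a call to the deprecated `jabber_tcp_connect` from a build warning into a fatal error, so any locally built module still using it stops compiling; the same change is made to `ssh_tcp_connect` and the three `portmap_*` interfaces later in this patch. If this is the intended end of the deprecation window, the summaries above each interface (outside the hunks) should say the interface is removed and name its replacement.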
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/dbus.fc
+++ refpolicy-2.20110726/policy/modules/services/dbus.fc
@@ -6,12 +6,23 @@
/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ifdef(`distro_redhat', `
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
+ifdef(`distro_debian', `
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+')
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
+ifdef(`distro_debian',`
+/usr/lib/gnome-vfs-2.0/gnome-vfs-daemon -- gen_context(system_u:object_r:bin_t,s0)
+')
ifdef(`distro_redhat',`
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
')
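Review bot: Wrapping `/usr/libexec/dbus-daemon-launch-helper` in `ifdef(`distro_redhat')` leaves the path unlabelled on any other distribution that installs to /usr/libexec, which the previous unconditional entry covered; keeping it unconditional and adding the Debian path alongside avoids the regression. The `/usr/lib/gnome-vfs-2.0/gnome-vfs-daemon` entry is unrelated to dbus and labels a daemon as plain `bin_t`; it belongs in the gnome module's .fc, with a comment saying why it gets no domain of its own. The two adjacent `ifdef(`distro_debian'` blocks could also be merged.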
--- refpolicy-2.20110726.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20110726/policy/modules/services/jabber.te
@@ -28,10 +28,11 @@
allow jabberd_t self:capability dac_override;
dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:process signal_perms;
-allow jabberd_t self:fifo_file read_fifo_file_perms;
+allow jabberd_t self:process { signal_perms getsched setsched };
+allow jabberd_t self:fifo_file rw_fifo_file_perms;
allow jabberd_t self:tcp_socket create_stream_socket_perms;
allow jabberd_t self:udp_socket create_socket_perms;
+corenet_udp_bind_generic_node(jabberd_t)
manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
@@ -44,7 +45,7 @@
kernel_read_kernel_sysctls(jabberd_t)
kernel_list_proc(jabberd_t)
-kernel_read_proc_symlinks(jabberd_t)
+kernel_read_system_state(jabberd_t)
corenet_all_recvfrom_unlabeled(jabberd_t)
corenet_all_recvfrom_netlabel(jabberd_t)
@@ -55,14 +56,19 @@
corenet_tcp_sendrecv_all_ports(jabberd_t)
corenet_udp_sendrecv_all_ports(jabberd_t)
corenet_tcp_bind_generic_node(jabberd_t)
+corenet_tcp_connect_generic_port(jabberd_t)
corenet_tcp_bind_jabber_client_port(jabberd_t)
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
corenet_sendrecv_jabber_client_server_packets(jabberd_t)
corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+corecmd_exec_bin(jabberd_t)
+corecmd_exec_shell(jabberd_t)
+
dev_read_sysfs(jabberd_t)
# For SSL
dev_read_rand(jabberd_t)
+dev_read_urand(jabberd_t)
domain_use_interactive_fds(jabberd_t)
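Review bot: `corecmd_exec_bin(jabberd_t)` and `corecmd_exec_shell(jabberd_t)` let the daemon run arbitrary binaries and shells with no comment on which jabberd feature needs it, and `corenet_tcp_connect_generic_port` beside them adds outbound connections to any unreserved port; together they widen what a compromised jabberd can do well beyond what the rest of the domain suggests. A comment naming the component (`# jabberd spawns helper scripts for ...`, filled in from the observed denials) justifies the grant, and if only one helper is executed, a dedicated exec type and transition keeps the domain tight. `run_epmd` in the last hunk also departs from the `module_verb` interface naming every neighbouring call uses.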
@@ -82,6 +88,10 @@
userdom_dontaudit_search_user_home_dirs(jabberd_t)
optional_policy(`
+ run_epmd(jabberd_t, system_r)
+')
+
+optional_policy(`
nis_use_ypbind(jabberd_t)
')
--- refpolicy-2.20110726.orig/policy/modules/services/fetchmail.fc
+++ refpolicy-2.20110726/policy/modules/services/fetchmail.fc
@@ -16,4 +16,8 @@
#
/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+')
/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/ftp.fc
+++ refpolicy-2.20110726/policy/modules/services/ftp.fc
@@ -23,6 +23,9 @@
# /var
#
/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
+')
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/cron.if
+++ refpolicy-2.20110726/policy/modules/services/cron.if
@@ -35,7 +35,8 @@
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t $1_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_t, $1_tmp_t, file)
+ allow $1_t $1_tmp_t:dir manage_dir_perms;
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
# create files in /var/spool/cron
manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
@@ -207,7 +208,7 @@
class passwd crontab;
')
- role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
+ role $1 types { cronjob_t admin_crontab_t };
# cronjob shows up in user ps
ps_process_pattern($2, cronjob_t)
@@ -257,11 +258,12 @@
#
interface(`cron_system_entry',`
gen_require(`
- type crond_t, system_cronjob_t;
+ type crond_t, system_cronjob_t, crond_tmp_t;
')
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
+ allow $1 crond_tmp_t:file { read write ioctl };
role system_r types $1;
')
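Review bot: `allow $1 crond_tmp_t:file { read write ioctl };` is added to `cron_system_entry` without a comment, so every system cron job domain gains read/write on crond's temp files; if the intent is to use a descriptor inherited from crond (the usual reason such a rule omits open), say so with `# rw crond temp files via inherited fds` and consider the `rw_inherited_file_perms` set if this tree defines it.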
@@ -631,3 +633,22 @@
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
')
+
+########################################
+##
+## Allow crond to search directories that are home directories for
+## accounts used or parent directories of home directories.
+##
+##
+##
+## Type of directory that crond_t may search.
+##
+##
+#
+interface(`crond_search_dir',`
+ gen_require(`
+ type crond_t;
+ ')
+
+ allow crond_t $1:dir search;
+')
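Review bot: `crond_search_dir` breaks the module-prefix naming the rest of this file follows (`cron_system_entry`, `cron_*`); `cron_search_dir` or, to say what it is for, `cron_search_home_parent_dirs` would fit. The rule `allow crond_t $1:dir search;` would conventionally use `search_dir_perms` (as unconfined.if in this patch does), which also includes getattr. The summary's "home directories for accounts used or parent directories of home directories" is hard to parse; "a directory, or a parent of one, that crond must traverse to reach a user's home" states the same thing more plainly.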
--- refpolicy-2.20110726.orig/policy/modules/services/ricci.fc
+++ refpolicy-2.20110726/policy/modules/services/ricci.fc
@@ -12,5 +12,14 @@
/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)
/var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+')
/var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
+')
/var/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20110726/policy/modules/services/ssh.if
@@ -421,6 +421,11 @@
')
optional_policy(`
+ run_gpg_agent($1_ssh_agent_t)
+ ')
+
+ optional_policy(`
+ xdm_sigchld($1_ssh_agent_t)
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
')
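Review bot: `run_gpg_agent` and `xdm_sigchld` do not follow the `module_verb` naming that `xserver_use_xdm_fds` on the next line uses, so they read as Debian-local helpers; if so, the hunks defining them are outside this chunk and should be checked for a `gpg_`/`xserver_` prefix. Letting the ssh-agent domain run gpg-agent also deserves a comment naming the use case (gpg-agent's ssh-agent emulation, presumably), since it links two credential-holding domains.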
@@ -563,7 +568,7 @@
##
#
interface(`ssh_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/aisexec.fc
+++ refpolicy-2.20110726/policy/modules/services/aisexec.fc
@@ -7,3 +7,6 @@
/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/mta.te
+++ refpolicy-2.20110726/policy/modules/services/mta.te
@@ -5,11 +5,18 @@
# Declarations
#
+# attribute used for domains that act on behalf of the user to deliver mail
+# to the queue
attribute mailcontent_type;
attribute mta_exec_type;
attribute mta_user_agent;
+
+# attribute used for domains that deliver mail locally
attribute mailserver_delivery;
+
attribute mailserver_domain;
+
+# attribute used for domains that send mail externally (smtp or lmtp)
attribute mailserver_sender;
attribute user_mail_domain;
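Review bot: The new comment "attribute used for domains that act on behalf of the user to deliver mail to the queue" sits above three declarations (`mailcontent_type`, `mta_exec_type`, `mta_user_agent`), so it reads as describing all three, while its wording fits `mta_user_agent` rather than `mailcontent_type` (a content-file attribute, going by its name). Move the comment directly above `mta_user_agent` and give `mailcontent_type`, `mta_exec_type` and `mailserver_domain` their own one-liners so the block is uniformly documented.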
--- refpolicy-2.20110726.orig/policy/modules/services/portmap.if
+++ refpolicy-2.20110726/policy/modules/services/portmap.if
@@ -57,7 +57,7 @@
##
#
interface(`portmap_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
@@ -71,7 +71,7 @@
##
#
interface(`portmap_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
@@ -85,5 +85,5 @@
##
#
interface(`portmap_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
--- refpolicy-2.20110726.orig/policy/modules/services/dhcp.fc
+++ refpolicy-2.20110726/policy/modules/services/dhcp.fc
@@ -6,3 +6,6 @@
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/xserver.fc
+++ refpolicy-2.20110726/policy/modules/services/xserver.fc
@@ -9,11 +9,7 @@
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-
-#
-# /dev
-#
-/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
+HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xauth_home_t,s0)
#
# /etc
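Review bot: `HOME_DIR/\.xsession-errors` is given `xauth_home_t`, the type of the user's X authority cookie files; a session log is written by many more domains than the cookie is, so any domain that needs to append to the log also gains write access to the cookie, and any reader of the cookie can read the log. A separate type (I believe later upstream refpolicy uses `xdm_home_t` for this file) keeps the cookie's access set tight. Dropping the `/dev/xconsole -p` context line here is fine only if logging.fc picks it up; that hunk is not in this chunk.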
@@ -21,10 +17,10 @@
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
-/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
+/etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -33,10 +29,9 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-ifdef(`distro_redhat',`
+/etc/gdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-')
#
# /opt
@@ -65,13 +60,12 @@
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
-ifdef(`distro_debian', `
-/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-')
/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ifndef(`distro_debian', `
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+')
/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -88,18 +82,26 @@
# /var
#
-/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
-
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[xgkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+')
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+')
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+')
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/devicekit.fc
+++ refpolicy-2.20110726/policy/modules/services/devicekit.fc
@@ -2,13 +2,31 @@
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+', `
/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+')
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+')
/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+')
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+')
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/openct.fc
+++ refpolicy-2.20110726/policy/modules/services/openct.fc
@@ -8,3 +8,6 @@
# /var
#
/var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/smartmon.fc
+++ refpolicy-2.20110726/policy/modules/services/smartmon.fc
@@ -9,4 +9,7 @@
# /var
#
/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/spamassassin.te
+++ refpolicy-2.20110726/policy/modules/services/spamassassin.te
@@ -43,6 +43,7 @@
typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
application_domain(spamc_t, spamc_exec_t)
ubac_constrained(spamc_t)
+role system_r types spamc_t;
type spamc_tmp_t;
typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
@@ -52,7 +53,8 @@
type spamd_t;
type spamd_exec_t;
-init_daemon_domain(spamd_t, spamd_exec_t)
+init_daemon_domain(spamd_t,spamd_exec_t)
+can_exec(spamd_t,spamc_exec_t)
type spamd_spool_t;
files_type(spamd_spool_t)
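Review bot: The rewrite of `init_daemon_domain(spamd_t, spamd_exec_t)` only removes the space after the comma, against the file's formatting and adding a diff line with no semantic change; `can_exec(spamd_t, spamc_exec_t)` should keep the space too, as should `manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)` in the next hunk. That pattern call is also placed in the declarations section; the policy section lower in the file is where the existing spamd_t rules live. The `netlink_route_socket` rule added for spamc_t later is what `auth_use_nsswitch` or `sysnet_dns_name_resolve` already grant, so check whether one of those is already called for spamc_t before adding the raw rule.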
@@ -66,6 +68,7 @@
type spamd_var_run_t;
files_pid_file(spamd_var_run_t)
+manage_sock_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
##############################
#
@@ -205,6 +208,7 @@
allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
+allow spamc_t self:netlink_route_socket { read write bind create getattr nlmsg_read };
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
@@ -286,7 +290,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { kill setgid setuid dac_override sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
@@ -333,6 +337,7 @@
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
corenet_tcp_bind_spamd_port(spamd_t)
+corenet_tcp_connect_spamd_port(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)
corenet_tcp_connect_smtp_port(spamd_t)
corenet_sendrecv_razor_client_packets(spamd_t)
@@ -421,6 +426,7 @@
optional_policy(`
postfix_read_config(spamd_t)
+ postfix_search_spool(spamd_t)
')
optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/services/w3c.te
+++ refpolicy-2.20110726/policy/modules/services/w3c.te
@@ -5,6 +5,7 @@
# Declarations
#
+apache_script_exec_domain(w3c_validator)
apache_content_template(w3c_validator)
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/apache.if
+++ refpolicy-2.20110726/policy/modules/services/apache.if
@@ -11,12 +11,29 @@
##
##
#
+template(`apache_script_exec_domain',`
+ type httpd_$1_script_exec_t; # customizable;
+ fs_associate(httpd_$1_script_exec_t)
+')
+
+########################################
+##
+## Create a set of derived types for apache
+## web content.
+##
+##
+##
+## The prefix to be used for deriving type names.
+##
+##
+#
template(`apache_content_template',`
gen_require(`
attribute httpdcontent;
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_$1_script_exec_t;
')
# allow write access to public file transfer
# services files.
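Review bot: Adding `type httpd_$1_script_exec_t;` to the gen_require of `apache_content_template` turns a self-contained template into one that fails at build time unless the caller first invoked the new `apache_script_exec_domain`; only the callers touched in this patch are updated, and any other module calling `apache_content_template` (none visible here) will now break. The new template also has no documentation of its own: the `##` lines above it at the top of the hunk appear to be the tail of the previous template's description. Give `apache_script_exec_domain` a summary stating that it declares `httpd_$1_script_exec_t` and must be called before `apache_content_template`, and note the ordering requirement in the content template's description as well.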
@@ -37,7 +54,9 @@
role system_r types httpd_$1_script_t;
# This type is used for executable scripts files
- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+ # must be defined by the caller
+ # type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+ typeattribute httpd_$1_script_exec_t httpd_script_exec_type;
corecmd_shell_entry_type(httpd_$1_script_t)
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
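Review bot: The old declaration is left behind as a commented-out line, `# type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;`, next to the `typeattribute` that replaces it. Delete the dead line and keep only an explanatory comment, e.g. `# httpd_$1_script_exec_t is declared by apache_script_exec_domain(); only the attribute is attached here`, so the next reader does not wonder whether the declaration is meant to be re-enabled.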
@@ -50,6 +69,7 @@
files_type(httpd_$1_ra_content_t)
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
@@ -108,6 +128,10 @@
seutil_dontaudit_search_config(httpd_$1_script_t)
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_$1_script_t httpdcontent:file entrypoint;
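Review bot: The three new rules giving httpd_t unconditional list/read/read-symlink access to httpd_$1_content_t sit right before the `httpd_enable_cgi && httpd_unified` block with no comment, and the comment change later in this file (dropping `and serve pages` from `# Allow the web server to run scripts`) suggests this access was previously conditional on httpd_builtin_scripting. If that is the case, the boolean's description must be updated to match and the change deserves a comment here: `# Serving static content is unconditional; httpd_builtin_scripting now governs only script execution`. If the rules merely duplicate access already granted elsewhere in the template, drop them instead.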
@@ -121,7 +145,7 @@
miscfiles_manage_public_files(httpd_$1_script_t)
')
- # Allow the web server to run scripts and serve pages
+ # Allow the web server to run scripts
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -222,6 +246,13 @@
manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
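Review bot: The seven added lines duplicate the existing block verbatim: after this hunk the manage_dirs/manage_files/manage_lnk_files and the three relabel patterns for httpd_user_content_t each appear twice in a row, separated by a blank line. Redundant rules compile but make the interface misleading, so drop the added copy; if the intent was to add something that is missing, add only that line.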
--- refpolicy-2.20110726.orig/policy/modules/services/ftp.if
+++ refpolicy-2.20110726/policy/modules/services/ftp.if
@@ -29,7 +29,7 @@
##
#
interface(`ftp_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
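Review bot: Changing `refpolicywarn` to `refpolicyerr` in the deprecated `ftp_tcp_connect` stub turns a build warning into a hard failure for any out-of-tree module that still calls it, which is a behaviour change for downstream policy builders rather than a cleanup. If the goal is to retire the interface, removing it outright is clearer than a stub that only errors; if it must stay, keep the warning and name the replacement in the message.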
--- refpolicy-2.20110726.orig/policy/modules/services/spamassassin.if
+++ refpolicy-2.20110726/policy/modules/services/spamassassin.if
@@ -225,3 +225,23 @@
dontaudit $1 spamd_tmp_t:sock_file getattr;
')
+
+########################################
+##
+## Connect to spamd via unix socket
+##
+##
+##
+## Domain to connect
+##
+##
+#
+interface(`spamassassin_connect_unix_sock',`
+ gen_require(`
+ type spamd_t, spamd_var_run_t;
+ ')
+
+ allow $1 spamd_var_run_t:dir search_dir_perms;
+ allow $1 spamd_var_run_t:sock_file write;
+ allow $1 spamd_t:unix_stream_socket connectto;
+')
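Review bot: `spamassassin_connect_unix_sock` hand-writes the three rules that `stream_connect_pattern` provides and omits the search permission on /var/run itself, so a caller can reach spamd_var_run_t only if it already has `files_search_pids`. The body should be `files_search_pids($1)` followed by `stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)`, which also matches how the dkim interface in this same patch is written.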
--- refpolicy-2.20110726.orig/policy/modules/services/zebra.fc
+++ refpolicy-2.20110726/policy/modules/services/zebra.fc
@@ -18,5 +18,14 @@
/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+')
/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+')
/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
+')
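Review bot: Each `/run/...` entry is wrapped in its own `ifdef(`distro_debian'` block immediately after the `/var/run/...` line it mirrors, which triples the file for a mechanical change; the same pattern recurs in every .fc hunk that follows in this patch. Group the Debian additions into one `ifdef(`distro_debian',` block per file, or, if the libselinux in use supports `file_contexts.subs_dist`, add a single `/run /var/run` substitution there and drop the per-file duplicates entirely.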
--- refpolicy-2.20110726.orig/policy/modules/services/stunnel.fc
+++ refpolicy-2.20110726/policy/modules/services/stunnel.fc
@@ -5,3 +5,6 @@
/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/clogd.fc
+++ refpolicy-2.20110726/policy/modules/services/clogd.fc
@@ -1,3 +1,6 @@
/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/samba.fc
+++ refpolicy-2.20110726/policy/modules/services/samba.fc
@@ -37,17 +37,53 @@
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+')
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+')
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+')
/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+')
/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+')
/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+')
/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+')
/var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+')
/var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+')
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+')
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+')
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+')
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/corosync.fc
+++ refpolicy-2.20110726/policy/modules/services/corosync.fc
@@ -9,4 +9,10 @@
/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+')
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/soundserver.fc
+++ refpolicy-2.20110726/policy/modules/services/soundserver.fc
@@ -8,6 +8,12 @@
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
+')
/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+')
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/asterisk.fc
+++ refpolicy-2.20110726/policy/modules/services/asterisk.fc
@@ -6,4 +6,7 @@
/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0)
/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0)
/var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0)
+')
/var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/ssh.fc
+++ refpolicy-2.20110726/policy/modules/services/ssh.fc
@@ -14,3 +14,6 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/dkim.if
+++ refpolicy-2.20110726/policy/modules/services/dkim.if
@@ -1 +1,20 @@
## DomainKeys Identified Mail milter.
+
+########################################
+##
+## Connect to dkim-milter.
+##
+##
+##
+## Domain allowed to connect.
+##
+##
+#
+interface(`dkim_stream_connect',`
+ gen_require(`
+ type dkim_milter_t, dkim_milter_data_t;
+ ')
+
+ stream_connect_pattern($1,dkim_milter_data_t,dkim_milter_data_t,dkim_milter_t)
+')
+
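Review bot: `dkim_stream_connect` grants the connect through dkim_milter_data_t but nothing lets the caller search the parent directory of that socket; whether that needs `files_search_pids($1)` or `files_search_var_lib($1)` depends on where dkim_milter_data_t is labeled, which is not visible in this chunk, so add the matching search interface before the `stream_connect_pattern` call. The hunk also ends with a stray empty `+` line after the closing `')`.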
--- refpolicy-2.20110726.orig/policy/modules/services/portmap.fc
+++ refpolicy-2.20110726/policy/modules/services/portmap.fc
@@ -4,9 +4,16 @@
ifdef(`distro_debian',`
/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+')
', `
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
')
/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+')
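Review bot: The new `ifdef(`distro_debian'` block at `/var/run/portmap_mapping` is nested inside the `ifdef(`distro_debian',` that already encloses the `/sbin/pmap_*` entries, so the inner test is always true and only adds noise. Place `/run/portmap_mapping` directly under `/var/run/portmap_mapping` inside the outer block, or move both beside the `/var/run/portmap\.upgrade-state` line at the bottom.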
--- refpolicy-2.20110726.orig/policy/modules/services/tor.fc
+++ refpolicy-2.20110726/policy/modules/services/tor.fc
@@ -10,3 +10,6 @@
/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)
/var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20110726/policy/modules/services/apache.fc
@@ -32,8 +32,12 @@
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+ifdef(`distro_debian', `
+/usr/lib/apache2/mpm-.*/.*$ -- gen_context(system_u:object_r:httpd_exec_t,s0)
+', `
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+')
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
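Review bot: On Debian the `/usr/sbin/apache(2)?` and `/usr/sbin/apache-ssl(2)?` entries are now dropped in favour of `/usr/lib/apache2/mpm-.*/.*$`; the trailing `$` is redundant because file_contexts regexes are already anchored, and the pattern labels every regular file under any mpm-* directory as httpd_exec_t rather than just the server binary. Tighten it to `/usr/lib/apache2/mpm-[^/]+/apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0)`, and confirm that /usr/sbin/apache2 on the targeted Debian releases is a symlink (which the `--` entries never matched anyway) rather than a real file that now loses its label.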
@@ -79,7 +83,8 @@
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-
+/var/lib/squirrelmail/data(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -93,11 +98,29 @@
')
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+')
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+')
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+')
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+')
/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+')
/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+')
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/avahi.fc
+++ refpolicy-2.20110726/policy/modules/services/avahi.fc
@@ -5,5 +5,8 @@
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
+')
/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/ricci.te
+++ refpolicy-2.20110726/policy/modules/services/ricci.te
@@ -213,7 +213,9 @@
mount_domtrans(ricci_modcluster_t)
-consoletype_exec(ricci_modcluster_t)
+optional_policy(`
+ consoletype_exec(ricci_modcluster_t)
+')
ricci_stream_connect_modclusterd(ricci_modcluster_t)
@@ -394,7 +396,9 @@
# Needed for running chkconfig
files_manage_etc_symlinks(ricci_modservice_t)
-consoletype_exec(ricci_modservice_t)
+optional_policy(`
+ consoletype_exec(ricci_modservice_t)
+')
init_domtrans_script(ricci_modservice_t)
@@ -456,7 +460,9 @@
modutils_read_module_deps(ricci_modstorage_t)
-consoletype_exec(ricci_modstorage_t)
+optional_policy(`
+ consoletype_exec(ricci_modstorage_t)
+')
mount_domtrans(ricci_modstorage_t)
--- refpolicy-2.20110726.orig/policy/modules/services/cvs.te
+++ refpolicy-2.20110726/policy/modules/services/cvs.te
@@ -106,6 +106,7 @@
# CVSWeb policy
#
+apache_script_exec_domain(cvs)
optional_policy(`
apache_content_template(cvs)
--- refpolicy-2.20110726.orig/policy/modules/services/munin.fc
+++ refpolicy-2.20110726/policy/modules/services/munin.fc
@@ -65,5 +65,8 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+')
/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/fail2ban.fc
+++ refpolicy-2.20110726/policy/modules/services/fail2ban.fc
@@ -6,3 +6,6 @@
/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/apache.te
+++ refpolicy-2.20110726/policy/modules/services/apache.te
@@ -215,6 +215,7 @@
files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
+apache_script_exec_domain(sys)
apache_content_template(sys)
typealias httpd_sys_content_t alias ntop_http_content_t;
@@ -224,6 +225,7 @@
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
+apache_script_exec_domain(user)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
userdom_user_home_content(httpd_user_content_t)
@@ -469,6 +471,14 @@
tunable_policy(`httpd_enable_homedirs',`
userdom_read_user_home_content_files(httpd_t)
')
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+ tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', `
+ unconfined_read_home_content_files(httpd_t)
+ ')
+')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_t)
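Review bot: The new block grants httpd_t read access to unconfined users' home content when both `httpd_enable_homedirs` and `daemon_access_unconfined_home` are on, but nothing in the hunk says what that exposes or where `daemon_access_unconfined_home` is declared (presumably in the unconfined module, hence the optional_policy wrapper). Add a comment such as `# also serve home content of unconfined_u users; daemon_access_unconfined_home is declared in unconfined.te and defaults off` and verify that default, since if unconfined_u is the login mapping for ordinary users this is effectively every home directory. The identical eight-line block is repeated for httpd_suexec_t and httpd_sys_script_t further down in this file; one optional_policy listing the three domains would be easier to audit.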
@@ -517,7 +527,10 @@
')
optional_policy(`
+# for cron jobs to restart Apache
cron_system_entry(httpd_t, httpd_exec_t)
+# For cron jobs to run from accounts with home directories in the web store
+ crond_search_dir(httpd_sys_content_t)
')
optional_policy(`
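Review bot: `crond_search_dir(httpd_sys_content_t)` passes an object type where refpolicy interfaces take the calling domain, and the `crond_` prefix does not match the cron module's `cron_` naming used by `cron_system_entry` on the line above; its definition is not in this chunk, so I cannot tell whether it is `allow crond_t $1:dir search_dir_perms` as the name suggests. If so, it belongs in the cron module's own policy or a `cron_`-prefixed interface with the object as an explicit second argument. The two new `# for cron jobs ...` comments should also be indented to the block like the calls they describe.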
@@ -542,8 +555,11 @@
')
')
-optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
+
+optional_policy(`
+ # read munin files
+ munin_search_lib(httpd_t)
')
optional_policy(`
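Review bot: The `optional_policy(`` that wrapped `kerberos_keytab_template(httpd, httpd_t)` is removed and re-opened below for `munin_search_lib`, leaving the kerberos template call unconditional; if the kerberos module is absent, the apache module will now fail its gen_require at build time. Unless the hard dependency is deliberate, restore the wrapper so the result reads `optional_policy(` / `kerberos_keytab_template(httpd, httpd_t)` / `')` followed by the new munin block.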
@@ -739,6 +755,14 @@
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+ tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', `
+ unconfined_read_home_content_files(httpd_suexec_t)
+ ')
+')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_sys_script_t httpdcontent:file entrypoint;
@@ -824,6 +848,14 @@
tunable_policy(`httpd_enable_homedirs',`
userdom_read_user_home_content_files(httpd_sys_script_t)
')
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+ tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', `
+ unconfined_read_home_content_files(httpd_sys_script_t)
+ ')
+')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_sys_script_t)
--- refpolicy-2.20110726.orig/policy/modules/services/dkim.te
+++ refpolicy-2.20110726/policy/modules/services/dkim.te
@@ -11,12 +11,18 @@
type dkim_milter_private_key_t;
files_type(dkim_milter_private_key_t)
+type dkim_milter_tmp_t;
+files_tmp_file(dkim_milter_tmp_t)
+ubac_constrained(dkim_milter_tmp_t)
+files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, file)
+
########################################
#
# Local policy
#
allow dkim_milter_t self:capability { setgid setuid };
+kernel_read_system_state(dkim_milter_t)
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
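Review bot: `files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, file)` is an access rule placed in the declarations block, and no `manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)` is visible, so unless one exists later in the file the daemon gets a type transition but no permission to create or write the file. Move the filetrans next to such a manage rule in the local-policy section. `ubac_constrained(dkim_milter_tmp_t)` is also unusual for a system daemon's tmp type: it subjects the type to the UBAC constraint, which is a no-op for objects the daemon creates as system_u, so if it was copied from a user-application module it can be dropped.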
--- refpolicy-2.20110726.orig/policy/modules/services/inn.fc
+++ refpolicy-2.20110726/policy/modules/services/inn.fc
@@ -62,6 +62,12 @@
/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0)
/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+')
/var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+')
/var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/postfix.if
+++ refpolicy-2.20110726/policy/modules/services/postfix.if
@@ -163,6 +163,7 @@
allow postfix_$1_t self:capability dac_override;
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
+ in_unconfined_r(postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
')
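Review bot: `in_unconfined_r(postfix_$1_t)` is added to the user-domain template without an `optional_policy` wrapper and without the `unconfined_` prefix refpolicy uses for that module's interfaces; its definition is not in this chunk. If it associates the domain with unconfined_r, that is the unconfined module's decision to make through a run interface rather than something every postfix user domain should hard-code, so either move it to the unconfined module or at least wrap it as `optional_policy(` / `in_unconfined_r(postfix_$1_t)` / `')`.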
@@ -374,6 +375,7 @@
')
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+ domain_system_change_exemption($1)
')
########################################
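Review bot: `domain_system_change_exemption($1)` inside `postfix_domtrans_master` hands every caller of the domtrans interface an exemption from the system user/role change constraint, a much broader grant than the transition the interface documents. Keep the domtrans interface minimal and put the exemption in the specific caller that needs it (or a dedicated run interface), with a comment naming which caller had to change to system_u.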
@@ -454,7 +456,7 @@
#######################################
##
-## Execute the master postqueue in the caller domain.
+## Allow the master postqueue to use a fifo of the caller and send sigchld
##
##
##
@@ -462,12 +464,14 @@
##
##
#
-interface(`posftix_exec_postqueue',`
+interface(`posftix_run_postqueue',`
gen_require(`
- type postfix_postqueue_exec_t;
+ type postfix_postqueue_t;
')
- can_exec($1, postfix_postqueue_exec_t)
+ allow postfix_postqueue_t $1:fd use;
+ allow postfix_postqueue_t $1:fifo_file rw_file_perms;
+ allow postfix_postqueue_t $1:process sigchld;
')
########################################
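Review bot: The renamed interface keeps the `posftix_` misspelling from the old name, so `posftix_run_postqueue` will not be found by anyone looking for `postfix_`, and the old `posftix_exec_postqueue` disappears without a deprecated stub for existing callers. The fifo rule should use the fifo permission set, `allow postfix_postqueue_t $1:fifo_file rw_fifo_file_perms;`, rather than `rw_file_perms`. The body now grants postfix_postqueue_t use of the caller's fds, fifos and sigchld but no longer any way to execute postqueue, so the summary in the previous hunk should say this is meant to be paired with a domtrans.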
--- refpolicy-2.20110726.orig/policy/modules/services/dcc.fc
+++ refpolicy-2.20110726/policy/modules/services/dcc.fc
@@ -5,17 +5,36 @@
/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+ifdef(`distro_redhat',`
/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+')
+ifdef(`distro_debian',`
+/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+')
+ifdef(`distro_redhat',`
/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
-
+', `
/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+')
/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
+')
/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+ifdef(`distro_debian', `
+/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+')
/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+')
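Review bot: Wrapping the `/usr/libexec/dcc/*` entries in `ifdef(`distro_redhat'` removes labels that were previously unconditional, so any build that is neither Debian nor Red Hat (Gentoo, SUSE) silently loses the dccd/dccifd/dccm entrypoints. Use the same two-branch form as the `/var/dcc` block below: `ifdef(`distro_debian',` with the `/usr/sbin` entries, and the `/usr/libexec/dcc` entries in the `', `` else branch.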
--- refpolicy-2.20110726.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20110726/policy/modules/services/mysql.fc
@@ -16,6 +16,8 @@
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
#
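Review bot: `/usr/bin/mysql_upgrade` is labeled `mysqld_exec_t`, the daemon's entrypoint, although it is a client utility that connects to a running server; anything with a domain transition on mysqld_exec_t will now run the upgrade tool as mysqld_t with the daemon's full access, and the `mysqld_exec` interface added later in this patch lets callers run it in place. If the reason is that Debian's init script invokes mysql_upgrade from the daemon context, record that: `# Debian's mysql init runs mysql_upgrade in the daemon domain`. Labeling ndbd as a second entrypoint is more defensible but deserves the same note.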
@@ -27,4 +29,10 @@
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+')
/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/ntp.fc
+++ refpolicy-2.20110726/policy/modules/services/ntp.fc
@@ -20,3 +20,6 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/spamassassin.fc
+++ refpolicy-2.20110726/policy/modules/services/spamassassin.fc
@@ -10,6 +10,9 @@
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+')
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/exim.fc
+++ refpolicy-2.20110726/policy/modules/services/exim.fc
@@ -1,8 +1,14 @@
/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+')
/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
ifdef(`distro_debian',`
/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
+')
')
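Review bot: The added `ifdef(`distro_debian'` at `/run/exim[0-9]?(/.*)?` is nested inside the existing `ifdef(`distro_debian',` block, so the inner test is redundant; put the `/run/exim[0-9]?(/.*)?` line directly under `/var/run/exim[0-9]?(/.*)?` inside the outer block.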
--- refpolicy-2.20110726.orig/policy/modules/services/ldap.fc
+++ refpolicy-2.20110726/policy/modules/services/ldap.fc
@@ -5,13 +5,25 @@
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
ifdef(`distro_debian',`
-/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
')
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
+')
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
+')
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+')
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/ntop.fc
+++ refpolicy-2.20110726/policy/modules/services/ntop.fc
@@ -4,3 +4,6 @@
/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20110726/policy/modules/services/mysql.if
@@ -353,3 +353,23 @@
admin_pattern($1, mysqld_tmp_t)
')
+
+########################################
+##
+## Execute mysqld in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mysqld_exec',`
+ gen_require(`
+ type mysqld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, mysqld_exec_t)
+')
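Review bot: `mysqld_exec` lets the caller run mysqld_exec_t in its own domain, which with the labels added in this patch covers the server binary, ndbd and mysql_upgrade, and the summary should say that no domain transition occurs and which of these the caller is expected to run. For example: `## Execute mysqld (and the mysql_upgrade/ndbd binaries sharing its label) in the caller domain, without a transition.`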
--- refpolicy-2.20110726.orig/policy/modules/services/mailman.fc
+++ refpolicy-2.20110726/policy/modules/services/mailman.fc
@@ -4,8 +4,15 @@
/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+/run/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+')
/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0)
/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+ifdef(`distro_debian', `
+/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0)
+')
#
# distro_debian
--- refpolicy-2.20110726.orig/policy/modules/services/nsd.fc
+++ refpolicy-2.20110726/policy/modules/services/nsd.fc
@@ -12,3 +12,6 @@
/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/ppp.if
+++ refpolicy-2.20110726/policy/modules/services/ppp.if
@@ -228,6 +228,24 @@
########################################
##
+## Execute domain in the ppp caller.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ppp_script_exec',`
+ gen_require(`
+ type pppd_script_exec_t;
+ ')
+
+ can_exec($1, pppd_script_exec_t)
+')
+
+########################################
+##
## Read PPP-writable configuration files.
##
##
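Review bot: The summary `Execute domain in the ppp caller.` is garbled and inverts what the body does; the interface runs pppd scripts in the caller's domain, so make it `## Execute pppd scripts in the caller domain.`. If pppd_script_exec_t lives under /etc/ppp the caller also needs `files_search_etc($1)` before the `can_exec`, which I cannot confirm from this hunk.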
--- refpolicy-2.20110726.orig/policy/modules/services/uucp.fc
+++ refpolicy-2.20110726/policy/modules/services/uucp.fc
@@ -7,5 +7,9 @@
/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
+/run/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
+')
/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/apm.fc
+++ refpolicy-2.20110726/policy/modules/services/apm.fc
@@ -14,9 +14,21 @@
/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+')
/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+')
/var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+')
/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
+')
ifdef(`distro_suse',`
/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20110726/policy/modules/services/xserver.if
@@ -116,6 +116,24 @@
########################################
##
+## Allow domain to send sigchld to xdm_t
+## and environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdm_sigchld',`
+ gen_require(`
+ type xdm_t;
+ ')
+ allow $1 xdm_t:process sigchld;
+')
+
+########################################
+##
## Rules required for using the X Windows server
## and environment.
##
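Review bot: The new interface is named `xdm_sigchld` while every other interface in this file carries the `xserver_` module prefix, and its summary `Allow domain to send sigchld to xdm_t and environment.` copies the `and environment` tail from the neighbouring `Rules required for using the X Windows server and environment` block. Rename it `xserver_sigchld_xdm` and make the summary `## Send a SIGCHLD to the X display manager.`.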
@@ -280,7 +298,7 @@
##
#
interface(`xserver_user_client',`
- refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
+ refpolicyerr(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
gen_require(`
type xdm_t, xdm_tmp_t;
type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
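Review bot: Switching `refpolicywarn` to `refpolicyerr` turns a deprecation notice into a build failure for any policy module that still calls `xserver_user_client`, and the same change is made in this patch for `xserver_use_all_users_fonts`, the two nis.if interfaces, `cups_tcp_connect`, `nessus_tcp_connect`, `finger_tcp_connect`, the two snmp.if interfaces, `soundserver_tcp_connect`, the two bluetooth.if interfaces and `i18n_use`. That is a behaviour change for out-of-tree modules and deserves a sentence in the patch description. The `gen_require` and rules that follow the error in this interface's body (the body continues past the hunk) are now unreachable; if the interface is to be a hard error, the rest of the body should go with the warning, as the single-line deprecated interfaces in nis.if and cups.if already are.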
@@ -577,18 +595,18 @@
##
#
interface(`xserver_use_all_users_fonts',`
- refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.')
+ refpolicyerr(`$0() has been deprecated, please use xserver_use_user_fonts.')
xserver_use_user_fonts($1)
')
########################################
##
-## Read all users .Xauthority.
+## Read all users .Xauthority.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`xserver_read_user_xauth',`
@@ -729,6 +747,7 @@
files_search_tmp($1)
stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+ stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
')
########################################
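Review bot: The added `stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)` uses `xdm_var_run_t`, but this interface's `gen_require` block is outside the hunk, so I cannot confirm the type is required there; if it is not, the interface fails to expand in a modular build. The neighbouring rules pair the tmp socket with `files_search_tmp($1)`; the pid-directory socket likely needs `files_search_pids($1)` before the pattern for the same reason, so the caller can reach the directory.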
--- refpolicy-2.20110726.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20110726/policy/modules/services/mailman.te
@@ -61,6 +61,8 @@
# Mailman mail local policy
#
+dev_read_urand(mailman_mail_t)
+files_read_usr_files(mailman_mail_t)
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
allow mailman_mail_t self:process { signal signull };
allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
@@ -125,4 +127,5 @@
optional_policy(`
su_exec(mailman_queue_t)
-')
\ No newline at end of file
+')
+
--- refpolicy-2.20110726.orig/policy/modules/services/policykit.fc
+++ refpolicy-2.20110726/policy/modules/services/policykit.fc
@@ -3,6 +3,8 @@
/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
@@ -12,4 +14,7 @@
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/courier.if
+++ refpolicy-2.20110726/policy/modules/services/courier.if
@@ -29,7 +29,7 @@
allow courier_$1_t self:capability dac_override;
dontaudit courier_$1_t self:capability sys_tty_config;
allow courier_$1_t self:process { setpgid signal_perms };
- allow courier_$1_t self:fifo_file { read write getattr };
+ allow courier_$1_t self:fifo_file rw_fifo_file_perms;
allow courier_$1_t self:tcp_socket create_stream_socket_perms;
allow courier_$1_t self:udp_socket create_socket_perms;
@@ -105,6 +105,25 @@
')
########################################
+##
+## Act as a client for the courier authdaemon
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_authdaemon_client',`
+ gen_require(`
+ type courier_authdaemon_t, courier_etc_t, courier_var_run_t;
+ ')
+ allow $1 courier_authdaemon_t:unix_stream_socket connectto;
+ allow $1 courier_etc_t:dir search;
+ allow $1 courier_var_run_t:sock_file write;
+')
+
+########################################
##
## Execute the courier POP3 and IMAP server with
## a domain transition.
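Review bot: `courier_authdaemon_client` grants `write` on the socket file and `connectto` on the daemon but no `search` on the directory holding the socket, so a caller only reaches the socket if some other rule already makes that directory searchable; if, as the type name suggests, the socket sits in a `courier_var_run_t` directory under the pid directory, the connect fails on the lookup. refpolicy bundles these permissions in `stream_connect_pattern`, which the xserver.if hunk of this same patch uses, and the `courier_etc_t:dir search` needs `files_search_etc($1)` for the same reason. Rewriting the body as below keeps the interface name and argument unchanged.
```m4
interface(`courier_authdaemon_client',`
	gen_require(`
		type courier_authdaemon_t, courier_etc_t, courier_var_run_t;
	')

	files_search_etc($1)
	allow $1 courier_etc_t:dir search_dir_perms;
	files_search_pids($1)
	stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)
')
```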
--- refpolicy-2.20110726.orig/policy/modules/services/canna.fc
+++ refpolicy-2.20110726/policy/modules/services/canna.fc
@@ -19,5 +19,14 @@
/var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0)
/var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
+')
/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
+')
/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/psad.fc
+++ refpolicy-2.20110726/policy/modules/services/psad.fc
@@ -6,3 +6,6 @@
/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0)
/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/nis.if
+++ refpolicy-2.20110726/policy/modules/services/nis.if
@@ -205,7 +205,7 @@
##
#
interface(`nis_udp_send_ypbind',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
@@ -219,7 +219,7 @@
##
#
interface(`nis_tcp_connect_ypbind',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/gpm.te
+++ refpolicy-2.20110726/policy/modules/services/gpm.te
@@ -27,7 +27,7 @@
#
allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
-allow gpm_t self:process { getcap setcap };
+allow gpm_t self:process { signal signull getcap setcap };
allow gpm_t self:unix_stream_socket create_stream_socket_perms;
allow gpm_t gpm_conf_t:dir list_dir_perms;
--- refpolicy-2.20110726.orig/policy/modules/services/portmap.te
+++ refpolicy-2.20110726/policy/modules/services/portmap.te
@@ -32,6 +32,8 @@
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
allow portmap_t self:tcp_socket create_stream_socket_perms;
allow portmap_t self:udp_socket create_socket_perms;
+dev_read_urand(portmap_t)
+term_read_console(portmap_t)
manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
@@ -112,6 +114,8 @@
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
+dev_read_urand(portmap_helper_t)
+term_read_console(portmap_helper_t)
corenet_all_recvfrom_unlabeled(portmap_helper_t)
corenet_all_recvfrom_netlabel(portmap_helper_t)
--- refpolicy-2.20110726.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20110726/policy/modules/services/networkmanager.te
@@ -270,6 +270,7 @@
# wpa_cli local policy
#
+domain_auto_trans(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)
allow wpa_cli_t self:capability dac_override;
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
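Review bot: `domain_auto_trans(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)` is the legacy macro; the rest of refpolicy uses `domtrans_pattern(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)`, which besides the transition grants the fd-use, fifo and sigchld rules the parent needs to drive and wait on the child. With the legacy form those rules must be added by hand or they surface as denials in the audit log. The rule's subject is `NetworkManager_t`, so it also reads better in the NetworkManager local policy section than under the wpa_cli header where it is placed.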
--- refpolicy-2.20110726.orig/policy/modules/services/snort.fc
+++ refpolicy-2.20110726/policy/modules/services/snort.fc
@@ -7,3 +7,6 @@
/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/transproxy.fc
+++ refpolicy-2.20110726/policy/modules/services/transproxy.fc
@@ -1,3 +1,6 @@
/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
/var/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20110726/policy/modules/services/devicekit.te
@@ -203,7 +203,9 @@
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-consoletype_exec(devicekit_power_t)
+optional_policy(`
+ consoletype_exec(devicekit_power_t)
+')
domain_read_all_domains_state(devicekit_power_t)
--- refpolicy-2.20110726.orig/policy/modules/services/courier.fc
+++ refpolicy-2.20110726/policy/modules/services/courier.fc
@@ -7,6 +7,7 @@
/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
/usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
@@ -14,7 +15,8 @@
/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
+/var/cache/sqwebmail(/.*)? gen_context(system_u:object_r:courier_sqwebmail_cache_t,s0)
ifdef(`distro_gentoo',`
/usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
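Review bot: The label `sqwebmail_cron_exec_t` is replaced by `courier_sqwebmail_exec_t` and a new `courier_sqwebmail_cache_t` is introduced, but the type declarations live in courier.te, which is not part of this chunk; if the patch does not also declare both types and retire the old one, loading the file contexts fails. The rename also changes which domain runs cleancache.pl, so the matching domain-transition rule should be checked in the same .te change.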
--- refpolicy-2.20110726.orig/policy/modules/services/pxe.fc
+++ refpolicy-2.20110726/policy/modules/services/pxe.fc
@@ -4,3 +4,6 @@
/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0)
/var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/snmp.te
+++ refpolicy-2.20110726/policy/modules/services/snmp.te
@@ -24,7 +24,7 @@
#
# Local policy
#
-allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+allow snmpd_t self:capability { chown dac_override setgid setuid kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
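Review bot: The added `setgid setuid` capabilities on `snmpd_t` come without a comment saying why they are needed; these are the capabilities that let the daemon change identity, so the reason should be on record. If this is for snmpd's `-u`/`-g` privilege-drop options, a line such as `# setuid/setgid: snmpd drops to an unprivileged user via -u/-g` above the rule makes that auditable; if the daemon is instead expected to stay root, the capabilities should not be granted.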
--- refpolicy-2.20110726.orig/policy/modules/services/snmp.fc
+++ refpolicy-2.20110726/policy/modules/services/snmp.fc
@@ -21,4 +21,10 @@
/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+')
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/ccs.fc
+++ refpolicy-2.20110726/policy/modules/services/ccs.fc
@@ -3,4 +3,10 @@
/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+')
/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/cron.fc
+++ refpolicy-2.20110726/policy/modules/services/cron.fc
@@ -5,6 +5,7 @@
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
@@ -12,12 +13,35 @@
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+')
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+')
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+')
/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+')
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+')
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+')
+ifdef(`distro_debian', `
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atjobs/[^/]* -- <>
+')
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
@@ -45,3 +69,5 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)
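Review bot: `/var/log/prelink.log` leaves the dot unescaped, so the pattern also matches names like `/var/log/prelinkXlog`; every other entry in this file writes `\.`, so this should read `/var/log/prelink\.log -- gen_context(system_u:object_r:cron_log_t,s0)`. The entry also labels a prelink log as `cron_log_t` from cron.fc; if the prelink module already labels this path with its own log type, the two specifications conflict at load time, and the prelink module is the natural home for the entry either way.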
--- refpolicy-2.20110726.orig/policy/modules/services/cups.if
+++ refpolicy-2.20110726/policy/modules/services/cups.if
@@ -75,7 +75,7 @@
##
#
interface(`cups_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/milter.te
+++ refpolicy-2.20110726/policy/modules/services/milter.te
@@ -20,6 +20,10 @@
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
+files_pid_file(spamass_milter_data_t)
+files_pid_filetrans(spamass_milter_t, spamass_milter_data_t, { file sock_file })
+allow spamass_milter_t spamass_milter_data_t:{ file sock_file } manage_file_perms;
+
########################################
#
# milter-greylist local policy
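Review bot: `allow spamass_milter_t spamass_milter_data_t:{ file sock_file } manage_file_perms;` applies the file permission set to sock_file objects; refpolicy spells this as `manage_files_pattern(spamass_milter_t, spamass_milter_data_t, spamass_milter_data_t)` plus `manage_sock_files_pattern(spamass_milter_t, spamass_milter_data_t, spamass_milter_data_t)`, which also grant the directory permissions the raw allow omits. The three added lines sit in the declarations section right after the type declarations; the filetrans and allow rules belong in the spamass-milter local policy section further down. `files_pid_file()` on a type the milter template presumably already marks as a files_type is only right if the data directory really lives under the pid directory on Debian — a one-line comment saying so would help.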
--- refpolicy-2.20110726.orig/policy/modules/services/i18n_input.fc
+++ refpolicy-2.20110726/policy/modules/services/i18n_input.fc
@@ -17,3 +17,6 @@
#
/var/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/perdition.te
+++ refpolicy-2.20110726/policy/modules/services/perdition.te
@@ -20,13 +20,16 @@
# Local policy
#
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:netlink_route_socket create_netlink_socket_perms;
+allow perdition_t self:capability { chown fowner setgid setuid };
+dev_read_urand(perdition_t)
dontaudit perdition_t self:capability sys_tty_config;
allow perdition_t self:process signal_perms;
allow perdition_t self:tcp_socket create_stream_socket_perms;
allow perdition_t self:udp_socket create_socket_perms;
allow perdition_t perdition_etc_t:file read_file_perms;
+allow perdition_t perdition_etc_t:dir r_dir_perms;
files_search_etc(perdition_t)
manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
@@ -46,6 +49,8 @@
corenet_udp_sendrecv_all_ports(perdition_t)
corenet_tcp_bind_generic_node(perdition_t)
corenet_tcp_bind_pop_port(perdition_t)
+corenet_tcp_bind_sieve_port(perdition_t)
+corenet_tcp_connect_pop_port(perdition_t)
corenet_sendrecv_pop_server_packets(perdition_t)
dev_read_sysfs(perdition_t)
@@ -73,3 +78,7 @@
optional_policy(`
udev_read_db(perdition_t)
')
+optional_policy(`
+ mysql_tcp_connect(perdition_t)
+ mysql_stream_connect(perdition_t)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/memcached.fc
+++ refpolicy-2.20110726/policy/modules/services/memcached.fc
@@ -3,3 +3,6 @@
/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/pads.fc
+++ refpolicy-2.20110726/policy/modules/services/pads.fc
@@ -8,3 +8,6 @@
/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0)
/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
+ifdef(`distro_debian', `
+/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/nscd.fc
+++ refpolicy-2.20110726/policy/modules/services/nscd.fc
@@ -8,6 +8,15 @@
/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
+')
/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+')
/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/nessus.if
+++ refpolicy-2.20110726/policy/modules/services/nessus.if
@@ -11,5 +11,5 @@
##
#
interface(`nessus_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
--- refpolicy-2.20110726.orig/policy/modules/services/postfix.fc
+++ refpolicy-2.20110726/policy/modules/services/postfix.fc
@@ -29,6 +29,8 @@
/usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
/usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
+/etc/network/if-down.d/postfix -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/network/if-up.d/postfix -- gen_context(system_u:object_r:initrc_exec_t,s0)
')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
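Review bot: The two `/etc/network/if-*.d/postfix` entries are Debian-specific paths, but they are placed inside an `ifdef` block whose opening line is outside the hunk; if that block is the non-Red Hat branch of the `/usr/lib(64)?/postfix` section rather than a `distro_debian` guard, the entries apply to every non-Red Hat build. Wrapping them in their own `ifdef(`distro_debian', `` … `')` as the rest of this patch does removes the doubt.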
--- refpolicy-2.20110726.orig/policy/modules/services/finger.if
+++ refpolicy-2.20110726/policy/modules/services/finger.if
@@ -29,5 +29,5 @@
##
#
interface(`finger_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
--- refpolicy-2.20110726.orig/policy/modules/services/snmp.if
+++ refpolicy-2.20110726/policy/modules/services/snmp.if
@@ -30,7 +30,7 @@
##
#
interface(`snmp_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
@@ -44,7 +44,7 @@
##
#
interface(`snmp_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/dante.fc
+++ refpolicy-2.20110726/policy/modules/services/dante.fc
@@ -4,3 +4,6 @@
/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0)
/var/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/openvpn.fc
+++ refpolicy-2.20110726/policy/modules/services/openvpn.fc
@@ -15,3 +15,10 @@
#
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
+')
+/var/run/openvpn.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/openvpn.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)
+')
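Review bot: `/var/run/openvpn.client.*` and its `/run` twin leave both dots unescaped, so the regex also matches names like `/var/run/openvpnXclientY`; the other entries in this file escape literal dots, so these should read `/var/run/openvpn\.client.*` and `/run/openvpn\.client.*`.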
--- refpolicy-2.20110726.orig/policy/modules/services/fetchmail.te
+++ refpolicy-2.20110726/policy/modules/services/fetchmail.te
@@ -19,6 +19,11 @@
type fetchmail_uidl_cache_t;
files_type(fetchmail_uidl_cache_t)
+type fetchmail_tmp_t;
+files_tmp_file(fetchmail_tmp_t)
+ubac_constrained(fetchmail_tmp_t)
+files_tmp_filetrans(fetchmail_t, fetchmail_tmp_t, file)
+
########################################
#
# Local policy
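Review bot: `files_tmp_filetrans(fetchmail_t, fetchmail_tmp_t, file)` only labels new files in tmp; nothing in this hunk lets `fetchmail_t` create, read or write `fetchmail_tmp_t` files, so unless a rule outside the hunk adds it the transition yields files the domain cannot use. Add `manage_files_pattern(fetchmail_t, fetchmail_tmp_t, fetchmail_tmp_t)` next to the filetrans, and move both out of the declarations block into the local policy section that begins right after this hunk, where the file keeps its rules.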
--- refpolicy-2.20110726.orig/policy/modules/services/soundserver.if
+++ refpolicy-2.20110726/policy/modules/services/soundserver.if
@@ -11,7 +11,7 @@
##
#
interface(`soundserver_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/asterisk.te
+++ refpolicy-2.20110726/policy/modules/services/asterisk.te
@@ -45,7 +45,7 @@
allow asterisk_t self:fifo_file rw_fifo_file_perms;
allow asterisk_t self:sem create_sem_perms;
allow asterisk_t self:shm create_shm_perms;
-allow asterisk_t self:unix_stream_socket connectto;
+allow asterisk_t self:unix_stream_socket { connectto rw_stream_socket_perms };
allow asterisk_t self:tcp_socket create_stream_socket_perms;
allow asterisk_t self:udp_socket create_socket_perms;
--- refpolicy-2.20110726.orig/policy/modules/services/prelude.te
+++ refpolicy-2.20110726/policy/modules/services/prelude.te
@@ -278,6 +278,7 @@
# prewikka_cgi Declarations
#
+apache_script_exec_domain(prewikka)
optional_policy(`
apache_content_template(prewikka)
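Review bot: `apache_script_exec_domain(prewikka)` is called unconditionally, while the `apache_content_template(prewikka)` call one line below is wrapped in `optional_policy(`; a build without the apache module fails on the unguarded call. Move the new line inside the same `optional_policy(` block. The block continues past the hunk, so its closing `')` is not visible here.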
--- refpolicy-2.20110726.orig/policy/modules/services/lircd.fc
+++ refpolicy-2.20110726/policy/modules/services/lircd.fc
@@ -6,5 +6,14 @@
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+')
/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+')
/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/puppet.fc
+++ refpolicy-2.20110726/policy/modules/services/puppet.fc
@@ -9,3 +9,6 @@
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/jabber.fc
+++ refpolicy-2.20110726/policy/modules/services/jabber.fc
@@ -1,6 +1,9 @@
/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/bluetooth.if
+++ refpolicy-2.20110726/policy/modules/services/bluetooth.if
@@ -126,7 +126,7 @@
##
#
interface(`bluetooth_domtrans_helper',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
@@ -152,7 +152,7 @@
##
#
interface(`bluetooth_run_helper',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/watchdog.te
+++ refpolicy-2.20110726/policy/modules/services/watchdog.te
@@ -54,7 +54,7 @@
corenet_sendrecv_all_client_packets(watchdog_t)
dev_read_sysfs(watchdog_t)
-dev_write_watchdog(watchdog_t)
+dev_rw_watchdog(watchdog_t)
# do not care about saving the random seed
dev_dontaudit_read_rand(watchdog_t)
dev_dontaudit_read_urand(watchdog_t)
--- refpolicy-2.20110726.orig/policy/modules/services/dcc.te
+++ refpolicy-2.20110726/policy/modules/services/dcc.te
@@ -91,6 +91,9 @@
allow cdcc_t dcc_client_map_t:file rw_file_perms;
# Access files in /var/dcc. The map file can be updated
+ifdef(`distro_debian',`
+files_search_var_lib(cdcc_t)
+')
allow cdcc_t dcc_var_t:dir list_dir_perms;
read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
@@ -128,6 +131,9 @@
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
# Access files in /var/dcc. The map file can be updated
+ifdef(`distro_debian',`
+files_search_var_lib(dcc_client_t)
+')
allow dcc_client_t dcc_var_t:dir list_dir_perms;
manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
@@ -176,6 +182,9 @@
manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
+ifdef(`distro_debian',`
+files_search_var_lib(dcc_dbclean_t)
+')
manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
@@ -214,6 +223,9 @@
allow dccd_t dcc_client_map_t:file rw_file_perms;
# Access files in /var/dcc. The map file can be updated
+ifdef(`distro_debian',`
+files_search_var_lib(dccd_t)
+')
allow dccd_t dcc_var_t:dir list_dir_perms;
read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
@@ -288,6 +300,9 @@
allow dccifd_t dcc_client_map_t:file rw_file_perms;
# Updating dcc_db, flod, ...
+ifdef(`distro_debian',`
+files_search_var_lib(dccifd_t)
+')
manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
@@ -352,6 +367,9 @@
allow dccm_t dcc_client_map_t:file rw_file_perms;
+ifdef(`distro_debian',`
+files_search_var_lib(dccm_t)
+')
manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t)
manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t)
--- refpolicy-2.20110726.orig/policy/modules/services/rsync.fc
+++ refpolicy-2.20110726/policy/modules/services/rsync.fc
@@ -5,3 +5,6 @@
/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/tuned.fc
+++ refpolicy-2.20110726/policy/modules/services/tuned.fc
@@ -6,3 +6,6 @@
/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/i18n_input.if
+++ refpolicy-2.20110726/policy/modules/services/i18n_input.if
@@ -11,5 +11,5 @@
##
#
interface(`i18n_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
--- refpolicy-2.20110726.orig/policy/modules/services/rhcs.fc
+++ refpolicy-2.20110726/policy/modules/services/rhcs.fc
@@ -6,6 +6,10 @@
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/run/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+')
/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
@@ -15,8 +19,26 @@
/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+')
/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+')
/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+')
/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+')
/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+')
/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/ifplugd.fc
+++ refpolicy-2.20110726/policy/modules/services/ifplugd.fc
@@ -5,3 +5,6 @@
/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/cpucontrol.fc
+++ refpolicy-2.20110726/policy/modules/services/cpucontrol.fc
@@ -8,3 +8,6 @@
/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
/var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20110726/policy/modules/services/openvpn.te
@@ -64,6 +64,10 @@
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+# for the list of vulnerable keys
+files_read_usr_files(openvpn_t)
+files_read_var_lib_files(openvpn_t)
+
kernel_read_kernel_sysctls(openvpn_t)
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
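Review bot: `# for the list of vulnerable keys` does not say which list or where it lives, yet it justifies read access to all generic files under /usr and /var/lib for `openvpn_t`. Name the source in the comment, e.g. `# Debian: read the blacklist of known-weak keys (presumably the openssl-blacklist package; confirm whether it is under /usr or /var/lib)`, and drop whichever of `files_read_usr_files` / `files_read_var_lib_files` the list does not actually need.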
--- refpolicy-2.20110726.orig/policy/modules/services/pyicqt.fc
+++ refpolicy-2.20110726/policy/modules/services/pyicqt.fc
@@ -3,5 +3,8 @@
/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
+')
/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/ddclient.fc
+++ refpolicy-2.20110726/policy/modules/services/ddclient.fc
@@ -9,4 +9,10 @@
/var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0)
/var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
/var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+')
/var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/ppp.fc
+++ refpolicy-2.20110726/policy/modules/services/ppp.fc
@@ -29,10 +29,22 @@
# /var
#
/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+')
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+')
/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+')
# Fix pptp sockets
/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+')
/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/ircd.fc
+++ refpolicy-2.20110726/policy/modules/services/ircd.fc
@@ -5,3 +5,6 @@
/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0)
/var/log/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0)
/var/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/rpcbind.fc
+++ refpolicy-2.20110726/policy/modules/services/rpcbind.fc
@@ -5,5 +5,14 @@
/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+')
/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+')
/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/varnishd.fc
+++ refpolicy-2.20110726/policy/modules/services/varnishd.fc
@@ -14,5 +14,14 @@
/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0)
/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
+')
/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+')
/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/hal.fc
+++ refpolicy-2.20110726/policy/modules/services/hal.fc
@@ -19,14 +19,32 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
-/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm-.*\.log.* gen_context(system_u:object_r:hald_log_t,s0)
/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+')
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
+')
/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+')
/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+')
/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
+')
/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
+')
ifdef(`distro_gentoo',`
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20110726/policy/modules/services/postfix.te
@@ -26,6 +26,9 @@
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
+# allow postfix_local_t to run programs like vacation that send mail
+mta_sendmail_domtrans(postfix_local_t, postfix_postdrop_t)
+
# Program for creating database files
type postfix_map_t;
type postfix_map_exec_t;
@@ -183,9 +186,11 @@
ifdef(`distro_redhat',`
# for newer main.cf that uses /etc/aliases
mta_manage_aliases(postfix_master_t)
- mta_etc_filetrans_aliases(postfix_master_t)
')
+mta_etc_filetrans_aliases(postfix_master_t)
+allow postfix_master_t etc_aliases_t:file manage_file_perms;
+
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
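Review bot: `allow postfix_master_t etc_aliases_t:file manage_file_perms;` touches a type owned by the mta module directly, while the distro_redhat branch just above already expresses the same access through `mta_manage_aliases(postfix_master_t)`. Unless postfix.te already requires etc_aliases_t (not visible in this hunk) the raw allow will not build, and even if it does it bypasses the interface the module provides. The portable form is to move `mta_manage_aliases(postfix_master_t)` out of the distro_redhat block next to the relocated `mta_etc_filetrans_aliases(postfix_master_t)` and drop the raw allow.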
@@ -201,6 +206,8 @@
optional_policy(`
mysql_stream_connect(postfix_master_t)
+ mysql_stream_connect(postfix_smtpd_t)
+ mysql_stream_connect(postfix_cleanup_t)
')
optional_policy(`
@@ -231,6 +238,11 @@
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+# for milters - may be a bug in postfix
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket { getattr read write shutdown };
+allow postfix_cleanup_t postfix_smtpd_t:tcp_socket { read write getattr getopt };
+
########################################
#
# Postfix cleanup local policy
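Review bot: The three `allow postfix_cleanup_t postfix_smtpd_t:...` rules are placed under the bounce local policy, immediately above the "Postfix cleanup local policy" header they belong under. Granting `tcp_socket { read write getattr getopt }` lets cleanup(8) read and write the inherited client SMTP connection; if the socket is merely leaked across the milter hand-off, as the `may be a bug in postfix` comment suggests, `dontaudit` on the fd and tcp_socket rules silences the denial without widening cleanup's reach, keeping an allow only for the unix_stream_socket if that is what the hand-off actually uses. The same section-placement problem applies to `write_sock_files_pattern(postfix_virtual_t,postfix_private_t,postfix_private_t)` added in the cleanup section (which also lacks the spaces after commas used everywhere else in this file) and to `spamassassin_connect_unix_sock(postfix_smtpd_t)` appended at the end of the virtual section.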
@@ -240,6 +252,7 @@
# connect to master process
stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+write_sock_files_pattern(postfix_virtual_t,postfix_private_t,postfix_private_t)
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
@@ -273,6 +286,9 @@
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
+# so it can write to the lock file
+mta_rw_spool(postfix_local_t)
+
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
@@ -304,7 +320,7 @@
')
optional_policy(`
- procmail_domtrans(postfix_local_t)
+ lda_domtrans(postfix_local_t)
')
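Review bot: `lda_domtrans(postfix_local_t)` replaces `procmail_domtrans(postfix_local_t)` instead of being added beside it, so a `mailbox_command = procmail` setup loses its domain transition on this branch, whereas the postfix_pipe_t hunk later in this file keeps procmail and adds lda in separate optional_policy blocks. Unless the lda module is known to cover procmail on Debian, keep the procmail block and add a second optional_policy block calling `lda_domtrans(postfix_local_t)`, mirroring the pipe section.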
########################################
@@ -405,11 +421,17 @@
dovecot_domtrans_deliver(postfix_pipe_t)
')
+corecmd_exec_bin(postfix_pipe_t)
+
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
optional_policy(`
+ lda_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
')
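Review bot: `corecmd_exec_bin(postfix_pipe_t)` is unconditional and lets pipe(8) run any bin_t program inside the postfix_pipe_t domain itself, which is precisely what the surrounding `procmail_domtrans`, `lda_domtrans`, `mailman_domtrans_queue` and `dovecot_domtrans_deliver` calls exist to avoid: any transport command without a dedicated domain now inherits pipe's privileges, and a missing transition for such a command will no longer show up as a denial. A comment stating which transport needs it, or a tunable gating it, would make the trade-off visible; as written it reads like a blanket workaround.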
@@ -565,7 +587,7 @@
')
optional_policy(`
- milter_stream_connect_all(postfix_smtp_t)
+ milter_stream_connect_all(postfix_smtpd_t)
')
########################################
@@ -603,6 +625,15 @@
')
optional_policy(`
+ clamav_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ dkim_stream_connect(postfix_smtpd_t)
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -630,3 +661,8 @@
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
+
+# for talking to spamass-milter
+optional_policy(`
+ spamassassin_connect_unix_sock(postfix_smtpd_t)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/nut.fc
+++ refpolicy-2.20110726/policy/modules/services/nut.fc
@@ -6,6 +6,9 @@
/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+')
/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/vhostmd.fc
+++ refpolicy-2.20110726/policy/modules/services/vhostmd.fc
@@ -3,3 +3,6 @@
/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/portslave.te
+++ refpolicy-2.20110726/policy/modules/services/portslave.te
@@ -13,6 +13,9 @@
type portslave_etc_t;
files_config_file(portslave_etc_t)
+# for filters
+can_exec(portslave_t, { portslave_etc_t portslave_exec_t })
+
type portslave_lock_t;
files_lock_file(portslave_lock_t)
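Review bot: `can_exec(portslave_t, { portslave_etc_t portslave_exec_t })` makes the daemon's configuration type executable, so anything written under portslave_etc_t becomes code portslave_t will run; if the filters are scripts shipped in /etc, a separate type for them (declared with `files_type` rather than `files_config_file`) keeps editable configuration and executable content apart. The rule is also placed among the type declarations rather than in the local policy section below, where the other portslave_t rules in this file live; the `# for filters` comment should go with it.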
@@ -62,8 +65,10 @@
corenet_udp_sendrecv_generic_node(portslave_t)
corenet_tcp_sendrecv_all_ports(portslave_t)
corenet_udp_sendrecv_all_ports(portslave_t)
+corenet_udp_bind_all_nodes(portslave_t)
corenet_rw_ppp_dev(portslave_t)
+miscfiles_read_localization(portslave_t)
dev_read_sysfs(portslave_t)
# for ssh
dev_read_urand(portslave_t)
@@ -102,6 +107,7 @@
# instead of exec.
ppp_read_rw_config(portslave_t)
ppp_exec(portslave_t)
+ppp_script_exec(portslave_t)
ppp_read_secrets(portslave_t)
ppp_manage_pid_files(portslave_t)
ppp_pid_filetrans(portslave_t)
--- refpolicy-2.20110726.orig/policy/modules/services/cron.te
+++ refpolicy-2.20110726/policy/modules/services/cron.te
@@ -136,8 +136,8 @@
# Cron daemon local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { dac_override setgid setuid sys_nice sys_resource dac_read_search };
+dontaudit crond_t self:capability { sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
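Review bot: Moving `sys_resource` from `dontaudit` to `allow` for crond_t carries no comment saying which operation needs it (raising rlimits for jobs via setrlimit is one candidate, but that is a guess), and CAP_SYS_RESOURCE also covers quota and reserved-space overrides, so the grant deserves a one-line justification such as `# sys_resource: <reason> — TODO confirm`. If the need is Debian-specific, the existing distro_debian block a few hunks down, which already explains the pam_limits case, is the natural place for it.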
@@ -222,6 +222,7 @@
userdom_list_user_home_dirs(crond_t)
mta_send_mail(crond_t)
+system_mail_file_access(crond_tmp_t)
ifdef(`distro_debian',`
# pam_limits is used
@@ -260,6 +261,8 @@
optional_policy(`
amavis_search_lib(crond_t)
+ # for bayes maintainance scripts
+ amavis_domtrans(crond_t)
')
optional_policy(`
@@ -468,7 +471,8 @@
')
optional_policy(`
- mysql_read_config(system_cronjob_t)
+ mysql_read_config(system_crond_t)
+ mysql_stream_connect(system_crond_t)
')
optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/services/sssd.fc
+++ refpolicy-2.20110726/policy/modules/services/sssd.fc
@@ -9,3 +9,6 @@
/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/kerberos.if
+++ refpolicy-2.20110726/policy/modules/services/kerberos.if
@@ -237,8 +237,10 @@
allow $2 $1_keytab_t:file read_file_perms;
- kerberos_read_keytab($2)
- kerberos_use($2)
+ optional_policy(`
+ kerberos_read_keytab($2)
+ kerberos_use($2)
+ ')
')
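Review bot: Wrapping `kerberos_read_keytab($2)` and `kerberos_use($2)` in `optional_policy` inside kerberos.if itself is odd: these are the kerberos module's own interfaces, so whenever the enclosing interface expands the module providing them is the one being built, and the wrapper can only matter if the build splits the module in an unusual way. If the intent is to let callers use this interface while kerberos is absent, it is the caller that needs to wrap the outer interface in `optional_policy`, not its body. The enclosing interface starts outside the hunk; a comment explaining which build failure this works around would make the purpose clear.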
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/inetd.if
+++ refpolicy-2.20110726/policy/modules/services/inetd.if
@@ -150,7 +150,7 @@
##
#
interface(`inetd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
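Review bot: Switching `refpolicywarn` to `refpolicyerr` turns each deprecated interface into a hard build failure for any module still calling it, here and in the perdition, nsd, radius, bind and automount hunks of this patch; if that is intended, a comment in each hunk should say so, since a warning is the form the surrounding interfaces use for deprecation. In `automount_exec_config` the `files_exec_etc_files($1)` call that follows the new `refpolicyerr` is now dead, because the error aborts the build before it can matter, so either keep the warning there or remove the fallback.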
########################################
@@ -183,7 +183,7 @@
##
#
interface(`inetd_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/automount.if
+++ refpolicy-2.20110726/policy/modules/services/automount.if
@@ -49,7 +49,7 @@
##
#
interface(`automount_exec_config',`
- refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
+ refpolicyerr(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
files_exec_etc_files($1)
')
--- refpolicy-2.20110726.orig/policy/modules/services/perdition.if
+++ refpolicy-2.20110726/policy/modules/services/perdition.if
@@ -11,5 +11,5 @@
##
#
interface(`perdition_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
--- refpolicy-2.20110726.orig/policy/modules/services/apm.te
+++ refpolicy-2.20110726/policy/modules/services/apm.te
@@ -190,6 +190,9 @@
optional_policy(`
networkmanager_dbus_chat(apmd_t)
')
+ optional_policy(`
+ hal_dbus_chat(apmd_t)
+ ')
')
optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/services/nagios.fc
+++ refpolicy-2.20110726/policy/modules/services/nagios.fc
@@ -1,7 +1,9 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios/nrpe\.* -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+ifndef(`distro_debian', `
/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+')
/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
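Review bot: `/etc/nagios/nrpe\.*` no longer matches `nrpe.cfg`: in a file-context regex `\.*` is zero or more literal dots and the pattern is anchored, so it only matches `/etc/nagios/nrpe`, `/etc/nagios/nrpe.` and so on, while `nrpe.cfg` now falls back to nagios_etc_t. The intended pattern is presumably `/etc/nagios/nrpe.*` (also covering `nrpe_local.cfg`) or, to keep the literal dot, `/etc/nagios/nrpe\..*`.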
@@ -13,13 +15,19 @@
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+')
/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
ifdef(`distro_debian',`
-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-')
+/usr/sbin/nagios.* -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/lib/cgi-bin/nagios.?/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib/nagios3/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+', `
/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+')
/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
# admin plugins
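Review bot: The Debian branch labels the CGI programs `nagios_cgi_exec_t` while the non-Debian branch and the unchanged `/usr/lib(64)?/nagios/cgi-bin` line use `httpd_nagios_script_exec_t`; nagios.te is not in this patch, so confirm the new type is declared there with the apache content wiring, or the Debian entries will fail at build time. `/usr/lib/cgi-bin/nagios.?/.+` also leaves the dot unescaped, so it matches `nagiosX/` as well as `nagios3/`; `/usr/lib/cgi-bin/nagios3?/.+` says what is meant.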
--- refpolicy-2.20110726.orig/policy/modules/services/dkim.fc
+++ refpolicy-2.20110726/policy/modules/services/dkim.fc
@@ -5,5 +5,14 @@
/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+')
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+')
/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/watchdog.fc
+++ refpolicy-2.20110726/policy/modules/services/watchdog.fc
@@ -3,3 +3,6 @@
/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/postfixpolicyd.fc
+++ refpolicy-2.20110726/policy/modules/services/postfixpolicyd.fc
@@ -4,3 +4,6 @@
/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
+ifdef(`distro_debian', `
+/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/epmd.if
+++ refpolicy-2.20110726/policy/modules/services/epmd.if
@@ -0,0 +1,29 @@
+## Erlang Port Mapper Daemon (epmd).
+
+########################################
+##
+## Execute epmd in the epmd domain, and
+## allow the specified role the epmd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the epmd domain.
+##
+##
+##
+#
+interface(`run_epmd',`
+ gen_require(`
+ type epmd_t, epmd_exec_t;
+ ')
+
+ domtrans_pattern($1, epmd_exec_t, epmd_t)
+ role $2 types epmd_t;
+ corenet_tcp_connect_epmd_port($1)
+')
+
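Review bot: `run_epmd` breaks the refpolicy convention that interfaces are prefixed with their module name (`epmd_run` would match `kerberos_use`, `amavis_domtrans` and the other interfaces touched in this patch), and the trailing empty line after the closing quote should go. `corenet_tcp_connect_epmd_port($1)` presumes an epmd port definition in corenetwork that is not part of this hunk; confirm it exists, otherwise the interface will not expand.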
--- refpolicy-2.20110726.orig/policy/modules/services/lpd.fc
+++ refpolicy-2.20110726/policy/modules/services/lpd.fc
@@ -35,3 +35,6 @@
/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/denyhosts.fc
+++ refpolicy-2.20110726/policy/modules/services/denyhosts.fc
@@ -4,4 +4,8 @@
/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+/run/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+')
/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/bind.te
+++ refpolicy-2.20110726/policy/modules/services/bind.te
@@ -69,6 +69,9 @@
allow named_t self:tcp_socket create_stream_socket_perms;
allow named_t self:udp_socket create_socket_perms;
+# because lwresd calls access(".", W_OK)
+files_dontaudit_rw_root_dir(named_t)
+
allow named_t dnssec_t:file read_file_perms;
# read configuration
@@ -199,6 +202,7 @@
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms;
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+dev_read_urand(ndc_t)
allow ndc_t dnssec_t:file read_file_perms;
allow ndc_t dnssec_t:lnk_file { getattr read };
--- refpolicy-2.20110726.orig/policy/modules/services/courier.te
+++ refpolicy-2.20110726/policy/modules/services/courier.te
@@ -24,12 +24,21 @@
type courier_var_run_t;
files_pid_file(courier_var_run_t)
+files_pid_filetrans(courier_authdaemon_t, courier_var_run_t, { file sock_file })
type courier_exec_t;
mta_agent_executable(courier_exec_t)
+type courier_sqwebmail_cache_t;
+files_type(courier_sqwebmail_cache_t)
+
courier_domain_template(sqwebmail)
typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
+files_pid_filetrans(courier_sqwebmail_t, courier_var_run_t, { file sock_file })
+
+manage_files_pattern(courier_sqwebmail_t, courier_sqwebmail_cache_t, courier_sqwebmail_cache_t)
+
+dev_read_urand(courier_sqwebmail_t)
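Review bot: The new `files_pid_filetrans`, `manage_files_pattern` and `dev_read_urand` rules for courier_authdaemon_t and courier_sqwebmail_t are placed in the declarations section rather than in the per-domain local policy sections below, where this file keeps its rules. `courier_sqwebmail_cache_t` is declared with a bare `files_type`, but no file context for it appears in this patch (courier.fc is not touched) and no filetrans rule creates it, so nothing on disk will carry the label; a comment naming the directory it is meant for, plus the matching .fc entry, is needed for the manage rule to do anything.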
########################################
#
@@ -45,12 +54,9 @@
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
allow courier_authdaemon_t courier_tcpd_t:fd use;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
@@ -89,10 +95,17 @@
# POP3/IMAP local policy
#
-allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t courier_authdaemon_t:{ unix_stream_socket tcp_socket } { connectto rw_stream_socket_perms };
allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+dev_read_urand(courier_pop_t)
+
+# for FAM with IMAP
+sysnet_use_portmap(courier_pop_t)
+corenet_tcp_bind_all_rpc_ports(courier_pop_t)
+corenet_tcp_bind_all_nodes(courier_pop_t)
# inherits file handle - should it?
allow courier_pop_t courier_var_lib_t:file { read write };
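Review bot: `corenet_tcp_bind_all_rpc_ports(courier_pop_t)` together with `corenet_tcp_bind_all_nodes(courier_pop_t)` lets the POP/IMAP server bind any RPC port on any address, and `allow courier_pop_t self:capability { setgid setuid };` adds identity switching to the same domain, all justified by the single `# for FAM with IMAP` comment. If only the FAM client port is involved, a narrower port type or a tunable-gated grant would be preferable; at minimum the comment should name the daemon and port, and the setuid/setgid line needs its own reason since it is not part of the FAM case.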
--- refpolicy-2.20110726.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20110726/policy/modules/services/mysql.te
@@ -58,10 +58,13 @@
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;
+corecmd_exec_shell(mysqld_t)
+corecmd_exec_bin(mysqld_t)
+
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
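Review bot: `corecmd_exec_shell(mysqld_t)` and `corecmd_exec_bin(mysqld_t)` let the database server execute a shell and any bin_t program from its own domain, with no comment saying which mysqld feature needs it; together with the `connectto` addition this is a large widening of the domain and the first thing a reviewer will ask about. Either state the trigger in a comment (`# for <feature> — TODO confirm`) or, if the need is the wrapper script's rather than the server's, move the two lines into the mysqld_safe_t section.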
@@ -180,6 +183,7 @@
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+logging_send_syslog_msg(mysqld_safe_t)
hostname_exec(mysqld_safe_t)
--- refpolicy-2.20110726.orig/policy/modules/services/icecast.fc
+++ refpolicy-2.20110726/policy/modules/services/icecast.fc
@@ -5,3 +5,6 @@
/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0)
/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/apcupsd.te
+++ refpolicy-2.20110726/policy/modules/services/apcupsd.te
@@ -107,6 +107,7 @@
# apcupsd_cgi Declarations
#
+apache_script_exec_domain(apcupsd_cgi)
optional_policy(`
apache_content_template(apcupsd_cgi)
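Review bot: `apache_script_exec_domain(apcupsd_cgi)` is called unconditionally while the `apache_content_template(apcupsd_cgi)` directly below it sits inside `optional_policy`, so a build without the apache module fails on the new line. Move it into the same optional_policy block, after the template call that declares the domain it refers to.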
--- refpolicy-2.20110726.orig/policy/modules/services/networkmanager.fc
+++ refpolicy-2.20110726/policy/modules/services/networkmanager.fc
@@ -20,7 +20,22 @@
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/sasl.fc
+++ refpolicy-2.20110726/policy/modules/services/sasl.fc
@@ -10,3 +10,6 @@
#
/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/smokeping.fc
+++ refpolicy-2.20110726/policy/modules/services/smokeping.fc
@@ -7,3 +7,6 @@
/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/radvd.fc
+++ refpolicy-2.20110726/policy/modules/services/radvd.fc
@@ -4,4 +4,10 @@
/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
/var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0)
+')
/var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/howl.fc
+++ refpolicy-2.20110726/policy/modules/services/howl.fc
@@ -3,3 +3,6 @@
/usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0)
/var/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/dovecot.fc
+++ refpolicy-2.20110726/policy/modules/services/dovecot.fc
@@ -9,6 +9,12 @@
/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian', `
+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
+
#
# /usr
#
@@ -18,8 +24,8 @@
/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/.+ -- gen_context(system_u:object_r:bin_t,s0)
')
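Review bot: Replacing the `deliver` entry with `/usr/lib/dovecot/.+ -- gen_context(system_u:object_r:bin_t,s0)` drops dovecot_deliver_exec_t from the Debian layout, so the deliver agent will no longer get its own domain transition; unless another hunk relabels it, keep an explicit `/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)` alongside the catch-all. A comment saying why every helper under /usr/lib/dovecot is meant to be executable by all domains as bin_t would also help, since that is a broad label for a mail server's private helpers.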
ifdef(`distro_redhat', `
@@ -33,7 +39,16 @@
# /var
#
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+ifdef(`distro_debian', `
+/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+')
+ifdef(`distro_redhat', `
+# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
+/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+ifdef(`distro_debian', `
+/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+')
+')
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
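Review bot: The new distro_debian block for `/run/dovecot/login/ssl-parameters.dat` is nested inside the distro_redhat block, so it only expands when both distro macros are defined, which a single build does not do; the Debian entry is dead. Move the Debian block to sibling level, and note that the rewrapped entry also lost the `--` file-type qualifier of the original line, so it now matches directories and symlinks too; restore `--` if only the regular file is meant.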
--- refpolicy-2.20110726.orig/policy/modules/services/amavis.fc
+++ refpolicy-2.20110726/policy/modules/services/amavis.fc
@@ -3,16 +3,21 @@
/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+ifdef(`strict_policy',`
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
+')
ifdef(`distro_debian',`
-/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
')
/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+')
/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
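Review bot: Wrapping `/usr/sbin/amavisd.*` and the AntiVir entry in an ifdef on `strict_policy` looks like a mistake: that macro belongs to the old strict/targeted split and is not one this refpolicy generation defines, so unless the Debian build defines it these lines expand to nothing and amavisd loses its amavis_exec_t label, which disables the amavis domain transition entirely. If the intent is to leave amavisd unconfined on some builds, gate it on a macro that actually exists (a distro macro or a build option) and say so in a comment.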
--- refpolicy-2.20110726.orig/policy/modules/services/nsd.if
+++ refpolicy-2.20110726/policy/modules/services/nsd.if
@@ -11,7 +11,7 @@
##
#
interface(`nsd_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
@@ -25,5 +25,5 @@
##
#
interface(`nsd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
--- refpolicy-2.20110726.orig/policy/modules/services/radius.if
+++ refpolicy-2.20110726/policy/modules/services/radius.if
@@ -11,7 +11,7 @@
##
#
interface(`radius_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/epmd.fc
+++ refpolicy-2.20110726/policy/modules/services/epmd.fc
@@ -0,0 +1 @@
+/usr/lib/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:epmd_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/cyphesis.fc
+++ refpolicy-2.20110726/policy/modules/services/cyphesis.fc
@@ -3,3 +3,6 @@
/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/dictd.fc
+++ refpolicy-2.20110726/policy/modules/services/dictd.fc
@@ -7,3 +7,6 @@
/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/bind.if
+++ refpolicy-2.20110726/policy/modules/services/bind.if
@@ -336,7 +336,7 @@
##
#
interface(`bind_udp_chat_named',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/gatekeeper.fc
+++ refpolicy-2.20110726/policy/modules/services/gatekeeper.fc
@@ -5,4 +5,10 @@
/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0)
/var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+')
/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/nis.fc
+++ refpolicy-2.20110726/policy/modules/services/nis.fc
@@ -16,6 +16,18 @@
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+')
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+')
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+')
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/automount.fc
+++ refpolicy-2.20110726/policy/modules/services/automount.fc
@@ -14,3 +14,6 @@
#
/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/clamav.fc
+++ refpolicy-2.20110726/policy/modules/services/clamav.fc
@@ -8,13 +8,47 @@
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
+')
+/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+')
+/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+')
+/var/spool/postfix/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
+
/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
+')
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
+
+/etc/amavis\.conf -- gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/amavisd(/.*)? -- gen_context(system_u:object_r:clamd_etc_t,s0)
+
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:clamd_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:clamd_exec_t,s0)
+')
+
+/var/amavis(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/log/amavisd\.log -- gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ifdef(`distro_debian', `
+/run/amavis(d)?(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+')
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:clamd_spool_t,s0)
+/var/virusmails(/.*)? gen_context(system_u:object_r:clamd_spool_t,s0)
/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
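Review bot: `/etc/amavisd(/.*)? -- gen_context(system_u:object_r:clamd_etc_t,s0)` carries the regular-file marker `--`, so the `/etc/amavisd` directory itself and any subdirectory keep the default etc label and only plain files inside match; drop the `--` as the other `(/.*)?` entries in this file do. `/var/log/amavisd\.log` is given `clamd_var_lib_t` although it is a log, and `/var/run/amavis(d)?(/.*)?` (with its `/run` twin) is also given `clamd_var_lib_t` while the more specific `/var/run/amavis(d)?/clamd\.pid` a few lines above keeps `clamd_var_run_t`; unless the var_lib type is intentional, these should be `clamd_var_log_t` and `clamd_var_run_t`, and if it is intentional a comment should say why. Labelling `/usr/sbin/amavisd.*` as `clamd_exec_t` runs the amavis content filter, which parses untrusted mail, in the same domain as the scanner it calls, removing the separation between the two; if a dedicated amavis domain is out of scope for this patch, a comment above that entry explaining the merge would help the next reviewer.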
--- refpolicy-2.20110726.orig/policy/modules/services/inetd.te
+++ refpolicy-2.20110726/policy/modules/services/inetd.te
@@ -77,6 +77,7 @@
corenet_udp_bind_generic_node(inetd_t)
corenet_tcp_connect_all_ports(inetd_t)
corenet_sendrecv_all_client_packets(inetd_t)
+allow inetd_t self:netlink_route_socket r_netlink_socket_perms;
# listen on service ports:
corenet_tcp_bind_amanda_port(inetd_t)
--- refpolicy-2.20110726.orig/policy/modules/services/rpc.if
+++ refpolicy-2.20110726/policy/modules/services/rpc.if
@@ -133,7 +133,7 @@
##
#
interface(`rpc_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
@@ -374,7 +374,7 @@
##
#
interface(`rpc_udp_send_nfs',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/postgrey.fc
+++ refpolicy-2.20110726/policy/modules/services/postgrey.fc
@@ -7,6 +7,12 @@
/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+')
/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+')
/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/plymouthd.fc
+++ refpolicy-2.20110726/policy/modules/services/plymouthd.fc
@@ -4,4 +4,7 @@
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+')
/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/nslcd.fc
+++ refpolicy-2.20110726/policy/modules/services/nslcd.fc
@@ -2,3 +2,6 @@
/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/squid.fc
+++ refpolicy-2.20110726/policy/modules/services/squid.fc
@@ -10,5 +10,8 @@
/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
+')
/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/epmd.te
+++ refpolicy-2.20110726/policy/modules/services/epmd.te
@@ -0,0 +1,52 @@
+
+policy_module(epmd, 1.7.1)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
+## Allow the Erlang Port mapper to coordinate all nodes in distributed
+## computing. It also wants to run on single nodes so any daemon written in
+## Erlang will need it.
+##
+##
+
+type epmd_t;
+type epmd_exec_t;
+init_daemon_domain(epmd_t,epmd_exec_t)
+role system_r types epmd_t;
+
+########################################
+#
+# epmd local policy
+#
+
+allow epmd_t self:tcp_socket create_stream_socket_perms;
+#allow epmd_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(epmd_t)
+corenet_all_recvfrom_netlabel(epmd_t)
+corenet_tcp_bind_epmd_port(epmd_t)
+corenet_tcp_sendrecv_all_if(epmd_t)
+#corenet_udp_sendrecv_all_if(epmd_t)
+corenet_tcp_sendrecv_all_nodes(epmd_t)
+#corenet_udp_sendrecv_all_nodes(epmd_t)
+corenet_tcp_sendrecv_all_ports(epmd_t)
+#corenet_udp_sendrecv_all_ports(epmd_t)
+corenet_tcp_bind_all_nodes(epmd_t)
+#corenet_udp_bind_all_nodes(epmd_t)
+#corenet_tcp_connect_all_ports(epmd_t)
+#corenet_udp_bind_all_unreserved_ports(epmd_t)
+
+files_read_etc_files(epmd_t)
+
+libs_use_ld_so(epmd_t)
+libs_use_shared_libs(epmd_t)
+
+logging_send_syslog_msg(epmd_t)
+
+miscfiles_read_localization(epmd_t)
+
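Review bot: The new module ships nine commented-out rules (`#allow epmd_t self:udp_socket create_socket_perms;` and the `#corenet_udp_*` / `#corenet_tcp_connect_all_ports` lines); dead rules in a fresh module should be removed rather than left for a reader to guess whether they are still needed. The description block under Declarations has `##` lines of prose with no `<summary>`/`<desc>` markup, which may be an extraction artefact here; if the file really lacks it, the refpolicy doc generator will not pick the text up. `policy_module(epmd, 1.7.1)` starts a brand-new module at 1.7.1 where new modules conventionally begin at 1.0.0. `corenet_tcp_bind_epmd_port(epmd_t)` presumes an epmd port declaration in corenetwork.te.in that is not in view, and `corenet_tcp_sendrecv_all_ports(epmd_t)` / `corenet_tcp_sendrecv_all_if(epmd_t)` look wider than a daemon that only listens on its own port needs; `corenet_tcp_sendrecv_epmd_port` plus the generic interface/node rules would be the least-privilege form if that matches how epmd is used here. The stray blank lines at the top and bottom of the file are cosmetic.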
--- refpolicy-2.20110726.orig/policy/modules/services/portreserve.fc
+++ refpolicy-2.20110726/policy/modules/services/portreserve.fc
@@ -5,3 +5,6 @@
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/certmaster.fc
+++ refpolicy-2.20110726/policy/modules/services/certmaster.fc
@@ -6,3 +6,6 @@
/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)
/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/radius.fc
+++ refpolicy-2.20110726/policy/modules/services/radius.fc
@@ -20,4 +20,10 @@
/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0)
/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
+')
/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/consolekit.fc
+++ refpolicy-2.20110726/policy/modules/services/consolekit.fc
@@ -3,5 +3,15 @@
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+')
/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+')
/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
+')
+/usr/lib/ConsoleKit(/.*)? gen_context(system_u:object_r:bin_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/certmonger.fc
+++ refpolicy-2.20110726/policy/modules/services/certmonger.fc
@@ -4,3 +4,6 @@
/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/postgresql.fc
+++ refpolicy-2.20110726/policy/modules/services/postgresql.fc
@@ -44,5 +44,11 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+')
/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/bind.fc
+++ refpolicy-2.20110726/policy/modules/services/bind.fc
@@ -14,9 +14,21 @@
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+')
/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+')
/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+')
/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+')
ifdef(`distro_debian',`
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/squid.te
+++ refpolicy-2.20110726/policy/modules/services/squid.te
@@ -177,6 +177,7 @@
corenet_tcp_bind_netport_port(squid_t)
')
+apache_script_exec_domain(squid)
optional_policy(`
apache_content_template(squid)
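Review bot: `apache_script_exec_domain(squid)` is inserted above the `optional_policy` block instead of inside it, so the module now calls an apache interface unconditionally while the neighbouring `apache_content_template(squid)` stays optional; on a build without the apache module this line fails. Move the call into the optional block directly before `apache_content_template(squid)`, keeping the block's indentation. The same placement appears in the munin.te hunk of this patch. This assumes `apache_script_exec_domain` is defined in the patch set's apache.if, which is not in view; the `optional_policy` block itself continues outside the hunk.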
--- refpolicy-2.20110726.orig/policy/modules/services/lda.fc
+++ refpolicy-2.20110726/policy/modules/services/lda.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/procmail -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/sbin/deliverquota.maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/mailbot -- gen_context(system_u:object_r:lda_exec_t,s0)
+
+/etc/courier/maildroprc -- gen_context(system_u:object_r:lda_etc_t,s0)
+/var/log/maildrop.log -- gen_context(system_u:object_r:lda_log_t,s0)
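Review bot: `/var/log/maildrop.log` and `/usr/sbin/deliverquota.maildrop` leave the dot unescaped, so the regex also matches any single character in that position; write `/var/log/maildrop\.log` and `/usr/sbin/deliverquota\.maildrop` as the other new entries in this patch do. `/usr/lib/dovecot/deliver` is labelled `lda_exec_t` here; if dovecot.fc (not in view) still labels the same path `dovecot_deliver_exec_t`, setfiles will most likely reject the duplicate specification, and since the dovecot.te hunk later in this patch hides the deliver domain behind `distro_redhat`, the dovecot.fc entry should be guarded or dropped to match. The leading blank line at the top of the new file is stray.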
--- refpolicy-2.20110726.orig/policy/modules/services/inetd.fc
+++ refpolicy-2.20110726/policy/modules/services/inetd.fc
@@ -10,3 +10,6 @@
/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/sendmail.fc
+++ refpolicy-2.20110726/policy/modules/services/sendmail.fc
@@ -3,4 +3,10 @@
/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+')
/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/setroubleshoot.fc
+++ refpolicy-2.20110726/policy/modules/services/setroubleshoot.fc
@@ -3,6 +3,9 @@
/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+')
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/milter.fc
+++ refpolicy-2.20110726/policy/modules/services/milter.fc
@@ -6,8 +6,25 @@
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
+')
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
+')
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+')
+/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+')
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+')
/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/oddjob.fc
+++ refpolicy-2.20110726/policy/modules/services/oddjob.fc
@@ -3,3 +3,6 @@
/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/bluetooth.fc
+++ refpolicy-2.20110726/policy/modules/services/bluetooth.fc
@@ -27,4 +27,10 @@
/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+')
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/rpc.fc
+++ refpolicy-2.20110726/policy/modules/services/rpc.fc
@@ -28,4 +28,10 @@
/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+')
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/likewise.fc
+++ refpolicy-2.20110726/policy/modules/services/likewise.fc
@@ -46,9 +46,27 @@
/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+')
/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+')
/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+')
/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+')
/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+')
/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/dictd.if
+++ refpolicy-2.20110726/policy/modules/services/dictd.if
@@ -12,7 +12,7 @@
##
#
interface(`dictd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/cups.fc
+++ refpolicy-2.20110726/policy/modules/services/cups.fc
@@ -65,9 +65,27 @@
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+')
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+')
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+')
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+')
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+')
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+')
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20110726/policy/modules/services/xserver.te
@@ -151,12 +151,6 @@
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
type xdm_t;
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
@@ -317,7 +311,8 @@
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+#allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+logging_r_xconsole(xdm_t)
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
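Review bot: `#allow xdm_t xconsole_device_t:fifo_file { getattr setattr };` is left as a commented-out rule directly above its replacement `logging_r_xconsole(xdm_t)`; delete it, the history is in the patch. Because the previous hunk removes the `xconsole_device_t` declaration from this module, any interface in xserver.if that still requires that type (not in view) would no longer build, so check that the type moved to the logging module together with its interfaces. The xdm local-policy block continues outside the hunk.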
@@ -789,6 +784,7 @@
optional_policy(`
unconfined_domain_noaudit(xserver_t)
unconfined_domtrans(xserver_t)
+ unconfined_dbus_send(xserver_t)
')
optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/services/ksmtuned.fc
+++ refpolicy-2.20110726/policy/modules/services/ksmtuned.fc
@@ -3,3 +3,6 @@
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20110726/policy/modules/services/dovecot.te
@@ -20,11 +20,13 @@
type dovecot_cert_t;
files_type(dovecot_cert_t)
+ifdef(`distro_redhat', `
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
+')
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
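Review bot: Guarding the `dovecot_deliver_t` / `dovecot_deliver_exec_t` declarations with `distro_redhat` means the types do not exist on other distributions, so every remaining reference outside the guarded blocks — interfaces in dovecot.if that require them, dovecot.fc entries labelling the deliver binary, callers in mta or postfix policy — will fail to compile or to label; none of those are in view, so they need checking. A comment at the opening `ifdef` stating how the deliver agent is handled elsewhere would make the intent clear, e.g. `# Debian: dovecot deliver runs as lda_exec_t via the lda module (see lda.fc)`, assuming that is the reason. The matching close is several hunks further down and is already marked `# end ifdef distro_redhat`, which is good.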
@@ -72,6 +74,7 @@
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
allow dovecot_t dovecot_etc_t:file read_file_perms;
files_search_etc(dovecot_t)
@@ -180,6 +183,10 @@
# dovecot auth local policy
#
+logging_search_logs(dovecot_auth_t)
+allow dovecot_auth_t dovecot_etc_t:dir list_dir_perms;
+allow dovecot_auth_t dovecot_etc_t:file read_file_perms;
+manage_sock_files_pattern(dovecot_auth_t,dovecot_var_run_t,dovecot_var_run_t)
allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
@@ -236,6 +243,8 @@
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
+ mysql_tcp_connect(dovecot_auth_t)
+ mysql_read_config(dovecot_auth_t)
')
optional_policy(`
@@ -250,10 +259,12 @@
#
# dovecot deliver local policy
#
+ifdef(`distro_redhat', `
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_t:process signull;
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -266,7 +277,6 @@
auth_use_nsswitch(dovecot_deliver_t)
logging_send_syslog_msg(dovecot_deliver_t)
-logging_search_logs(dovecot_auth_t)
miscfiles_read_localization(dovecot_deliver_t)
@@ -304,3 +314,15 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
')
+# end ifdef distro_redhat
+')
+
+optional_policy(`
+ mysql_tcp_connect(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+ postgresql_tcp_connect(dovecot_auth_t)
+ postgresql_stream_connect(dovecot_auth_t)
+')
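Review bot: The new `optional_policy` block with `mysql_tcp_connect(dovecot_auth_t)` and `mysql_stream_connect(dovecot_auth_t)` duplicates the existing mysql block for `dovecot_auth_t` earlier in this file, to which the -236 hunk already adds `mysql_tcp_connect` next to `mysql_stream_connect`; drop this second block. The `postgresql_tcp_connect` / `postgresql_stream_connect` block is appended after the deliver section although it concerns `dovecot_auth_t`; it belongs in the `dovecot auth local policy` section beside the mysql block, so each backend has a single place. Both trailing blocks are also outside the `distro_redhat` guard, which is correct, but a reader has to work that out from the `# end ifdef distro_redhat` marker.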
--- refpolicy-2.20110726.orig/policy/modules/services/squid.if
+++ refpolicy-2.20110726/policy/modules/services/squid.if
@@ -184,7 +184,7 @@
##
#
interface(`squid_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/rgmanager.fc
+++ refpolicy-2.20110726/policy/modules/services/rgmanager.fc
@@ -3,5 +3,11 @@
/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+')
/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/ldap.if
+++ refpolicy-2.20110726/policy/modules/services/ldap.if
@@ -50,7 +50,7 @@
##
#
interface(`ldap_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20110726/policy/modules/services/dbus.if
@@ -194,6 +194,8 @@
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1)
+ allow system_dbusd_t $1:dir search;
+ allow system_dbusd_t $1:file read_file_perms;
')
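Review bot: `allow system_dbusd_t $1:dir search;` and `allow system_dbusd_t $1:file read_file_perms;` let the system bus read the caller domain's `/proc/<pid>` entries inside what appears to be the client-connect interface (its header is outside the hunk), but no comment states why, and the interface's summary will not say that the caller's process state becomes readable by dbusd. Prefer the existing pattern macro, `ps_process_pattern(system_dbusd_t, $1)`, with a why-comment such as `# dbus-daemon reads the connecting client's /proc entry`, adjusted to the actual motivation. If the intent is narrower than process state, the comment should say so; as written it reads as a generic reverse grant.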
#######################################
--- refpolicy-2.20110726.orig/policy/modules/services/dnsmasq.fc
+++ refpolicy-2.20110726/policy/modules/services/dnsmasq.fc
@@ -9,4 +9,10 @@
/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+')
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20110726/policy/modules/services/clamav.te
@@ -36,6 +36,10 @@
type clamd_var_lib_t;
files_type(clamd_var_lib_t)
+# spool files
+type clamd_spool_t;
+files_type(clamd_spool_t)
+
# pid files
type clamd_var_run_t;
files_pid_file(clamd_var_run_t)
@@ -53,6 +57,8 @@
type freshclam_exec_t;
init_daemon_domain(freshclam_t, freshclam_exec_t)
+allow freshclam_t self:netlink_route_socket r_netlink_socket_perms;
+
# log files
type freshclam_var_log_t;
logging_log_file(freshclam_var_log_t)
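Review bot: `allow freshclam_t self:netlink_route_socket r_netlink_socket_perms;` is placed in the Declarations section between the `init_daemon_domain` call and the freshclam log type, while the file has a `# Freshclam local policy` section further down (the -156 hunk adds to it) where the other `freshclam_t self:` rules live. Move it there so declarations stay declarations.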
@@ -62,12 +68,22 @@
# clamd local policy
#
+allow clamd_t self:process signull;
allow clamd_t self:capability { kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
allow clamd_t self:tcp_socket { listen accept };
+allow clamd_t self:fd use;
+corecmd_exec_bin(clamd_t)
+corecmd_read_bin_symlinks(clamd_t)
+files_read_usr_files(clamd_t)
+
+optional_policy(`
+# to allow creating the unix domain socket
+ postfix_search_spool(clamd_t)
+')
# configuration files
allow clamd_t clamd_etc_t:dir list_dir_perms;
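Review bot: `allow clamd_t self:fd use;` looks redundant — the domain module already grants `self:fd use` to every domain in refpolicy's base rules (verify against domain.te before removing). The comment `# to allow creating the unix domain socket` inside the new `optional_policy` block sits at column 0 while the rule under it is indented; indent the comment with the rule. `corecmd_exec_bin(clamd_t)` together with `files_read_usr_files(clamd_t)` widens clamd to executing any bin_t program; if a specific helper is the reason, a comment naming it would let a later reader judge whether a narrower rule suffices.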
@@ -83,6 +99,10 @@
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+# spool files
+manage_dirs_pattern(clamd_t,clamd_spool_t,clamd_spool_t)
+manage_files_pattern(clamd_t,clamd_spool_t,clamd_spool_t)
+
# log files
manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
@@ -100,17 +120,22 @@
corecmd_exec_shell(clamd_t)
+# for /proc/meminfo
+allow clamd_t proc_t:file { getattr read };
+
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_generic_if(clamd_t)
corenet_tcp_sendrecv_generic_node(clamd_t)
corenet_tcp_sendrecv_all_ports(clamd_t)
corenet_tcp_sendrecv_clamd_port(clamd_t)
+corenet_tcp_sendrecv_amavisd_send_port(clamd_t)
corenet_tcp_bind_generic_node(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_tcp_bind_generic_port(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
+corenet_udp_bind_all_nodes(clamd_t)
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
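Review bot: `allow clamd_t proc_t:file { getattr read };` references the kernel module's `proc_t` directly from clamav.te, bypassing the kernel layer's interfaces, and only compiles if some other interface expanded in this module happens to require `proc_t`; the refpolicy form is `kernel_read_system_state(clamd_t)`, which is also what the -204 hunk below uses for `freshclam_t`, so the two domains become consistent. Keep the `# for /proc/meminfo` comment above the replacement (note the interface is somewhat broader than the single file permission, which is the usual trade-off). `corenet_udp_bind_all_nodes(clamd_t)` is added with no matching UDP sendrecv or port rule and no comment; if clamd opens a UDP socket for a specific purpose, say which, otherwise it looks stray.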
@@ -120,6 +145,7 @@
files_read_etc_files(clamd_t)
files_read_etc_runtime_files(clamd_t)
files_search_spool(clamd_t)
+files_search_var_lib(clamd_t)
auth_use_nsswitch(clamd_t)
@@ -130,6 +156,7 @@
cron_use_fds(clamd_t)
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
+crond_search_dir(clamd_var_lib_t)
mta_read_config(clamd_t)
mta_send_mail(clamd_t)
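Review bot: `crond_search_dir(clamd_var_lib_t)` takes a file type where the surrounding `cron_*` calls take the domain `clamd_t`, and its `crond_` prefix does not follow the module-name convention of the calls around it, which suggests it is defined elsewhere in this patch set rather than in upstream cron.if (not in view). If its purpose is to let system cron jobs search clamd's var_lib directory, a comment such as `# let cron jobs search /var/lib/clamav` would make the reversed argument convention obvious. The enclosing `optional_policy` block for cron starts outside the hunk.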
@@ -156,6 +183,8 @@
# Freshclam local policy
#
+files_search_var_lib(freshclam_t)
+
allow freshclam_t self:capability { setgid setuid dac_override };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
@@ -189,6 +218,7 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
@@ -204,6 +234,7 @@
logging_send_syslog_msg(freshclam_t)
miscfiles_read_localization(freshclam_t)
+kernel_read_system_state(freshclam_t)
clamav_stream_connect(freshclam_t)
--- refpolicy-2.20110726.orig/policy/modules/services/munin.te
+++ refpolicy-2.20110726/policy/modules/services/munin.te
@@ -122,6 +122,7 @@
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
+apache_script_exec_domain(munin)
optional_policy(`
apache_content_template(munin)
--- refpolicy-2.20110726.orig/policy/modules/services/exim.te
+++ refpolicy-2.20110726/policy/modules/services/exim.te
@@ -52,6 +52,11 @@
# exim local policy
#
+ifdef(`distro_debian', `
+# for /var/lib/exim4/config.autogenerated
+files_read_var_lib_files(exim_t)
+')
+
allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
allow exim_t self:process { setrlimit setpgid };
allow exim_t self:fifo_file rw_fifo_file_perms;
--- refpolicy-2.20110726.orig/policy/modules/services/apcupsd.fc
+++ refpolicy-2.20110726/policy/modules/services/apcupsd.fc
@@ -8,6 +8,9 @@
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+')
/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/resmgr.fc
+++ refpolicy-2.20110726/policy/modules/services/resmgr.fc
@@ -4,4 +4,10 @@
/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
/var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+')
/var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/git.te
+++ refpolicy-2.20110726/policy/modules/services/git.te
@@ -5,4 +5,5 @@
# Declarations
#
+apache_script_exec_domain(git)
apache_content_template(git)
--- refpolicy-2.20110726.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20110726/policy/modules/services/ssh.te
@@ -44,6 +44,11 @@
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
+ifdef(`distro_debian', `
+# for key blacklist related to openssl bug
+ allow sshd_t usr_t:file read_file_perms;
+')
+
type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
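Review bot: The added `allow sshd_t usr_t:file read_file_perms;` references usr_t directly from ssh.te; usr_t belongs to the files module, so in a modular build this rule needs the type in a gen_require or, conventionally, the interface that already exists for it: `files_read_usr_files(sshd_t)`. The interface form also keeps the rule consistent with the rest of the file, which reaches other modules' types only through interfaces. Separately, the comment line inside the ifdef is not indented while the allow line below it is.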
@@ -238,6 +243,8 @@
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+allow sshd_t self:process { getcap setcap };
+
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
@@ -291,6 +298,10 @@
xserver_domtrans_xauth(sshd_t)
')
+optional_policy(`
+ gitosis_read_lib_files(sshd_t)
+')
+
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
--- refpolicy-2.20110726.orig/policy/modules/services/prelude.fc
+++ refpolicy-2.20110726/policy/modules/services/prelude.fc
@@ -13,6 +13,12 @@
/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+')
/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+')
/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/lda.te
+++ refpolicy-2.20110726/policy/modules/services/lda.te
@@ -0,0 +1,162 @@
+
+policy_module(lda, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type lda_t;
+typealias lda_t alias procmail_t;
+type lda_exec_t;
+typealias lda_exec_t alias procmail_exec_t;
+application_domain(lda_t,lda_exec_t)
+role system_r types lda_t;
+
+type lda_tmp_t;
+typealias lda_tmp_t alias procmail_tmp_t;
+files_tmp_file(lda_tmp_t)
+
+type lda_etc_t;
+files_config_file(lda_etc_t)
+
+type lda_log_t;
+logging_log_file(lda_log_t)
+manage_files_pattern(lda_t,lda_log_t,lda_log_t)
+logging_log_filetrans(lda_t,lda_log_t,file)
+
+
+########################################
+#
+# Local policy
+#
+
+allow lda_t self:capability { sys_nice chown setuid setgid dac_override };
+allow lda_t self:process { setsched signal signull };
+allow lda_t self:fifo_file rw_fifo_file_perms;
+allow lda_t self:unix_stream_socket create_socket_perms;
+allow lda_t self:unix_dgram_socket create_socket_perms;
+allow lda_t self:tcp_socket create_stream_socket_perms;
+allow lda_t self:udp_socket create_socket_perms;
+read_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+
+can_exec(lda_t,lda_exec_t)
+
+allow lda_t lda_tmp_t:file manage_file_perms;
+files_tmp_filetrans(lda_t, lda_tmp_t, file)
+
+kernel_read_system_state(lda_t)
+kernel_read_kernel_sysctls(lda_t)
+
+corenet_all_recvfrom_unlabeled(lda_t)
+corenet_all_recvfrom_netlabel(lda_t)
+corenet_tcp_sendrecv_all_if(lda_t)
+corenet_udp_sendrecv_all_if(lda_t)
+corenet_tcp_sendrecv_all_nodes(lda_t)
+corenet_udp_sendrecv_all_nodes(lda_t)
+corenet_tcp_sendrecv_all_ports(lda_t)
+corenet_udp_sendrecv_all_ports(lda_t)
+corenet_udp_bind_all_nodes(lda_t)
+corenet_tcp_connect_spamd_port(lda_t)
+corenet_sendrecv_spamd_client_packets(lda_t)
+corenet_sendrecv_comsat_client_packets(lda_t)
+
+dev_read_urand(lda_t)
+
+fs_getattr_xattr_fs(lda_t)
+fs_search_auto_mountpoints(lda_t)
+fs_rw_anon_inodefs_files(lda_t)
+
+auth_use_nsswitch(lda_t)
+
+corecmd_exec_bin(lda_t)
+corecmd_exec_shell(lda_t)
+
+files_read_etc_files(lda_t)
+files_read_etc_runtime_files(lda_t)
+files_search_pids(lda_t)
+# for spamassasin
+files_read_usr_files(lda_t)
+
+libs_use_ld_so(lda_t)
+libs_use_shared_libs(lda_t)
+
+logging_send_syslog_msg(lda_t)
+
+miscfiles_read_localization(lda_t)
+
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(lda_t)
+userdom_manage_user_home_content_files(lda_t)
+userdom_user_home_dir_filetrans_user_home_content(lda_t, { dir file })
+
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+# tunable_policy(`daemon_access_unconfined_home', `
+# unconfined_write_home_content_files(lda_t)
+# ')
+')
+
+mta_manage_spool(lda_t)
+
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(lda_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(lda_t)
+ fs_manage_nfs_files(lda_t)
+ fs_manage_nfs_symlinks(lda_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(lda_t)
+ fs_manage_cifs_files(lda_t)
+ fs_manage_cifs_symlinks(lda_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(lda_t)
+ clamav_search_lib(lda_t)
+')
+
+optional_policy(`
+ courier_authdaemon_client(lda_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(lda_t)
+')
+
+optional_policy(`
+ # for a bug in the postfix local program
+ postfix_dontaudit_rw_local_tcp_sockets(lda_t)
+ postfix_dontaudit_use_fds(lda_t)
+ postfix_read_spool_files(lda_t)
+ postfix_read_local_state(lda_t)
+ postfix_read_master_state(lda_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(lda_t)
+')
+
+optional_policy(`
+ mta_read_config(lda_t)
+ sendmail_domtrans(lda_t)
+ sendmail_rw_tcp_sockets(lda_t)
+ sendmail_rw_unix_stream_sockets(lda_t)
+')
+
+optional_policy(`
+ corenet_udp_bind_generic_port(lda_t)
+ corenet_dontaudit_udp_bind_all_ports(lda_t)
+
+ spamassassin_exec(lda_t)
+ spamassassin_exec_client(lda_t)
+ spamassassin_read_lib_files(lda_t)
+')
+
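Review bot: The optional_policy block after the userdom_* calls contains only a gen_require for the daemon_access_unconfined_home boolean plus a commented-out tunable_policy, so it creates a dependency on whichever module declares that boolean while granting nothing; either restore the tunable_policy body or drop the whole block, since commented-out policy should not ship in a new module. `typealias lda_t alias procmail_t;` and the procmail_exec_t/procmail_tmp_t aliases will collide if a procmail module still declares those types in this tree, so confirm it is removed alongside. Minor: the comment `# for spamassasin` misspells spamassassin, and the interface calls here use `,` without a following space (`read_files_pattern(lda_t,lda_etc_t,lda_etc_t)`) unlike the rest of the services layer.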
--- refpolicy-2.20110726.orig/policy/modules/services/pcscd.fc
+++ refpolicy-2.20110726/policy/modules/services/pcscd.fc
@@ -1,6 +1,18 @@
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
+')
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+')
/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+')
/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+')
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/gpsd.fc
+++ refpolicy-2.20110726/policy/modules/services/gpsd.fc
@@ -3,4 +3,10 @@
/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+')
/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/virt.fc
+++ refpolicy-2.20110726/policy/modules/services/virt.fc
@@ -24,6 +24,12 @@
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+')
/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+')
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/chronyd.fc
+++ refpolicy-2.20110726/policy/modules/services/chronyd.fc
@@ -7,3 +7,6 @@
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/mta.if
+++ refpolicy-2.20110726/policy/modules/services/mta.if
@@ -96,6 +96,8 @@
miscfiles_read_localization($1_mail_t)
+ kernel_read_system_state($1_mail_t)
+
optional_policy(`
exim_read_log($1_mail_t)
exim_append_log($1_mail_t)
@@ -104,6 +106,8 @@
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
+ # for postalias - role stops unpriv user from doing it
+ postfix_domtrans_master($1_mail_t)
')
optional_policy(`
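Review bot: `postfix_domtrans_master($1_mail_t)` lets every user mail domain transition into the postfix master daemon domain, which is far broader than what postalias needs; the comment "role stops unpriv user from doing it" relies on role restrictions rather than narrowing the grant itself. If this tree carries a dedicated map/alias domain in the postfix module (postfix_map_t via postfix_domtrans_map), that is the interface to call here; otherwise the comment should state why the master domain is required, e.g. `# postalias is only reachable through the master binary here; role rules limit who may run it`. The optional_policy block starts outside the hunk.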
@@ -585,7 +589,7 @@
##
#
interface(`mta_tcp_connect_all_mailservers',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
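Review bot: Switching `refpolicywarn` to `refpolicyerr` turns the deprecation message into a build failure, but the message still says "has been deprecated", so callers get an error whose text implies the call still works. If the intent is hard removal, say so in the message, e.g. `refpolicyerr(`$0($*) has been removed.')`, and in the corenetwork.if.in, terminal.if, kernel.if and devices.if hunks that make the same change the body lines after the error (for example `corenet_all_recvfrom_unlabeled($1)`) are now unreachable and can be dropped. Note that the nagios.te hunk at @@ -223,6 +241,15 in this same patch still calls two of the terminal.if interfaces that now error.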
#######################################
@@ -899,3 +903,20 @@
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
+
+########################################
+##
+## Allow system_mail_t to access files of specified types
+##
+##
+##
+## File type that system_mail_t can access
+##
+##
+#
+interface(`system_mail_file_access',`
+ gen_require(`
+ type system_mail_t;
+ ')
+ allow system_mail_t $1:file { read write };
+')
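Review bot: The new interface `system_mail_file_access` breaks the module's naming convention: every other interface in mta.if is prefixed mta_, so this one cannot be found by prefix and reads like a type name. Its body also uses the bare permission set `{ read write }`, which lacks open/getattr/lock and will not let system_mail_t actually open the file on kernels that enforce open; `allow system_mail_t $1:file rw_file_perms;` is the conventional form. An mta_-prefixed name plus a summary noting that callers still need directory search access to reach the files would complete it.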
--- refpolicy-2.20110726.orig/policy/modules/services/sasl.te
+++ refpolicy-2.20110726/policy/modules/services/sasl.te
@@ -99,6 +99,7 @@
optional_policy(`
mysql_search_db(saslauthd_t)
mysql_stream_connect(saslauthd_t)
+ mysql_tcp_connect(saslauthd_t)
')
optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/services/lda.if
+++ refpolicy-2.20110726/policy/modules/services/lda.if
@@ -0,0 +1,41 @@
+## mail delivery agent
+
+########################################
+##
+## Execute lda with a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lda_domtrans',`
+ gen_require(`
+ type lda_exec_t, lda_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1,lda_exec_t,lda_t)
+')
+
+########################################
+##
+## Execute lda in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lda_exec',`
+ gen_require(`
+ type lda_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1,lda_exec_t)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/nagios.te
+++ refpolicy-2.20110726/policy/modules/services/nagios.te
@@ -143,6 +143,7 @@
#
# Nagios CGI local policy
#
+apache_script_exec_domain(nagios)
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
@@ -191,8 +192,15 @@
files_search_etc(nrpe_t)
manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
+manage_files_pattern(nrpe_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+type nrpe_tmp_t;
+files_tmp_file(nrpe_tmp_t)
+manage_dirs_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t)
+manage_files_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t)
+files_tmp_filetrans(nrpe_t, nrpe_tmp_t, { file dir })
+
kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
@@ -202,6 +210,16 @@
corenet_tcp_bind_generic_node(nrpe_t)
corenet_tcp_bind_inetd_child_port(nrpe_t)
corenet_sendrecv_unlabeled_packets(nrpe_t)
+corenet_all_recvfrom_unlabeled(nrpe_t)
+corenet_all_recvfrom_netlabel(nrpe_t)
+corenet_tcp_sendrecv_all_if(nrpe_t)
+corenet_tcp_sendrecv_all_nodes(nrpe_t)
+corenet_tcp_sendrecv_generic_port(nrpe_t)
+corenet_tcp_bind_all_nodes(nrpe_t)
+corenet_tcp_bind_nrpe_port(nrpe_t)
+sysnet_dns_name_resolve(nrpe_t)
+
+allow nrpe_t self:netlink_route_socket create_netlink_socket_perms;
dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)
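Review bot: `corenet_tcp_bind_nrpe_port(nrpe_t)` is added while the context line `corenet_tcp_bind_inetd_child_port(nrpe_t)` is kept, yet the corenetwork.te.in hunk in this patch moves tcp/5666 out of inetd_child into the new nrpe port, so the inetd_child bind is probably stale and should be reviewed together with that change. `corenet_tcp_bind_all_nodes(nrpe_t)` appears to duplicate the generic-node bind right above it, since the generic node is part of the all-nodes attribute. Style: `allow nrpe_t self:netlink_route_socket create_netlink_socket_perms;` belongs with the other self rules at the top of the local policy section rather than between corenet and dev calls.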
@@ -223,6 +241,15 @@
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+domain_read_all_domains_state(nrpe_t)
+fs_getattr_all_fs(nrpe_t)
+storage_getattr_fixed_disk_dev(nrpe_t)
+init_read_utmp(nrpe_t)
+
+term_dontaudit_getattr_all_user_ttys(nrpe_t)
+term_dontaudit_getattr_unallocated_ttys(nrpe_t)
+term_dontaudit_getattr_all_user_ptys(nrpe_t)
+
optional_policy(`
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')
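Review bot: `term_dontaudit_getattr_all_user_ttys(nrpe_t)` and `term_dontaudit_getattr_all_user_ptys(nrpe_t)` call the deprecated wrappers that the terminal.if hunks of this same patch change from refpolicywarn to refpolicyerr, so the build now fails on these two lines. Use the replacements named in those messages: `term_dontaudit_getattr_all_ttys(nrpe_t)` and `term_dontaudit_getattr_all_ptys(nrpe_t)`. `domain_read_all_domains_state(nrpe_t)` is a wide grant (process state of every domain); a one-line comment naming the check plugin that needs it would help later review.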
@@ -270,6 +297,7 @@
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+dontaudit nagios_mail_plugin_t self:capability { sys_resource };
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
@@ -289,17 +317,25 @@
sysnet_read_config(nagios_mail_plugin_t)
+files_read_usr_files(nagios_mail_plugin_t)
+
optional_policy(`
mta_send_mail(nagios_mail_plugin_t)
')
optional_policy(`
+ can_exec_sudo(nagios_mail_plugin_t)
+')
+
+optional_policy(`
nscd_dontaudit_search_pid(nagios_mail_plugin_t)
')
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
- posftix_exec_postqueue(nagios_mail_plugin_t)
+ posftix_run_postqueue(nagios_mail_plugin_t)
+ postfix_list_spool(nagios_mail_plugin_t)
+ postfix_read_spool_files(nagios_mail_plugin_t)
')
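Review bot: `posftix_run_postqueue(nagios_mail_plugin_t)` carries the misspelt prefix over from the removed line; unless postfix.if really defines an interface under that name, the macro never expands and the grant is silently lost. Run-style interfaces in refpolicy also take a role as a second argument, so a single-argument call is suspect either way; confirm the name and signature against postfix.if. `can_exec_sudo(nagios_mail_plugin_t)` in the new optional_policy block raises the same concern, since interfaces are module-prefixed (sudo.if's own interfaces carry a sudo_ prefix) and no definition of can_exec_sudo is visible in this patch.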
######################################
@@ -313,6 +349,7 @@
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
@@ -343,6 +380,8 @@
')
optional_policy(`
+ mysql_read_config(nagios_services_plugin_t)
+ mysql_tcp_connect(nagios_services_plugin_t)
mysql_stream_connect(nagios_services_plugin_t)
')
@@ -389,3 +428,14 @@
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
+
+optional_policy(`
+ mysql_tcp_connect(nrpe_t)
+ mysql_stream_connect(nrpe_t)
+ mysql_read_config(nrpe_t)
+')
+
+optional_policy(`
+ postgresql_tcp_connect(nrpe_t)
+ postgresql_stream_connect(nrpe_t)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/pegasus.fc
+++ refpolicy-2.20110726/policy/modules/services/pegasus.fc
@@ -8,5 +8,8 @@
/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+')
/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/kernel/corenetwork.if.in
+++ refpolicy-2.20110726/policy/modules/kernel/corenetwork.if.in
@@ -2145,7 +2145,7 @@
##
#
interface(`corenet_non_ipsec_sendrecv',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
+ refpolicyerr(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
corenet_all_recvfrom_unlabeled($1)
')
@@ -2173,7 +2173,7 @@
##
#
interface(`corenet_dontaudit_non_ipsec_sendrecv',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
+ refpolicyerr(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
corenet_dontaudit_all_recvfrom_unlabeled($1)
')
@@ -2188,7 +2188,7 @@
##
#
interface(`corenet_tcp_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
+ refpolicyerr(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
corenet_tcp_recvfrom_netlabel($1)
')
@@ -2243,7 +2243,7 @@
##
#
interface(`corenet_dontaudit_tcp_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
+ refpolicyerr(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
corenet_dontaudit_tcp_recvfrom_netlabel($1)
')
@@ -2299,7 +2299,7 @@
##
#
interface(`corenet_udp_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
+ refpolicyerr(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
corenet_udp_recvfrom_netlabel($1)
')
@@ -2354,7 +2354,7 @@
##
#
interface(`corenet_dontaudit_udp_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
+ refpolicyerr(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
corenet_dontaudit_udp_recvfrom_netlabel($1)
')
@@ -2410,7 +2410,7 @@
##
#
interface(`corenet_raw_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
+ refpolicyerr(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
corenet_raw_recvfrom_netlabel($1)
')
--- refpolicy-2.20110726.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20110726/policy/modules/kernel/filesystem.if
@@ -4064,6 +4064,24 @@
########################################
##
+## Allow reading tmpfs files
+##
+##
+##
+## Domain to read files
+##
+##
+#
+interface(`fs_allow_tmpfs_file_read',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:file read;
+')
+
+########################################
+##
## Create, read, write, and delete
## auto moutpoints.
##
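Review bot: `allow $1 tmpfs_t:file read;` grants only the read permission; without open and getattr a domain cannot actually open the file, so the interface is ineffective on kernels that enforce the open permission. The name also breaks the fs_<access>_<object> convention used throughout filesystem.if, and if this tree already provides fs_read_tmpfs_files the addition is redundant. If a new interface is still wanted, `allow $1 tmpfs_t:file read_file_perms;` under a conventionally named interface is the form to use.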
--- refpolicy-2.20110726.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20110726/policy/modules/kernel/corecommands.fc
@@ -185,6 +185,7 @@
/usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -201,6 +202,9 @@
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ifdef(`distro_debian', `
+/usr/lib(64)?/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+')
/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/kernel/terminal.if
+++ refpolicy-2.20110726/policy/modules/kernel/terminal.if
@@ -909,7 +909,7 @@
##
#
interface(`term_getattr_all_user_ptys',`
- refpolicywarn(`$0 has been deprecated, use term_getattr_all_ptys() instead.')
+ refpolicyerr(`$0 has been deprecated, use term_getattr_all_ptys() instead.')
term_getattr_all_ptys($1)
')
@@ -926,7 +926,7 @@
##
#
interface(`term_dontaudit_getattr_all_user_ptys',`
- refpolicywarn(`$0 has been deprecated, use term_dontaudit_getattr_all_ptys() instead.')
+ refpolicyerr(`$0 has been deprecated, use term_dontaudit_getattr_all_ptys() instead.')
term_dontaudit_getattr_all_ptys($1)
')
@@ -943,7 +943,7 @@
##
#
interface(`term_setattr_all_user_ptys',`
- refpolicywarn(`$0 has been deprecated, use term_setattr_all_ptys() instead.')
+ refpolicyerr(`$0 has been deprecated, use term_setattr_all_ptys() instead.')
term_setattr_all_ptys($1)
')
@@ -958,7 +958,7 @@
##
#
interface(`term_relabelto_all_user_ptys',`
- refpolicywarn(`$0 has been deprecated, use term_relabelto_all_ptys() instead.')
+ refpolicyerr(`$0 has been deprecated, use term_relabelto_all_ptys() instead.')
term_relabelto_all_ptys($1)
')
@@ -973,7 +973,7 @@
##
#
interface(`term_write_all_user_ptys',`
- refpolicywarn(`$0 has been deprecated, use term_write_all_ptys() instead.')
+ refpolicyerr(`$0 has been deprecated, use term_write_all_ptys() instead.')
term_write_all_ptys($1)
')
@@ -989,7 +989,7 @@
##
#
interface(`term_use_all_user_ptys',`
- refpolicywarn(`$0 has been deprecated, use term_use_all_ptys() instead.')
+ refpolicyerr(`$0 has been deprecated, use term_use_all_ptys() instead.')
term_use_all_ptys($1)
')
@@ -1005,7 +1005,7 @@
##
#
interface(`term_dontaudit_use_all_user_ptys',`
- refpolicywarn(`$0 has been deprecated, use term_dontaudit_use_all_ptys() instead.')
+ refpolicyerr(`$0 has been deprecated, use term_dontaudit_use_all_ptys() instead.')
term_dontaudit_use_all_ptys($1)
')
@@ -1021,7 +1021,7 @@
##
#
interface(`term_relabel_all_user_ptys',`
- refpolicywarn(`$0 has been deprecated, use term_relabel_all_ptys() instead.')
+ refpolicyerr(`$0 has been deprecated, use term_relabel_all_ptys() instead.')
term_relabel_all_ptys($1)
')
@@ -1393,7 +1393,7 @@
##
#
interface(`term_getattr_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_getattr_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_getattr_all_ttys() instead.')
term_getattr_all_ttys($1)
')
@@ -1410,7 +1410,7 @@
##
#
interface(`term_dontaudit_getattr_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_dontaudit_getattr_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_dontaudit_getattr_all_ttys() instead.')
term_dontaudit_getattr_all_ttys($1)
')
@@ -1427,7 +1427,7 @@
##
#
interface(`term_setattr_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_setattr_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_setattr_all_ttys() instead.')
term_setattr_all_ttys($1)
')
@@ -1443,7 +1443,7 @@
##
#
interface(`term_relabel_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_relabel_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_relabel_all_ttys() instead.')
term_relabel_all_ttys($1)
')
@@ -1458,7 +1458,7 @@
##
#
interface(`term_write_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_write_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_write_all_ttys() instead.')
term_write_all_ttys($1)
')
@@ -1474,7 +1474,7 @@
##
#
interface(`term_use_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_use_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_use_all_ttys() instead.')
term_use_all_ttys($1)
')
@@ -1490,6 +1490,6 @@
##
#
interface(`term_dontaudit_use_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
--- refpolicy-2.20110726.orig/policy/modules/kernel/mcs.te
+++ refpolicy-2.20110726/policy/modules/kernel/mcs.te
@@ -5,8 +5,19 @@
# Declarations
#
+# process may kill all processes (init)
attribute mcskillall;
+# process may ptrace at all levels
attribute mcsptraceall;
+# process may run a child in any level
attribute mcssetcats;
+# process may set the low level for a child with no restriction
+attribute mcssetlow;
+# object may be accessed by any process at a higher level
+attribute mcstrustedobject;
+# process may write all files/dirs
attribute mcswriteall;
+# process may read all files/dirs
attribute mcsreadall;
+# process may delete all files and write dirs as appropriate
+attribute mcsdeleteall;
--- refpolicy-2.20110726.orig/policy/modules/kernel/storage.if
+++ refpolicy-2.20110726/policy/modules/kernel/storage.if
@@ -290,6 +290,24 @@
########################################
##
+## Create block devices in a directory labelled as var_run_t
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`storage_var_run_filetrans_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ ')
+
+ files_pid_filetrans($1,fixed_disk_device_t,blk_file)
+')
+
+########################################
+##
## Relabel fixed disk device nodes.
##
##
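Review bot: The summary "Create block devices in a directory labelled as var_run_t" overstates what the interface grants: `files_pid_filetrans($1,fixed_disk_device_t,blk_file)` installs the type transition and directory permissions, but the create permission on fixed_disk_device_t:blk_file has to come from a separate storage interface, so a caller relying on the summary alone will still be denied. Rewording it to `## Type-transition block devices created in var_run_t directories to fixed_disk_device_t` and noting that create access is granted separately makes the contract accurate. The parameter text should also use the module's usual `## Domain allowed access.` wording.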
--- refpolicy-2.20110726.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20110726/policy/modules/kernel/kernel.if
@@ -299,7 +299,7 @@
##
#
interface(`kernel_tcp_recvfrom',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
@@ -313,7 +313,7 @@
##
#
interface(`kernel_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
@@ -327,7 +327,7 @@
##
#
interface(`kernel_udp_recvfrom',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
########################################
--- refpolicy-2.20110726.orig/policy/modules/kernel/selinux.if
+++ refpolicy-2.20110726/policy/modules/kernel/selinux.if
@@ -544,6 +544,7 @@
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:filesystem getattr;
allow $1 security_t:security check_context;
')
--- refpolicy-2.20110726.orig/policy/modules/kernel/filesystem.te
+++ refpolicy-2.20110726/policy/modules/kernel/filesystem.te
@@ -95,6 +95,8 @@
type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
+files_type(hugetlbfs_t)
+files_poly_parent(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
type ibmasmfs_t;
--- refpolicy-2.20110726.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy-2.20110726/policy/modules/kernel/corenetwork.te.in
@@ -100,6 +100,7 @@
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(epmd, tcp,4369,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
network_port(fingerd, tcp,79,s0)
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
@@ -118,7 +119,7 @@
network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
network_port(innd, tcp,119,s0)
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
@@ -155,6 +156,7 @@
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
+network_port(nrpe, tcp,5666,s0)
network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
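Review bot: `network_port(nrpe, tcp,5666,s0)` is inserted after ntp, but the list is kept alphabetical and nrpe sorts before ntop and ntp (directly after nmbd). The earlier hunk removes tcp/5666 from inetd_child, so any domain that relied on the inetd_child port for nrpe (inetd_t if nrpe is still started from inetd, and nrpe_t's own inetd_child bind in nagios.te) now needs the corenet_*_nrpe_port interfaces; the nagios.te hunk adds the bind for nrpe_t, but inetd is not touched anywhere visible here.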
--- refpolicy-2.20110726.orig/policy/modules/kernel/selinux.te
+++ refpolicy-2.20110726/policy/modules/kernel/selinux.te
@@ -19,6 +19,7 @@
type security_t, boolean_type;
fs_type(security_t)
mls_trusted_object(security_t)
+mcs_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/kernel/devices.fc
+++ refpolicy-2.20110726/policy/modules/kernel/devices.fc
@@ -1,5 +1,12 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
+ifdef(`distro_debian',`
+# this is a static /dev dir "backup mount"
+# if you want to disable udev, you'll have to boot permissive and relabel!
+/dev/\.static -d gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev -d gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev/(.*)? <>
+')
/dev/.* gen_context(system_u:object_r:device_t,s0)
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/kernel/mcs.if
+++ refpolicy-2.20110726/policy/modules/kernel/mcs.if
@@ -45,6 +45,26 @@
########################################
##
+## This domain is allowed to delete files and directories
+## regardless of their MCS category set.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+##
+#
+interface(`mcs_file_delete_all',`
+ gen_require(`
+ attribute mcsdeleteall;
+ ')
+
+ typeattribute $1 mcsdeleteall;
+')
+
+########################################
+##
## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS category set.
##
@@ -102,3 +122,53 @@
typeattribute $1 mcssetcats;
')
+
+########################################
+##
+## Make specified domain MCS trusted
+## for setting the low level of its range for the processes it executes,
+## IE MCS will not be mandatory for it.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+#
+interface(`mcs_process_set_low',`
+ gen_require(`
+ attribute mcssetlow;
+ ')
+
+ typeattribute $1 mcssetlow;
+')
+
+########################################
+##
+## Make specified object MCS trusted.
+##
+##
+##
+## Make specified object MCS trusted. This
+## allows all levels to read and write the
+## object.
+##
+##
+## This currently only applies to filesystem
+## objects, for example, files and directories.
+##
+##
+##
+##
+## The type of the object.
+##
+##
+#
+interface(`mcs_trusted_object',`
+ gen_require(`
+ attribute mcstrustedobject;
+ ')
+
+ typeattribute $1 mcstrustedobject;
+')
+
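Review bot: The summary for `mcs_trusted_object` says the attribute "allows all levels to read and write the object", while the comment on the new mcstrustedobject attribute in the mcs.te hunk says the object "may be accessed by any process at a higher level"; the two descriptions disagree and only one can match the constraint in policy/mcs. Align the interface docs with what the constraint actually does, and spell "IE" as "i.e." in the mcs_process_set_low summary. There is also a stray trailing blank line after the last `')`.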
--- refpolicy-2.20110726.orig/policy/modules/kernel/files.te
+++ refpolicy-2.20110726/policy/modules/kernel/files.te
@@ -31,6 +31,7 @@
attribute tmpfile;
attribute tmpfsfile;
+attribute hugetlbfsfile;
# this attribute is not currently used and will be removed in the future.
# unfortunately, this attribute can not be removed yet because it may cause
@@ -213,6 +214,13 @@
########################################
#
+# Rules for all hugetlbfs file types
+#
+
+fs_associate_hugetlbfs(hugetlbfsfile)
+
+########################################
+#
# Unconfined access to this module
#
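Review bot: `fs_associate_hugetlbfs(hugetlbfsfile)` calls an interface that does not appear in the filesystem.if hunk of this patch; if it is not already defined in filesystem.if the new attribute rule fails to expand. A comment above the block stating the attribute's purpose would also help, e.g. `# types that may be associated with hugetlbfs; assigned by files_hugetlbfs_file()`, since files_hugetlbfs_file in the files.if hunk is the only producer of the attribute visible here.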
--- refpolicy-2.20110726.orig/policy/modules/kernel/files.fc
+++ refpolicy-2.20110726/policy/modules/kernel/files.fc
@@ -62,8 +62,6 @@
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
-/etc/network/ifstate -- gen_context(system_u:object_r:etc_runtime_t,s0)
-
/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -255,5 +253,11 @@
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
ifdef(`distro_debian',`
-/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+')
+# on Debian /lib/init/rw is a tmpfs used like /var/run but
+# before /var is mounted
+/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
')
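Review bot: The added `ifdef(`distro_debian', `` block is nested inside the existing `ifdef(`distro_debian',`` that begins on the context line above it, so the inner guard is redundant and the /run/motd entry can sit directly next to the /var/run/motd one. Changing /var/run/motd from etc_runtime_t to initrc_var_run_t also changes which domains may write it; a short comment naming the Debian init script that generates it would justify the relabel. The /lib/init/rw entry's range `s0-mls_systemhigh` is the only ranged context in this file, so a comment on why it needs the full range would help too.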
--- refpolicy-2.20110726.orig/policy/modules/kernel/filesystem.fc
+++ refpolicy-2.20110726/policy/modules/kernel/filesystem.fc
@@ -1,4 +1,8 @@
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ifdef(`distro_debian', `
+/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+')
/cgroup/.* <>
/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20110726/policy/modules/kernel/devices.if
@@ -140,7 +140,7 @@
interface(`dev_relabel_all_dev_nodes',`
gen_require(`
attribute device_node;
- type device_t;
+ type device_t, tmpfs_t;
')
relabelfrom_dirs_pattern($1, device_t, device_node)
@@ -150,6 +150,7 @@
relabelfrom_sock_files_pattern($1, device_t, device_node)
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
+ allow $1 tmpfs_t:chr_file { read write };
')
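Review bot: `allow $1 tmpfs_t:chr_file { read write };` in dev_relabel_all_dev_nodes grants read/write on tmpfs character devices from an interface whose contract is relabelling, and together with the widened gen_require in the previous hunk it pulls tmpfs_t, a filesystem-module type, into devices.if. The caller that needs this access would be better served by the filesystem module's own interface for tmpfs chr files (fs_rw_tmpfs_chr_files, if present in this tree) or by a separate interface with its own summary. The interface body starts in the previous hunk.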
########################################
@@ -787,6 +788,26 @@
########################################
##
+## Create FIFO pipes in device directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_create_generic_pipes',`
+ gen_require(`
+ type device_t;
+ ')
+ allow $1 device_t:dir add_entry_dir_perms;
+ allow $1 device_t:fifo_file { getattr create };
+ allow $1 device_t:dir search_dir_perms;
+ allow $1 device_t:file setattr_file_perms;
+')
+
+########################################
+##
## Create, delete, read, and write symbolic links in device directories.
##
##
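Review bot: `allow $1 device_t:file setattr_file_perms;` does not belong in an interface whose summary is "Create FIFO pipes in device directories": it grants setattr on regular files, not pipes, and the summary does not mention it. `allow $1 device_t:dir search_dir_perms;` is redundant because add_entry_dir_perms already includes search. A body of `allow $1 device_t:dir add_entry_dir_perms;` plus `allow $1 device_t:fifo_file create_fifo_file_perms;` (or the exact `{ getattr create }` set if that minimum is intended) would match the documented contract; the gen_require block also lacks the blank line the other interfaces in this file place after it.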
@@ -2882,7 +2903,7 @@
##
#
interface(`dev_read_mtrr',`
- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+ refpolicyerr(`$0($*) has been replaced with dev_rw_mtrr().')
dev_rw_mtrr($1)
')
@@ -2911,7 +2932,7 @@
##
#
interface(`dev_write_mtrr',`
- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+ refpolicyerr(`$0($*) has been replaced with dev_rw_mtrr().')
dev_rw_mtrr($1)
')
@@ -4550,7 +4571,7 @@
########################################
##
-## Write to watchdog devices.
+## Read/Write watchdog devices.
##
##
##
@@ -4558,12 +4579,12 @@
##
##
#
-interface(`dev_write_watchdog',`
+interface(`dev_rw_watchdog',`
gen_require(`
type device_t, watchdog_device_t;
')
- write_chr_files_pattern($1, device_t, watchdog_device_t)
+ rw_chr_files_pattern($1, device_t, watchdog_device_t)
')
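Review bot: Renaming dev_write_watchdog() to dev_rw_watchdog() removes the old name outright, so any module still calling dev_write_watchdog() (in-tree or third-party) fails to build; this same file handles dev_read_mtrr()/dev_write_mtrr() by keeping the old interface as a forwarding shim, and the rename should follow that pattern. Keep a deprecated dev_write_watchdog() that warns and forwards, with its header marking it deprecated, as below. The widening from write to read/write is otherwise consistent with the summary change in the hunk above.
```m4
########################################
## <summary>
##	Write to watchdog devices. (Deprecated: use dev_rw_watchdog().)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_watchdog',`
	refpolicywarn(`$0($*) has been replaced with dev_rw_watchdog().')
	dev_rw_watchdog($1)
')
```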
########################################
--- refpolicy-2.20110726.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20110726/policy/modules/kernel/files.if
@@ -413,6 +413,26 @@
########################################
##
+## Transform the type into a file, for use on a
+## virtual memory filesystem (hugetlbfs).
+##
+##
+##
+## The type to be transformed.
+##
+##
+#
+interface(`files_hugetlbfs_file',`
+ gen_require(`
+ attribute hugetlbfsfile;
+ ')
+
+ files_type($1)
+ typeattribute $1 hugetlbfsfile;
+')
+
+########################################
+##
## Get the attributes of all directories.
##
##
@@ -3460,8 +3480,9 @@
gen_require(`
type mnt_t;
')
-
- allow $1 mnt_t:dir search_dir_perms;
+
+ allow $1 mnt_t:dir search_dir_perms;
+ allow $1 mnt_t:lnk_file read_lnk_file_perms;
')
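Review bot: The `-`/`+` pair on the blank line and on `allow $1 mnt_t:dir search_dir_perms;` appears to change only whitespace (the text is identical), which is churn in a distribution patch; reduce the hunk to the single added line `allow $1 mnt_t:lnk_file read_lnk_file_perms;`. The same lnk_file read is added to the dontaudit and list variants in the next two hunks, which is consistent. The enclosing interface begins outside the hunk, so its summary may want a note that symlinks under the mount point become readable as well.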
########################################
@@ -3480,6 +3501,7 @@
')
dontaudit $1 mnt_t:dir search_dir_perms;
+ dontaudit $1 mnt_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -3498,6 +3520,7 @@
')
allow $1 mnt_t:dir list_dir_perms;
+ allow $1 mnt_t:lnk_file read_lnk_file_perms;
')
######################################
@@ -5504,6 +5527,7 @@
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
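Review bot: The added `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` duplicates the identical rule two lines above it, which is already a context line, so the new line is redundant and looks like a leftover from rebasing onto a release that already carries the fix; drop it. The same duplicate is added in the following hunk of this file (the manage variant of the lockfile interface). Both enclosing interfaces start outside their hunks.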
@@ -5527,6 +5551,7 @@
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
@@ -5800,6 +5825,26 @@
')
########################################
+##
+## Create directories under /var/run
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_pid_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir manage_dir_perms;
+')
+
+########################################
##
## Do not audit attempts to write to daemon runtime data files.
##
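Review bot: In files_manage_pid_dirs() the rule `allow $1 var_t:dir search;` spells out a raw permission where every other rule in this file uses the `search_dir_perms` set; change it to `allow $1 var_t:dir search_dir_perms;`. The summary "Create directories under /var/run" also understates `manage_dir_perms`, which includes delete, rename and setattr on any directory under /var/run; either narrow the rule to `create_dir_perms` if creation is all that is needed, or reword the summary to "Create, read, write, and delete directories under /var/run" so callers see what they are granting.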
--- refpolicy-2.20110726.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20110726/policy/modules/roles/unprivuser.te
@@ -27,6 +27,9 @@
optional_policy(`
xserver_role(user_r, user_t)
')
+optional_policy(`
+ consolekit_dbus_chat(user_t)
+')
ifndef(`distro_redhat',`
optional_policy(`
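Review bot: `consolekit_dbus_chat(user_t)` is added as its own optional_policy block with no comment on why an unprivileged user domain needs to exchange dbus messages with consolekit; the rationale given in debian/changelog ("determine their session status - necessary to login in KDE sometimes") belongs on the rule, e.g. `# needed to query session status at KDE login`. The identical block is added for staff_t in the staff.te hunk below; since both role domains get the same rule, a single call in the shared user domain template would avoid the duplication, assuming no other role is meant to be excluded.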
--- refpolicy-2.20110726.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20110726/policy/modules/roles/sysadm.te
@@ -156,6 +156,10 @@
')
optional_policy(`
+ python_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
--- refpolicy-2.20110726.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20110726/policy/modules/roles/staff.te
@@ -41,6 +41,9 @@
optional_policy(`
sudo_role_template(staff, staff_r, staff_t)
')
+optional_policy(`
+ consolekit_dbus_chat(staff_t)
+')
optional_policy(`
sysadm_role_change(staff_r)
--- refpolicy-2.20110726.orig/debian/copyright
+++ refpolicy-2.20110726/debian/copyright
@@ -0,0 +1,49 @@
+This is the Debian package for the SELinux Reference policy, and it is
+built from sources obtained from:
+ http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
+
+This package was originally debianized by Erich Schubert
+ on Mon, 13 Feb 2006 22:50:03 +0100.
+
+The package has since changed maintainers, the current maintainer being
+Manoj Srivastava .
+
+Changes:
+ * added Debian GNU/Linux package maintenance system files
+ * Some Debian specific tweaks and changes to policy also exist
+
+
+The reference policy is
+Copyright (C) 2002 Michael Droettboom
+Copyright (C) 2003 - 2006 Tresys Technology, LLC
+
+
+License:
+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, version 2 of the License.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+The debian specific changes are Copyright © 2006 Manoj Srivastava, and
+distributed under the terms of the GNU General Public License, version
+2.
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL-2'.
+
+ A copy of the GNU General Public License is also available at
+ . You may also obtain
+ it by writing to the Free Software Foundation, Inc., 51 Franklin
+ St, Fifth Floor, Boston, MA 02110-1301 USA
+
+Manoj Srivastava
+arch-tag: d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27
--- refpolicy-2.20110726.orig/debian/doc.postinst
+++ refpolicy-2.20110726/debian/doc.postinst
@@ -0,0 +1,211 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# postinst ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 11:25:07 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 16:26:45 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 16
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 4e408b9c-d423-4177-b8a3-2d7b4fe51af7
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#
+
+# Abort if any command returns an error value
+set -e
+
+package_name=selinux-policy-refpolicy-doc
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+# This script is called as the last step of the installation of the
+# package. All the package's files are in place, dpkg has already done
+# its automatic conffile handling, and all the packages we depend of
+# are already fully installed and configured.
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * abort-remove # if prerm fails during removal
+# * `abort-remove' `in-favour'
+#
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+# The following idempotent stuff doesn't generally need protecting
+# against being run in the abort-* cases.
+
+# Install info files into the dir file
+#install-info --quiet --section "Development" "Development" \
+# --description="The GNU make utility." /usr/share/info/$package_name.info.gz
+
+# Create stub directories under /usr/local
+##: if test ! -d /usr/local/lib/${package_name}; then
+##: if test ! -d /usr/local/lib; then
+##: if mkdir /usr/local/lib; then
+##: chown root.staff /usr/local/lib || true
+##: chmod 2775 /usr/local/lib || true
+##: fi
+##: fi
+##: if mkdir /usr/local/lib/${package_name}; then
+##: chown root.staff /usr/local/lib/${package_name} || true
+##: chmod 2775 /usr/local/lib/${package_name} || true
+##: fi
+##: fi
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+# Arrange for a daemon to be started at system boot time
+##: update-rc.d ${package_name} default >/dev/null
+
+case "$1" in
+ configure)
+ # Configure this package. If the package must prompt the user for
+ # information, do it here.
+ # Install emacs lisp files
+ ##:if [ -x /usr/lib/emacsen-common/emacs-package-install ]; then
+ ##: /usr/lib/emacsen-common/emacs-package-install $package_name
+ ##:fi
+
+
+ # Activate menu-methods script
+ ##: chmod a+x /etc/menu-methods/${package_name}
+
+ # Update ld.so cache
+ ##: ldconfig
+
+ # Make our version of a program available
+ ##: update-alternatives \
+ ##: --install /usr/bin/program program /usr/bin/alternative 50 \
+ ##: --slave /usr/man/man1/program.1.gz program.1.gz \
+ ##: /usr/man/man1/alternative.1.gz
+
+ # Tell ucf that the file in /usr/share/foo is the latest
+ # maintainer version, and let it handle how to manage the real
+ # confuguration file in /etc. This is how a static configuration
+ # file can be handled:
+ ##:if which ucf >/dev/null 2>&1; then
+ ##: ucf /usr/share/${package_name}/configuration /etc/${package_name}.conf
+ ##:fi
+
+ ### We could also do this on the fly. The following is from Tore
+ ### Anderson:
+
+ #. /usr/share/debconf/confmodule
+
+ ### find out what the user answered.
+ # db_get foo/run_on_boot
+ # run_on_boot=$RET
+ # db_stop
+
+ ### safely create a temporary file to generate our suggested
+ ### configuration file.
+ # tempfile=`tempfile`
+ # cat << _eof > $tempfile
+ ### Configuration file for Foo.
+
+ ### this was answered by you, the user in a debconf dialogue
+ # RUNONBOOT=$run_on_boot
+
+ ### this was not, as it has a sane default value.
+ # COLOUROFSKY=blue
+
+ #_eof
+
+ ### Note that some versions of debconf do not release stdin, so
+ ### the following invocation of ucf may not work, since the stdin
+ ### is never coneected to ucfr.
+
+ ### now, invoke ucf, which will take care of the rest, and ask
+ ### the user if he wants to update his file, if it is modified.
+ #ucf $tempfile /etc/foo.conf
+
+ ### done! now we'll just clear up our cruft.
+ #rm -f $tempfile
+
+
+
+ # There are three sub-cases:
+ if test "${2+set}" != set; then
+ # We're being installed by an ancient dpkg which doesn't remember
+ # which version was most recently configured, or even whether
+ # there is a most recently configured version.
+ :
+
+ elif test -z "$2" || test "$2" = ""; then
+ # The package has not ever been configured on this system, or was
+ # purged since it was last configured.
+ :
+
+ else
+ # Version $2 is the most recently configured version of this
+ # package.
+ :
+
+ fi ;;
+ abort-upgrade)
+ # Back out of an attempt to upgrade this package FROM THIS VERSION
+ # to version $2. Undo the effects of "prerm upgrade $2".
+ :
+
+ ;;
+ abort-remove)
+ if test "$2" != in-favour; then
+ echo "$0: undocumented call to \`postinst $*'" 1>&2
+ exit 0
+ fi
+ # Back out of an attempt to remove this package, which was due to
+ # a conflict with package $3 (version $4). Undo the effects of
+ # "prerm remove in-favour $3 $4".
+ :
+
+ ;;
+ abort-deconfigure)
+ if test "$2" != in-favour || test "$5" != removing; then
+ echo "$0: undocumented call to \`postinst $*'" 1>&2
+ exit 0
+ fi
+ # Back out of an attempt to deconfigure this package, which was
+ # due to package $6 (version $7) which we depend on being removed
+ # to make way for package $3 (version $4). Undo the effects of
+ # "prerm deconfigure in-favour $3 $4 removing $6 $7".
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
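Review bot: `print >&2 "Internal Error. Please report a bug."` in the `package_name` guard is not a POSIX sh command; under dash it fails (or, on a Debian system with mime-support installed, resolves to the `print` run-mailcap wrapper), so the intended diagnostic never appears — use `echo "Internal Error. Please report a bug." >&2`. The guard is dead anyway because `package_name` is a literal assigned two lines earlier, so both lines could simply go. Separately, `elif test -z "$2" || test "$2" = ""` tests the same condition twice, and every case branch is a bare `:`, so the script is a no-op apart from the template's commented-out blocks, which should be deleted rather than shipped as `##:` lines.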
--- refpolicy-2.20110726.orig/debian/changelog
+++ refpolicy-2.20110726/debian/changelog
@@ -0,0 +1,1399 @@
+refpolicy (2:2.20110726-1ubuntu1) precise; urgency=low
+
+ * Merge from Debian testing. Remaining changes:
+ - debian/control: drop "selinux" conflict (Closes: #576598)
+
+ -- Angel Abad Sat, 03 Dec 2011 15:16:52 +0100
+
+refpolicy (2:2.20110726-1) unstable; urgency=low
+
+ * New upstream policy
+ * Built for Wheezy, made it depend on all Wheezy versions. It won't work
+ on Squeeze and can't be easily backported.
+ * Label /dev/xconsole as xconsole_device_t
+ * Allow syslogd_t capability sys_nice and process:{ getsched setsched }
+ * Allow xconsole_device_t to be associated with device_t filesystems
+ * This version is a bit rough, you can boot unstable in enforcing mode and
+ login via ssh but I won't guarantee any more.
+
+ -- Russell Coker Mon, 31 Oct 2011 21:54:20 +1100
+
+refpolicy (2:0.2.20100524-13) unstable; urgency=low
+
+ * Labeled awffull as webalizer_exec_t.
+ * Removed nx.pp from unstable as it doesn't build with latest utils.
+
+ -- Russell Coker Thu, 15 Sep 2011 11:53:02 +1000
+
+refpolicy (2:0.2.20100524-12ubuntu1) precise; urgency=low
+
+ * Merge from debian testing. Remaining changes:
+ - debian/control: drop "selinux" conflict (Closes: #576598)
+
+ -- Angel Abad Sun, 16 Oct 2011 16:06:08 +0200
+
+refpolicy (2:0.2.20100524-12) unstable; urgency=low
+
+ * Allow perdition to bind to sieve port, read /dev/urandom, and capabilities
+ chown and fowner.
+ * Allow nrpe_t to manage nagios_var_run_t files.
+ * Change the in_unconfined_r() interface so that postfix_postqueue_t can
+ read and write unconfined_t fifos.
+ * Allow quota_t to load kernel modules.
+
+ -- Russell Coker Tue, 30 Aug 2011 23:10:50 +1000
+
+refpolicy (2:0.2.20100524-11) unstable; urgency=low
+
+ * Allow snmpd to setuid and setgid.
+ * Allow nagios services to connect to mysql servers via tcp and read /etc
+ files for mysql.
+ * Allow nagios_mail_plugin_t to read usr files.
+ * Allow postfix_postqueue_t to use a fd from nagios_mail_plugin_t.
+ * Allow crond_t the sys_resource capability to set resource limits for
+ children.
+ * Allow user_t to manage httpd_user_content_t, also allow httpd_t
+ the same access to httpd_user_content_t sym-links as to files.
+ * Allow gpg_agent_t to create sock_files under ~/.gnupg
+ Allow gpg_pinentry_t to read var_lib_t files for fonts.conf
+ * Allow perdition to authenticate with mysql, read directories of type
+ perdition_etc_t, connect to the pop ports
+ * Allow nagios_checkdisk_plugin_t to getattr all mountpoint dirs, so it
+ can check the root directory of a filesystem.
+
+ -- Russell Coker Fri, 19 Aug 2011 16:36:17 +1000
+
+refpolicy (2:0.2.20100524-10ubuntu1) oneiric; urgency=low
+
+ * Merge from debian unstable. Remaining changes:
+ - debian/control: drop "selinux" conflict (Debian bug 576598)
+
+ -- Angel Abad Tue, 26 Jul 2011 00:31:22 +0200
+
+refpolicy (2:0.2.20100524-10) unstable; urgency=low
+
+ * Label gpgsm as gpg_exec_t
+ * Add policy for /run etc, thanks to Martin Orr for
+ working on this, even though we can't use subst now.
+ Closes: #629066, #628039, #626720
+
+ -- Russell Coker Sun, 24 Jul 2011 15:50:23 +1000
+
+refpolicy (2:0.2.20100524-9ubuntu1) oneiric; urgency=low
+
+ * Merge from debian unstable. Remaining changes:
+ - debian/control: drop "selinux" conflict (Debian bug 576598)
+
+ -- Angel Abad Tue, 17 May 2011 14:44:24 +0200
+
+refpolicy (2:0.2.20100524-9) unstable; urgency=low
+
+ * Make gnome.pp not be autoloaded and revert some of the gnome stuff from the
+ previous version. Getting gnome (gconfd) policy to work correctly is too
+ hard for Squeeze.
+ * Allow user_t to talk to xdm_var_run_t sockets so switch user can work.
+ * Allow mailman_mail_t to read /dev/urandom and usr_t files
+ * Allow xenconsoled_t capability sys_tty_config and create unix_dgram_socket
+ * Allow iodine_t to read /proc/filesystems
+ * Allow jabber_t to write it's fifos, process set/getsched, connect to
+ generic tcp ports, and bind to udp ports.
+ * Label /var/lib/sudo as pam_var_run_t
+ * Allow sshd_t to read gitosis files.
+ * Made the gitosis label apply to /srv/gitosis.
+ * Allow webalizer to read usr_t files for geoip database.
+ * Allow user_t and staff_t consolekit_dbus_chat() access so they can
+ determine their session status - necessary to login in KDE sometimes.
+ * Label ~/.gnupg/gpg.conf as user_home_t and allow user_t to list directories
+ of type gpg_secret_t so gpg-agent can start.
+ * Allow gpg_agent_t to launch a user session and send sigchld to xdm_t
+ * Allow user_ssh_agent_t to send sigchld to xdm_t and allow it to run the
+ gpg agent.
+ * Add new paths for chromium-browser to support the version in unstable,
+ needed for backports.
+ * Allow user_mail_t to transition to postfix_master_t for postalias, confined
+ by roles. Uses domain_system_change_exemption() for user_mail_t via
+ postfix_domtrans_master() which isn't ideal.
+
+ -- Russell Coker Wed, 11 May 2011 11:58:46 +1000
+
+refpolicy (2:0.2.20100524-8ubuntu1) oneiric; urgency=low
+
+ * Merge from debian unstable. Remaining change:
+ - debian/control: drop "selinux" conflict (Debian bug 576598)
+
+ -- Bhavani Shankar Sun, 01 May 2011 15:52:51 +0530
+
+refpolicy (2:0.2.20100524-8) unstable; urgency=low
+
+ * Add tunable user_manage_dos_files which defaults to true
+ * Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub
+ * Allow mozilla to create directories under /tmp
+ * Use correct label for /usr/lib/libgconf2-4/gconfd-2 and load gnome.pp on
+ installation if libgconf2-4 is installed
+ * Use correct label for /usr/lib/upower/upowerd
+ * Dontaudit bind_t write attempts to / for lwresd calling access(".", W_OK)
+ * Allow user domains to execute mysqld_exec_t, for KDE
+ * Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t.
+ * Label /var/lib/fetchmail as fetchmail_uidl_cache_t and allow fetchmail_t to
+ search /var/lib and manage fetchmail_uidl_cache_t dirs
+ * Allow xm_t to read kernel image files, needed for DomU startup on boot
+ * Allow gpg_agent_t to read etc_t files and sysctl_crypto_t.
+ * Allow network manager to run wpa_cli_exec_t programs.
+
+ -- Russell Coker Fri, 11 Mar 2011 14:28:58 +1100
+
+refpolicy (2:0.2.20100524-7ubuntu1) natty; urgency=low
+
+ * Merge from debian unstable. Remaining changes:
+ - debian/control: drop "selinux" conflict (Debian bug 576598)
+
+ -- Angel Abad Thu, 13 Jan 2011 22:04:50 +0100
+
+refpolicy (2:0.2.20100524-7) unstable; urgency=low
+
+ * Allow crontab_t to create a directory of type crontab_tmp_t, necessary to
+ allow crontab -e to work
+
+ -- Russell Coker Thu, 13 Jan 2011 21:32:24 +1100
+
+refpolicy (2:0.2.20100524-6ubuntu1) natty; urgency=low
+
+ * Merge from debian unstable. Remaining changes:
+ - debian/control: drop "selinux" conflict (Debian bug 576598)
+
+ -- Angel Abad Thu, 13 Jan 2011 13:40:14 +0100
+
+refpolicy (2:0.2.20100524-6) unstable; urgency=low
+
+ * Allow mysqld_safe_t to send messages to syslogd
+ * Allow mysqld_t to run shell scripts (shell_exec_t and bin_t)
+ * Fixed a bug in the previous release that stopped MTAs from talking to
+ the dkim-milter, the .if file had the wrong type.
+ * Made it load ipsec.pp if ipsec-tools or racoon is installed
+ * Include policy for the iodine IP over DNS tunnel daemon
+ * Allow saslauthd_t to talk to mysqld via TCP
+ * Allow freshclam_t to read proc_t files
+ * Allow postfix_local_t to write to mail_spool_t files for locking
+ * Allow system_mail_t (sendmail) to get read/write access to crond_tmp_t
+
+ -- Russell Coker Thu, 13 Jan 2011 12:41:00 +1100
+
+refpolicy (2:0.2.20100524-5ubuntu1) natty; urgency=low
+
+ * Merge from debian unstable. Remaining change:
+ - ebian/control: drop "selinux" conflict (Debian bug 576598)
+
+ -- Bhavani Shankar Sun, 09 Jan 2011 19:02:47 +0530
+
+refpolicy (2:0.2.20100524-5) unstable; urgency=low
+
+ * Label /usr/bin/tcsh as shell_exec_t
+ * Domain trans from unconfined_t to depmod_t
+ * Don't include /usr/lib/dovecot/deliver in dovecot.fc/te as it's in lda.pp
+ * Don't include /usr/sbin/spamass-milter and /var/spool/postfix/spamass in
+ spamassassin.fc as they are in milter.fc
+ * Label /var/run/spamass as spamass_milter_data_t
+ * Allow lvm_t rw access to unconfined_t semaphores.
+ * Added in_unconfined_r() interface and made postfix user domains use it
+ so they can be in the role unconfined_r. Ugly but no better solution at
+ this time
+ Closes: #592038 #599053
+ * Include Chromium policy in mozilla.pp
+ * Allow sshd getcap and setcap access
+ * Correctly label ~/.xsession-errors
+ * Allow spamc_t to be in system_r and allow it access to netlink_route_socket
+ * Allow lda_t to talk to the Courier Authdaemon - for courier maildrop
+ * Allow fetchmail_t to read usr_t for certificates and to create /tmp files
+ * Allow cron jobs to write to crond_tmp_t
+ * Label courier socket files as courier_var_run_t
+ * Run /usr/sbin/authdaemond as courier_authdaemon_t
+ * Allow dkim_milter_t to read proc_t files and create /tmp files
+ * Allow dovecot domains to search dovecot_etc_t dirs
+ * Allow dovecot_auth_t to talk to mysqld via TCP and read /etc/mysql/my.cnf
+ * Label /etc/network/run as etc_t
+ * Label X as spamass_milter_var_run_t
+ * Remove unconfined_exec_t label from /usr/bin/qemu
+ Closes: #601686
+ * Label /usr/lib/apache2/mpm-*/apache2 as httpd_exec_t
+ Closes: #608291
+ * Allow nagios.pp to be installed without apache.pp
+ Closes: #587596
+ * Removed amavis.pp because it doesn't work and it's functionality is covered
+ by clamav.pp
+ Closes: #559860
+ * Allow mono_t to be in role unconfined_r
+ Closes: #540143
+
+ -- Russell Coker Sat, 08 Jan 2011 14:13:43 +1100
+
+refpolicy (2:0.2.20100524-4ubuntu1) natty; urgency=low
+
+ * Merge from debian unstable. Remaining changes:
+ - debian/control: drop "selinux" conflict (Debian bug 576598)
+
+ -- Bhavani Shankar Sun, 17 Oct 2010 19:29:51 +0530
+
+refpolicy (2:0.2.20100524-4) unstable; urgency=low
+
+ * Label /dev/vd* as fixed_disk_device_t, closes: #589997
+ * Remove mcskillall and mcsptraceall from unconfined_t, the sysadmin should
+ have unconfined_t:SystemLow-SystemHigh.
+
+ -- Russell Coker Mon, 26 Jul 2010 11:18:00 +1000
+
+refpolicy (2:0.2.20100524-3) unstable; urgency=low
+
+ * Give freshclam_t and clamd_t the same access WRT execmem.
+ * Install lvm.pp when dmsetup is installed.
+ * Add label for /usr/lib/udisks/udisks-daemon .
+ * Made devicekit.pp and ricci.pp not depend on consoletype.pp and don't
+ build consoletype.
+ * label /usr/lib/udisks/.* as bin_t
+ * label /etc/kde4 the same way as /etc/kde3.
+ * Escape the . in /etc/init.d/mount...
+ * Allow insmod_t the capability sys_admin.
+ * Label all of /etc/network/run/* as etc_runtime_t and allow udev_t to manage
+ such files.
+ * Label /etc/network/if-(up|down).d/postfix as initrc_exec_t so that udev
+ can reload Postfix and push the queue.
+ * Label /usr/lib/ConsoleKit(/.*)? as bin_t to avoid an error message on
+ graphical login.
+ * On initial install load module policykit.pp when policykit-1 is installed.
+ * label /lib/init/rw(/.*)? as var_run_t.
+ * label /var/run/xauth as xdm_var_run_t.
+ * label /var/run/motd as initrc_var_run_t.
+
+ -- Russell Coker Sat, 25 Jul 2010 09:39:00 +1000
+
+refpolicy (2:0.2.20100524-2ubuntu1) maverick; urgency=low
+
+ * Merge from debian unstable (LP: #607149). Remaining changes:
+ - debian/control: drop "selinux" conflict (Debian bug 576598).
+
+ -- Angel Abad Fri, 09 Jul 2010 06:30:26 +0100
+
+refpolicy (2:0.2.20100524-2) unstable; urgency=low
+
+ * Include tmpreaper in base policy as mountnfs-bootclean.sh and
+ mountall-bootclean.sh need to run as tmpreaper_t.
+ * Added a new mcsdeleteall attribute for tmpreaper_t so that it can
+ delete files and directories regardless of mcs level.
+ * Allow perdition netlink_route_socket access.
+ * Allow nrpe_t to execute sudo and search /var/spool
+ also don't audit capability sys_resource.
+ * Allow postfix_local_t to run sendmail for programs like vacation
+ * Make the milter module be loaded if the milter-greylist or spamass-milter
+ package is installed. Make spamassassin policy optional when using the
+ milter module.
+ * Added a bunch of fixes from git mostly trivial stuff but also allowed
+ bootloader_t to load modules, allowed kismet_t to search home directories,
+ * Don't allow cron daemon to search /var/lib/logrotate.
+ * Fixed a typo in gitosis.if
+ * Commented out the genfscon line in selinux.if for the includes directory,
+ now sepolgen-ifgen works without error.
+
+ -- Russell Coker Fri, 9 Jul 2010 09:47:00 +1000
+
+refpolicy (2:0.2.20100524-1ubuntu1) maverick; urgency=low
+
+ * Merge from debian unstable. Remaining changes: LP: #602199
+ - debian/control: drop "selinux" conflict (Debian bug 576598).
+
+ -- Bhavani Shankar Tue, 06 Jul 2010 14:26:53 +0530
+
+refpolicy (2:0.2.20100524-1) unstable; urgency=low
+
+ * New Upstream release. This version has had a good deal of testing for
+ server use but almost no testing for desktop use. The usual "Unstable"
+ disclaimers apply.
+
+ * Disable UBAC - see http://etbe.coker.com.au/2010/05/26/ubac-selinux-debian/
+ * Allow mount_t to read sysfs_t.
+ * Allow lvm_t to create semaphores.
+ * Allow mount_t and setfiles_t to read/write device_t chr_file.
+ * Allow udev to read sym-links in it's config directory.
+ * Allow vbetool_t to read inotify directories.
+ * Allow gpm_t self signull and signal access.
+
+ -- Russell Coker Tue, 29 Jun 2010 10:42:00 +1000
+
+refpolicy (2:0.2.20091117-3) unstable; urgency=low
+
+ * label Google Chrome as unconfined_execmem_exec_t
+ * Change the apache_content_template() macro to not define the type
+ httpd_$1_script_exec_t, now the caller must unconditionally define it and
+ can therefore use it in it's .fc file without making a .fc dependency.
+ * Allow setrans_t to read proc_t files.
+ * Allow pppd to load modules.
+ * Allow watchdog_t to read/write /dev/watchdog
+ * Allow rpcd_t getcap and setcap access.
+ * Allow insmod_t to mount a rpc_pipefs_t filesystem.
+ * Correctly label kdm.log.* pm-*log* aptitude*
+ * Allow consolekit_t to access pam console data.
+ * Correctly label consolekit scripts
+ * Allow mount_t to set the scheduling for kernel threads.
+
+ -- Russell Coker Tue, 18 May 2010 19:06:24 +1000
+
+refpolicy (2:0.2.20091117-2ubuntu1) maverick; urgency=low
+
+ * Merge from debian unstable. Remaining changes:
+ - debian/control: drop "selinux" conflict (Debian bug 576598).
+
+ -- Kees Cook Thu, 24 Jun 2010 14:26:07 -0700
+
+refpolicy (2:0.2.20091117-2) unstable; urgency=low
+
+ * Label /etc/gdm/Xsession, /etc/gdm/PostSession/* and /etc/gdm/PreSession/*
+ as xsession_exec_t.
+ * Label /usr/lib/dbus-1.0/dbus-daemon-launch-helper as dbusd_exec_t.
+ * Allow syslogd_t to read/write access to xconsole_device_t.
+ * Allow system_dbusd_t list access to inotifyfs.
+ * Allow udev to manage symlinks under /dev
+ * Treat devtmpfs the same way as tmpfs.
+ * Changed upstream to http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
+ * Allow iptables_t, insmod_t and mount_t to do module_request
+ * Use lib32 instead of lib64
+ Closes: #569297
+ * Make manage_lnk_file_perms allow write access for setting the timestamp.
+ * Use filesystem transitions for hugetlbfs_t.
+ * Label xenfs_t and allow xend etc to use it.
+ * Use lda_t for mail local delivery
+ * Allow udev to manage xenfs_t files, to write to etc_runtime_t (for ifstate),
+ and to load modules.
+ * Allow ifconfig to load modules.
+ * Made auth_domtrans_chk_passwd() specify dontaudit for shadow_t file open.
+
+ -- Russell Coker Mon, 22 Feb 2010 07:58:07 +1100
+
+refpolicy (2:0.2.20091117-1ubuntu1) lucid; urgency=low
+
+ * debian/control: drop "selinux" conflict for sane installation
+ in Ubuntu (Debian bug 576598).
+
+ -- Kees Cook Mon, 05 Apr 2010 13:03:23 -0700
+
+refpolicy (2:0.2.20091117-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Manoj Srivastava Thu, 19 Nov 2009 23:08:14 -0600
+
+refpolicy (2:0.2.20091013-1) unstable; urgency=low
+
+ * New upstream VCS snapshot
+ * Added modules: hddtemp, shorewall, kdump, gnomeclock, nslcd, rtkit,
+ seunshare (Dan Walsh); dkim (Stefan Schulze Frielinghaus); gitosis
+ (Miroslav Grepl); xscreensaver (Corentin Labbe)
+ * [dd26539]: [topic--urand-fix]: Fix issues related to
+ /dev/{urandom,console}
+ + Allow: load_policy_t, audisp_t, auditd_t, restorecond_t, portmap_t,
+ hwclock_t, auditctl_t, hostname_t, portmap_helper_t, ndc_t, mount_t,
+ dmidecode_t, getty_t, and setfiles_t to read /dev/urandom
+ + Allow: portmap_helper_t, insmod_t, ifconfig_t, setfiles_t and
+ portmap_t to read /dev/console
+ + Allow udev_t to access anon_inodefs_t
+ These changes take care of most of the problems encountered in recent
+ reference policy packages in Debian. Thanks to Russell Coker for the
+ fixes.
+
+ -- Manoj Srivastava Tue, 13 Oct 2009 15:29:54 -0500
+
+refpolicy (2:0.2.20090828-1) unstable; urgency=low
+
+ * New upstream snapshot.
+ - Deprecated the userdom_xwindwos_client_template().
+ * Modified the list of modules we build (added consolekit, and added a
+ dependency on consolekit to the devicekit policymodule. Turned off
+ ddcprobe, since it needs kudzu.
+ * Bug fix: "linking policy fails", thanks to Jonathan Nieder
+ (Closes: #544079).
+ * Bug fix: "linking policy fails (with a statement to file a bug)",
+ thanks to Philipp Kern (Closes: #543148).
+ * Bug fix: "module cvs appears to depend on module apache", thanks to
+ Russell Coker (Closes: #539855).
+ * Bug fix: "SELinux prevented console-kit-dae from using the terminal
+ /dev/tty0", thanks to Ritesh Raj Sarraf. We now have:
+ policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t)
+ This should allow access to all terms and ttys. (Closes: #515167).
+ * Bug fix: "SELinux is preventing pulseaudio from loading
+ /usr/lib/libFLAC.so.8.2.0 which requires text relocation", thanks to
+ Ritesh Raj Sarraf. /usr/lib/libFLAC\.so.* now has the context
+ system_u:object_r:textrel_shlib_t, so this should now work.
+ (Closes: #515166).
+ * [1ba2425]: nscd cache location changed from /var/db/nscd to
+ /var/cache/nscd. The nscd policy module uses the old
+ nscd cache location. The cache location changed with glibc 2.7-1,
+ and the current nscd does place the files in /var/cache/nscd/.
+ Bug fix: "nscd cache location changed from /var/db/nscd to
+ /var/cache/nscd", thanks to Sami Haahtinen (Closes: #506779).
+
+ -- Manoj Srivastava Fri, 28 Aug 2009 15:10:50 -0500
+
+refpolicy (2:0.2.20090818-1) unstable; urgency=low
+
+ * New upstream snapshot, with a number of improvements.
+ - Misc Gentoo fixes from Corentin Labbe.
+ - Debian policykit fixes from Martin Orr.
+ - Fix unconfined_r use of unconfined_java_t.
+ - Add missing x_device rules for XI2 functions, from Eamon Walsh.
+ - Add missing rules to make unconfined_cronjob_t a valid cron job domain.
+ - Add btrfs and ext4 to labeling targets.
+ - Fix infrastructure to expand macros in initrc_context when installing.
+ - Handle unix_chkpwd usage by useradd and groupadd.
+ - Add missing compatibility aliases for xdm_xserver*_t types.
+
+ -- Manoj Srivastava Wed, 26 Aug 2009 16:31:37 -0500
+
+refpolicy (2:0.2.20090730-2.1) unstable; urgency=low
+
+ * Build policykit policy and default to loading it when the policykit
+ package is installed.
+ * Default to loading the consolekit module when the consolekit package is
+ installed.
+
+ -- Russell Coker Wed, 26 Aug 2009 18:55:23 +1000
+
+refpolicy (2:0.2.20090730-2) unstable; urgency=low
+
+ * Bug fix: "selinux policy violation "Unknown" fo rs2ram
+ (hald_t)", thanks to Ritesh Raj Sarraf. This has been fixed for a
+ while, but I only just tested it. (Closes: #515566).
+ * Re-enable building in parallel. The current statge should be
+ friendlier to jobserver mode, disabling which causewd all the issues
+ with the previous state.
+
+ -- Manoj Srivastava Sat, 22 Aug 2009 19:47:20 -0500
+
+refpolicy (2:0.2.20090730-1) unstable; urgency=low
+
+ * New upstream release.
+ * Updated the location of dovecot's configuration files.
+ * Bug fix: "dovecot's etc files are in unexpected location", thanks
+ to Frank Engler (Closes: #517712).
+ * Fixed rules to note that parallel=N fails.
+ * Bug fix: "FTBFS: tmp/rolemap.conf":2194:ERROR 'syntax
+ error' at token 'genfscon' on line 704548:", thanks to
+ Lucas Nussbaum (Closes: #536899).
+ * Bug fix: "dpkg-buildpackage -j2 fails on AMD64", thanks to Russell
+ Coker (Closes: #538789).
+
+ -- Manoj Srivastava Sun, 09 Aug 2009 15:03:37 -0500
+
+refpolicy (2:0.0.20090629-1) unstable; urgency=low
+
+ * New upstream snapshot.
+ * [82f63f3]: Removed the lda policy package. There were a number of
+ reasons for doing so: this package was created in order to deal with
+ local mail delivery in Debian, and has not been adopted upstream. I
+ would like to remove the divergence from upstream policy, and not
+ maintian it. so that was incentive. Also, upstream policy for
+ mail-related packages has been improved in the meanwhile, and the lda
+ package was conflicting with some of the changes, so that was added
+ reason for it to go.
+
+ -- Manoj Srivastava Mon, 29 Jun 2009 02:14:30 -0500
+
+refpolicy (2:0.0.20090621-1) unstable; urgency=low
+
+ * New upstream snapshot.
+ - Greylist milter from Paul Howarth.
+ - Crack db access for su to handle password expiration, from Brandon Whalen.
+ - Misc fixes for unix_update from Brandon Whalen.
+ - Add x_device permissions for XI2 functions, from Eamon Walsh.
+ - MLS constraints for the x_selection class, from Eamon Walsh.
+ - Postgresql updates from KaiGai Kohei.
+ - Milter state directory patch from Paul Howarth.
+ - Add MLS constrains for ingress/egress and secmark from Paul Moore.
+ - Drop write permission from fs_read_rpc_sockets().
+ - Remove unused udev_runtime_t type.
+ - Patch for RadSec port from Glen Turner.
+ - Enable network_peer_controls policy capability from Paul Moore.
+ - Btrfs xattr support from Paul Moore.
+ - Add db_procedure install permission from KaiGai Kohei.
+ - Add support for network interfaces with access controlled by a Boolean
+ from the CLIP project.
+ - Several fixes from the CLIP project.
+ - Add support for labeled Booleans.
+ - Remove node definitions and change node usage to generic nodes.
+ - Add kernel_service access vectors, from Stephen Smalley.
+ - Added modules:
+ certmaster (Dan Walsh)
+ git (Dan Walsh)
+ gpsd (Miroslav Grepl)
+ guest (Dan Walsh)
+ ifplugd (Dan Walsh)
+ lircd (Miroslav Grepl)
+ logadm (Dan Walsh)
+ pingd (Dan Walsh)
+ psad (Dan Walsh)
+ portreserve (Dan Walsh)
+ ulogd (Dan Walsh)
+ webadm (Dan Walsh)
+ xguest (Dan Walsh)
+ zosremote (Dan Walsh)
+
+ - Fix consistency of audioentropy and iscsi module naming.
+ - Debian file context fix for xen from Russell Coker.
+ - Xserver MLS fix from Eamon Walsh.
+ - Add omapi port for dhcpcd.
+ - Deprecate per-role templates and rolemap support.
+ - Implement user-based access control for use as role separations.
+ - Move shared library calls from individual modules to the domain module.
+ - Enable open permission checks policy capability.
+ - Remove hierarchy from portage module as it is not a good example of
+ hieararchy.
+ - Remove enableaudit target from modular build as semodule -DB supplants it.
+ - Added modules:
+ milter (Paul Howarth)
+ * Sync'd with Russell Coker
+
+ -- Manoj Srivastava Mon, 22 Jun 2009 02:42:42 -0500
+
+refpolicy (2:0.0.20081014-1) unstable; urgency=low
+
+ * New upstream release
+ - Fix httpd_enable_homedirs to actually provide the access it is
+ supposed to provide.
+ - Add unused interface/template parameter metadata in XML.
+ - Patch to handle postfix data_directory from Vaclav Ovsik.
+ - SE-Postgresql policy from KaiGai Kohei.
+ - Patch for X.org dbus support from Martin Orr.
+ - Patch for labeled networking controls in 2.6.25 from Paul Moore.
+ - Module loading now requires setsched on kernel threads.
+ - Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
+ - X application data class from Eamon Walsh and Ted Toth.
+ - Move user roles into individual modules.
+ - Make hald_log_t a log file.
+ - Cryptsetup runs shell scripts. Patch from Martin Orr.
+ - Add file for enabling policy capabilities.
+ - Patch to fix leaky interface/template call depth calculator from
+ Vaclav Ovsik.
+ - Added modules:
+ kerneloops (Dan Walsh)
+ kismet (Dan Walsh)
+ podsleuth (Dan Walsh)
+ prelude (Dan Walsh)
+ qemu (Dan Walsh)
+ virt (Dan Walsh)
+ * Updated the link to the shared copyright file.
+
+ -- Manoj Srivastava Sat, 14 Feb 2009 15:42:48 -0600
+
+refpolicy (2:0.0.20080702-16) unstable; urgency=low
+
+ * Allow system_dbusd_t to read /proc/X/cmdline so it knows the client name
+ * Label /usr/lib/gnome-vfs-2.0/gnome-vfs-daemon as bin_t
+ * Allow $1_gpg_t to read inotifyfs_t directories
+ * Allow user_t signull access to xdm_t for gdmflexiserver
+ * Fix the path for deliver in lda.fc
+ * Load lda.pp when dovecot-common is installed and dovecot.pp when other
+ dovecot packages are installed. Allow lda_t to use dovecot auth socket
+ * Allow dovecot_auth_t to create sockets labeled as dovecot_var_run_t,
+ also allow chown capability to apply correct ownership
+ * Label /usr/sbin/nrpe and allow it to search nagios_etc_t:dir, read etc_t
+ files, do setgid() and setuid(), create a pidfile, bind to port 5666, stat
+ filesystems, get a list of processes, and check mysql and postgresql
+ databases.
+ * Make mail_spool_t a filesystem_type.
+ * Allow snmpd_t capabilities setuid and chown
+ * Allow xdm_xserver_t to send dbus messages to unconfined_t
+ * Allow postfix_cleanup_t shutdown access to a postfix_smtpd_t
+ unix_stream_socket
+ * Allow clamd_t access to inherit it's own fds.
+ * Enable the watchdog policy in the build.
+ * Grant capability ipc_lock to dpkg_t
+
+ -- Russell Coker Wed, 13 May 2009 09:13:38 +1000
+
+refpolicy (2:0.0.20080702-15) unstable; urgency=low
+
+ * Gave every domain that has process:setcap access also have process:getcap.
+ * Set the type of /etc/network/run/ifstate to etc_runtime_t and allow
+ udev_t to write to it.
+ * allow apt_t to manage directories of type apt_var_log_t
+ * allow initrc_t postfix_etc_t:file ioctl;
+ * allow postfix_showq_t to be used from user roles.
+ * allow postfix_virtual_t to connect to postfix_private_t sockets
+ * allow postfix_pipe_t to execute bin_t
+ * allow initrc_t udev_tbl_t:file unlink and device_t:dir rmdir
+ * allow the Courier POP server fill rw_file_perms access to courier_var_lib_t.
+ * allow jabberd_t to connect to jabber_interserver_port_t.
+ * allow fcrond to do all the funky things it desires.
+ * allow cupsd_t to read/write generic USB devices.
+ * allow webalizer to read /usr files (for GeoIP).
+ * Enable dovecot_t for daemon_access_unconfined_home
+ * dontaudit logrotate stating terminal devices.
+ * allow dpkg_t to set rlimit
+ * Label /var/lib/squirrelmail/data(/.*)? as httpd_squirrelmail_t.
+ * allow apmd_t to talk to hald_t via dbus.
+ * allow dovecot to connect to Mysql and PostgreSQL
+ * label most /usr/lib/dovecot/* files as bin_t
+ * Added new "lda" module for email local delivery agents such as maildrop
+ and procmail and don't build procmail.pp any more.
+ * Label /var/run/xauth/* as xdm_var_run_t.
+ * Label /var/run/openvpn.client* as openvpn_var_run_t.
+ * Make /var/log/?dm.log.* files get the type xserver_log_t
+ * Make /var/log/aptitude* files get the type apt_var_log_t
+ * Make /var/run/gdm_socket get the type xdm_var_run_t
+ * Labelled the entrypoint scripts under /etc/gdm as xsession_exec_t
+ * Fixed Debian labelling for atspool
+ * allow openvpn_t to access var_lib_t and usr_t files for vulnkey.
+ * allow user domains to access the xdm socket of type xdm_var_run_t for
+ switch user.
+ * allow unconfined_t to transition to system_dbusd_t.
+ Closes: #498965
+
+ -- Russell Coker Wed, 04 Mar 2009 23:10:14 +1100
+
+refpolicy (2:0.0.20080702-14.1) unstable; urgency=low
+
+ * Fix FTBS problems when building in parallel, by moving to the new,
+ make -j friendly targets in debian/rules. These rules have been tested
+ in several packages, and have been tested often with
+ "fakeroot make -j4 -f ./debian/rules binary".
+ * Updated the VCS-* variables in control to point to the git repo.
+
+ -- Manoj Srivastava Wed, 07 Jan 2009 11:58:44 -0600
+
+refpolicy (2:0.0.20080702-14) unstable; urgency=high
+
+ * Allow noatsecure for Xen domains so that LD_PRELOAD will work across
+ a domain transition. Also dontaudit searching of the sysadm home dir
+ and allow xend_t to manage xenstored_var_run_t.
+ Allow losetup (fsadm_t) and udev access to Xen image files
+ * Add support for Exim.
+ * Add support for Jabber, including adding the epmd_t domain for the Erlang
+ Port Mapper Daemon (used by ejabberd). Label port 5280 as being for Jabber
+ (the ejabberd web administration service) and port 7777 (SOCKS5
+ Bytestreams (XEP-0065) for proxy file transfer).
+ * Allow cron to search httpd_sys_content_t
+ * Dontaudit logrotate search access to unconfined_home_dir_t.
+ * Fixed labelling of /var/lock/mailman
+ * Allow courier_pop_t to read /dev/urandom and to do ioctl on it's fifos.
+ Also allow it to talk to portmap so the IMAP server can do FAM.
+
+ -- Russell Coker Mon, 27 Oct 2008 23:01:33 +1100
+
+refpolicy (2:0.0.20080702-13) unstable; urgency=high
+
+ * Allow spamd_t to create a Unix domain socket.
+ * Allow clamd_t to read files under /usr (for Perl).
+ Allow it to connect to amavisd_send_port_t.
+ Allow it to talk to itself by unix stream sockets and bind to UDP nodes.
+ Closes: #502274
+ * Allow logrotate_t to transition to webalizer_t for web log processing.
+ * Allow initrc_t to create fixed_disk_device_t nodes under var_run_t,
+ for the case where /etc/fstab has an error regarding the root fs.
+ * Use the Lenny paths for xm, xend, xenstored, and xenconsoled.
+ Add some extra permissions that Xen needs.
+
+ -- Russell Coker Tue, 21 Oct 2008 00:36:00 +1100
+
+refpolicy (2:0.0.20080702-12) unstable; urgency=low
+
+ * Allow procmail to deliver mail to the unconfined home directories if
+ daemon_access_unconfined_home is set.
+ * Add the audioentropy module for use with the randomsound package.
+ * Allow spamd_t the kill capability.
+ * Make the default range for MCS __default__ users be s0-s0:c0.c1023,
+ this fixes a problem with restarting daemons after logging in as non-root
+ and running "su -".
+
+ -- Russell Coker Tue, 07 Oct 2008 13:17:01 +1100
+
+refpolicy (2:0.0.20080702-11) unstable; urgency=high
+
+ * Create new interface crond_search_dir() and use it to allow crond_t to
+ search clamd_var_lib_t for amavis cron jobs.
+ * Allow postfix_cleanup_t to talk to dkim for signing local messages.
+ * Allow freshclam_t to read the routing table and talk to http_cache_port_t.
+ * Allow clamd_t to search bin_t and read bin_t links.
+ * Allow clamd_t to search postfix_spool_t for creation of Unix domain socket
+ in the sub-directory, this is ugly and a little bit wrong but makes it
+ easier to configure Postfix.
+ * Allow semanage_t (for setsebool and semodule) to call statfs().
+ * Add Asterisk policy module, and grant setcap access.
+ * Copy the Fedora 10 cron changes to reduce the policy size.
+ Allow user_t to send sigchld to user_crontab_t and to write to
+ user_crontab_tmp_t files. Necessary for full functionality!
+
+ -- Russell Coker Sat, 27 Sep 2008 18:52:00 +1000
+
+refpolicy (2:0.0.20080702-10) unstable; urgency=low
+
+ * Allow mailserver local delivery agent to manage_file_perm access to
+ mail_spool_t
+ Closes: #499218
+ * Build a module for xen, and make lvm support optional in it.
+ * Make the postinst link the xen, lvm, and pcmcia modules if appropriate.
+ * Added the clamav module to the policy.
+ * Wrote a new DKIM module.
+ * Allowed crontab to create directories under /tmp.
+ * Made unconfined_crond_t an alias for unconfined_t and made unconfined cron
+ jobs work.
+ * Built the NAGIOS module and include the suggested change from #493979.
+ NB I won't have time to do any testing of this so someone else will need
+ to deploy it on a fully functional NAGIOS system.
+ Closes: #493979
+
+ -- Russell Coker Fri, 19 Sep 2008 22:25:00 +1000
+
+refpolicy (2:0.0.20080702-9) unstable; urgency=low
+
+ * Allow the Postfix newaliases to create new /etc/aliases.db file so that
+ the postinst for Postfix can work.
+ * The last update broke unconfined_mail_t for systems not running postfix,
+ fixing that (thanks Martin Orr).
+ Closes: #499064
+ * Fix a check for syslogd being executable by logrotate (thanks Václav Ovsk).
+ Closes: #496809
+
+ -- Russell Coker Tue, 16 Sep 2008 20:42:00 +1000
+
+refpolicy (2:0.0.20080702-8) unstable; urgency=low
+
+ * Made the postinst faster on machines with small amounts of memory. 5%
+ improvement on AMD64 with 64M of RAM. Not sure how much benefit it might
+ give for a NSLUG.
+ * Allowed dictd to create pid file.
+ * Allowed mcstransd to getcap.
+ * Revert part of the change from 2:0.0.20080702-7, we don't want /etc/init.d
+ scripts running as run_init_t.
+ Closes: #498965
+ * Makes Postfix work correctly.
+ Closes: #473043
+ * Allow $1_mail_t to read proc_t:file (for Postfix).
+
+ -- Russell Coker Fri, 12 Sep 2008 10:51:01 +1000
+
+refpolicy (2:0.0.20080702-7) unstable; urgency=low
+
+ * Polish updates, added labelling for /lib/udev/create_static_nodes,
+ /var/log/prelink.log, and corrected labelling for /var/run/kdm
+ * Made Postfix work with unconfined_t.
+ * Made spamass-milter run in the spamd_t domain, and allow postfix_smtpd_t
+ to talk to it.
+ * Labelled /var/cache/sqwebmail and allowed courier_sqwebmail_t to access it.
+ Also allowed courier_sqwebmail_t to access /dev/urandom.
+ * Allowed courier-pop and apache to access unconfined home directories.
+ * Changed the policy for /var/cache/ldconfig to match upstream.
+ * Allowed unconfined_t to run run_init.
+
+ -- Russell Coker Wed, 10 Sep 2008 11:10:00 +1000
+
+refpolicy (2:0.0.20080702-6) unstable; urgency=low
+
+ * Made it build-depend on policycoreutils 2.0.49 and checkpolicy 2.0.16.
+ Closes: #494234
+ * Made xserver.pp be loaded whenevedr xbase-clients is installed so that
+ /tmp/.ICE-unix gets the right context.
+ * Policy updates, allowed rsyslogd to work correctly
+ Allow gpg to read/write user files under /tmp
+ Set the context of /var/run/portmap_mapping and /var/cache/ldconfig
+ Allow users to read symlinks under /var/lib (for python)
+ Make udev_t transition when running initrc_exec_t.
+ Changed the type of /var/init/rw to var_run_t
+ Changed r_dir_perms to list_dir_perms and r_file_perms to read_file_perms
+ to avoid warnings.
+ Changed read_file_perms to read_lnk_file_perms for lnk_file class.
+ Set the contexts for /var/run/hotkey-setup, /var/run/motd, /var/run/kdm/*,
+ and /var/lib/gdm/*
+ Dontaudit logrotate_t trying to write initrc_var_run_t.
+
+ -- Russell Coker Wed, 13 Aug 2008 08:20:08 +1000
+
+refpolicy (2:0.0.20080702-5) unstable; urgency=low
+
+ * Allow unconfined_r to transition to system_r.
+
+ -- Russell Coker Tue, 29 Jul 2008 18:02:33 +1000
+
+refpolicy (2:0.0.20080702-4) unstable; urgency=low
+
+ * Policy updates.
+ * Depend on libsepol1 version 2.0.30-2.
+
+ -- Russell Coker Tue, 29 Jul 2008 15:16:46 +1000
+
+refpolicy (2:0.0.20080702-3) unstable; urgency=low
+
+ * More policy fixes.
+ * Made it build-depend and depend on libsepol1 (>=2.0.30-2)
+ Closes: #492318
+ * Made it automatically change the SELINUXTYPE if the old value is obsolete
+ and the policy was linked successfully.
+
+ -- Russell Coker Sat, 26 Jul 2008 10:01:00 +1000
+
+refpolicy (2:0.0.20080702-2) unstable; urgency=low
+
+ * Made the mls package extra and made some other packages optional.
+ Closes: #490760
+ * Merged some patches from older policy packages.
+
+ -- Russell Coker Sun, 20 Jul 2008 16:48:19 +1000
+
+refpolicy (2:0.0.20080702-1) unstable; urgency=low
+
+ * Update to latest upstream and take over the package as Manoj seems busy
+ on other things.
+ * Change the policy package names to selinux-policy-default and
+ selinux-policy-mls. Made selinux-policy-default do strict and targeted
+ (targeted by default).
+ * Optimise module loading to halve postinst time.
+ * Depend on the latest policycoreutils (which sets the right default in
+ /etc/selinux/config).
+
+ -- Russell Coker Sun, 13 Jul 2008 12:49:00 +1000
+
+refpolicy (0.0.20080314-1) unstable; urgency=low
+
+ * New upstream SVN HEAD
+ - Add wireshark module based on ethereal module.
+ - Revise upstart support in init module to use a tunable, as upstart is now
+ used in Fedora too.
+ - Add iferror.m4 rather generate it out of the Makefiles.
+ - Definitions for open permisson on file and similar objects from Eric
+ Paris.
+ - Apt updates for ptys and logs, from Martin Orr.
+ - RPC update from Vaclav Ovsik.
+ - Exim updates on Debian from Devin Carrawy.
+ - Pam and samba updates from Stefan Schulze Frielinghaus.
+ - Backup update on Debian from Vaclav Ovsik.
+ - Cracklib update on Debian from Vaclav Ovsik.
+ - Label /proc/kallsyms with system_map_t.
+ - 64-bit capabilities from Stephen Smalley.
+ - Labeled networking peer object class updates.
+ * refpolicy includes an Exim policy, but did not install it on a fresh
+ refpolicy installation, because the module package is exim.pp, while
+ Debian calls its exim package 'exim4'. Thanks to Devin Carraway for
+ the heavy lifting. Closes: #465208
+ * Bug fix: "selinux-policy-refpolicy-dev: Installed build.conf specifies
+ MCS build type", thanks to Devin Carraway. Closes: #465215
+ * Bug fix: "newer policycoreutils required", thanks to Max Kellermann
+ Closes: #469123
+ * The latest set of packages also seem to resolve the consolekit
+ issues. Bug fix: "consolekit gives error messages when running with SELinux
+ enabled", thanks to Ritesh Raj Sarraf. Closes: #463995
+ * Bug fix: "selinux-policy-refpolicy-targeted: descriptions seems to
+ misplace '.' to split paragraphs (debian/control)", thanks to
+ Felipe Augusto van de Wiel (faw). Closes: #466638,#466978
+
+ -- Manoj Srivastava Wed, 19 Mar 2008 18:27:23 -0500
+
+refpolicy (0.0.20071214-1) unstable; urgency=low
+
+ * New upstream release. This has updated policy for ssh, which
+ Closes: #433972
+ * The new policy also permits postfix to read files on anon_inodefs file
+ systems, which then Closes: #435497
+ * Allow use of wildcards when trying to map package names to policy
+ modules. Thanks to Vaclav Ovsik for the heavy lifting. Closes: #427906
+ * Debian puts hpssd.py in /usr/lib -- not /usr/share. Thanks to Frodo
+ Looijaard. Closes: #443177
+ * Alsa needs changes in file context as well. Thanks to Martin Orr
+ for pointing this out. Closes: #428464
+ * Allow apache to read munin files. Thanks to Vesa-Pekka Palmu for
+ pointing this out. Closes: #433886
+ * Fix targeted policies priority in control file. Thanks to Stas
+ Myasnikov for pointing this out. Closes: #447253
+ * Several files in /usr/lib/cups/backend are hard links to files in
+ /usr/lib/cups/backend-available. In the cups.fc, only the files in
+ backend are tagged with the cupsd_exec_t, so the files in
+ backend-available are tagged with lib_t. This results in somewhat
+ undefined behaviour: depending on the order of directory traversal the
+ files are tagged with either lib_t or cupsd_exec_t. Thanks to Frodo
+ Looijaard. Closes: #442898
+ * selinux-policy-refpolicy-dev now also depends on make and m4, since
+ those are required to actually build policy. Thanks to Erik
+ Johansson. Closes: #449203
+ * Similarly, the source package recommends make and gcc, since those
+ are needed to build policy. Closes: #436211
+ * The bug mentioned in 437139 does not exist in the new policy. A
+ versioned close will allow the bug to remain open for Etch.
+ Closes: #437139
+ * The duplicate declaration of system_chkpwd_t does not appear to be in
+ the sources, based in a find/grep. Closes: #463818
+ * There was a spurious + sign in policy/modules/kernel/devices.if.
+ Thanks to Frans Pop for pointing this out. Closes: #438887
+
+ -- Manoj Srivastava Sat, 09 Feb 2008 20:28:43 -0600
+
+refpolicy (0.0.20070507-5) unstable; urgency=low
+
+ * Allow users to read the dpkg database. With this change, every user
+ of the strict policy now has access to dpkg-checkbuildeps, grep-dctrl,
+ etc, which was not the case previously.
+ * Change the example localStrict.te policy file to silently ignore apt
+ searching for something in /var/lib. With this example policy loaded
+ in my strict policy UML virtual machine, I can compile packages in
+ enforcing mode. Based on advice on the mailing list, allow more things
+ to access /selinux
+ * Merge in changes from Russell Coker. These include a better fix for
+ /lib.init/rw.
+
+ -- Manoj Srivastava Fri, 18 May 2007 00:34:07 -0500
+
+refpolicy (0.0.20070507-4) unstable; urgency=low
+
+ * Allow apt to run update by giving r_netlink_socket_perms to
+ self:netlink_route_socket.
+ * Allow apt/aptitude to update, and install files
+ - Added an interface to apt.if allow silently ignoring processes that
+ attempt to use file descriptors from apt.
+ - Bump the apt policy module version number, since we have added to
+ the interface.
+ - Added some stuff to dpkg.te to allow debconf .config file
+ interactions back to the user
+ - Add an optional dontaudit rule to libraries.te to allow
+ apt-get/aptitude to install packages silently.
+ * Very early in boot, /lib/init/rw is created as a mandatory tmpfs for
+ state information. Label that directory as initrc_tmp_t to allow
+ mount.te to be permitted to mount a tmpfs there.
+ * In init.te, allow /etc/network/if-up.d/mountnfs to create
+ /var/run/network/mountnfs as a poor mans lock.
+
+ -- Manoj Srivastava Fri, 11 May 2007 00:55:07 -0500
+
+refpolicy (0.0.20070507-3) unstable; urgency=low
+
+ * Add hostfs as a recognized remote file-system. This should allow a
+ UML virtual machine to function in a fully enforcing mode.
+
+ -- Manoj Srivastava Wed, 9 May 2007 15:48:26 -0500
+
+refpolicy (0.0.20070507-2) unstable; urgency=medium
+
+ * Keep track of modules that are really built into the base policy in
+ Debian. We then use this list to remove the modules .pp files from
+ the policy shipped, since they can not be installed along with the
+ base policy anyway. Make sure we don't add such modules hen
+ considering module dependencies either.
+ * Added Module ricci to modules.conf for both strict and targeted.
+
+ -- Manoj Srivastava Mon, 7 May 2007 09:07:36 -0500
+
+refpolicy (0.0.20070507-1) unstable; urgency=low
+
+ * New upstream SVN HEAD.
+ - Miscellaneous consolekit fixes from Dan Walsh.
+ - Patch to have avahi use the nsswitch interface rather than individual
+ permissions from Dan Walsh.
+ - Patch to dontaudit logrotate searching avahi pid directory from Dan
+ Walsh.
+ - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t
+ pipes to handle usage from userhelper from Dan Walsh.
+ - Patch to allow amavis to read spamassassin libraries from Dan Walsh.
+ - Patch to allow slocate to getattr other filesystems and directories
+ on those filesystems from Dan Walsh.
+ - Fixes for RHEL4 from the CLIP project.
+ - Replace the old lrrd fc entries with munin ones.
+ - Move program admin template usage out of
+ userdom_admin_user_template() to sysadm policy in userdomain.te to
+ fix usage of the template for third parties.
+ - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
+ template instead of an interface.
+ - Added modules: rwho (Nalin Dahyabhai)
+ * Updated dependencies, since this refpolicy needs newer toolchain,
+
+ -- Manoj Srivastava Mon, 7 May 2007 01:47:44 -0500
+
+refpolicy (0.0.20070417-1) unstable; urgency=low
+
+ * New upstream release.
+ * Added XS-VCS-Arch and XS-VCS-Browse to debian/control, and updated
+ build dependencies.
+ * Bug fix: "selinux-policy-refpolicy-targeted: need file_contexts for
+ gcj-dbtool-4.1 and /var/log/account", thanks to Russell Coker
+ (Closes: #416910).
+
+ -- Manoj Srivastava Thu, 19 Apr 2007 02:28:29 -0500
+
+refpolicy (0.0.20061018-5) unstable; urgency=high
+
+ * Add policy for log and lock files for aptitude. This is needed for
+ proper function; so one does not need to go into permissive mode to
+ run aptitude. Stolen from Erich. This is a low risk change.
+ * Debian puts grub in /usr/sbin/grub. Reflect that in the initial file
+ context.
+ * Debian creates /dev/xconsole independently of whether or not a xserver
+ has been installed or not. So move the policy related to /dev/sconsole
+ out of the xserver policy, and into places where relevant (init.te,
+ logging.fc), to reflect the status that /dev/console is present
+ anyway.
+ * Add support for /etc/network/run and /dev/shm/network, which seem to
+ be Debian specific as well.
+ * Allow udev to manage configuration files.
+
+ -- Manoj Srivastava Fri, 9 Mar 2007 00:22:19 -0600
+
+refpolicy (0.0.20061018-4) unstable; urgency=low
+
+ * Bug fix: "selinux-policy-refpolicy-targeted: does not suggest a way to
+ fix the 'maybe failing' attempt in postinst", thanks to Eddy Petrisor.
+ While this does not belong in the postinst, I have addedthis to the
+ README.Debian file. This should be a low risk change. (Closes: #407691).
+ * Bug fix: "Default build.conf doesn't match default strict/targeted
+ policy", thanks to Stefan.The build.conf included in the reference
+ source policy describe to build a policy of the type "strict". The
+ default binary policies coming with Debian are build with the policy
+ type "strict-mcs" or "targeted-mcs". Change the build.conf shipped in
+ source to conform to what we really use. (changes TYPE=strict to
+ TYPE=strict-mcs, very low risk change. (Closes: #411256).
+ * Bug fix: "selinux-policy-refpolicy-targeted: openvpn policy do not
+ allow tcp connection mode", thanks to Rafal Kupka. This bug really
+ should be at least important, and we should fully support a class of
+ security product like OpenVPN on machines which are running SELinux,
+ and this is a very low risk change. (Closes: #409041).
+ * Install header files required for policy building for both strict and
+ targeted policies in a new -dev package, so it becomes really useful
+ to work with the source package. Moved the examples from the -src
+ package to this new -dev package, since the example is only useful in
+ with the headers provided. This is a new package, but it contains only
+ files already in the sources (No upstream changes at all), and is the
+ result of make install-headers. This new package has no rdepends, and
+ should be a very low risk addition to Debian.
+ * This release should be a whole lot better for building local policies,
+ including the policygentool for creating a new policy from scratch,
+ and ability to build local policy modular packages. The build.conf
+ files have been cleaned up, and the source policy defaults to targeted
+ policy, which is standard in Debian, as opposed to the strict policy,
+ which has priority optional.
+
+ -- Manoj Srivastava Mon, 26 Feb 2007 22:37:17 -0600
+
+refpolicy (0.0.20061018-3) unstable; urgency=high
+
+ * Bug fix: "refpolicy: FTBFS: /bin/sh: debian/stamp/config-strict: No
+ such file or directory", thanks to Lucas Nussbaum. This was fixed by
+ moving all the stamps into ./debian instead. I'll re-visit the
+ ./debian/stamp/ directory in lenny. This is a pretty minor packaging
+ change. (Closes: #405613).
+ * Bug fix: "selinux-policy-refpolicy-targeted: Policy for dcc misses
+ Debian's FHS paths", thanks to Devin Carraway. From the bug report:
+ Many of the files in these packages are overlooked when labelling
+ files, because refpolicy's dcc module stipulates paths not consistent
+ with the Debian FHS layout. The files go unlabelled and dcc-client
+ (at least) stops working. The two major problems are the references
+ to /usr/libexec/dcc (damons, placed in /usr/sbin by the Debian
+ packages) and to /var/dcc (all sorts of things, placed under
+ /var/lib/dcc). A side effect of the latter is that dccifd_t and
+ probably others need search on var_lib_t, through which it must pass
+ to get to /var/lib/dcc. Fixed the policy; will send upstream.
+ (Closes: #404309).
+ * Bug fix: "selinux-policy-refpolicy-targeted: clamav policy forbids
+ clamd_t search on /var/lib", thanks to Devin Carraway. This is a
+ simple one line change, and obviously an oversight; I think getting
+ clamd to work is fairly important. (Closes: #404895).
+ * Bug fix: "selinux-policy-refpolicy-targeted: Multiple problems with
+ courier policy", thanks to Devin Carraway. There is detailed
+ information of the changes made in the bug report, and in the commit
+ logs. Again, fixing courier daemons seems pretty important; SELinux
+ tends to get used a lot on remote mail servers, and this fixes issues
+ with the policy. (Closes: #405103).
+
+ -- Manoj Srivastava Mon, 15 Jan 2007 13:20:30 -0600
+
+refpolicy (0.0.20061018-2) unstable; urgency=high
+
+ * The This update enables MCS for targeted and strict, uses 1024
+ categories (as Fedora uses - necessary for compatability). Please note
+ that enabling MCS categories is required for compatibility with
+ filesystems created on Fedora Core 5 and above, RHEL 5 and above, and
+ CentOS 5 and above. MCS categories is also a feature that we plan for
+ all future releases of SE Linux and does not have a nice upgrade path
+ - releasing etch without MCS will make things painful for SE Linux
+ users on the upgrade to lenny. This feature has been extensively
+ tested by Russel Coker and myself, and does not otherwise impact the
+ install.
+ * Allow semanage to use the initrd file descriptor in targeted policy.
+ * Fix a bug with restorecon.
+ * Bug fix: "refpolicy: qemu should have execmem permissions", thanks to
+ David Härdeman (Closes: #402293).
+
+ -- Manoj Srivastava Fri, 22 Dec 2006 10:33:22 -0600
+
+refpolicy (0.0.20061018-1) unstable; urgency=low
+
+ * New upstream release
+ * Updated copyright file with the new location of the sources, and added
+ a watch file.
+ * Bug fix: "selinux-policy-refpolicy-targeted: postinst package list
+ retrieval suggestion", thanks to Alexander Buerger. Thanks to the
+ provided suggestion, the selection of policy modules to install is not
+ only faster, it is actually correct :) (Closes: #388744).
+ * Bug fix: "Makefile for building policy modules?", thanks to Uwe
+ Hermann. Provided an intial version, may have bugs. (Closes: #389116).
+
+ -- Manoj Srivastava Tue, 24 Oct 2006 14:31:22 -0500
+
+refpolicy (0.0.20060911-2) unstable; urgency=low
+
+ * Fixed a typo in policy postinst that made all the policies reload at
+ every update.
+
+ -- Manoj Srivastava Tue, 12 Sep 2006 10:28:11 -0500
+
+refpolicy (0.0.20060911-1) unstable; urgency=low
+
+ * New upstream SCM HEAD.
+ * Synched with Erich Schubert
+ + Added first draft of python-support. You'll want to relabel these files.
+ + Build python-support and setroubleshoot modules
+ + Removed modules from guessing hintfile that are included in base.
+
+ * Bug fix: "Defaults should match the strict/targeted policy", thanks to
+ Uwe Hermann. Makde them match strict. (Closes: #386931).
+ * Bug fix: "selinux-policy-refpolicy-src: Duplicate entries in policy
+ files", thanks to Simon Richard Grint (Closes: #386909).
+ * Bug fix: "modules.conf vs. modules.conf.dist", thanks to Uwe Hermann
+ (Closes: #386887).
+ * Bug fix: "OUTPUT_POLICY and policy-version comments", thanks to Uwe
+ Hermann (Closes: #386930).
+ * Bug fix: "s/bzip2/gzip/?", thanks to Uwe Hermann (Closes: #386885).
+ * Bug fix: "selinux-refpolicy-src: include modules.conf files of strict
+ and targeted for -src package", thanks to Erich Schubert
+ (Closes: #386573).
+
+ -- Manoj Srivastava Mon, 11 Sep 2006 17:46:10 -0500
+
+refpolicy (0.0.20060907-3) unstable; urgency=low
+
+ * Updated a few more policy modules to latest versions for Debian.
+
+ -- Manoj Srivastava Fri, 8 Sep 2006 12:42:22 -0500
+
+refpolicy (0.0.20060907-2) unstable; urgency=low
+
+ * Update the module/package mapping.
+ * In the selinux-policy-refpolicy-src package, now ship the
+ modules.conf.strict and the modules.conf.targeted files which are used
+ to build the corresponding policy packages, snce the raw modules.conf
+ package has issues on Debian.
+ * With this version, we no longer ship the selinux-policy-refpolicy-src
+ unpacked into /etc with a gazillion conffiles; instead, we now ship a
+ compressed tarball in /usr/src, which the user may unpack where they
+ wish, and install policies as they wish.
+
+ -- Manoj Srivastava Fri, 8 Sep 2006 10:49:40 -0500
+
+refpolicy (0.0.20060907-1) unstable; urgency=low
+
+ * New upstream SCM HEAD.
+ * Bug fix: "selinux-policy-refpolicy-src: Compile failure of modular
+ targeted policy", thanks to Simon Richard Grint. Put a wrapper around
+ the offending lines to only take effect when running a strict policy.
+ (Closes: #384502).
+ * Bug fix: "make: /usr/sbin/setfiles: Command not found", thanks to Uwe
+ Hermann. Fixed upstream. (Closes: #384850).
+
+ -- Manoj Srivastava Fri, 8 Sep 2006 00:27:39 -0500
+
+refpolicy (0.0.20060813-2) unstable; urgency=low
+
+ * Bug fix: "Needs gawk", thanks to Simon Richard Grint
+ (Closes: #382821).
+ * Bug fix: "Move /etc/selinux/refpolicy/src/policy/man/man8/*
+ manpages?", thanks to Uwe Hermann (Closes: #372789).
+ * Fix errors in post installation initial policy creation process in the
+ postinst.
+ * Add directories required during policy build during postinst. This bug
+ prevented any policies being built when the package was initially
+ installed. Also, create an empty file_contexts.local file if it does
+ not already exist.
+ * Make selinux-policy-refpolicy-targeted provide and replace the
+ obsolete package selinux-policy-default; which should in the future be
+ just a virtual package.
+ * Added postrm packages to strict and targeted policy packages, in order
+ to clean out the directories in which files are created during policy
+ build.
+ * Rewrote the postinst in perl to allow us to do module dependency
+ checks, and to map policy modules to debian packages, in order to
+ better detect the modules that would be necessary for the target
+ machine.
+ * Also, compiling with either MCS or MLS produced errors while
+ installing policy, since we lack setrans daemon. So we are now
+ building with out them, created an easy to modify option to re-enable
+ it later.
+ * Updated modules.conf to use the latest offerings from Erich.
+
+ -- Manoj Srivastava Mon, 21 Aug 2006 14:59:52 -0500
+
+refpolicy (0.0.20060813-1) unstable; urgency=low
+
+ * New upstream SCM HEAD.
+ * Bug fix: "refpolicy: FTBFS: tmp/generated_definitions.conf:597:ERROR
+ 'syntax error' at token '' on line 3416:", thanks to Andreas Jochens
+ (Closes: #379559).
+ * Bug fix: "FTBFS while generating selinux-policy-refpolicy-strict",
+ thanks to Devin Carraway (Closes: #379376).
+ * Python transition (#2): you are building a private python module.
+ (Closes: #380930).
+
+ -- Manoj Srivastava Tue, 15 Aug 2006 09:53:06 -0500
+
+refpolicy (0.0.20060509-2) unstable; urgency=low
+
+ * Modified some paths to be more in line with upstream standards.
+
+ -- Manoj Srivastava Fri, 12 May 2006 08:30:08 -0500
+
+refpolicy (0.0.20060509-1) unstable; urgency=low
+
+ * New upstream release. First packaging for Sid.
+
+ -- Manoj Srivastava Tue, 9 May 2006 13:56:10 -0500
+
+refpolicy (20060506-1) sesarge; urgency=low
+
+ * New upstream checkout from CVS.
+ * Even more new modules.
+
+ -- Erich Schubert Sat, 6 May 2006 21:44:07 +0200
+
+refpolicy (20060418-2) sesarge; urgency=low
+
+ * New upstream checkout from CVS.
+
+ -- Erich Schubert Fri, 21 Apr 2006 19:17:05 +0200
+
+refpolicy (20060417-1) sesarge; urgency=low
+
+ * New upstream checkout from CVS.
+ * Until module linking is fixed, build everything into base.
+ (Sorry, this will result in a much larger policy than necessary.
+ Feel free to use the -src package to build your own!)
+
+ -- Erich Schubert Mon, 17 Apr 2006 21:04:49 +0200
+
+refpolicy (20060414-1) sesarge; urgency=low
+
+ * New upstream version with tons of new policy files
+
+ -- Erich Schubert Mon, 17 Apr 2006 20:48:50 +0200
+
+refpolicy (20060329-2) sesarge; urgency=low
+
+ * Merge upstream 20060329-2
+
+ -- Erich Schubert Mon, 3 Apr 2006 00:44:06 +0200
+
+refpolicy (20060324-2) sesarge; urgency=low
+
+ * Merge upstream 20060324-4
+
+ -- Erich Schubert Sat, 25 Mar 2006 03:34:36 +0100
+
+refpolicy (20060324-1) sesarge; urgency=low
+
+ * Merge upstream 20060323-2
+ * Merge changes by Thomas Bleher
+ * Build with checkpolicy 1.30.1
+ * Sorry, still doesn't work with make > 3.80
+
+ -- Erich Schubert Sat, 25 Mar 2006 02:21:00 +0100
+
+refpolicy (20060315-2) sesarge; urgency=low
+
+ * Make modular policy actually work. Hopefully.
+ (Up to now, optional_policy(`module') in base was not working upstream!)
+ * Revamp build process, don't use CDBS anymore since I didn't figure out
+ how to do two clean runs of the same source tree, and there is little
+ benefit here without any autotools or library magic needed
+
+ -- Erich Schubert Fri, 17 Mar 2006 20:51:55 +0100
+
+refpolicy (20060315-1.1) sesarge; urgency=low
+
+ * Small tweaks and bugfixes to policy
+
+ -- Erich Schubert Thu, 16 Mar 2006 23:13:40 +0100
+
+refpolicy (20060315-1) sesarge; urgency=low
+
+ * Merge with upstream and debian changes as of 20060309, rev 50
+ * Merge with upstream and debian changes as of 20060315, rev 55
+ * Added "netuser" role, similar to user_tcp_server boolean, but
+ you can enable it for single users only.
+
+ -- Erich Schubert Thu, 16 Mar 2006 00:23:54 +0100
+
+refpolicy (20060306-1) sesarge; urgency=low
+
+ * Merge with upstream and debian policy changes as of 20060306, Rev 31
+ * Try to auto-build a policy after a fresh install in postinst
+ * Add inetd module to base for now
+ * Increase policycoreutils build-dep to hopefully solve the users_extra
+ issues by using a newer policycoreutils for building...
+
+ -- Erich Schubert Mon, 6 Mar 2006 17:10:43 +0100
+
+refpolicy (20060227-1) sesarge; urgency=low
+
+ * Merge with upstream and debian policy changes as of 20060227, Rev 20
+
+ -- Erich Schubert Tue, 28 Feb 2006 03:48:48 +0100
+
+refpolicy (20060224-2) sesarge; urgency=low
+
+ * Update build process to not require a tarball, include previous
+ patches into our "branch" of the reference policy instead.
+
+ -- Erich Schubert Tue, 28 Feb 2006 03:13:51 +0100
+
+refpolicy (20060224-1) sesarge; urgency=low
+
+ * New upstream CVS checkout.
+ * Move policy src from /etc to /usr/share/selinux/refpolicy
+ This avoids an apt-get size limitation and follows Fedora.
+ * Ship edited build.conf with policy source.
+ * Use debhelper for installing documentation.
+ * Add dependency for source onto gawk.
+
+ -- Erich Schubert Sat, 25 Feb 2006 01:01:44 +0100
+
+refpolicy (20060222-1) sesarge; urgency=low
+
+ * New upstream CVS checkout.
+ * Thomas also provided a workaround for the make issues in his version.
+ * Update dpkg/apt policy to interface renamings
+ * Remove dpkg_script_exec_t, as supporting this would require bad hacks
+ to dpkg and/or tar. Use dpkg_var_lib_t instead.
+
+ -- Erich Schubert Thu, 23 Feb 2006 02:01:35 +0100
+
+refpolicy (20060217-3) sesarge; urgency=low
+
+ * Create selinux-policy-refpolicy-doc package
+ * DIRECT_INITRC=y
+
+ -- Thomas Bleher Mon, 20 Feb 2006 23:43:53 +0000
+
+refpolicy (20060217-2) sesarge; urgency=low
+
+ * Added first drafts of dpkg, apt policy
+
+ -- Erich Schubert Sat, 18 Feb 2006 03:20:59 +0100
+
+refpolicy (20060217-1) sesarge; urgency=low
+
+ * New upstream CVS checkout
+ * Document make incompaibility via build-dep
+ * Don't build some redhat specific policy modules, minor tweaks
+
+ -- Erich Schubert Tue, 14 Feb 2006 02:35:04 +0100
+
+refpolicy (20060213-1) sesarge; urgency=low
+
+ * New upstream CVS checkout.
+ * Still not really useable
+
+ -- Erich Schubert Tue, 14 Feb 2006 02:35:04 +0100
+
+refpolicy (20060117-1) sesarge; urgency=low
+
+ * Experimental release
+
+ -- Erich Schubert Mon, 13 Feb 2006 22:50:03 +0100
+
--- refpolicy-2.20110726.orig/debian/rules
+++ refpolicy-2.20110726/debian/rules
@@ -0,0 +1,65 @@
+#! /usr/bin/make -f
+############################ -*- Mode: Makefile; coding: utf-8 -*- ###########################
+## rules ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Fri Nov 14 12:33:34 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Tue Nov 18 17:46:22 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 70
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: 9a5063f4-1e20-4fff-b22a-de94c1e3d954
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+##
+###############################################################################
+
+# Include dpkg-architecture generated variables
+include debian/common/archvars.mk
+
+# Does not work with the upstream build system
+FAILS_PARALLEL_BUILD=parallel=N
+# Set variables with information extracted from control and changelog files
+include debian/common/pkgvars.mk
+
+# variables useful for perl packages
+include debian/common/perlvars.mk
+
+# Install commands
+include debian/common/install_cmds.mk
+
+include debian/local-vars.mk
+
+include debian/common/copt.mk
+
+include debian/common/automake.mk
+
+
+
+all:
+ @echo nothing to be done
+
+include debian/common/targets.mk
+
+include debian/local.mk
+
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-2.20110726.orig/debian/policygentool
+++ refpolicy-2.20110726/debian/policygentool
@@ -0,0 +1,300 @@
+#! /usr/bin/env python
+# Copyright (C) 2006 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# policygentool is a tool for the initial generation of SELinux policy
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+# arch-tag: 4c33ae23-a363-4ace-bae9-86fb8a792206
+import os, sys, getopt
+import re
+
+########################### Interface File #############################
+interface="""\
+## policy for TEMPLATETYPE
+
+########################################
+##
+## Execute a domain transition to run TEMPLATETYPE.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`TEMPLATETYPE_domtrans',`
+ gen_require(`
+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
+ ')
+
+ domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
+
+ allow $1 TEMPLATETYPE_t:fd use;
+ allow TEMPLATETYPE_t $1:fd use;
+ allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
+ allow TEMPLATETYPE_t $1:process sigchld;
+')
+"""
+
+########################### Type Enforcement File #############################
+te="""\
+policy_module(TEMPLATETYPE,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type TEMPLATETYPE_t;
+type TEMPLATETYPE_exec_t;
+domain_type(TEMPLATETYPE_t)
+init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+"""
+te_pidfile="""
+# pid files
+type TEMPLATETYPE_var_run_t;
+files_pid_file(TEMPLATETYPE_var_run_t)
+"""
+te_logfile="""
+# log files
+type TEMPLATETYPE_var_log_t;
+logging_log_file(TEMPLATETYPE_var_log_t)
+"""
+te_libfile="""
+# var/lib files
+type TEMPLATETYPE_var_lib_t;
+files_type(TEMPLATETYPE_var_lib_t)
+"""
+te_sep="""
+########################################
+#
+# TEMPLATETYPE local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(TEMPLATETYPE_t)
+libs_use_ld_so(TEMPLATETYPE_t)
+libs_use_shared_libs(TEMPLATETYPE_t)
+miscfiles_read_localization(TEMPLATETYPE_t)
+## internal communication is often done using fifo and unix sockets.
+allow TEMPLATETYPE_t self:fifo_file { read write };
+allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
+"""
+te_pidfile2="""
+# pid file
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
+"""
+te_logfile2="""
+# log files
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
+"""
+te_libfile2="""
+# var/lib files for TEMPLATETYPE
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir sock_file })
+"""
+te_network2="""
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
+corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
+corenet_tcp_connect_http_port(TEMPLATETYPE_t)
+#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
+## if it is a network daemon, consider these:
+#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
+#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
+allow TEMPLATETYPE_t self:tcp_socket { listen accept };
+"""
+te_initsc2="""
+# Init script handling
+init_use_fds(TEMPLATETYPE_t)
+init_use_script_ptys(TEMPLATETYPE_t)
+domain_use_interactive_fds(TEMPLATETYPE_t)
+"""
+
+########################### File Context ##################################
+fc="""\
+# TEMPLATETYPE executable will have:
+# label: system_u:object_r:TEMPLATETYPE_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
+"""
+fc_pidfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
+"""
+fc_logfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
+"""
+fc_libfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
+"""
+def errorExit(error):
+ sys.stderr.write("%s: " % sys.argv[0])
+ sys.stderr.write("%s\n" % error)
+ sys.stderr.flush()
+ sys.exit(1)
+
+
+def write_te_file(module, pidfile, logfile, libfile, network, initsc):
+ file="%s.te" % module
+ newte=re.sub("TEMPLATETYPE", module, te)
+ if pidfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
+ if logfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
+ if libfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
+ newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
+ if pidfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
+ if logfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
+ if libfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
+ if network:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
+ if initsc:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newte)
+ fd.close()
+
+def write_if_file(module):
+ file="%s.if" % module
+ newif=re.sub("TEMPLATETYPE", module, interface)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newif)
+ fd.close()
+
+def write_fc_file(module, executable, pidfile, logfile, libfile):
+ file="%s.fc" % module
+ temp=re.sub("TEMPLATETYPE", module, fc)
+ newfc=re.sub("EXECUTABLE", executable, temp)
+ if pidfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
+ newfc=newfc + re.sub("FILENAME", pidfile, temp)
+ if logfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_logfile)
+ newfc=newfc + re.sub("FILENAME", logfile, temp)
+ if libfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_libfile)
+ newfc=newfc + re.sub("FILENAME", libfile, temp)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newfc)
+ fd.close()
+
+def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
+ write_te_file(module, pidfile, logfile, libfile, initsc, network)
+ write_if_file(module)
+ write_fc_file(module, executable, pidfile, logfile, libfile)
+
+if __name__ == '__main__':
+ def usage(message = ""):
+ print '%s ModuleName Executable' % sys.argv[0]
+ sys.exit(1)
+
+ if len(sys.argv) != 3:
+ usage()
+
+ print """\n
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if). Most of the policy rules
+will be written in the te file. Use the File Context file to associate file
+paths with security context. Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+
+After generating these files use the /usr/share/selinux/POLICY-NAME/include/Makefile to
+compile your policy package. Then use the semodule tool to load it.
+
+# /usr/bin/policygentool myapp /usr/bin/myapp
+# echo 'HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include' >Makefile
+# echo 'include $(HEADERDIR)/Makefile' >> Makefile
+# make
+# semodule -l myapp.pp
+# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+
+Now you can turn on permissive mode, start your application and avc messages
+will be generated. You can use audit2allow to help translate the avc messages
+into policy.
+
+# setenforce 0
+# /etc/init.d/myapp start
+# audit2allow -R -i /var/log/audit/audit.log
+
+Return to continue:"""
+ sys.stdin.readline().rstrip()
+
+ print 'If the module uses pidfiles, what is the pidfile called?'
+ pidfile = sys.stdin.readline().rstrip()
+ if pidfile == "":
+ pidfile = None
+ print 'If the module uses logfiles, where are they stored?'
+ logfile = sys.stdin.readline().rstrip()
+ if logfile == "":
+ logfile = None
+ print 'If the module has var/lib files, where are they stored?'
+ libfile = sys.stdin.readline().rstrip()
+ if libfile == "":
+ libfile = None
+ print 'Does the module have a init script? [yN]'
+ initsc = sys.stdin.readline().rstrip()
+ if initsc == "" or initsc == "n" or initsc == "N":
+ initsc = False
+ elif initsc == "y" or initsc == "Y":
+ initsc = True
+ else:
+ raise "Please answer with 'y' or 'n'!"
+ print 'Does the module use the network? [yN]'
+ network = sys.stdin.readline().rstrip()
+ if network == "" or network == "n" or network == "N":
+ network = False
+ elif network == "y" or network == "Y":
+ network = True
+ else:
+ raise "Please answer with 'y' or 'n'!"
+
+ gen_policy(
+ module=sys.argv[1],
+ executable=sys.argv[2],
+ pidfile=pidfile,
+ logfile=logfile,
+ libfile=libfile,
+ initsc=initsc,
+ network=network
+ )
+
+
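Review bot: gen_policy passes `initsc` and `network` to write_te_file in the wrong order — write_te_file is declared `(module, pidfile, logfile, libfile, network, initsc)` but gen_policy calls `write_te_file(module, pidfile, logfile, libfile, initsc, network)`, so answering "y" to the init-script question emits the networking template and vice versa; `write_te_file(module, pidfile, logfile, libfile, network=network, initsc=initsc)` pins the mapping regardless of order. The two `raise "Please answer with 'y' or 'n'!"` statements use string exceptions, which Python 2.6+ rejects with a TypeError, so the user sees a traceback instead of the message; `errorExit("Please answer with 'y' or 'n'!")` matches how the rest of the script reports errors. Every `re.sub("TEMPLATETYPE", module, ...)` and `re.sub("FILENAME", pidfile, ...)` call uses the value from argv or stdin as a regex replacement template, so a backslash in it is interpreted rather than copied literally, and nothing checks that the module name is a valid policy identifier before it is spliced into the generated .te/.if/.fc source; a guard such as `if not re.match(r'^[A-Za-z_][A-Za-z0-9_]*$', module): errorExit("invalid module name")` at the top of gen_policy rejects malformed names before any file is written. The `os.path.exists(file)` check followed by `open(file, 'w')` is not atomic, which is acceptable for an interactive tool but worth a comment so it is not later copied into something that runs unattended.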
--- refpolicy-2.20110726.orig/debian/example.fc
+++ refpolicy-2.20110726/debian/example.fc
@@ -0,0 +1,8 @@
+# myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
+
+# arch-tag: 883e01c8-54bc-4083-83b5-61be97c970fb
--- refpolicy-2.20110726.orig/debian/Makefile.src
+++ refpolicy-2.20110726/debian/Makefile.src
@@ -0,0 +1,214 @@
+# arch-tag: 2d5f59a8-3b3b-4118-a3ef-4de1ea00d6e4
+# helper tools
+AWK ?= gawk
+INSTALL ?= install
+M4 ?= m4
+SED ?= sed
+EINFO ?= echo
+PYTHON ?= python
+
+NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
+
+include build.conf
+
+# executables
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+XMLLINT := $(BINDIR)/xmllint
+
+# set default build options if missing
+TYPE ?= strict
+DIRECT_INITRC ?= n
+POLY ?= n
+QUIET ?= y
+
+genxml := $(PYTHON) support/segenxml.py
+
+docs = doc
+polxml = $(docs)/policy.xml
+xmldtd = support/policy.dtd
+layerxml = metadata.xml
+
+globaltun = global_tunables.xml
+globalbool = global_booleans.xml
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+ M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+ M4PARAM += -D targeted_policy
+endif
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# enable polyinstantiation
+ifeq ($(POLY),y)
+ M4PARAM += -D enable_polyinstantiation
+endif
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+ verbose := @
+endif
+
+M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D mandatory_mcs
+
+# policy headers
+m4support = $(wildcard support/*.spt)
+all_layers = $(filter-out support,$(shell find $(wildcard *) -maxdepth 0 -type d))
+all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
+rolemap = rolemap
+
+detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+3rd_party_mods = $(wildcard *.te)
+detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
+detected_ifs = $(detected_mods:.te=.if)
+detected_fcs = $(detected_mods:.te=.fc)
+all_packages = $(notdir $(detected_mods:.te=.pp))
+
+vpath %.te $(detected_layers)
+vpath %.if $(detected_layers)
+vpath %.fc $(detected_layers)
+
+# if there are modules in the current directory, add them into the third party layer
+ifneq "$(3rd_party_mods)" ""
+ genxml += -3 .
+endif
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+ $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+ $(call parse-rolemap,$1,$2)
+ $(verbose) echo "')" >> $2
+
+ $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+ $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+ $(call parse-rolemap-compat,$1,$2)
+ $(verbose) echo "')" >> $2
+endef
+
+.PHONY: clean all xml load
+.SUFFIXES:
+.SUFFIXES: .pp
+# broken in make 3.81:
+#.SECONDARY:
+
+########################################
+#
+# Main targets
+#
+
+all: $(all_packages)
+
+xml: $(polxml)
+
+########################################
+#
+# Load module packages
+#
+load: $(all_packages)
+ @$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $(all_packages)))"
+ $(verbose) $(SEMODULE) $(foreach mod,$^,-i $(mod))
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
+ @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
+ @test -d tmp || mkdir -p tmp
+ $(call peruser-expansion,$(basename $(@F)),$@.role)
+ $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(m4support) %.fc
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
+ @test -d tmp || mkdir -p tmp
+ $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+# so users dont have to make empty .fc and .if files
+$(detected_ifs) $(detected_fcs):
+ @touch $@
+
+########################################
+#
+# Documentation generation
+#
+
+# minimal dependencies here, because we don't want to rebuild
+# this and its dependents every time the dependencies
+# change. Also use all .if files here, rather then just the
+# enabled modules.
+$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
+ @echo "Creating $@"
+ @mkdir -p doc
+ $(verbose) echo '' > $@
+ $(verbose) echo '' >> $@
+ $(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+########################################
+#
+# Clean the environment
+#
+
+clean:
+ rm -fR tmp
+ rm -f *.pp
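Review bot: The tmp/all_interfaces.conf rule invokes bare `m4` and `sed` instead of the `$(M4)` and `$(SED)` variables this file defines for exactly that purpose, so overriding those on the make command line silently does not apply to that one step; `$(verbose) $(M4) $^ | $(SED) -e s/dollarsstar/\$$\*/g > $@` keeps it consistent with the other rules. `CHECKPOLICY += -M` in the MLS and MCS blocks appends to a variable that is never defined or invoked anywhere in this file (only `$(CHECKMODULE)` is run), so it looks like a leftover from the monolithic build and can be dropped or documented. The unconditional `-D hide_broken_symptoms` on the M4PARAM line deserves a comment, since in upstream refpolicy that define enables dontaudit rules that suppress denials from known-broken applications; for a locally built module that can hide denials an administrator would otherwise want to see in the audit log while developing policy, so something like `# hide_broken_symptoms suppresses denials upstream considers harmless; remove it when diagnosing policy` would document the trade-off.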
--- refpolicy-2.20110726.orig/debian/example.mk
+++ refpolicy-2.20110726/debian/example.mk
@@ -0,0 +1,26 @@
+# installation paths
+
+AWK ?= gawk
+NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
+
+MLSENABLED := $(shell cat /selinux/mls)
+ifeq ($(MLSENABLED),)
+ MLSENABLED := 1
+endif
+
+ifeq ($(MLSENABLED),1)
+ MCSFLAG=-mcs
+endif
+
+ifeq ($(NAME), mls)
+ NAME = strict
+ MCSFLAG = -mls
+endif
+
+TYPE ?= $(NAME)${MCSFLAG}
+
+# This can also be changed to /usr/share/selinux/mls/include
+HEADERDIR := /usr/share/selinux/default/include
+include $(HEADERDIR)/Makefile
+
+# arch-tag: 56a0db1b-e624-4696-9882-9b7147b719f9
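Review bot: `MLSENABLED` falls back to `1` whenever `cat /selinux/mls` prints nothing, so on a host where selinuxfs is not mounted (a build chroot, or the failure case where `cat` reports only to stderr) the module is silently built with `-mcs` rather than reporting that the policy type could not be detected. `NAME` is likewise taken from `/etc/selinux/config`, so building on a differently configured host yields a module for the wrong policy type with no diagnostic; an `$(error cannot detect policy type, set TYPE explicitly)` when the detection is empty, or at least a comment stating that `TYPE` should be passed on the command line in that case, would make the fallback visible. `/selinux` is also the legacy selinuxfs mount point and newer kernels and distributions mount it at `/sys/fs/selinux`, so the default likely applies on them as well — worth confirming for the target release.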
--- refpolicy-2.20110726.orig/debian/global_booleans.xml
+++ refpolicy-2.20110726/debian/global_booleans.xml
@@ -0,0 +1,25 @@
+
+
+
+Enabling secure mode disallows programs, such as
+newrole, from transitioning to administrative
+user domains.
+
+
+
+
+
+
+Disable transitions to insmod.
+
+
+
+
+
+
+boolean to determine whether the system permits loading policy, setting
+enforcing mode, and changing boolean values. Set this to true and you
+have to reboot to set it back
+
+
+
--- refpolicy-2.20110726.orig/debian/localStrict.te
+++ refpolicy-2.20110726/debian/localStrict.te
@@ -0,0 +1,98 @@
+########################### -*- Mode: Fundamental -*- #########################
+## localStrict.te ---
+## Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+## Created On : Thu May 10 23:57:50 2007
+## Created On Node : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Mon Oct 29 11:57:13 2007
+## Last Machine Used: anzu.internal.golden-gryphon.com
+## Update Count : 5
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## This is a example local policy, which is used by the author to set
+## up am user mode linux virtual machine in enforcing mode using the
+## strict policy. With this policy module loaded, root can run
+## apt/aptitude/dpkg, install and remove packages, and mount a hostfs
+## filesystem.
+##
+## This .te file can be compiled with:
+## checkmodule -M -m -o localStrict.mod localStrict.te
+## semodule_package -o localStrict.pp -m localStrict.mod
+## And loaded into policy with:
+## semodule -i localStrict.pp
+##
+## arch-tag: b4a20d2d-3c47-40c3-bc8f-a6adc1f31250
+##
+###############################################################################
+
+module localStrict 1.0;
+
+require {
+ type apt_t;
+ type auditd_t;
+ type crond_t;
+ type fsadm_log_t;
+ type fsadm_t;
+ type initrc_t;
+ type mount_t;
+ type security_t;
+ type system_chkpwd_t;
+ type var_run_t;
+ class unix_stream_socket listen;
+ class file write;
+ class fd use;
+ class dir search;
+ class filesystem getattr;
+ class process setrlimit;
+}
+
+#============= apt_t ==============
+# src="apt_t" tgt="var_run_t" class="dir", perms="search"
+# comm="aptitude" exe="" path=""
+allow apt_t var_run_t:dir search;
+
+#============= auditd_t ==============
+# src="auditd_t" tgt="auditd_t" class="unix_stream_socket", perms="listen"
+# comm="audispd" exe="" path=""
+allow auditd_t self:unix_stream_socket listen;
+
+#============= crond_t ==============
+# Since cron policy explicitly did not give permission for this,
+# we should silence the audit messages.
+# src="crond_t" tgt="crond_t" class="process", perms="setrlimit"
+# comm="cron" exe="" path=""
+allow crond_t self:process setrlimit;
+
+##============= fsadm_t ==============
+# src="fsadm_t" tgt="security_t" class="filesystem", perms="getattr"
+# comm="fsck.ext3" exe="" path=""
+allow fsadm_t security_t:filesystem getattr;
+
+#============= initrc_t ==============
+### /etc/init.d/checkroot.sh running "/sbin/logsave", as well as
+### /etc/init.d/checkfs.sh
+# src="initrc_t" tgt="fsadm_log_t" class="file", perms="write"
+# comm="logsave" exe="" path=""
+allow initrc_t fsadm_log_t:file write;
+
+### Allow auditd postinst, fer instance
+# src="initrc_t" tgt="apt_t" class="fd", perms="use"
+# comm="auditd" exe="" path=""
+allow initrc_t apt_t:fd use;
+
+#============= mount_t ==============
+# src="mount_t" tgt="security_t" class="filesystem", perms="getattr"
+# comm="mount" exe="" path=""
+allow mount_t security_t:filesystem getattr;
+
+#============= system_chkpwd_t ==============
+# src="system_chkpwd_t" tgt="security_t" class="filesystem", perms="getattr"
+# comm="unix_chkpwd" exe="" path=""
+allow system_chkpwd_t security_t:filesystem getattr;
+
+### I have no idea why this is looking in /var/run
+# src="system_chkpwd_t" tgt="var_run_t" class="dir", perms="search"
+# comm="unix_chkpwd" exe="" path=""
+allow system_chkpwd_t var_run_t:dir search;
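Review bot: The crond_t rule contradicts its own comment: the comment says the goal is to "silence the audit messages" because cron policy deliberately withholds setrlimit, but the rule is `allow crond_t self:process setrlimit;`, which grants the permission rather than suppressing the denial; `dontaudit crond_t self:process setrlimit;` matches the stated intent and keeps the module from widening what upstream chose to withhold. The remaining rules are annotated only with the raw AVC fields they were derived from (fsadm_t, mount_t and system_chkpwd_t getattr on security_t, and the system_chkpwd_t search of var_run_t whose comment says "I have no idea why this is looking in /var/run"), so a reader cannot tell whether each access is required for the program to work or merely observed; a one-line comment per rule stating why allow rather than dontaudit was chosen would let a later reviewer judge each widening. The `##============= fsadm_t` header also uses a double hash unlike the other section headers.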
--- refpolicy-2.20110726.orig/debian/README.Debian
+++ refpolicy-2.20110726/debian/README.Debian
@@ -0,0 +1,8 @@
+It would be useful for most users to be familiar with policycoreutils
+tools in order to manipulate policies installed on the
+system. Specifically, it is useful to be familiar with:
+ semodule(8) - Manage SELinux policy modules.
+ load_policy(8) - load a new policy into the kernel
+
+
+ -- Manoj Srivastava , Tue, 9 May 2006 14:07:31 -0500
--- refpolicy-2.20110726.orig/debian/local.mk
+++ refpolicy-2.20110726/debian/local.mk
@@ -0,0 +1,476 @@
+############################ -*- Mode: Makefile -*- ###########################
+## local.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 10:42:10 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Feb 14 15:46:22 2009
+## Last Machine Used: anzu.internal.golden-gryphon.com
+## Update Count : 130
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: b07b1015-30ba-4b46-915f-78c776a808f4
+##
+###############################################################################
+
+testdir:
+ $(testdir)
+
+debian/stamp/pre-config-common: debian/stamp/conf/common
+debian/stamp/pre-build-common: debian/stamp/build/common
+
+debian/stamp/CONFIG/selinux-policy-mls: debian/stamp/conf/selinux-policy-mls
+debian/stamp/BUILD/selinux-policy-mls: debian/stamp/build/selinux-policy-mls
+debian/stamp/INST/selinux-policy-mls: debian/stamp/install/selinux-policy-mls
+debian/stamp/BIN/selinux-policy-mls: debian/stamp/binary/selinux-policy-mls
+
+debian/stamp/CONFIG/selinux-policy-default: debian/stamp/conf/selinux-policy-default
+debian/stamp/BUILD/selinux-policy-default: debian/stamp/build/selinux-policy-default
+debian/stamp/INST/selinux-policy-default: debian/stamp/install/selinux-policy-default
+debian/stamp/BIN/selinux-policy-default: debian/stamp/binary/selinux-policy-default
+
+
+debian/stamp/CONFIG/selinux-policy-src: debian/stamp/conf/selinux-policy-src
+debian/stamp/BUILD/selinux-policy-src: debian/stamp/build/selinux-policy-src
+debian/stamp/INST/selinux-policy-src: debian/stamp/install/selinux-policy-src
+debian/stamp/BIN/selinux-policy-src: debian/stamp/binary/selinux-policy-src
+
+debian/stamp/CONFIG/selinux-policy-dev: debian/stamp/conf/selinux-policy-dev
+debian/stamp/BUILD/selinux-policy-dev: debian/stamp/build/selinux-policy-dev
+debian/stamp/INST/selinux-policy-dev: debian/stamp/install/selinux-policy-dev
+debian/stamp/BIN/selinux-policy-dev: debian/stamp/binary/selinux-policy-dev
+
+
+debian/stamp/CONFIG/selinux-policy-doc: debian/stamp/conf/selinux-policy-doc
+debian/stamp/BUILD/selinux-policy-doc: debian/stamp/build/selinux-policy-doc
+debian/stamp/INST/selinux-policy-doc: debian/stamp/install/selinux-policy-doc
+debian/stamp/BIN/selinux-policy-doc: debian/stamp/binary/selinux-policy-doc
+
+CLEAN/selinux-policy-mls CLEAN/selinux-policy-default CLEAN/selinux-policy-src CLEAN/selinux-policy-src CLEAN/selinux-policy-dev CLEAN/selinux-policy-doc ::
+ $(REASON)
+ -test -f Makefile && $(MAKE) bare
+ test ! -d $(TMPTOP) || rm -rf $(TMPTOP)
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+
+debian/stamp/conf/common:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test -d $(SRCTOP)/config/appconfig-mcs || \
+ cp -a $(SRCTOP)/config/appconfig-mcs $(SRCTOP)/config/appconfig-default
+ test -d $(SRCTOP)/config/appconfig-mcs || \
+ cp -a $(SRCTOP)/config/appconfig-mls $(SRCTOP)/config/appconfig-mls
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-mls:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-mls || \
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ cp debian/build.conf.mls $(SRCTOP)/debian/build-$(package)/build.conf
+ $(MAKE) -C $(SRCTOP)/debian/build-$(package) \
+ NAME=mls TYPE=mls $(OPTIONS) bare
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=mls TYPE=mls $(OPTIONS) conf)
+ cp debian/modules.conf.mls \
+ $(SRCTOP)/debian/build-$(package)/policy/modules.conf
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-default:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ cp debian/build.conf.default $(SRCTOP)/debian/build-$(package)/build.conf
+ $(MAKE) -C $(SRCTOP)/debian/build-$(package) \
+ NAME=default TYPE=mcs $(OPTIONS) bare
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=default TYPE=mcs $(OPTIONS) conf)
+ cp debian/modules.conf.default \
+ $(SRCTOP)/debian/build-$(package)/policy/modules.conf
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-src:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ cp debian/build.conf.default $(SRCTOP)/debian/build-$(package)/build.conf
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=default $(OPTIONS) conf)
+ cp debian/modules.conf.* $(SRCTOP)/debian/build-$(package)/policy/
+ cp debian/build.conf.default $(SRCTOP)/debian/build-$(package)/policy/
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-dev:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-doc::
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ cp debian/build.conf.default $(SRCTOP)/debian/build-$(package)/build.conf
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=default $(OPTIONS) conf )
+ echo done > $@
+
+debian/stamp/build/common:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ perl -wc debian/postinst.policy
+ echo done > $@
+
+debian/stamp/build/selinux-policy-mls:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ test -e debian/stamp-build-mls || \
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=mls TYPE=mls $(OPTIONS) policy all)
+ echo done > $@
+
+debian/stamp/build/selinux-policy-default:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=default TYPE=mcs $(OPTIONS) policy all)
+ echo done > $@
+
+debian/stamp/build/selinux-policy-src:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ echo done > $@
+
+debian/stamp/build/selinux-policy-dev:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ echo done > $@
+
+debian/stamp/build/selinux-policy-doc:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ echo done > $@
+
+
+debian/stamp/install/selinux-policy-mls:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)/
+ $(make_directory) $(TMPTOP)/etc/selinux/mls/modules/active
+ $(make_directory) $(TMPTOP)/etc/selinux/mls/policy
+ test -f $(TMPTOP)/etc/selinux/mls/modules/active/file_contexts.local || \
+ touch $(TMPTOP)/etc/selinux/mls/modules/active/file_contexts.local
+ touch $(TMPTOP)/etc/selinux/mls/modules/semanage.read.LOCK
+ chmod 600 $(TMPTOP)/etc/selinux/mls/modules/semanage.read.LOCK
+ touch $(TMPTOP)/etc/selinux/mls/modules/semanage.trans.LOCK
+ chmod 600 $(TMPTOP)/etc/selinux/mls/modules/semanage.trans.LOCK
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=mls TYPE=mls $(OPTIONS) \
+ DESTDIR=$(TMPTOP) install install-headers \
+ $(TMPTOP)/etc/selinux/mls/users/local.users \
+ $(TMPTOP)/etc/selinux/mls/users/system.users)
+ for module in $(NON_MODULES); do \
+ test ! -f $(TMPTOP)/usr/share/selinux/mls/$$module.pp || \
+ rm -f $(TMPTOP)/usr/share/selinux/mls/$$module.pp; \
+ done
+ $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/mls/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/mls/contexts/files/
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) debian/localStrict.te $(DOCDIR)/
+ $(install_file) debian/NEWS.Debian $(DOCDIR)/NEWS.Debian
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+ echo done > $@
+
+debian/stamp/install/selinux-policy-default:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)/
+ $(make_directory) $(TMPTOP)/etc/selinux/default/modules/active
+ $(make_directory) $(TMPTOP)/etc/selinux/default/policy
+ test -f $(TMPTOP)/etc/selinux/default/modules/active/file_contexts.local || \
+ touch $(TMPTOP)/etc/selinux/default/modules/active/file_contexts.local
+ touch $(TMPTOP)/etc/selinux/default/modules/semanage.read.LOCK
+ chmod 600 $(TMPTOP)/etc/selinux/default/modules/semanage.read.LOCK
+ touch $(TMPTOP)/etc/selinux/default/modules/semanage.trans.LOCK
+ chmod 600 $(TMPTOP)/etc/selinux/default/modules/semanage.trans.LOCK
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=default TYPE=mcs $(OPTIONS) \
+ DESTDIR=$(TMPTOP) install install-headers \
+ $(TMPTOP)/etc/selinux/default/users/local.users \
+ $(TMPTOP)/etc/selinux/default/users/system.users)
+ for module in $(NON_MODULES); do \
+ test ! -f $(TMPTOP)/usr/share/selinux/default/$$module.pp || \
+ rm -f $(TMPTOP)/usr/share/selinux/default/$$module.pp; \
+ done
+ $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/default/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/default/contexts/files/
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+ echo done > $@
+
+debian/stamp/install/selinux-policy-src:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)
+ $(make_directory) $(TMPTOP)/usr/src
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=default $(OPTIONS) DESTDIR=$(TMPTOP) bare conf install-src; )
+ find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf
+ test ! -e $(TMPTOP)/etc/selinux/default/src/policy/COPYING || \
+ rm -f $(TMPTOP)/etc/selinux/default/src/policy/COPYING
+ rm -rf $(TMPTOP)/etc/selinux/default/src/policy/man
+ (cd $(TMPTOP)/etc/selinux/default/src/policy; \
+ if test -f modules.conf; then \
+ mv modules.conf modules.conf.dist; \
+ fi; \
+ ln -sf modules.conf.mls modules.conf)
+ $(install_file) policy/rolemap \
+ $(TMPTOP)/etc/selinux/default/src/policy/
+ $(install_file) debian/build.conf.default \
+ $(TMPTOP)/etc/selinux/default/src/policy/build.conf
+ $(install_file) debian/global_booleans.xml \
+ $(TMPTOP)/etc/selinux/default/src/policy/
+ $(install_file) debian/global_tunables.xml \
+ $(TMPTOP)/etc/selinux/default/src/policy/
+ $(install_file) debian/Makefile.src \
+ $(TMPTOP)/etc/selinux/default/src/policy/
+ (cd $(TMPTOP)/etc/selinux/default/src/; mv policy $(package); \
+ mv support $(package)/; \
+ tar zfc $(TMPTOP)/usr/src/$(package).tar.gz $(package))
+ rm -rf $(TMPTOP)/etc
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+ echo done > $@
+
+debian/stamp/install/selinux-policy-dev: debian/stamp/install/selinux-policy-mls debian/stamp/install/selinux-policy-default
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)/examples
+ $(make_directory) $(MAN1DIR)
+ $(make_directory) $(TMPTOP)/usr/bin
+ $(make_directory) $(TMPTOP)/usr/share/selinux/mls/include
+ $(make_directory) $(TMPTOP)/usr/share/selinux/default/include
+ find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf
+ (cd $(SRCTOP)/debian/selinux-policy-mls/usr/share/selinux/mls; \
+ tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/mls; umask 000; \
+ tar xpsf -))
+ (cd $(SRCTOP)/debian/selinux-policy-default/usr/share/selinux/default; \
+ tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/default; umask 000; \
+ tar xpsf -))
+ sed -e s/^[^#]*genfscon/###genfscon/ < $(TMPTOP)/usr/share/selinux/default/include/kernel/selinux.if > $(TMPTOP)/usr/share/selinux/default/include/kernel/selinux.if-new
+ mv $(TMPTOP)/usr/share/selinux/default/include/kernel/selinux.if-new $(TMPTOP)/usr/share/selinux/default/include/kernel/selinux.if
+ sed -e s/^[^#]*genfscon/###genfscon/ < $(TMPTOP)/usr/share/selinux/mls/include/kernel/selinux.if > $(TMPTOP)/usr/share/selinux/mls/include/kernel/selinux.if-new
+ mv $(TMPTOP)/usr/share/selinux/mls/include/kernel/selinux.if-new $(TMPTOP)/usr/share/selinux/mls/include/kernel/selinux.if
+ rm -rf $(SRCTOP)/debian/selinux-policy-mls/usr/share/selinux/mls/include
+ rm -rf $(SRCTOP)/debian/selinux-policy-default/usr/share/selinux/default/include
+ $(install_file) policy/rolemap \
+ $(TMPTOP)/usr/share/selinux/default/include/support
+ $(install_file) debian/global_booleans.xml \
+ $(TMPTOP)/usr/share/selinux/default/include/support
+ $(install_file) debian/global_tunables.xml \
+ $(TMPTOP)/usr/share/selinux/default/include/support
+ $(install_file) debian/build.conf.default \
+ $(TMPTOP)/usr/share/selinux/default/include/build.conf
+ $(install_file) policy/rolemap \
+ $(TMPTOP)/usr/share/selinux/mls/include/support
+ $(install_file) debian/global_booleans.xml \
+ $(TMPTOP)/usr/share/selinux/mls/include/support
+ $(install_file) debian/global_tunables.xml \
+ $(TMPTOP)/usr/share/selinux/mls/include/support
+ $(install_file) debian/build.conf.mls \
+ $(TMPTOP)/usr/share/selinux/mls/include/build.conf
+ chmod +x $(TMPTOP)/usr/share/selinux/default/include/support/segenxml.py
+ chmod +x $(TMPTOP)/usr/share/selinux/mls/include/support/segenxml.py
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+ $(install_file) debian/example.fc $(DOCDIR)/examples/
+ $(install_file) debian/example.if $(DOCDIR)/examples/
+ $(install_file) debian/example.te $(DOCDIR)/examples/
+ $(install_file) debian/example.mk $(DOCDIR)/examples/Makefile
+ $(install_program) debian/policygentool $(TMPTOP)/usr/bin
+ $(install_file) debian/policygentool.1 $(MAN1DIR)
+ gzip -9fqr $(MAN1DIR)
+ echo done > $@
+
+debian/stamp/install/selinux-policy-doc:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)
+ $(make_directory) $(DOCBASEDIR)
+ $(make_directory) $(MAN8DIR)
+ cp -a man/man8/*.8 $(MAN8DIR)
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ $(install_file) debian/docentry $(DOCBASEDIR)/$(package)
+ gzip -9fqr $(MANDIR)
+ gzip -9fqr $(DOCDIR)
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=default $(OPTIONS) DESTDIR=$(TMPTOP) \
+ PKGNAME=selinux-policy-doc conf html install-docs;)
+ gzip -9fq $(DOCDIR)/example.if $(DOCDIR)/example.fc $(DOCDIR)/Makefile.example
+ $(install_file) debian/copyright $(DOCDIR)/
+ $(install_file) debian/docentry $(DOCBASEDIR)/$(package)
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-mls:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+ test ! -f $(TMPTOP)/DEBIAN/conffiles || test -s $(TMPTOP)/DEBIAN/conffiles || \
+ rm $(TMPTOP)/DEBIAN/conffiles
+ sed -e 's/=T/mls/g' debian/postinst.policy > $(TMPTOP)/DEBIAN/postinst
+ chmod 755 $(TMPTOP)/DEBIAN/postinst
+ $(install_program) debian/mls.postrm $(TMPTOP)/DEBIAN/postrm
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-default:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+ test ! -f $(TMPTOP)/DEBIAN/conffiles || test -s $(TMPTOP)/DEBIAN/conffiles ||\
+ rm $(TMPTOP)/DEBIAN/conffiles
+ sed -e 's/=T/default/g' debian/postinst.policy >$(TMPTOP)/DEBIAN/postinst
+ chmod 755 $(TMPTOP)/DEBIAN/postinst
+ $(install_program) debian/default.postrm $(TMPTOP)/DEBIAN/postrm
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-src:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-dev:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-doc:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+ test ! -f $(TMPTOP)/DEBIAN/conffiles || test -s $(TMPTOP)/DEBIAN/conffiles || \
+ rm $(TMPTOP)/DEBIAN/conffiles
+ $(install_program) debian/doc.postinst $(TMPTOP)/DEBIAN/postinst
+ $(install_program) debian/doc.prerm $(TMPTOP)/DEBIAN/prerm
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+
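Review bot: The appconfig bootstrap in `debian/stamp/conf/common` (the two `test -d … ||` pairs after the stamp mkdir) tests the wrong directory: the first guard checks `appconfig-mcs`, the very directory it is about to copy, so the copy to `appconfig-default` only runs when the source is absent and would then fail, and the second guard copies `appconfig-mls` onto itself. If the default build is expected to find `config/appconfig-default`, the guard should read `test -d $(SRCTOP)/config/appconfig-default || cp -a $(SRCTOP)/config/appconfig-mcs $(SRCTOP)/config/appconfig-default` and the mls pair should be dropped as a no-op; if it is not needed, both pairs should go rather than silently never firing. Separately, the `umask 000; tar xpsf -` extractions in the selinux-policy-dev install step create world-writable directories in the staging tree that are only repaired by the later `chmod -R u+w,go=rX` in the binary step, so a plain `umask 022` there would be safer and would remove the dependency on that ordering. Also note that `find etc -type f` in the mls and default binary steps registers `modules/semanage.read.LOCK` and `semanage.trans.LOCK` as conffiles, which are runtime lock files rather than configuration and are presumably better excluded.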
--- refpolicy-2.20110726.orig/debian/example.te
+++ refpolicy-2.20110726/debian/example.te
@@ -0,0 +1,30 @@
+
+policy_module(myapp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t;
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t)
+
+type myapp_log_t;
+logging_log_file(myapp_log_t)
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file ra_file_perms;
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
+
+# arch-tag: 5a574a9f-92ea-4cc2-becb-9715b6107d1b
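Review bot: The log type is declared and granted `ra_file_perms`, but unlike `myapp_tmp_t` it has no type transition, so a log file that `myapp_t` itself creates would presumably keep the parent directory's default label rather than `myapp_log_t`, and the read/append rule would never apply to it; as written the example only works if something else pre-creates and labels the file. Since this file is shipped as the template for new modules, it should either add `logging_log_filetrans(myapp_t, myapp_log_t, file)` together with a permission set that includes `create` (`create_file_perms` or `manage_file_perms`), or carry a comment stating that the log file is expected to exist with the correct label. A short comment above each `allow` explaining why append-only is chosen for the log and full management for tmp would also make the least-privilege intent explicit to people copying the template.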
--- refpolicy-2.20110726.orig/debian/postinst.policy
+++ refpolicy-2.20110726/debian/postinst.policy
@@ -0,0 +1,339 @@
+#! /usr/bin/perl
+# -*- Mode: Cperl -*-
+# postinst.pl ---
+# Author : Manoj Srivastava ( srivasta@golden-gryphon.com )
+# Created On : Mon Aug 21 01:14:21 2006
+# Created On Node : glaurung.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Tue Sep 1 22:50:34 2009
+# Last Machine Used: anzu.internal.golden-gryphon.com
+# Update Count : 35
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 69c85425-4822-4b17-bb54-3b2d22e76687
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#
+#use strict; #for debugging
+use Cwd 'abs_path';
+$|=1;
+
+# Ignore all invocations except when called on to configure.
+exit 0 if $ARGV[0] =~ /abort-upgrade/;
+exit 0 if $ARGV[0] =~ /abort-remove/;
+exit 0 if $ARGV[0] =~ /abort-deconfigure/;
+exit 0 unless $ARGV[0] =~ /configure/;
+
+my $type = '=T';
+my $package_name= "selinux-policy-$type";
+my $policy_name = "$type";
+my $basedir = "/etc/selinux/$policy_name";
+my $src_dir = "/usr/share/selinux/$policy_name";
+
+# List of all the modules in the policy
+my @all_modules;
+# Full path of all modules in the policy
+my %Module_Path;
+# Dpendencies for policy modules, as determined by semodule_deps
+my %Deps = ( 'cups' => 'lpd', 'telnet' => 'remotelogin',
+ 'devicekit' => 'dbus'
+ );
+# A hash of all modules already processed
+my %Seen;
+# A hash of all packages installed on this machine
+my %Installed;
+# Policy modules in dependency order (subset of all modules in policy)
+my @ordered;
+# A list of modules already scheduled to be laoded
+my %Loaded;
+# and the order in which the modules should be loaded into policy.
+my @load_order;
+# A mapping of policy modules to Debian package names.
+my %map = (
+ 'apache' => [ 'apache*', 'cvsweb' ],
+ 'apm' => [ 'acpid' ],
+ 'asterisk' => [ 'asterisk' ],
+ 'automount' => [ 'autofs*' ],
+ 'avahi' => [ 'avahi-*' ],
+ 'bind' => [ 'bind9' ],
+# 'bootloader' => [ 'grub', 'lilo' ],
+ 'cdrecord' => [ 'wodim' ],
+ 'clamav' => [ 'clamav', 'amavisd-new' ],
+ 'courier' => [ 'courier*' ],
+ 'consolekit' => [ 'consolekit' ],
+ 'cpufreqselector' => [ 'cpufreqd', 'cpufrequtils', 'gnome-applets' ],
+ 'cups' => [ 'cupsys*', 'cups', 'cups-bsd', 'cups-client',
+ 'cups-common' ],
+ 'cyrus' => [ 'cyrus*' ],
+ 'devicekit' => [ 'udev', 'hal', 'udisks' ],
+ 'dovecot' => [ 'dovecot-imapd', 'dovecot-pop3d' ],
+ 'dhcp' => [ 'dhcp*', 'dhclient*', 'pump' ],
+ 'dkim' => [ 'dkim-filter' ],
+ 'epmd' => [ 'erlang-base' ],
+ 'exim' => [ 'exim4' ],
+ 'finger' => [ 'finger', '*fingerd' ],
+ 'ftp' => [ 'ftp', '*ftpd' ],
+ 'gitosis' => [ 'gitosis' ],
+ 'gpg' => [ 'gnupg' ],
+ 'hddtemp' => [ 'hddtemp' ],
+ 'hwclock' => [ 'util-linux' ],
+ 'inetd' => [ '*-inetd', 'openbsd-inetd', 'netkit-inetd',
+ 'rinetd', 'rlinetd', 'xinetd' ],
+ 'iodine' => [ 'iodine' ],
+ 'ipsec' => [ 'ipsec-tools', 'racoon' ],
+ 'jabber' => [ 'jabber', 'ejabberd' ],
+ 'java' => [ 'sun-java5*', 'cacao', 'gcj*', 'gij*', 'kaffe*',
+ 'java*', 'jvm*', 'jre*', 'jsdk*' ],
+ 'kdump' => [ 'crash' ],
+ 'lda' => [ 'procmail', 'courier-maildrop', 'dovecot-common' ],
+ 'ldap' => [ 'slapd' ],
+ 'lpd' => [ 'lprng', 'rlpr' ],
+ 'loadkeys' => [ 'console-tools' ],
+ 'lvm' => [ 'lvm2', 'dmsetup' ],
+ 'milter' => [ 'milter-greylist', 'spamass-milter' ],
+ 'mono' => [ 'mono*' ],
+ 'munin' => [ 'munin-node' ],
+ 'mysql' => [ 'mysql-server', 'mysql-server*' ],
+ 'mozilla' => [ 'mozilla-browser', 'firefox', 'galeon',
+ 'mozilla-*', 'firefox*', 'epiphany-browser',
+ 'chromium-browser' ],
+ 'nagios' => [ 'nagios*' ],
+ 'netutils' => [ 'arping', 'nmap', '*-ping', 'traceroute*' ],
+ 'nslcd' => [ 'nslcd' ],
+ 'pcmcia' => [ 'pcmciautils' ],
+ 'policykit' => [ 'policykit', 'policykit-1' ],
+ 'ptchown' => [ 'libc-bin' ],
+ 'pythonsupport' => [ 'python-support' ],
+ 'radius' => [ 'freeradius*', 'radiusd*' ],
+ 'raid' => [ 'mdadm' ],
+ 'rpc' => [ 'nfs-common', 'nfs-kernel-server' ],
+ 'sasl' => [ 'libsasl2' ],
+ 'shorewall' => [ 'shorewall-common', 'shorewall-lite',
+ 'shorewall-perl', 'shorewall-shell',
+ 'shorewall6', 'shorewall6-lite'
+ ],
+ 'ssh' => [ 'openssh*' ],
+# 'su' => [ 'login' ],
+ 'sysstat' => [ 'atsar' ],
+ 'telnet' => [ 'telnet', '*telnetd*' ],
+ 'uml' => [ 'linux-uml*' ],
+ 'uptime' => [ 'uptimed' ],
+ 'usbmodules' => [ 'usbutils' ],
+ 'varnishd' => [ 'varnish' ],
+# 'usermanage' => [ 'passwd' ],
+ 'wm' => [ 'aewm', 'afterstep', 'awesome', 'blackbox',
+ 'compiz', 'ctwm', 'dwm', 'e17', 'evilwm',
+ 'fluxbox', 'flwm', 'fvwm', 'i3-wm', 'icewm',
+ 'lwm', 'matchbox-window-manager', 'metacity',
+ 'mutter', 'nawm', 'openbox', 'oroborus',
+ 'pekwm', 'ratpoison', 'sapphire', 'sawfish',
+ 'scrotwm', 'stumpwm','sugar-0.84', 'tinywm',
+ 'twm', 'uwm', 'vtwm', 'w9wm', 'wm2', 'wmaker',
+ 'xfwm4', 'xmonad', 'ion3', 'kwin', 'amiwm'
+ ],
+ 'xen' => [ 'xen-utils-common' ],
+ 'xscreensaver' => [ 'xscreensaver', 'kscreensaver',
+ 'gnome-screensaver', 'innerspace.app',
+ 'kanjisaver', 'kannasaver' ],
+ 'xserver' => [ 'gdm', 'kdm', 'xdm', 'xserver*', 'xbase-clients' ]
+ );
+
+# Converts wildcard (glob) pattern into regex pattern (only `*' is wild).
+sub wild2re {
+ my ($pat) = @_;
+ return join('.*', map(quotemeta, split('\*', $pat, -1)));
+}
+
+# List all th modules, except the base module, in the policy
+# directory. This sets @all_modules and %Module_Path
+sub list_modules {
+ my $src_dir = shift;
+ print STDERR "Locating modules\n";
+ opendir(DIR, $src_dir) || die "can't opendir $src_dir: $!";
+
+ @all_modules = grep { ! m/^base\.pp$/ && m/\.pp/ && -f "$src_dir/$_" }
+ readdir(DIR);
+ %Module_Path = map { +"$src_dir/$_" => 0 } @all_modules;
+ closedir DIR;
+}
+
+# Using the hash array %Module_Path created in the last step, run
+# semodule_deps to get the dependency relationships. This creates the
+# %Deps dependency hash.
+sub get_dependencies {
+ my $src_dir = shift;
+ print STDERR "Calculating dependencies between modules\n";
+ open(COMMAND, '-|', "semodule_deps -g $src_dir/base.pp " .
+ join(' ', keys %Module_Path)) || die "Could not run semodule_deps";
+ while () {
+ chomp;
+ next unless m/\-\>/;
+ next unless m/\s*(\S+)\s*\-\>\s*(\S+)\s*$/;
+ if (defined $Deps{$1}) {
+ $Deps{$1} = "$Deps{$1} $2";
+ }
+ else {
+ $Deps{$1} = $2;
+ }
+ }
+ close COMMAND;
+}
+
+# In this step, use the dependecy hash %Deps created in the last step,
+# and feed the information to tsort to get an ordered list of
+# modules. This creates the array @ordered
+sub get_ordering {
+ print STDERR "Ordering modules based on dependencies\n";
+ my $tempfile=`tempfile -p tsrt -m 0600`;
+ open(SORT, "| tsort > $tempfile") || die "can't open pipe to tsort: $!";
+ for my $pkg (keys %Deps) {
+ for my $dep (split(/ /, $Deps{$pkg})) {
+ print SORT "$dep $pkg\n";
+ }
+ }
+ close SORT;
+
+ open(RESULTS, $tempfile) || die "can't read $tempfile: $!";
+ while () {
+ chomp;
+ push @ordered, $_;
+ }
+ unlink $tempfile;
+ close RESULTS;
+}
+
+my @Load_Order;
+# Cycle over all the modules installed, starting with the dependency
+# ordered modules, taking care that we only look at a module once. For
+# each module, we look to see a mapping ogf the packages that need
+# this policy module. We then query dpkg to see if any of the package
+# patterns that are associated with a policy module are installed on
+# this system, if so, we schedule the module to be loaded, ensuring
+# that the dependent policy modules are also targeted for installation
+# before the current module is installed. This creates the Seen hash,
+# and the Load_Order array, as well as the Loaded hash.
+sub installed_modules {
+ print STDERR "Selecting modules based on installed packages\n";
+
+ # This suggestion from Alexander Bürger
+ open( my $PACKAGES, "dpkg-query -W |" )
+ or die("Cannot run 'dpkg-query -W'. $!");
+ while( my $p = <$PACKAGES> ) {
+ $Installed{$1} = $2 if( $p =~ /^(.*)\t(.+)$/ );
+ }
+ close($PACKAGES) or die("Could not close pipe.");
+
+ foreach my $module (@ordered, @all_modules) {
+ $module =~ s/\.pp$//o;
+
+ next if $Seen{$module};
+ $Seen{$module}++;
+
+ if (! defined $map{$module}) { $map{$module} = [ $module ]; }
+
+ PACKAGE:
+ for my $pkg (@{ $map{$module} }) {
+ my $is_installed = index($pkg, '*') < 0 ?
+ $Installed{$pkg} # exact name
+ : grep(m/^@{[wild2re($pkg)]}$/, keys %Installed); # wildcard
+ if ($is_installed) {
+ if (defined $Deps{$module}) {
+ for my $dep (split(' ', $Deps{$module})) {
+ next if $Loaded{$dep};
+ if (-e "${src_dir}/${dep}.pp") {
+ push @Load_Order, $dep;
+ $Loaded{$dep}++
+ }
+ else {
+ print STDERR "Could not find ${src_dir}/${dep}.pp\n";
+ print STDERR "which is required for module ${module}.pp\n";
+ print STDERR "Assuming ${dep}.pp is built into base.pp\n";
+ }
+ }
+ }
+ push @Load_Order, $module;
+ $Loaded{$module}++;
+ last PACKAGE;
+ }
+ }
+ }
+}
+
+sub change_policy_type
+{
+ my $file = "/etc/selinux/config";
+ open(IN, "<$file") or return;
+ open(OUT, ">$file.new") or close(IN) && return;
+ while()
+ {
+ if($_ =~ /^SELINUXTYPE *= *refpolicy/)
+ {
+ print OUT "SELINUXTYPE=$type\n";
+ }
+ else
+ {
+ print OUT $_;
+ }
+ }
+ close(IN);
+ close(OUT);
+ rename("$file.new", "$file");
+ print "changed policy type to $type as the \"refpolicy\" names are obsolete\n";
+}
+
+sub main {
+ if (-e "$basedir/modules/active/base.pp" ) {
+ print STDERR "You already have a $policy_name policy installed.\n";
+ print STDERR "I am leaving it alone. Please check and update manually.\n";
+ }
+ elsif (-e "$src_dir/base.pp") {
+ print STDERR "Notice: Trying to link (but not load) a $policy_name policy.\n";
+ print STDERR "This process may fail -- you should check the results, and \n";
+ print STDERR "you need to switch to this policy yourself anyway.\n\n";
+ &list_modules("$src_dir");
+ &get_dependencies("$src_dir");
+ &get_ordering();
+ &installed_modules();
+ chdir "$src_dir" or die "Can't access $src_dir";
+ my $semod = "semodule -b base.pp -s $policy_name -n ";
+ if("$type" eq "default") {
+ $semod .= " -i unconfined.pp";
+ }
+ my $mod_list;
+ for my $mod (@Load_Order) {
+ $semod .= " -i ${mod}.pp";
+ $mod_list .= " $mod";
+ }
+ if (system($semod) == 0) {
+ print STDERR "Loaded modules $mod_list\n";
+ change_policy_type();
+ }
+ else {
+ print STDERR "Error running \"$semod\", please load policy manually and report a bug.\n";
+ }
+ }
+ else {
+ print STDERR ".\n";
+ }
+}
+
+&main;
+
+exit 0;
+
+__END__
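Review bot: `get_ordering` builds its scratch file with backticks around the Debian-specific `tempfile` command and never `chomp`s the result, so `$tempfile` carries a trailing newline; Perl's two-argument `open(RESULTS, $tempfile)` tolerates that, but the later `unlink $tempfile` most likely does not, leaving the 0600 edge list behind in /tmp on every run. The core `File::Temp` module avoids the external command and the cleanup problem at once, and letting `tsort` read the file through a list-form pipe open also removes a shell round-trip; this needs `use File::Temp qw(tempfile);` next to the existing `use Cwd 'abs_path';`. The same list-form pattern (`open(COMMAND, '-|', 'semodule_deps', '-g', "$src_dir/base.pp", keys %Module_Path)` in `get_dependencies` and `system('semodule', @args)` in `main`) would be worth applying where module paths taken from `readdir` are currently interpolated into shell strings, even though the directory is root-owned. Finally, the `while ()` loops in `get_dependencies`, `get_ordering` and `change_policy_type` appear to have lost their `<COMMAND>`/`<RESULTS>`/`<IN>` readline operands in this rendering; worth confirming the committed file actually reads from the handles.
```perl
sub get_ordering {
    print STDERR "Ordering modules based on dependencies\n";
    # Edge list for tsort; File::Temp creates it 0600 and removes it at exit.
    my ($edges, $edgefile) = tempfile('tsrtXXXXXX', TMPDIR => 1, UNLINK => 1);
    for my $pkg (keys %Deps) {
        for my $dep (split(/ /, $Deps{$pkg})) {
            print $edges "$dep $pkg\n";
        }
    }
    close($edges) or die "can't write $edgefile: $!";
    # List-form open: no shell, so the path is never re-parsed.
    open(my $results, '-|', 'tsort', $edgefile) or die "can't run tsort: $!";
    while (my $line = <$results>) {
        chomp $line;
        push @ordered, $line;
    }
    close($results) or warn "tsort exited with status $?\n";
}
```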
--- refpolicy-2.20110726.orig/debian/build.conf.mls
+++ refpolicy-2.20110726/debian/build.conf.mls
@@ -0,0 +1,75 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version. This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 21
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = mls
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = mls
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+DISTRO = debian
+
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy. The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+UNK_PERMS = deny
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC = y
+
+# Build monolithic policy. Putting n here
+# will build a loadable module policy.
+MONOLITHIC = n
+
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = n
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS = 16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS = 1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS = 1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET = n
+
+# arch-tag: 6e61abf2-f3d7-42b4-bbb9-7a1b38350518
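Review bot: `DIRECT_INITRC = y` in an MLS build.conf lets sysadm run init scripts directly instead of through run_init, so a daemon started from an admin shell presumably keeps that shell's user, role and MLS range rather than the system context run_init would set up; for an MLS policy this deserves an explicit decision and a comment next to the setting, e.g. `# Debian: sysadm may start init scripts without run_init; services started this way keep the caller's context -- TODO confirm this is intended for the MLS flavour`. The comment above `MCS_CATS` was copied from the MLS entry and should read `# The categories will be c0 to c(MCS_CATS-1).`. The comment above `TYPE` still lists only the strict/targeted variants while the value set is `mls`; it should name the types this refpolicy release actually accepts, which I cannot confirm from the hunk alone.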
--- refpolicy-2.20110726.orig/debian/doc.prerm
+++ refpolicy-2.20110726/debian/doc.prerm
@@ -0,0 +1,120 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# prerm ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 12:16:39 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Fri May 12 02:30:40 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 10
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: a4c1a888-137d-4800-98f8-93d0365422d8
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#
+
+# Abort if any command returns an error value
+set -e
+
+package_name=selinux-policy-refpolicy-doc
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+
+# This script is called as the first step in removing the package from
+# the system. This includes cases where the user explicitly asked for
+# the package to be removed, upgrade, automatic removal due to conflicts,
+# and deconfiguration due to temporary removal of a depended-on package.
+
+# Info files should be uninstalled from the dir file in any case.
+# install-info --quiet --remove /usr/info/${package_name}
+
+case "$1" in
+ remove)
+ # This package about to be removed.
+ :
+
+ # Remove package-specific directories from /usr/local. Don't try
+ # to remove standard directories such as /usr/local/lib.
+ ##: if test -d /usr/local/lib/${package_name}; then
+ ##: rmdir /usr/local/lib/${package_name} || true
+ ##: fi
+
+ # Deactivate menu-methods script.
+ ##: chmod a-x /etc/menu-methods/${package_name}
+
+ # Withdraw our version of a program.
+ ##: update-alternatives --remove program /usr/bin/alternative
+
+ # Get rid of the byte compiled files
+ ##: if [ -x /usr/lib/emacsen-common/emacs-package-remove ]; then
+ ##: /usr/lib/emacsen-common/emacs-package-remove $package_name
+ ##: fi
+
+ # There are two sub-cases:
+ if test "${2+set}" = set; then
+ if test "$2" != in-favour; then
+ echo "$0: undocumented call to \`prerm $*'" 1>&2
+ exit 0
+ fi
+ # We are being removed because of a conflict with package $3
+ # (version $4), which is now being installed.
+ :
+
+ else
+ # The package is being removed in its own right.
+ :
+
+ fi ;;
+ deconfigure)
+ if test "$2" != in-favour || test "$5" != removing; then
+ echo "$0: undocumented call to \`prerm $*'" 1>&2
+ exit 0
+ fi
+ # Package $6 (version $7) which we depend on is being removed due
+ # to a conflict with package $3 (version $4), and this package is
+ # being deconfigured until $6 can be reinstalled.
+ :
+
+ ;;
+ upgrade)
+ # Prepare to upgrade FROM THIS VERSION of this package to version $2.
+ :
+
+ if [ -L /usr/doc/$package_name ]; then
+ rm -f /usr/doc/$package_name
+ fi
+
+ ;;
+ failed-upgrade)
+ # Prepare to upgrade from version $2 of this package TO THIS VERSION.
+ # This is only used if the old version's prerm couldn't handle it,
+ # and returned non-zero. (Fix old prerm bugs here.)
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
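Review bot: `print >&2 "Internal Error. Please report a bug."` is not a POSIX sh builtin (it exists in ksh/zsh), so under `#! /bin/sh` with `set -e` that branch would abort with a "print: not found" error instead of reporting the problem; it should be `echo "Internal Error. Please report a bug." 1>&2`. The branch is unreachable as written because `package_name` is assigned a literal two lines earlier, so the defect only bites if this template is reused with a computed name. The rest of the script is the standard Debian prerm skeleton with every case a no-op, which is fine for a documentation-only package.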
--- refpolicy-2.20110726.orig/debian/docentry
+++ refpolicy-2.20110726/debian/docentry
@@ -0,0 +1,24 @@
+Document: selinux-policy-refpolicy-doc
+Title: SELinux Reference Policy
+Author: various
+Abstract: The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+Section: System/Administration
+
+Format: HTML
+Index: /usr/share/doc/selinux-policy-doc/html/index.html
+Files: /usr/share/doc/selinux-policy-doc/html/*.html
--- refpolicy-2.20110726.orig/debian/global_tunables.xml
+++ refpolicy-2.20110726/debian/global_tunables.xml
@@ -0,0 +1,583 @@
+
+
+
+Allow cvs daemon to read shadow
+
+
+
+
+
+
+Allow zebra daemon to write it configuration files
+
+
+
+
+
+
+Allow making the heap executable.
+
+
+
+
+
+
+Allow making anonymous memory executable, e.g.
+for runtime-code generation or executable stack.
+
+
+
+
+
+
+Allow making a modified private file
+mapping executable (text relocation).
+
+
+
+
+
+
+Allow making the stack executable via mprotect.
+Also requires allow_execmem.
+
+
+
+
+
+
+Allow ftp servers to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow ftp servers to use cifs
+used for public file transfer services.
+
+
+
+
+
+
+Allow ftp servers to use nfs
+used for public file transfer services.
+
+
+
+
+
+
+Allow gssd to read temp directory.
+
+
+
+
+
+
+Allow Apache to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow Apache to use mod_auth_pam
+
+
+
+
+
+
+Allow java executable stack
+
+
+
+
+
+
+Allow system to run with kerberos
+
+
+
+
+
+
+Allow nfs servers to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow rsync to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow sasl to read shadow
+
+
+
+
+
+
+Allow samba to modify public files
+used for public file transfer services.
+
+
+
+
+
+
+Allow system to run with NIS
+
+
+
+
+
+
+Enable extra rules in the cron domain
+to support fcron.
+
+
+
+
+
+
+Allow ftp to read and write files in the user home directories
+
+
+
+
+
+
+Allow ftpd to run directly without inetd
+
+
+
+
+
+
+Enable reading of urandom for all domains.
+
+
+This should be enabled when all programs
+are compiled with ProPolice/SSP
+stack smashing protection. All domains will
+be allowed to read from /dev/urandom.
+
+
+
+
+
+
+Allow httpd to use built in scripting (usually php)
+
+
+
+
+
+
+Allow http daemon to tcp connect
+
+
+
+
+
+
+Allow httpd to connect to mysql/posgresql
+
+
+
+
+
+
+Allow httpd to act as a relay
+
+
+
+
+
+
+Allow httpd cgi support
+
+
+
+
+
+
+Allow httpd to act as a FTP server by
+listening on the ftp port.
+
+
+
+
+
+
+Allow httpd to read home directories
+
+
+
+
+
+
+Run SSI execs in system CGI script domain.
+
+
+
+
+
+
+Allow http daemon to communicate with the TTY
+
+
+
+
+
+
+Run CGI in the main httpd domain
+
+
+
+
+
+
+Allow BIND to write the master zone files.
+Generally this is used for dynamic DNS.
+
+
+
+
+
+
+Allow nfs to be exported read/write.
+
+
+
+
+
+
+Allow nfs to be exported read only
+
+
+
+
+
+
+Allow pppd to load kernel modules for certain modems
+
+
+
+
+
+
+Allow reading of default_t files.
+
+
+
+
+
+
+Allow samba to export user home directories.
+
+
+
+
+
+
+Allow samba to export NFS volumes.
+
+
+
+
+
+
+Allow squid to connect to all ports, not just
+HTTP, FTP, and Gopher ports.
+
+
+
+
+
+
+Configure stunnel to be a standalone daemon or
+inetd service.
+
+
+
+
+
+
+Support NFS home directories
+
+
+
+
+
+
+Support SAMBA home directories
+
+
+
+
+
+
+Control users use of ping and traceroute
+
+
+
+
+
+
+Allow gpg executable stack
+
+
+
+
+
+
+Allow mplayer executable stack
+
+
+
+
+
+
+Allow sysadm to ptrace all processes
+
+
+
+
+
+
+allow host key based authentication
+
+
+
+
+
+
+Allow users to connect to mysql
+
+
+
+
+
+
+Allows clients to write to the X server shared
+memory segments.
+
+
+
+
+
+
+Allow cdrecord to read various content.
+nfs, samba, removable devices, user temp
+and untrusted content files
+
+
+
+
+
+
+Allow system cron jobs to relabel filesystem
+for restoring file contexts.
+
+
+
+
+
+
+force to games to run in user_t
+mapping executable (text relocation).
+
+
+
+
+
+
+Disable transitions to evolution domains.
+
+
+
+
+
+
+Disable transitions to user mozilla domains
+
+
+
+
+
+
+Disable transitions to user thunderbird domains
+
+
+
+
+
+
+Allow email client to various content.
+nfs, samba, removable devices, user temp
+and untrusted content files
+
+
+
+
+
+
+Control mozilla content access
+
+
+
+
+
+
+Allow pppd to be run for a regular user
+
+
+
+
+
+
+Allow applications to read untrusted content
+If this is disallowed, Internet content has
+to be manually relabeled for read access to be granted
+
+
+
+
+
+
+Allow ssh to run from inetd instead of as a daemon.
+
+
+
+
+
+
+Allow user spamassassin clients to use the network.
+
+
+
+
+
+
+Allow ssh logins as sysadm_r:sysadm_t
+
+
+
+
+
+
+Allow staff_r users to search the sysadm home
+dir and read files (such as ~/.bashrc)
+
+
+
+
+
+
+Allow regular users direct mouse access
+
+
+
+
+
+
+Allow users to read system messages.
+
+
+
+
+
+
+Allow users to control network interfaces
+(also needs USERCTL=true)
+
+
+
+
+
+
+Allow user to r/w files on filesystems
+that do not have extended attributes (FAT, CDROM, FLOPPY)
+
+
+
+
+
+
+Allow users to run TCP servers (bind to ports and accept connection from
+the same domain and outside users) disabling this forces FTP passive mode
+and may change other protocols.
+
+
+
+
+
+
+Allow w to display everyone
+
+
+
+
+
+
+Allow applications to write untrusted content
+If this is disallowed, no Internet content
+will be stored.
+
+
+
+
+
+
+Allow xdm logins as sysadm
+
+
+
+
+
+
+Allow all daemons the ability to use unallocated ttys
+
+
+
+
+
+
+Allow mount to mount any file
+
+
+
+
+
+
+Allow spammd to read/write user home directories.
+
+
+
+
+
+
+Allow httpd cgi support
+
+
+
+
+
+
+Allow unconfined to dyntrans to unconfined_execmem
+
+
+
--- refpolicy-2.20110726.orig/debian/mls.postrm
+++ refpolicy-2.20110726/debian/mls.postrm
@@ -0,0 +1,176 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# postrm ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 12:22:20 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 20:52:23 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 11
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 56802d51-d980-4822-85c0-28fce19ed430
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+
+# Abort if any command returns an error value
+set -e
+
+NAME=mls
+package_name=selinux-policy-$NAME
+POLICYNAME=$NAME
+BASEDIR=/etc/selinux/$POLICYNAME
+
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+# This script is called twice during the removal of the package; once
+# after the removal of the package's files from the system, and as
+# the final step in the removal of this package, after the package's
+# conffiles have been removed.
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+case "$1" in
+ remove)
+ # This package is being removed, but its configuration has not yet
+ # been purged.
+ :
+
+ # Remove diversion
+ ##: dpkg-divert --package ${package_name} --remove --rename \
+ ##: --divert /usr/bin/other.real /usr/bin/other
+
+ # ldconfig is NOT needed during removal of a library, only during
+ # installation
+
+ ;;
+ purge)
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ :
+
+ # we mimic dpkg as closely as possible, so we remove configuration
+ # files with dpkg backup extensions too:
+ ### Some of the following is from Tore Anderson:
+ ##: for ext in '~' '%' .bak .dpkg-tmp .dpkg-new .dpkg-old .dpkg-dist; do
+ ##: rm -f /etc/${package_name}.conf$ext
+ ##: done
+
+ # remove the configuration file itself
+ ##: rm -f /etc/${package_name}.conf
+ rm -rf "$BASEDIR"
+
+ # and finally clear it out from the ucf database
+ ##: ucf --purge /etc/${package_name}.conf
+
+ # Remove symlinks from /etc/rc?.d
+ ##: update-rc.d ${package_name} remove >/dev/null
+
+ ##: if [ -e /usr/share/debconf/confmodule ]; then
+ ##: # Purge this package's data from the debconf database.
+ ##: . /usr/share/debconf/confmodule
+ ##: db_purge
+ ##: fi
+
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ ##: for flavour in emacs20 emacs21; do
+ ##: STARTDIR=/etc/$flavour/site-start.d;
+ ##: STARTFILE="${package_name}-init.el";
+ ##: if [ -e "$STARTDIR/20$STARTFILE" ]; then
+ ##: rm -f "$STARTDIR/20$STARTFILE"
+ ##: fi
+ ##: done
+
+ ;;
+ disappear)
+ if test "$2" != overwriter; then
+ echo "$0: undocumented call to \`postrm $*'" 1>&2
+ exit 0
+ fi
+ # This package has been completely overwritten by package $3
+ # (version $4). All our files are already gone from the system.
+ # This is a special case: neither "prerm remove" nor "postrm remove"
+ # have been called, because dpkg didn't know that this package would
+ # disappear until this stage.
+ :
+
+ ;;
+ upgrade)
+ # About to upgrade FROM THIS VERSION to version $2 of this package.
+ # "prerm upgrade" has been called for this version, and "preinst
+ # upgrade" has been called for the new version. Last chance to
+ # clean up.
+ :
+
+ ;;
+ failed-upgrade)
+ # About to upgrade from version $2 of this package TO THIS VERSION.
+ # "prerm upgrade" has been called for the old version, and "preinst
+ # upgrade" has been called for this version. This is only used if
+ # the previous version's "postrm upgrade" couldn't handle it and
+ # returned non-zero. (Fix old postrm bugs here.)
+ :
+
+ ;;
+ abort-install)
+ # Back out of an attempt to install this package. Undo the effects of
+ # "preinst install...". There are two sub-cases.
+ :
+
+ if test "${2+set}" = set; then
+ # When the install was attempted, version $2's configuration
+ # files were still on the system. Undo the effects of "preinst
+ # install $2".
+ :
+
+ else
+ # We were being installed from scratch. Undo the effects of
+ # "preinst install".
+ :
+
+ fi ;;
+ abort-upgrade)
+ # Back out of an attempt to upgrade this package from version $2
+ # TO THIS VERSION. Undo the effects of "preinst upgrade $2".
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
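Review bot: `rm -rf "$BASEDIR"` in the `purge` case removes /etc/selinux/mls unconditionally, including any locally built modules in the module store under it, even when /etc/selinux/config still selects `SELINUXTYPE=mls`; a later boot with SELinux enforcing would then presumably have no policy to load. The purge should at least check the configured policy type and either skip the removal with a message or warn loudly before deleting. `print >&2` on the internal-error line is not a POSIX sh builtin and would itself fail under `set -e`; use `echo "Internal Error. Please report a bug." 1>&2`. The comment line `# * \`disappear' overwrit>r>` is garbled and should read `# * \`disappear' overwriter`.
```shell
  purge)
    # Never delete the policy that /etc/selinux/config still points at;
    # the admin must switch SELINUXTYPE first, otherwise the next boot
    # has no policy to load.
    if [ -r /etc/selinux/config ] && \
       grep -q "^SELINUXTYPE[[:space:]]*=[[:space:]]*$POLICYNAME[[:space:]]*$" /etc/selinux/config; then
        echo "$0: $POLICYNAME is still the active SELINUXTYPE in /etc/selinux/config; leaving $BASEDIR in place" 1>&2
    else
        rm -rf "$BASEDIR"
    fi
    # … unchanged: commented-out ucf/update-rc.d/debconf/emacs skeleton …
    ;;
```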
--- refpolicy-2.20110726.orig/debian/modules.conf.mls
+++ refpolicy-2.20110726/debian/modules.conf.mls
@@ -0,0 +1,2171 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = module
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+#
+amanda = module
+
+# Layer: admin
+# Module: amtu
+#
+# Abstract Machine Test Utility
+#
+amtu = off
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = off
+
+# Layer: admin
+# Module: apt
+#
+# APT advanced package tool.
+#
+apt = base
+
+# Layer: admin
+# Module: backup
+#
+# System backup scripts
+#
+backup = module
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: admin
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+#
+brctl = module
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+#
+certwatch = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = off
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = off
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = base
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = module
+
+# Layer: admin
+# Module: dpkg
+#
+# Policy for the Debian package manager.
+#
+dpkg = base
+
+# Layer: admin
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+#
+firstboot = off
+
+# Layer: admin
+# Module: kismet
+#
+# Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
+#
+kismet = module
+
+# Layer: admin
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+#
+kudzu = off
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = base
+
+# Layer: admin
+# Module: logwatch
+#
+# System log analyzer and reporter
+#
+logwatch = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+#
+mrtg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: portage
+#
+# Portage Package Management System. The primary package management and
+# distribution system for Gentoo.
+#
+portage = off
+
+# Layer: admin
+# Module: prelink
+#
+# Prelink ELF shared library mappings.
+#
+prelink = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: admin
+# Module: shorewall
+#
+# Shoreline Firewall high-level tool for configuring netfilter
+#
+shorewall = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: sxid
+#
+# SUID/SGID program monitoring
+#
+sxid = module
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = base
+
+# Layer: admin
+# Module: tripwire
+#
+# Tripwire file integrity checker.
+#
+tripwire = module
+
+# Layer: admin
+# Module: tzdata
+#
+# Time zone updater
+#
+tzdata = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = off
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = base
+
+# Layer: admin
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+#
+vbetool = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: apps
+# Module: ada
+#
+# GNAT Ada95 compiler
+#
+ada = module
+
+# Layer: apps
+# Module: authbind
+#
+# Tool for non-root processes to bind to reserved ports
+#
+authbind = module
+
+# Layer: apps
+# Module: awstats
+#
+# AWStats is a free powerful and featureful tool that generates advanced
+# web, streaming, ftp or mail server statistics, graphically.
+#
+awstats = module
+
+# Layer: apps
+# Module: calamaris
+#
+# Squid log analysis
+#
+calamaris = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+#
+cdrecord = module
+
+# Layer: apps
+# Module: cpufreqselector
+#
+# Command-line CPU frequency settings.
+#
+cpufreqselector = module
+
+# Layer: apps
+# Module: evolution
+#
+# Evolution email client
+#
+evolution = module
+
+# Layer: apps
+# Module: games
+#
+# Games
+#
+games = module
+
+# Layer: apps
+# Module: gift
+#
+# giFT peer to peer file sharing tool
+#
+gift = module
+
+# Layer: apps
+# Module: gitosis
+#
+# Tools for managing and hosting git repositories.
+#
+gitosis = module
+
+# Layer: apps
+# Module: gnome
+#
+# GNU network object model environment (GNOME)
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+#
+irc = module
+
+# Layer: apps
+# Module: java
+#
+# Java virtual machine
+#
+java = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+#
+lockdev = module
+
+# Layer: apps
+# Module: mono
+#
+# Run .NET server and client applications on Linux.
+#
+mono = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Mplayer media player and encoder
+#
+mplayer = module
+
+# Layer: apps
+# Module: podsleuth
+#
+# Podsleuth is a tool to get information about an Apple (TM) iPod (TM)
+#
+podsleuth = module
+
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+#
+ptchown = module
+
+# Layer: apps
+# Module: pulseaudio
+#
+# Pulseaudio network sound server.
+#
+pulseaudio = module
+
+# Layer: apps
+# Module: qemu
+#
+# QEMU machine emulator and virtualizer
+#
+qemu = module
+
+# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+#
+rssh = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: apps
+# Module: thunderbird
+#
+# Thunderbird email client
+#
+thunderbird = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: apps
+# Module: userhelper
+#
+# SELinux utility to run a shell with a new role
+#
+userhelper = module
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# Wine Is Not an Emulator. Run Windows programs in Linux.
+#
+wine = module
+
+# Layer: apps
+# Module: wireshark
+#
+# Wireshark packet capture tool.
+#
+wireshark = module
+
+# Layer: apps
+# Module: wm
+#
+# X Window Managers
+#
+wm = module
+
+# Layer: apps
+# Module: xscreensaver
+#
+# X Screensaver
+#
+xscreensaver = module
+
+# Layer: apps
+# Module: yam
+#
+# Yum/Apt Mirroring
+#
+yam = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = base
+
+# Layer: roles
+# Module: guest
+#
+# Least privledge terminal user role
+#
+guest = module
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = module
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = base
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = base
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = base
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = base
+
+# Layer: roles
+# Module: webadm
+#
+# Web administrator role
+#
+webadm = module
+
+# Layer: roles
+# Module: xguest
+#
+# Least privledge xwindows user role
+#
+xguest = module
+
+# Layer: services
+# Module: abrt
+#
+# ABRT - automated bug-reporting tool
+#
+abrt = off
+
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: services
+# Module: aide
+#
+# Aide filesystem integrity checker
+#
+aide = module
+
+# Layer: services
+# Module: amavis
+#
+# Daemon that interfaces mail transfer agents and content
+# checkers, such as virus scanners.
+#
+amavis = off
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Layer: services
+# Module: apcupsd
+#
+# APC UPS monitoring daemon
+#
+apcupsd = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+#
+apm = module
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = module
+
+# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+#
+avahi = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+#
+bind = module
+
+# Layer: services
+# Module: bitlbee
+#
+# Bitlbee service
+#
+bitlbee = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# Cluster Configuration System
+#
+ccs = module
+
+# Layer: services
+# Module: certmaster
+#
+# Certmaster SSL certificate distribution service
+#
+certmaster = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+#
+cipe = module
+
+# Layer: services
+# Module: clamav
+#
+# ClamAV Virus Scanner
+#
+clamav = module
+
+# Layer: services
+# Module: clockspeed
+#
+# Clockspeed simple network time protocol client
+#
+clockspeed = module
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = module
+
+# Layer: services
+# Module: consolekit
+#
+# Framework for facilitating multiple user sessions on desktops.
+#
+consolekit = module
+
+# Layer: services
+# Module: courier
+#
+# Courier IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = base
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+#
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = module
+
+# Layer: services
+# Module: cyphesis
+#
+# Cyphesis WorldForge game server
+#
+cyphesis = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+#
+cyrus = module
+
+# Layer: services
+# Module: dante
+#
+# Dante msproxy and socks4/5 proxy server
+#
+dante = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Layer: services
+# Module: dcc
+#
+# Distributed checksum clearinghouse spam filtering
+#
+dcc = module
+
+# Layer: services
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+#
+ddclient = module
+
+# Layer: services
+# Module: devicekit
+#
+# Devicekit modular hardware abstraction layer
+#
+devicekit = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+#
+dictd = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = module
+
+# Layer: services
+# Module: djbdns
+#
+# small and secure DNS daemon
+#
+djbdns = module
+
+# Layer: services
+# Module: dkim
+#
+# DomainKeys Identified Mail milter.
+#
+dkim = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# dnsmasq DNS forwarder and DHCP server
+#
+dnsmasq = module
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+#
+dovecot = module
+
+# Layer: services
+# Module: epmd
+#
+# Erlang Port Mapper Daemon (epmd).
+#
+epmd = module
+
+# Layer: services
+# Module: exim
+#
+# Exim mail transfer agent
+#
+exim = module
+
+# Layer: services
+# Module: fail2ban
+#
+# Update firewall filtering to ban IP addresses with too many password failures.
+#
+fail2ban = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = module
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+#
+finger = module
+
+# Layer: services
+# Module: fprintd
+#
+# DBus fingerprint reader service
+#
+fprintd = module
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+#
+ftp = module
+
+# Layer: services
+# Module: gatekeeper
+#
+# OpenH.323 Voice-Over-IP Gatekeeper
+#
+gatekeeper = module
+
+# Layer: services
+# Module: git
+#
+# GIT revision control system
+#
+git = module
+
+# Layer: services
+# Module: gnomeclock
+#
+# Gnome clock handler for setting the time.
+#
+gnomeclock = module
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+#
+gpm = module
+
+# Layer: services
+# Module: gpsd
+#
+# gpsd monitor daemon
+#
+gpsd = module
+
+# Layer: services
+# Module: hal
+#
+# Hardware abstraction layer
+#
+hal = base
+
+# Layer: services
+# Module: hddtemp
+#
+# hddtemp hard disk temperature tool running as a daemon
+#
+hddtemp = module
+
+# Layer: services
+# Module: howl
+#
+# Port of Apple Rendezvous multicast DNS
+#
+howl = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = module
+
+# Layer: services
+# Module: ifplugd
+#
+# Bring up/down ethernet interfaces based on cable detection.
+#
+ifplugd = module
+
+# Layer: services
+# Module: imaze
+#
+# iMaze game server
+#
+imaze = module
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = base
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+#
+inn = module
+
+# Layer: services
+# Module: ircd
+#
+# IRC server
+#
+ircd = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = module
+
+# Layer: services
+# Module: jabber
+#
+# Jabber instant messaging server
+#
+jabber = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Layer: services
+# Module: kerneloops
+#
+# Service for reporting kernel oopses to kerneloops.org
+#
+kerneloops = module
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+#
+ktalk = module
+
+# Layer: services
+# Module: lda
+#
+# mail delivery agent
+#
+lda = module
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: services
+# Module: lircd
+#
+# Linux infared remote control daemon
+#
+lircd = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+#
+mailman = module
+
+# Layer: services
+# Module: memcached
+#
+# high-performance memory object caching system
+#
+memcached = module
+
+# Layer: services
+# Module: milter
+#
+# Milter mail filters
+#
+milter = module
+
+# Layer: services
+# Module: modemmanager
+#
+# Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.
+#
+modemmanager = module
+
+# Layer: services
+# Module: monop
+#
+# Monopoly daemon
+#
+monop = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = base
+
+# Layer: services
+# Module: munin
+#
+# Munin network-wide load graphing (formerly LRRD)
+#
+munin = module
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = module
+
+# Layer: services
+# Module: nagios
+#
+# Net Saint / NAGIOS - network monitoring server
+#
+nagios = module
+
+# Layer: services
+# Module: nessus
+#
+# Nessus network scanning daemon
+#
+nessus = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = module
+
+# Layer: services
+# Module: nsd
+#
+# Authoritative only name server
+#
+nsd = module
+
+# Layer: services
+# Module: nslcd
+#
+# nslcd - local LDAP name service daemon.
+#
+nslcd = module
+
+# Layer: services
+# Module: ntop
+#
+# Network Top
+#
+ntop = module
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: services
+# Module: nx
+#
+# NX remote desktop
+#
+# nx = module
+
+# Layer: services
+# Module: oav
+#
+# Open AntiVirus scannerdaemon and signature update
+#
+oav = module
+
+# Layer: services
+# Module: oddjob
+#
+# Oddjob provides a mechanism by which unprivileged applications can
+# request that specified privileged operations be performed on their
+# behalf.
+#
+oddjob = module
+
+# Layer: services
+# Module: oident
+#
+# SELinux policy for Oident daemon.
+#
+oident = module
+
+# Layer: services
+# Module: openca
+#
+# OpenCA - Open Certificate Authority
+#
+openca = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = module
+
+# Layer: services
+# Module: openvpn
+#
+# full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: services
+# Module: pads
+#
+# Passive Asset Detection System
+#
+pads = module
+
+# Layer: services
+# Module: pcscd
+#
+# PCSC smart card service
+#
+pcscd = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = module
+
+# Layer: services
+# Module: perdition
+#
+# Perdition POP and IMAP proxy
+#
+perdition = module
+
+# Layer: services
+# Module: pingd
+#
+# Pingd of the Whatsup cluster node up/down detection utility
+#
+pingd = module
+
+# Layer: services
+# Module: policykit
+#
+# Policy framework for controlling privileges for system-wide services.
+#
+policykit = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: portreserve
+#
+# Reserve well-known ports in the RPC port range.
+#
+portreserve = module
+
+# Layer: services
+# Module: portslave
+#
+# Portslave terminal server software
+#
+portslave = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+# Layer: services
+# Module: postfixpolicyd
+#
+# Postfix policy server
+#
+postfixpolicyd = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: postgrey
+#
+# Postfix grey-listing server
+#
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: services
+# Module: prelude
+#
+# Prelude hybrid intrusion detection system
+#
+prelude = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: psad
+#
+# Intrusion Detection and Log Analysis with iptables
+#
+psad = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: services
+# Module: puppet
+#
+# Puppet client daemon
+#
+puppet = module
+
+# Layer: services
+# Module: pxe
+#
+# Server for the PXE network boot protocol
+#
+pxe = module
+
+# Layer: services
+# Module: pyzor
+#
+# Pyzor is a distributed, collaborative spam detection and filtering network.
+#
+pyzor = module
+
+# Layer: services
+# Module: qmail
+#
+# Qmail Mail Server
+#
+qmail = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+razor = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: services
+# Module: resmgr
+#
+# Resource management daemon
+#
+resmgr = module
+
+# Layer: services
+# Module: rhgb
+#
+# Red Hat Graphical Boot
+#
+rhgb = module
+
+# Layer: services
+# Module: ricci
+#
+# Ricci cluster management agent
+#
+ricci = module
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = module
+
+# Layer: services
+# Module: rpcbind
+#
+# Universal Addresses to RPC Program Number Mapper
+#
+rpcbind = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: services
+# Module: rtkit
+#
+# Realtime scheduling for user processes.
+#
+rtkit = module
+
+# Layer: services
+# Module: rwho
+#
+# Who is logged in on other machines?
+#
+rwho = module
+
+# Layer: services
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# SELinux troubleshooting service
+#
+setroubleshoot = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = module
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: speedtouch
+#
+# Alcatel speedtouch USB ADSL modem
+#
+speedtouch = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: tgtd
+#
+# Linux Target Framework Daemon.
+#
+tgtd = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: services
+# Module: transproxy
+#
+# HTTP transperant proxy
+#
+transproxy = module
+
+# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
+# Module: ucspitcp
+#
+# ucspitcp policy
+#
+ucspitcp = module
+
+# Layer: services
+# Module: ulogd
+#
+# Iptables/netfilter userspace logging daemon.
+#
+ulogd = module
+
+# Layer: services
+# Module: uptime
+#
+# Uptime daemon
+#
+uptime = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: uwimap
+#
+# University of Washington IMAP toolkit POP3 and IMAP mail server
+#
+uwimap = module
+
+# Layer: services
+# Module: varnishd
+#
+# Varnishd http accelerator daemon
+#
+varnishd = module
+
+# Layer: services
+# Module: virt
+#
+# Libvirt virtualization API
+#
+virt = module
+
+# Layer: services
+# Module: w3c
+#
+# W3C Markup Validator
+#
+w3c = module
+
+# Layer: services
+# Module: watchdog
+#
+# Software watchdog
+#
+watchdog = module
+
+# Layer: services
+# Module: xfs
+#
+# X Windows Font Server
+#
+xfs = module
+
+# Layer: services
+# Module: xprint
+#
+# X print server
+#
+xprint = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: services
+# Module: zabbix
+#
+# Distributed infrastructure monitoring
+#
+zabbix = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: services
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = base
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = base
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = base
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = base
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = base
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iodine
+#
+# IP over DNS tunneling
+#
+iodine = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = base
+
+# Layer: system
+# Module: iscsi
+#
+# Establish connections to iSCSI devices
+#
+iscsi = module
+
+# Layer: system
+# Module: kdump
+#
+# Kernel crash dumping mechanism
+#
+kdump = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = base
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = base
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = base
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: system
+# Module: pythonsupport
+#
+# Support for precompiling python modules
+#
+pythonsupport = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = base
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: xen
+#
+# Xen hypervisor
+#
+xen = module
+
--- refpolicy-2.20110726.orig/debian/NEWS
+++ refpolicy-2.20110726/debian/NEWS
@@ -0,0 +1,27 @@
+refpolicy (2:0.2.20100524-6) unstable; urgency=low
+
+ http://etbe.coker.com.au/2010/04/21/upgrading-se-linux-system-squeez/
+
+ * I've documented the process of upgrading a SE Linux system to Lenny at
+ the above URL. But I'll summarise it here.
+
+ deb http://www.coker.com.au lenny selinux
+
+ * To run a Squeeze kernel with Lenny policy you need to use the latest Lenny
+ SE Linux policy from the above APT repository, install that and run
+ "selinux-policy-upgrade" to apply it before booting the Lenny kernel.
+
+ * If you run a Lenny kernel with Squeeze policy then you will get a large
+ number of annoying kernel messages due to a minor kernel bug. The
+ command “dmesg -n 1” will prevent such messages from going to the system
+ console, this is necessary for a usable console login.
+
+ * To upgrade a system to the Squeeze policy you should run the following
+ commands. They must be run in single-user mode if SE Linux is a critical
+ part of the system's security model but may be run from multi-user mode
+ if your use of SE Linux is just to catch any attacks that get past Unix
+ security.
+
+ setenforce 0 ; selinux-policy-upgrade ; touch /.autorelabel ; reboot
+
+ -- Russell Coker Thu, 13 Jan 2011 11:38:32 +1100
--- refpolicy-2.20110726.orig/debian/control
+++ refpolicy-2.20110726/debian/control
@@ -0,0 +1,128 @@
+Source: refpolicy
+VCS-Git: git://git.debian.org/git/users/srivasta/debian/refpolicy.git
+VCS-Browser: http://git.debian.org/?p=users/srivasta/debian/refpolicy.git;a=summary
+Priority: optional
+Section: admin
+Homepage: http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Russell Coker
+Uploaders: Erich Schubert , Manoj Srivastava
+Standards-Version: 3.8.3.0
+Build-Depends-Indep: policycoreutils (>= 2.1.0), checkpolicy (>= 2.1.0),
+ python, m4, bzip2, gawk, libsepol1 (>=2.1.0)
+
+Package: selinux-policy-default
+Architecture: all
+Depends: policycoreutils (>= 2.1.0), libpam-modules (>= 0.77-0.se5),
+ python, libselinux1 (>= 2.0.35), libsepol1 (>=2.1.0)
+Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1),
+ procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1),
+ selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted
+Recommends: checkpolicy, setools
+Suggests: logcheck, syslog-summary
+Description: Strict and Targeted variants of the SELinux policy
+ This is the reference policy for SE Linux. In the default configuration it
+ will provide the functionality previously known as the "targeted" policy. If
+ the module "unconfined" is removed then it provides the functionality
+ previously known as the "strict" policy.
+ .
+ This uses the MMCS system of categories.
+
+Package: selinux-policy-mls
+Architecture: all
+Priority: extra
+Depends: policycoreutils (>= 2.1.0), libpam-modules (>= 0.77-0.se5),
+ python, libselinux1 (>= 2.0.35), libsepol1 (>=2.1.0)
+Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1),
+ procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1),
+ selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted
+Recommends: checkpolicy, setools
+Suggests: logcheck, syslog-summary
+Description: MLS (Multi Level Security) variant of the SELinux policy
+ This is the reference policy for SE Linux built with MLS support. It allows
+ giving data labels such as "Top Secret" and preventing such data from leaking
+ to processes or files with lower classification.
+ .
+ It was developed for Common Criteria LSPP certification for RHEL. It will
+ probably never be well supported in Debian and is only recommended for
+ students who want to learn about the security features used by the military.
+
+Package: selinux-policy-src
+Architecture: all
+Depends: python, policycoreutils (>= 2.1.0), checkpolicy (>= 2.1.0), gawk
+Conflicts: selinux-policy-refpolicy-targeted, selinux-policy-refpolicy-src
+Recommends: setools
+Suggests: logcheck, syslog-summary
+Description: Source of the SELinux reference policy for customization
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ .
+ This is the source of the policy, provided so that local variations of
+ SELinux policy may be created.
+
+Package: selinux-policy-dev
+Architecture: all
+Depends: python, policycoreutils (>= 2.1.0), checkpolicy (>= 2.1.0), gawk, make, m4
+Recommends: setools
+Conflicts: selinux-policy-refpolicy-dev
+Description: Headers from the SELinux reference policy for building modules
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ .
+ This package provides header files for building your own SELinux
+ policy packages compatible with official policy packages.
+
+Package: selinux-policy-doc
+Architecture: all
+Section: doc
+Recommends: make, gcc
+Conflicts: selinux-policy-refpolicy-doc
+Description: Documentation for the SELinux reference policy
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ .
+ This package contains the documentation for the reference policy.
+
+
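Review bot: The package descriptions carry two wording defects that will show up verbatim in `apt show`: "This uses the MMCS system of categories." (selinux-policy-default) presumably means MCS, the category scheme the rest of this patch configures, and "be and used as the basis for creating other policies" appears in three descriptions with the words transposed. Suggested lines: `This uses the MCS system of categories.` and `this policy as the system policy, and be used as the basis for`. Confirm the intended acronym before changing it; everything else in the hunk is packaging metadata.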
--- refpolicy-2.20110726.orig/debian/file_contexts.subs_dist
+++ refpolicy-2.20110726/debian/file_contexts.subs_dist
@@ -0,0 +1,5 @@
+/run /var/run
+/run/lock /var/lock
+/var/run/lock /var/lock
+/run/shm /dev/shm
+/var/run/shm /dev/shm
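Review bot: The first entry `/run /var/run` is a prefix of `/run/lock` and `/run/shm`, so whether `/run/lock/x` is labeled as `/var/lock/x` (intended) or `/var/run/lock/x` depends on which matching substitution libselinux applies first; as far as I can tell substitutions are applied once, not chained, so the third line does not rescue a wrong first match. The outcome is silent mislabeling of lock and shm paths, which is hard to spot until a denial appears. Worth a comment at the top of the file stating the precedence this relies on, e.g. `# longest-prefix entries must win over /run -> /var/run; verify with matchpathcon /run/lock/x`, and a one-off check of `matchpathcon /run/lock/x` and `/run/shm/x` after install.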
--- refpolicy-2.20110726.orig/debian/default.postrm
+++ refpolicy-2.20110726/debian/default.postrm
@@ -0,0 +1,176 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# postrm ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 12:22:20 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 21:01:06 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 11
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: bea9fd02-e287-4245-8009-9023c3333ff3
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+
+# Abort if any command returns an error value
+set -e
+
+NAME=default
+package_name=selinux-policy-$NAME
+POLICYNAME=$NAME
+BASEDIR=/etc/selinux/$POLICYNAME
+
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+# This script is called twice during the removal of the package; once
+# after the removal of the package's files from the system, and as
+# the final step in the removal of this package, after the package's
+# conffiles have been removed.
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+case "$1" in
+ remove)
+ # This package is being removed, but its configuration has not yet
+ # been purged.
+ :
+
+ # Remove diversion
+ ##: dpkg-divert --package ${package_name} --remove --rename \
+ ##: --divert /usr/bin/other.real /usr/bin/other
+
+ # ldconfig is NOT needed during removal of a library, only during
+ # installation
+
+ ;;
+ purge)
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ :
+
+ # we mimic dpkg as closely as possible, so we remove configuration
+ # files with dpkg backup extensions too:
+ ### Some of the following is from Tore Anderson:
+ ##: for ext in '~' '%' .bak .dpkg-tmp .dpkg-new .dpkg-old .dpkg-dist; do
+ ##: rm -f /etc/${package_name}.conf$ext
+ ##: done
+
+ # remove the configuration file itself
+ ##: rm -f /etc/${package_name}.conf
+ rm -rf "$BASEDIR"
+
+ # and finally clear it out from the ucf database
+ ##: ucf --purge /etc/${package_name}.conf
+
+ # Remove symlinks from /etc/rc?.d
+ ##: update-rc.d ${package_name} remove >/dev/null
+
+ ##: if [ -e /usr/share/debconf/confmodule ]; then
+ ##: # Purge this package's data from the debconf database.
+ ##: . /usr/share/debconf/confmodule
+ ##: db_purge
+ ##: fi
+
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ ##: for flavour in emacs20 emacs21; do
+ ##: STARTDIR=/etc/$flavour/site-start.d;
+ ##: STARTFILE="${package_name}-init.el";
+ ##: if [ -e "$STARTDIR/20$STARTFILE" ]; then
+ ##: rm -f "$STARTDIR/20$STARTFILE"
+ ##: fi
+ ##: done
+
+ ;;
+ disappear)
+ if test "$2" != overwriter; then
+ echo "$0: undocumented call to \`postrm $*'" 1>&2
+ exit 0
+ fi
+ # This package has been completely overwritten by package $3
+ # (version $4). All our files are already gone from the system.
+ # This is a special case: neither "prerm remove" nor "postrm remove"
+ # have been called, because dpkg didn't know that this package would
+ # disappear until this stage.
+ :
+
+ ;;
+ upgrade)
+ # About to upgrade FROM THIS VERSION to version $2 of this package.
+ # "prerm upgrade" has been called for this version, and "preinst
+ # upgrade" has been called for the new version. Last chance to
+ # clean up.
+ :
+
+ ;;
+ failed-upgrade)
+ # About to upgrade from version $2 of this package TO THIS VERSION.
+ # "prerm upgrade" has been called for the old version, and "preinst
+ # upgrade" has been called for this version. This is only used if
+ # the previous version's "postrm upgrade" couldn't handle it and
+ # returned non-zero. (Fix old postrm bugs here.)
+ :
+
+ ;;
+ abort-install)
+ # Back out of an attempt to install this package. Undo the effects of
+ # "preinst install...". There are two sub-cases.
+ :
+
+ if test "${2+set}" = set; then
+ # When the install was attempted, version $2's configuration
+ # files were still on the system. Undo the effects of "preinst
+ # install $2".
+ :
+
+ else
+ # We were being installed from scratch. Undo the effects of
+ # "preinst install".
+ :
+
+ fi ;;
+ abort-upgrade)
+ # Back out of an attempt to upgrade this package from version $2
+ # TO THIS VERSION. Undo the effects of "preinst upgrade $2".
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
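Review bot: `print >&2 "Internal Error. Please report a bug."` in the package_name guard is not a POSIX sh command; if that branch were ever taken, `set -e` would abort the script on "print: not found" with exit 127 and the message would never be shown. Use `echo "Internal Error. Please report a bug." >&2` (or `printf`). The guard is in practice unreachable because `package_name` is built from the literal `NAME=default` two lines above, so it could equally be dropped. The `purge` branch's `rm -rf "$BASEDIR"` also deletes any locally built modules or edited configuration under /etc/selinux/default, which is expected for purge but deserves a comment on that line so a future maintainer does not move it into `remove`.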
--- refpolicy-2.20110726.orig/debian/example.if
+++ refpolicy-2.20110726/debian/example.if
@@ -0,0 +1,57 @@
+## Myapp example policy
+##
+##
+## More descriptive text about myapp. The
+## tag can also use ,
, and
+## html tags for formatting.
+##
+##
+## This policy supports the following myapp features:
+##
+## - Feature A
+## - Feature B
+## - Feature C
+##
+##
+##
+#
+
+########################################
+##
+## Execute a domain transition to run myapp.
+##
+##
+## Domain allowed to transition.
+##
+#
+interface(`myapp_domtrans',`
+ gen_require(`
+ type myapp_t, myapp_exec_t;
+ ')
+
+ domain_auto_trans($1,myapp_exec_t,myapp_t)
+
+ allow $1 myapp_t:fd use;
+ allow myapp_t $1:fd use;
+ allow $1 myapp_t:fifo_file rw_file_perms;
+ allow $1 myapp_t:process sigchld;
+')
+
+########################################
+##
+## Read myapp log files.
+##
+##
+## Domain allowed to read the log files.
+##
+#
+interface(`myapp_read_log',`
+ gen_require(`
+ type myapp_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 myapp_log_t:file r_file_perms;
+')
+
+# arch-tag: e3624959-d1f4-4546-850b-4a1f22f7018d
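Review bot: `myapp_domtrans` hand-writes the `fd use`, `fifo_file` and `sigchld` rules around `domain_auto_trans`, which is what refpolicy's `domtrans_pattern($1, myapp_exec_t, myapp_t)` already expresses in one line; since this file is shipped as the template new module authors copy, it should show the pattern macro rather than the expanded form. The interface comment blocks also appear to have lost their XML markup (`<summary>`, `<param name="domain">`), which refpolicy's documentation generator needs to pick the interfaces up; confirm whether the source file has them or whether they were stripped in this rendering. Suggested replacement for the five rule lines: `domtrans_pattern($1, myapp_exec_t, myapp_t)`.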
--- refpolicy-2.20110726.orig/debian/policygentool.1
+++ refpolicy-2.20110726/debian/policygentool.1
@@ -0,0 +1,100 @@
+.\" -*- Mode: Nroff -*-
+.\" policygentool.1 ---
+.\" Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+.\" Created On : Mon Feb 26 20:57:11 2007
+.\" Created On Node : glaurung.internal.golden-gryphon.com
+.\" Last Modified By : Manoj Srivastava
+.\" Last Modified On : Mon Feb 26 23:18:43 2007
+.\" Last Machine Used: glaurung.internal.golden-gryphon.com
+.\" Update Count : 12
+.\" Status : Unknown, Use with caution!
+.\" HISTORY :
+.\" Description :
+.\"
+.\" Copyright (c) 20077 Manoj Srivastava
+.\"
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, write to the Free
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
+.\" USA.
+.\"
+.\" arch-tag: 8236ff3b-4ae2-4591-afa3-298e441e927c
+.\"
+.TH POLICYGENTOOL 1 "Feb 27 2007" "Debian" "Debian GNU/Linux manual"
+.SH NAME
+policygentool \- Interactive SELinux policy generation tool
+.SH SYNOPSIS
+.B policygentool
+.I [options]
+.I
+.I
+.SH DESCRIPTION
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if). Most of the policy rules
+will be written in the te file. Use the File Context file to associate file
+paths with security context. Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+.PP
+The tool prompts for locations of
+.I pidfiles,
+any
+.I logfiles,
+files in
+.I /var/lib,
+and any
+.I init scripts,
+and whether any network access is desirable for the application. The
+tool then generates the appropriate policy rules for the module.
+After these files have been generated, the make files for the
+appropriate SELinux policy, namely,
+.I /usr/share/selinux/refpolicy-targeted/include/Makefile
+or
+.I /usr/share/selinux/refpolicy-strict/include/Makefile
+can be used to compile the SELinux policy policy package. The
+resulting policy package can be loaded using
+.B semodule.
+.PP
+ # /usr/bin/policygentool myapp /usr/bin/myapp
+ # cat >Makefile
+ > HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include
+ > include $(HEADERDIR)/Makefile
+ > ^D
+ # make
+ # semodule -l myapp.pp
+ # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+ # setenforce 0
+ # /etc/init.d/myapp start
+ # audit2allow -R -i /var/log/audit/audit.log
+.SH OPTIONS
+.TP
+.B "-h, --help"
+Print a short usage message.
+.SH FILES
+.PP
+.I myapp.te,
+.I myapp.if,
+.I myapp.fc.
+.SH "SEE ALSO"
+semodule(8),
+check_policy(8),
+load_policy(8).
+.SH BUGS
+None known.
+.SH AUTHOR
+This manual page was written by Manoj Srivastava ,
+for the Debian GNU/Linux system.
--- refpolicy-2.20110726.orig/debian/ChangeLog
+++ refpolicy-2.20110726/debian/ChangeLog
@@ -0,0 +1,42 @@
+2008-03-20 Manoj Srivastava
+
+ * postinst.policy:
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-13
+ refpolicy includes an Exim policy, but doesn't install
+ it on a fresh refpolicy installation, because the module
+ package is exim.pp, while Debian calls its exim package
+ 'exim4'. Thanks to Devin Carraway for the heavy
+ lifting.
+
+2007-05-07 Manoj Srivastava
+
+ * modules.conf.targeted (ricci):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Added module.
+
+ * modules.conf.strict (ricci):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Added module.
+
+ * postinst.policy (installed_modules):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Only add modules to the load order that have already
+ been shipped when considering dependencies for
+ modules. If the module is not shipped, chances are that
+ it was moved into the base policy.
+
+ * local-vars.mk (NON_MODULES):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Added a list of modules that are really built into the
+ base policy in Debian. We then use this list to remove
+ the modules .pp files from the policy shipped, since
+ they can not be installed along with the base policy
+ anyway.
+
+ * local.mk (install/selinux-policy-refpolicy-strict):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Remove the mosules that are built into the base already.
+ (install/selinux-policy-refpolicy-targeted):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Ditto.
+
--- refpolicy-2.20110726.orig/debian/build.conf.default
+++ refpolicy-2.20110726/debian/build.conf.default
@@ -0,0 +1,73 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version. This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 21
+
+# Policy Type
+# standard, mls, mcs
+TYPE = mcs
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = default
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+DISTRO = debian
+
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy. The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+UNK_PERMS = deny
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC = y
+
+# Build monolithic policy. Putting n here
+# will build a loadable module policy.
+MONOLITHIC = n
+
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = n
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS = 16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS = 1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS = 1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET = n
+
+# arch-tag: ec64afa6-f6f8-4b08-b002-6025ada3a269
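Review bot: The comment above `MCS_CATS = 1024` at the end of the hunk still reads `c0 to c(MLS_CATS-1)`, copied from the MLS block; it should read `# The categories will be c0 to c(MCS_CATS-1).`. `UBAC = n` turns off the user-based separation constraints for every policy built from these defaults, which is a deliberate but security-relevant choice that the file does not explain; a one-line comment next to it recording why the Debian build ships with UBAC disabled would help anyone who later considers re-enabling it. `UNK_PERMS = deny` and `DIRECT_INITRC = y` are choices with similar impact (the latter lets sysadm bypass run_init, as its own comment says), so keeping these comments accurate matters for the same reason.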
--- refpolicy-2.20110726.orig/debian/watch
+++ refpolicy-2.20110726/debian/watch
@@ -0,0 +1,8 @@
+# format version number, currently 2; this line is compulsory!
+version=3
+
+opts="uversionmangle=s/^2./0.2./" \
+http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease \
+ /files/refpolicy/refpolicy-(.*)\.tar\.bz2
+
+# arch-tag: cf70b245-38bc-49ea-a6a4-ac970978aea4
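Review bot: The first line says `format version number, currently 2` while the line below it sets `version=3`; the comment should read `# format version number, currently 3; this line is compulsory!`. The download URL is plain `http://`, so the tarball uscan fetches is not integrity-protected in transit; if the upstream site offers https or publishes detached signatures, switching the scheme and adding a `pgpsigurlmangle` option would let uscan verify what it downloads rather than trusting the network path. The `uversionmangle=s/^2./0.2./` rule uses an unescaped `.` on the match side, which matches any character; `s/^2\./0.2./` is the literal-dot form, though for these version strings the result is the same.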
--- refpolicy-2.20110726.orig/debian/modules.conf.default
+++ refpolicy-2.20110726/debian/modules.conf.default
@@ -0,0 +1,2171 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = module
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+#
+amanda = module
+
+# Layer: admin
+# Module: amtu
+#
+# Abstract Machine Test Utility
+#
+amtu = off
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = off
+
+# Layer: admin
+# Module: apt
+#
+# APT advanced package tool.
+#
+apt = base
+
+# Layer: admin
+# Module: backup
+#
+# System backup scripts
+#
+backup = module
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: admin
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+#
+brctl = module
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+#
+certwatch = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = off
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = off
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = base
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = module
+
+# Layer: admin
+# Module: dpkg
+#
+# Policy for the Debian package manager.
+#
+dpkg = base
+
+# Layer: admin
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+#
+firstboot = off
+
+# Layer: admin
+# Module: kismet
+#
+# Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
+#
+kismet = module
+
+# Layer: admin
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+#
+kudzu = off
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = base
+
+# Layer: admin
+# Module: logwatch
+#
+# System log analyzer and reporter
+#
+logwatch = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+#
+mrtg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: portage
+#
+# Portage Package Management System. The primary package management and
+# distribution system for Gentoo.
+#
+portage = off
+
+# Layer: admin
+# Module: prelink
+#
+# Prelink ELF shared library mappings.
+#
+prelink = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: admin
+# Module: shorewall
+#
+# Shoreline Firewall high-level tool for configuring netfilter
+#
+shorewall = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: sxid
+#
+# SUID/SGID program monitoring
+#
+sxid = module
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = base
+
+# Layer: admin
+# Module: tripwire
+#
+# Tripwire file integrity checker.
+#
+tripwire = module
+
+# Layer: admin
+# Module: tzdata
+#
+# Time zone updater
+#
+tzdata = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = off
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = base
+
+# Layer: admin
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+#
+vbetool = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: apps
+# Module: ada
+#
+# GNAT Ada95 compiler
+#
+ada = module
+
+# Layer: apps
+# Module: authbind
+#
+# Tool for non-root processes to bind to reserved ports
+#
+authbind = module
+
+# Layer: apps
+# Module: awstats
+#
+# AWStats is a free powerful and featureful tool that generates advanced
+# web, streaming, ftp or mail server statistics, graphically.
+#
+awstats = module
+
+# Layer: apps
+# Module: calamaris
+#
+# Squid log analysis
+#
+calamaris = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+#
+cdrecord = module
+
+# Layer: apps
+# Module: cpufreqselector
+#
+# Command-line CPU frequency settings.
+#
+cpufreqselector = module
+
+# Layer: apps
+# Module: evolution
+#
+# Evolution email client
+#
+evolution = module
+
+# Layer: apps
+# Module: games
+#
+# Games
+#
+games = module
+
+# Layer: apps
+# Module: gift
+#
+# giFT peer to peer file sharing tool
+#
+gift = module
+
+# Layer: apps
+# Module: gitosis
+#
+# Tools for managing and hosting git repositories.
+#
+gitosis = module
+
+# Layer: apps
+# Module: gnome
+#
+# GNU network object model environment (GNOME)
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+#
+irc = module
+
+# Layer: apps
+# Module: java
+#
+# Java virtual machine
+#
+java = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+#
+lockdev = module
+
+# Layer: apps
+# Module: mono
+#
+# Run .NET server and client applications on Linux.
+#
+mono = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Mplayer media player and encoder
+#
+mplayer = module
+
+# Layer: apps
+# Module: podsleuth
+#
+# Podsleuth is a tool to get information about an Apple (TM) iPod (TM)
+#
+podsleuth = module
+
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+#
+ptchown = module
+
+# Layer: apps
+# Module: pulseaudio
+#
+# Pulseaudio network sound server.
+#
+pulseaudio = module
+
+# Layer: apps
+# Module: qemu
+#
+# QEMU machine emulator and virtualizer
+#
+qemu = module
+
+# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+#
+rssh = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: apps
+# Module: thunderbird
+#
+# Thunderbird email client
+#
+thunderbird = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: apps
+# Module: userhelper
+#
+# SELinux utility to run a shell with a new role
+#
+userhelper = module
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# Wine Is Not an Emulator. Run Windows programs in Linux.
+#
+wine = module
+
+# Layer: apps
+# Module: wireshark
+#
+# Wireshark packet capture tool.
+#
+wireshark = module
+
+# Layer: apps
+# Module: wm
+#
+# X Window Managers
+#
+wm = module
+
+# Layer: apps
+# Module: xscreensaver
+#
+# X Screensaver
+#
+xscreensaver = module
+
+# Layer: apps
+# Module: yam
+#
+# Yum/Apt Mirroring
+#
+yam = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = module
+
+# Layer: roles
+# Module: guest
+#
+# Least privledge terminal user role
+#
+guest = module
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = module
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = off
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = base
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = base
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = base
+
+# Layer: roles
+# Module: webadm
+#
+# Web administrator role
+#
+webadm = module
+
+# Layer: roles
+# Module: xguest
+#
+# Least privledge xwindows user role
+#
+xguest = module
+
+# Layer: services
+# Module: abrt
+#
+# ABRT - automated bug-reporting tool
+#
+abrt = off
+
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: services
+# Module: aide
+#
+# Aide filesystem integrity checker
+#
+aide = module
+
+# Layer: services
+# Module: amavis
+#
+# Daemon that interfaces mail transfer agents and content
+# checkers, such as virus scanners.
+#
+amavis = off
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Layer: services
+# Module: apcupsd
+#
+# APC UPS monitoring daemon
+#
+apcupsd = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+#
+apm = module
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = module
+
+# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+#
+avahi = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+#
+bind = module
+
+# Layer: services
+# Module: bitlbee
+#
+# Bitlbee service
+#
+bitlbee = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# Cluster Configuration System
+#
+ccs = module
+
+# Layer: services
+# Module: certmaster
+#
+# Certmaster SSL certificate distribution service
+#
+certmaster = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+#
+cipe = module
+
+# Layer: services
+# Module: clamav
+#
+# ClamAV Virus Scanner
+#
+clamav = module
+
+# Layer: services
+# Module: clockspeed
+#
+# Clockspeed simple network time protocol client
+#
+clockspeed = module
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = module
+
+# Layer: services
+# Module: consolekit
+#
+# Framework for facilitating multiple user sessions on desktops.
+#
+consolekit = module
+
+# Layer: services
+# Module: courier
+#
+# Courier IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = base
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+#
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = module
+
+# Layer: services
+# Module: cyphesis
+#
+# Cyphesis WorldForge game server
+#
+cyphesis = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+#
+cyrus = module
+
+# Layer: services
+# Module: dante
+#
+# Dante msproxy and socks4/5 proxy server
+#
+dante = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Layer: services
+# Module: dcc
+#
+# Distributed checksum clearinghouse spam filtering
+#
+dcc = module
+
+# Layer: services
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+#
+ddclient = module
+
+# Layer: services
+# Module: devicekit
+#
+# Devicekit modular hardware abstraction layer
+#
+devicekit = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+#
+dictd = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = module
+
+# Layer: services
+# Module: djbdns
+#
+# small and secure DNS daemon
+#
+djbdns = module
+
+# Layer: services
+# Module: dkim
+#
+# DomainKeys Identified Mail milter.
+#
+dkim = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# dnsmasq DNS forwarder and DHCP server
+#
+dnsmasq = module
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+#
+dovecot = module
+
+# Layer: services
+# Module: epmd
+#
+# Erlang Port Mapper Daemon (epmd).
+#
+epmd = module
+
+# Layer: services
+# Module: exim
+#
+# Exim mail transfer agent
+#
+exim = module
+
+# Layer: services
+# Module: fail2ban
+#
+# Update firewall filtering to ban IP addresses with too many password failures.
+#
+fail2ban = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = module
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+#
+finger = module
+
+# Layer: services
+# Module: fprintd
+#
+# DBus fingerprint reader service
+#
+fprintd = module
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+#
+ftp = module
+
+# Layer: services
+# Module: gatekeeper
+#
+# OpenH.323 Voice-Over-IP Gatekeeper
+#
+gatekeeper = module
+
+# Layer: services
+# Module: git
+#
+# GIT revision control system
+#
+git = module
+
+# Layer: services
+# Module: gnomeclock
+#
+# Gnome clock handler for setting the time.
+#
+gnomeclock = module
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+#
+gpm = module
+
+# Layer: services
+# Module: gpsd
+#
+# gpsd monitor daemon
+#
+gpsd = module
+
+# Layer: services
+# Module: hal
+#
+# Hardware abstraction layer
+#
+hal = base
+
+# Layer: services
+# Module: hddtemp
+#
+# hddtemp hard disk temperature tool running as a daemon
+#
+hddtemp = module
+
+# Layer: services
+# Module: howl
+#
+# Port of Apple Rendezvous multicast DNS
+#
+howl = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = module
+
+# Layer: services
+# Module: ifplugd
+#
+# Bring up/down ethernet interfaces based on cable detection.
+#
+ifplugd = module
+
+# Layer: services
+# Module: imaze
+#
+# iMaze game server
+#
+imaze = module
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = base
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+#
+inn = module
+
+# Layer: services
+# Module: ircd
+#
+# IRC server
+#
+ircd = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = module
+
+# Layer: services
+# Module: jabber
+#
+# Jabber instant messaging server
+#
+jabber = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Layer: services
+# Module: kerneloops
+#
+# Service for reporting kernel oopses to kerneloops.org
+#
+kerneloops = module
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+#
+ktalk = module
+
+# Layer: services
+# Module: lda
+#
+# mail delivery agent
+#
+lda = module
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: services
+# Module: lircd
+#
+# Linux infared remote control daemon
+#
+lircd = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+#
+mailman = module
+
+# Layer: services
+# Module: memcached
+#
+# high-performance memory object caching system
+#
+memcached = module
+
+# Layer: services
+# Module: milter
+#
+# Milter mail filters
+#
+milter = module
+
+# Layer: services
+# Module: modemmanager
+#
+# Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.
+#
+modemmanager = module
+
+# Layer: services
+# Module: monop
+#
+# Monopoly daemon
+#
+monop = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = base
+
+# Layer: services
+# Module: munin
+#
+# Munin network-wide load graphing (formerly LRRD)
+#
+munin = module
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = module
+
+# Layer: services
+# Module: nagios
+#
+# Net Saint / NAGIOS - network monitoring server
+#
+nagios = module
+
+# Layer: services
+# Module: nessus
+#
+# Nessus network scanning daemon
+#
+nessus = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = module
+
+# Layer: services
+# Module: nsd
+#
+# Authoritative only name server
+#
+nsd = module
+
+# Layer: services
+# Module: nslcd
+#
+# nslcd - local LDAP name service daemon.
+#
+nslcd = module
+
+# Layer: services
+# Module: ntop
+#
+# Network Top
+#
+ntop = module
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: services
+# Module: nx
+#
+# NX remote desktop
+#
+# nx = module
+
+# Layer: services
+# Module: oav
+#
+# Open AntiVirus scannerdaemon and signature update
+#
+oav = module
+
+# Layer: services
+# Module: oddjob
+#
+# Oddjob provides a mechanism by which unprivileged applications can
+# request that specified privileged operations be performed on their
+# behalf.
+#
+oddjob = module
+
+# Layer: services
+# Module: oident
+#
+# SELinux policy for Oident daemon.
+#
+oident = module
+
+# Layer: services
+# Module: openca
+#
+# OpenCA - Open Certificate Authority
+#
+openca = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = module
+
+# Layer: services
+# Module: openvpn
+#
+# full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: services
+# Module: pads
+#
+# Passive Asset Detection System
+#
+pads = module
+
+# Layer: services
+# Module: pcscd
+#
+# PCSC smart card service
+#
+pcscd = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = module
+
+# Layer: services
+# Module: perdition
+#
+# Perdition POP and IMAP proxy
+#
+perdition = module
+
+# Layer: services
+# Module: pingd
+#
+# Pingd of the Whatsup cluster node up/down detection utility
+#
+pingd = module
+
+# Layer: services
+# Module: policykit
+#
+# Policy framework for controlling privileges for system-wide services.
+#
+policykit = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: portreserve
+#
+# Reserve well-known ports in the RPC port range.
+#
+portreserve = module
+
+# Layer: services
+# Module: portslave
+#
+# Portslave terminal server software
+#
+portslave = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+# Layer: services
+# Module: postfixpolicyd
+#
+# Postfix policy server
+#
+postfixpolicyd = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: postgrey
+#
+# Postfix grey-listing server
+#
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: services
+# Module: prelude
+#
+# Prelude hybrid intrusion detection system
+#
+prelude = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: psad
+#
+# Intrusion Detection and Log Analysis with iptables
+#
+psad = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: services
+# Module: puppet
+#
+# Puppet client daemon
+#
+puppet = module
+
+# Layer: services
+# Module: pxe
+#
+# Server for the PXE network boot protocol
+#
+pxe = module
+
+# Layer: services
+# Module: pyzor
+#
+# Pyzor is a distributed, collaborative spam detection and filtering network.
+#
+pyzor = module
+
+# Layer: services
+# Module: qmail
+#
+# Qmail Mail Server
+#
+qmail = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+razor = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: services
+# Module: resmgr
+#
+# Resource management daemon
+#
+resmgr = module
+
+# Layer: services
+# Module: rhgb
+#
+# Red Hat Graphical Boot
+#
+rhgb = module
+
+# Layer: services
+# Module: ricci
+#
+# Ricci cluster management agent
+#
+ricci = module
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = module
+
+# Layer: services
+# Module: rpcbind
+#
+# Universal Addresses to RPC Program Number Mapper
+#
+rpcbind = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: services
+# Module: rtkit
+#
+# Realtime scheduling for user processes.
+#
+rtkit = module
+
+# Layer: services
+# Module: rwho
+#
+# Who is logged in on other machines?
+#
+rwho = module
+
+# Layer: services
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# SELinux troubleshooting service
+#
+setroubleshoot = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = module
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: speedtouch
+#
+# Alcatel speedtouch USB ADSL modem
+#
+speedtouch = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: tgtd
+#
+# Linux Target Framework Daemon.
+#
+tgtd = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: services
+# Module: transproxy
+#
+# HTTP transperant proxy
+#
+transproxy = module
+
+# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
+# Module: ucspitcp
+#
+# ucspitcp policy
+#
+ucspitcp = module
+
+# Layer: services
+# Module: ulogd
+#
+# Iptables/netfilter userspace logging daemon.
+#
+ulogd = module
+
+# Layer: services
+# Module: uptime
+#
+# Uptime daemon
+#
+uptime = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: uwimap
+#
+# University of Washington IMAP toolkit POP3 and IMAP mail server
+#
+uwimap = module
+
+# Layer: services
+# Module: varnishd
+#
+# Varnishd http accelerator daemon
+#
+varnishd = module
+
+# Layer: services
+# Module: virt
+#
+# Libvirt virtualization API
+#
+virt = module
+
+# Layer: services
+# Module: w3c
+#
+# W3C Markup Validator
+#
+w3c = module
+
+# Layer: services
+# Module: watchdog
+#
+# Software watchdog
+#
+watchdog = module
+
+# Layer: services
+# Module: xfs
+#
+# X Windows Font Server
+#
+xfs = module
+
+# Layer: services
+# Module: xprint
+#
+# X print server
+#
+xprint = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: services
+# Module: zabbix
+#
+# Distributed infrastructure monitoring
+#
+zabbix = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: services
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = base
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = base
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = base
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = base
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = base
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iodine
+#
+# IP over DNS tunneling
+#
+iodine = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = base
+
+# Layer: system
+# Module: iscsi
+#
+# Establish connections to iSCSI devices
+#
+iscsi = module
+
+# Layer: system
+# Module: kdump
+#
+# Kernel crash dumping mechanism
+#
+kdump = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = base
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = base
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = base
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: system
+# Module: pythonsupport
+#
+# Support for precompiling python modules
+#
+pythonsupport = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = base
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: xen
+#
+# Xen hypervisor
+#
+xen = module
+
--- refpolicy-2.20110726.orig/debian/setrans.conf
+++ refpolicy-2.20110726/debian/setrans.conf
@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
--- refpolicy-2.20110726.orig/debian/NEWS.Debian
+++ refpolicy-2.20110726/debian/NEWS.Debian
@@ -0,0 +1,24 @@
+refpolicy (2:0.0.20090621-1) unstable; urgency=low
+
+ * There have been some major updates in the file contexts in this
+ release, so a relabelling of the file system is recommended after this
+ upgrade. Please install selinux-basics, touch /.autorelabel as root,
+ and reboot.
+
+ -- Manoj Srivastava Mon, 22 Jun 2009 02:42:42 -0500
+
+
+refpolicy (0.0.20061018-2) unstable; urgency=high
+
+
+ * When installing strict policy, the postinst does not check for the
+ contents of /etc/selinux/config to see if SELINUXTYPE is set to
+ refpolicy-strict or not. Ideally, if config does not have SELINUXTYPE
+ set to refpolicy-strict, the installer should be prompted to see if
+ they want to change the policy type and relabel; this is not yet
+ done. Please ensure that the setting for SELINUXTYPE in the
+ configuration file /etc/selinux/config matches what you want it to
+ be.
+
+ -- Manoj Srivastava Fri, 22 Dec 2006 10:40:38 -0600
+
--- refpolicy-2.20110726.orig/debian/local-vars.mk
+++ refpolicy-2.20110726/debian/local-vars.mk
@@ -0,0 +1,68 @@
+############################ -*- Mode: Makefile -*- ###########################
+## local-vars.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 10:43:00 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sun Aug 20 21:57:04 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 14
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: 1a76a87e-7af5-424a-a30d-61660c8f243e
+##
+###############################################################################
+
+FILES_TO_CLEAN = debian/files
+STAMPS_TO_CLEAN =
+DIRS_TO_CLEAN = config/appconfig-strict-mcs config/appconfig-targeted-mcs
+
+# Location of the source dir
+SRCTOP := $(shell if [ "$$PWD" != "" ]; then echo $$PWD; else pwd; fi)
+TMPTOP = $(SRCTOP)/debian/$(package)
+LINTIANDIR = $(TMPTOP)/usr/share/lintian/overrides
+DOCBASEDIR = $(TMPTOP)/usr/share/doc-base
+
+BINDIR = $(TMPTOP)$(PREFIX)/bin
+LIBDIR = $(TMPTOP)$(PREFIX)/lib
+# Man Pages
+MANDIR = $(TMPTOP)/usr/share/man
+MAN1DIR = $(MANDIR)/man1
+MAN3DIR = $(MANDIR)/man3
+MAN5DIR = $(MANDIR)/man5
+MAN7DIR = $(MANDIR)/man7
+MAN8DIR = $(MANDIR)/man8
+
+INFODIR = $(TMPTOP)/usr/share/info
+DOCTOP = $(TMPTOP)/usr/share/doc
+DOCDIR = $(DOCTOP)/$(package)
+MENUDIR = $(TMPTOP)/usr/lib/menu/
+
+OPTIONS=DISTRO=debian DIRECT_INITRC=y MONOLITHIC=n
+
+PYDEFAULT =$(strip $(shell pyversions -vd))
+MODULES_DIR=$(TMPTOP)/usr/share/python-support/$(package)
+
+# set this to -mcs, -mls, or -mcs-mls
+MCS_MLS_TYPE=-mcs
+
+# Things we have put into the base for Debian systems.
+# egrep base debian/modules.conf.targeted | grep -v '#' | \
+# sort | sed -e 's/=.*$//g'
+NON_MODULES=application apt authlogin clock corecommands \
+ corenetwork cron devices dmesg domain dpkg files filesystem \
+ fstools getty hostname init iptables kernel libraries \
+ locallogin logging logrotate mcs miscfiles mls modutils mount \
+ mta selinux selinuxutil storage su sysnetwork terminal \
+ userdomain userhelper usermanage
+
+define checkdir
+ @test -f debian/rules -a -f policy/modules/kernel/kernel.fc || \
+ (echo Not in correct source directory; exit 1)
+endef
+
+define checkroot
+ @test $$(id -u) = 0 || (echo need root priviledges; exit 1)
+endef
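Review bot: The failure messages in `checkdir` and `checkroot` go to stdout and the second one misspells "privileges": `(echo need root priviledges; exit 1)`. Send them to stderr and quote them, e.g. `(echo >&2 "Not in correct source directory"; exit 1)` and `(echo >&2 "need root privileges"; exit 1)`, so they are not lost when make output is captured. The `checkroot` sequence appears to duplicate a TESTROOT define in debian/common/targets.mk later in this patch; keeping one of them avoids the two drifting apart.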
--- refpolicy-2.20110726.orig/debian/common/pkgvars.mk
+++ refpolicy-2.20110726/debian/common/pkgvars.mk
@@ -0,0 +1,168 @@
+############################ -*- Mode: Makefile -*- ###########################
+## pkgvars.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:56:30 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Thu Jun 15 12:05:46 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 11
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : This is what allows us toseparate out the top level
+## targets, by determining which packages needto be built.
+##
+## arch-tag: 75fcc720-7389-4eaa-a7ac-c556d3eac331
+##
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+##
+###############################################################################
+
+# The maintainer information.
+maintainer := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Maintainer: | \
+ sed 's/^Maintainer: *//')
+email := srivasta@debian.org
+
+# Priority of this version (or urgency, as dchanges would call it)
+urgency := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Urgency: | \
+ sed 's/^Urgency: *//')
+
+# Common useful variables
+DEB_SOURCE_PACKAGE := $(strip $(shell egrep '^Source: ' debian/control | \
+ cut -f 2 -d ':'))
+DEB_VERSION := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
+ egrep '^Version:' | cut -f 2 -d ' '))
+DEB_ISNATIVE := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
+ perl -ne 'print if (m/^Version:/g && ! m/^Version:.*\-/);'))
+DEB_DISTRIBUTION := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
+ egrep '^Distribution:' | cut -f 2 -d ' '))
+
+DEB_PACKAGES := $(shell perl -e ' \
+ $$/=""; \
+ while(<>){ \
+ $$p=$$1 if m/^Package:\s*(\S+)/; \
+ die "duplicate package $$p" if $$seen{$$p}; \
+ $$seen{$$p}++; print "$$p " if $$p; \
+ }' debian/control )
+
+DEB_INDEP_PACKAGES := $(shell perl -e ' \
+ $$/=""; \
+ while(<>){ \
+ $$p=$$1 if m/^Package:\s*(\S+)/; \
+ die "duplicate package $$p" if $$seen{$$p}; \
+ $$seen{$$p}++; \
+ $$a=$$1 if m/^Architecture:\s*(\S+)/m; \
+ next unless ($$a eq "all"); \
+ print "$$p " if $$p; \
+ }' debian/control )
+
+DEB_ARCH_PACKAGES := $(shell perl -e ' \
+ $$/=""; \
+ while(<>){ \
+ $$p=$$1 if m/^Package:\s*(\S+)/; \
+ die "duplicate package $$p" if $$seen{$$p}; \
+ $$seen{$$p}++; \
+ $$c=""; \
+ if (/^Architecture:\s*(.*?)\s*$$/sm) { \
+ @a = split /\s+/, $$1 }; \
+ for my $$b (@a) { \
+ next unless ($$b eq "$(DEB_HOST_ARCH)" || \
+ $$b eq "any"); \
+ $$c="$$p"; \
+ } \
+ print "$$c " if $$c; \
+ }' debian/control )
+
+# This package is what we get after removing the psuedo dirs we use in rules
+package = $(notdir $@)
+DEBIANDIR = $(dir $(firstword $(MAKEFILE_LIST)))
+
+ifeq (,$(filter parallel=%,$(FAILS_PARALLEL_BUILD)))
+ ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ NUMJOBS = $(patsubst parallel=%,-j%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ endif
+endif
+
+# Define canned sequences used to strip executables and libraries,
+# keeping in mind the directives in DEB_BUILD_OPTIONS
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+define strip-exec
+find $(TMPTOP) -type f | while read i; do \
+ if file -b $$i | egrep -q "^ELF.*executable"; then \
+ strip --strip-all --remove-section=.comment --remove-section=.note $$i; \
+ fi; \
+ done
+endef
+
+define strip-lib
+find $(TMPTOP) -type f | while read i; do \
+ if file -b $$i | egrep -q "^ELF.*shared object"; then \
+ strip --strip-unneeded --remove-section=.comment --remove-section=.note $$i; \
+ fi; \
+done
+endef
+else
+define strip-exec
+@echo Not strippping executables as asked
+endef
+
+define strip-lib
+@echo Not strippping libraries as asked
+endef
+
+endif
+
+# this canned command specifies how to run dpkg-shlibs to add things
+# to debian/substvars by scanning executables and libraries; this
+# should suffice for the common case. Some rules files might need some
+# changes to the command sequence, though
+define get-shlib-deps
+k=`find $(TMPTOP) -type f | ( while read i; do \
+ if file -b $$i | \
+ egrep -q "^ELF.*(executable.*dynamically linked|shared object)"; then \
+ j="$$j $$i"; \
+ fi; \
+done; echo $$j; )`; if [ -n "$$k" ]; then dpkg-shlibdeps $$k; fi
+endef
+
+# This canned sequence checks to see if all the libraries we link to
+# actually provide some symbols needed by some executable ot library
+# in the package itself.
+ifeq (,$(strip $(filter nocheck,$(DEB_BUILD_OPTIONS))))
+ ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+define check-libraries
+echo Checking libs
+xtra=$$($(SHELL) debian/common/checklibs); \
+if [ -n "$$extra" ]; then \
+ echo "Extra libraries: $$extra"; \
+ exit 1; \
+fi
+endef
+ else
+define check-libraries
+echo Not checking libs
+endef
+ endif
+else
+define check-libraries
+echo Not checking libs
+endef
+endif
+
+
+#Local variables:
+#mode: makefile
+#End:
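Review bot: `check-libraries` can never fail, because the result is stored in one variable and tested in another: `xtra=$$($(SHELL) debian/common/checklibs); \` followed by `if [ -n "$$extra" ]; then \` — `$$extra` is always empty, so the `exit 1` is unreachable and extra linked libraries are never reported. Rename the assignment to `extra=$$($(SHELL) debian/common/checklibs); \`. Separately, `email := srivasta@debian.org` is hard-coded while `maintainer` is parsed from the changelog, so the two can silently diverge on a maintainer change.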
--- refpolicy-2.20110726.orig/debian/common/get_shlib_ver
+++ refpolicy-2.20110726/debian/common/get_shlib_ver
@@ -0,0 +1,40 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# get_shlib_ver ---
+# Author : Manoj Srivastava ( srivasta@golden-gryphon.com )
+# Created On : Tue Sep 1 15:27:07 2009
+# Created On Node : anzu.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+# If there is a symbols file preent, get the most recent version a
+# symbol was added in.
+#
+
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+# Make sure we abort on error
+set -e
+progname="$(basename \"$0\")"
+
+test ! -d debian || \
+ find debian -wholename 'debian/*\.symbols' | while read lib; do
+ echo -n "Shlib info for" ${lib%%.symbols} ": ";
+ sort -n -k 2,2b $lib | grep '^ ' | tail -n 1 | awk '{print $2;}';
+done
+
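Review bot: `progname="$(basename \"$0\")"` hands basename an argument that contains literal double-quote characters, since inside `$(...)` the `\"` is a new command line's escaped quote rather than a quote for the outer string; the result ends in a stray `"`. The same line is repeated in debian/common/checklibs in this patch. Write `progname="$(basename "$0")"` in both — the inner quotes do not conflict with the outer ones inside a command substitution. progname is not used afterwards in either script, so the defect is latent until a message interpolates it.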
--- refpolicy-2.20110726.orig/debian/common/automake.mk
+++ refpolicy-2.20110726/debian/common/automake.mk
@@ -0,0 +1,37 @@
+############################ -*- Mode: Makefile -*- ###########################
+## automake.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:47:23 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Nov 15 02:47:53 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 1
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: 1fabe69b-7cc8-4ecc-9411-bc5906b19857
+##
+###############################################################################
+
+AUTOCONF_VERSION:=$(shell if [ -e configure ]; then \
+ grep "Generated automatically using autoconf" \
+ configure | sed -e 's/^.*autoconf version //g'; \
+ fi)
+HAVE_NEW_AUTOMAKE:=$(shell if [ "X$(AUTOCONF_VERSION)" != "X2.13" ]; then \
+ echo 'YES' ; fi)
+
+ifneq ($(strip $(HAVE_NEW_AUTOMAKE)),)
+ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ confflags += --build $(DEB_BUILD_GNU_TYPE)
+ else
+ confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+ endif
+else
+ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ confflags += $(DEB_HOST_GNU_TYPE)
+ else
+ confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+ endif
+endif
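Review bot: `AUTOCONF_VERSION` is only set when `configure` carries the text "Generated automatically using autoconf", which as far as I know only autoconf 2.13-era scripts emit; for newer scripts the variable stays empty, `HAVE_NEW_AUTOMAKE` becomes YES and the `--build`/`--host` form is used — the right outcome, but the fallback path is undocumented. A comment above `AUTOCONF_VERSION:=` such as `# Empty (no 2.13 marker found) is treated as a new autoconf; only 2.13 gets the bare host-type form` would make the intent explicit. In the old-autoconf branch `confflags += $(DEB_HOST_GNU_TYPE)` adds the host type as a bare positional argument; if that is deliberate for 2.13's configure, say so, because it reads like a dropped `--host`.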
--- refpolicy-2.20110726.orig/debian/common/perlvars.mk
+++ refpolicy-2.20110726/debian/common/perlvars.mk
@@ -0,0 +1,27 @@
+############################ -*- Mode: Makefile -*- ###########################
+## perlvars.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:55:47 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Dec 13 13:50:58 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 3
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: a97a01ba-d08d-404d-aa81-572717c03e6c
+##
+###############################################################################
+
+# Perl variables
+PERL = /usr/bin/perl
+
+INSTALLPRIVLIB = $(TMPTOP)/$(shell \
+ perl -e 'use Config; print "$$Config{'installprivlib'}\n";')
+INSTALLARCHLIB = $(TMPTOP)/$(shell \
+ perl -e 'use Config; print "$$Config{'installarchlib'}\n";')
+INSTALLVENDORLIB =$(TMPTOP)/$(shell \
+ perl -e 'use Config; print "$$Config{'vendorlibexp'}\n";')
+CONFIG = INSTALLDIRS=vendor
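Review bot: The perl snippets for `INSTALLPRIVLIB`, `INSTALLARCHLIB` and `INSTALLVENDORLIB` nest single quotes inside a single-quoted shell argument: `perl -e 'use Config; print "$$Config{'installprivlib'}\n";'` — the inner quotes end and restart the shell string, so perl receives `$Config{installprivlib}` with a bareword key. It works only because perl accepts barewords inside `{}`; the quotes look like perl quoting but are not. Drop them, `perl -e 'use Config; print "$$Config{installprivlib}\n";'`, and likewise for the other two, so the command reads the way it behaves.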
--- refpolicy-2.20110726.orig/debian/common/debconf.mk
+++ refpolicy-2.20110726/debian/common/debconf.mk
@@ -0,0 +1,42 @@
+############################ -*- Mode: Makefile -*- ###########################
+## debconf.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+## Created On : Fri Mar 12 11:11:31 2004
+## Created On Node : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Mon Apr 11 13:19:10 2005
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 20
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : helps with using debconf
+##
+## arch-tag: 32b933a9-05ad-4c03-97a8-8644745b832a
+##
+###############################################################################
+
+# The idea behind this scheme is that the maintainer (or whoever's
+# building the package for upload to unstable) has to build on a
+# machine with po-debconf installed, but nobody else does.
+
+# Also, make sure that debian/control has ${debconf-depends} in the
+# appropriate Depends: line., and use the following in the binary
+# target:
+# dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))'
+#
+
+# WARNING!! You need to create the debian/templates file before this
+# all works.
+
+# Run debconf-updatepo whenever the template file changes.
+# the tool podebconf-report-po is also a great friend to have in such
+# circumstances
+define CHECKPO
+ @for i in debian/po/*.po; do \
+ if [ -f $$i ]; then \
+ echo \"Checking: $$i\"; \
+ msgmerge -U $$i debian/po/templates.pot; \
+ msgfmt -o /dev/null -c --statistics $$i; \
+ fi; \
+ done
+endef
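Review bot: `echo \"Checking: $$i\"` in `CHECKPO` reaches the shell with the backslashes intact, so the printed line carries literal quote characters; `echo "Checking: $$i"` is what was meant. A one-line comment above the define, e.g. `# msgmerge -U rewrites the .po files under debian/po in place`, is worth adding, since that side effect on the source tree is easy to miss when the macro is invoked from a build target.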
--- refpolicy-2.20110726.orig/debian/common/checklibs
+++ refpolicy-2.20110726/debian/common/checklibs
@@ -0,0 +1,78 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# checklibs.sh ---
+# Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+# Created On : Fri Sep 29 15:36:22 2006
+# Created On Node : glaurung.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Wed Sep 2 01:16:46 2009
+# Last Machine Used: anzu.internal.golden-gryphon.com
+# Update Count : 47
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 8ba11489-77fa-45a0-92c4-9c5b162ee119
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+# Make sure we abort on error
+set -e
+progname="$(basename \"$0\")"
+
+trap 'rm -f search_patterns.txt;' ALRM HUP INT PIPE TERM ABRT FPE BUS QUIT SEGV ILL EXIT
+
+# Find all undefined symbols in all ELF objects in this tree
+readelf -s -D -W $(find . -type f -print0 | xargs -0r file | grep " ELF" | \
+ awk '{print $1}' | sed -e 's/:$//') | grep UND | grep -v LOCAL |
+ perl -ple 's/.*\s(\S+)\s*$/\^$1\$/g' | sort -u > search_patterns.txt;
+
+LOCAL_LIBS=$(find . -type f -print0 | xargs -0r file | egrep "ELF.*shared object" | \
+ awk '{print $1}' | sed -e 's/:$//' -e 's,/[^/]*$,,')
+
+# Find all the libraries needed in this tree
+objdump -T --private-headers $(find . -type f -print0 | \
+ xargs -0r file | egrep "ELF.*(shared object|executable)" | \
+ awk '{print $1}' | sed -e 's/:$//') | grep NEEDED | sort -u | awk '{print $2}' |
+ while read lib; do
+ # For each library, see where it lives on the file system
+ LIB=
+ for library_dir in "/lib" "/usr/lib" $LOCAL_LIBS $EXTRA_LIBRARY_PATHS; do
+ if [ -e "$library_dir/$lib" ]; then
+ LIB="$library_dir/$lib";
+ break
+ fi
+ done
+ if [ -z "$LIB" ]; then
+ echo >&2 "Can't find $lib"
+ continue
+ fi
+ # If we fond the library, find what symbols it defines, and if these symbols
+ # are some that we need
+ if readelf -s -D -W $LIB | grep -v UND | perl -ple 's/.*\s(\S+)\s*$/$1/g' | \
+ sort -u | grep -q -f search_patterns.txt ; then
+ # Library provides at least some symbols we need
+ if [ -n "$DEBUG" ]; then echo "Found $LIB"; fi
+ else
+ # Library does not provide any symbols we need
+ echo "$LIB" ;
+ fi
+done
+
+# Get rid of the intermediate file
+rm -f search_patterns.txt;
+exit 0
+
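Review bot: The scratch file `search_patterns.txt` is created under a fixed name in the current directory (the package tree) and is the file `grep -f` later reads, so any existing file of that name in the tree is clobbered and then deleted by the EXIT trap. Prefer a per-run file: `patterns="$(mktemp)"` and `trap 'rm -f "$patterns"' EXIT HUP INT TERM`, then use `"$patterns"` for the redirect, the `grep -f` and the final `rm -f`. A library that is not found in /lib, /usr/lib, the in-tree directories or `$EXTRA_LIBRARY_PATHS` only logs "Can't find" to stderr and is skipped with `continue`, so it never reaches stdout and is invisible to a caller that inspects only the output. `EXTRA_LIBRARY_PATHS` is read from the environment but not mentioned in the header; a short comment naming it would help.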
--- refpolicy-2.20110726.orig/debian/common/README
+++ refpolicy-2.20110726/debian/common/README
@@ -0,0 +1,78 @@
+# This file provides a quick overview of this build system. The idea is
+# to convert ./debian/rules into a framework, which abstracts most of
+# the work required to create a Debian package into this common set of
+# make snippets.
+
+# The rules file would look like this:
+
+## Include dpkg-architecture generated variables
+# This make snippet uses dpkg-architecture to set the various
+# DEB_BUILD* and DEB_HOST* variables. It also adds a couple of DEBUG
+# macros for use in the rules file.
+include debian/common/archvars.mk
+
+## variables useful for perl packages
+# This sets things like the installed location of the private lib,
+# arch dependent lib, and vendor library directories.
+include debian/common/perlvars.mk
+
+## Install commands
+# This sets the convenience macros install_{file,script,program} and
+# a make directory macro, all run as root, for the install and binary
+# targets. It also includes a macro to create the md5sum for
+# installed files.
+include debian/common/install_cmds.mk
+
+## Per package variable settings.
+# This file sets the Make variables on a per package basis. Things
+# like include files, C, C++, and LD flags are set here, as well as
+# installation paths or, really, anything else that would be needed
+# during packaging operations
+include debian/local-vars.mk
+
+## Setting C compiler flags.
+# This file takes care of setting C compiler flags, setting the
+# compiler if a cross compilation effort is detected, and either
+# arranges for binaries to be stripped or not based on
+# DEB_BUILD_OPTIONS.
+include debian/common/copt.mk
+
+## Set automake configuration flags
+# This file sets confflags variable with the proper --host and
+# --build options if it detects a cross compilation effort underway.
+include debian/common/automake.mk
+
+# Set up the default target.
+all:
+ @echo nothing to be done
+
+## Include the common targets
+# This file sets up the flow of control during a Debian package build
+# process, taking into account policy requirements (mandatory
+# targets, ordering targets). It sets up rules for each package found
+# in ./debian/control file in the package, and arranges package build
+# to follow the order of configuration, building, installation, and
+# binary package creation (and of course, clean).
+
+# The details of the targets can be seen visually by running dot on
+# the accompanying targets.dot file. In the figure, the legend is:
+# Nodes attributes:
+# filled == Work target (most work is done in dependencies added
+# to these targets). These are the targets referred to
+# in the local.mk file
+# Octagon == Phony target
+# Oval == Real target based on a time stamp
+# Double lines denote a mandatory target
+#
+# Edge attributes: A Red line indicates the target is called using
+# $(MAKE) -f ./debian/rules . So the targets connected by the
+# red lines are run after all the dependencies have been updated, but
+# before anything else is done.
+
+include debian/common/targets.mk
+
+## The bulk of packaging
+# This file adds dependencies to the double-colon rules set up in
+# targets.mk above, and perform the bulk of the packaging.
+include debian/local.mk
+
--- refpolicy-2.20110726.orig/debian/common/targets.mk
+++ refpolicy-2.20110726/debian/common/targets.mk
@@ -0,0 +1,532 @@
+############################ -*- Mode: Makefile -*- ###########################
+## targets.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 01:10:05 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Apr 26 22:33:09 2008
+## Last Machine Used: anzu.internal.golden-gryphon.com
+## Update Count : 131
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : The top level targets mandated by policy, as well as
+## their dependencies.
+##
+## arch-tag: a81086a7-00f7-4355-ac56-8f38396935f4
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+##
+###############################################################################
+
+#######################################################################
+#######################################################################
+############### Miscellaneous ###############
+#######################################################################
+#######################################################################
+source diff:
+ @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
+
+define TESTROOT
+ @test $$(id -u) = 0 || (echo need root priviledges; exit 1)
+endef
+
+testroot:
+ $(TESTROOT)
+
+checkpo:
+ $(CHECKPO)
+
+# arch-buildpackage likes to call this
+prebuild:
+
+ifneq (,$(shell if [ -f $(DEBIANDIR)/watch ]; then echo yes; fi))
+.PHONY: get-orig-source
+get-orig-source:
+ cd $(DEBIANDIR)/.. && \
+ uscan --verbose --rename --destdir $(DEBIANDIR)../.. || true
+endif
+
+# OK. We have two sets of rules here, one for arch dependent packages,
+# and one for arch independent packages. We have already calculated a
+# list of each of these packages.
+
+# In each set, we may need to do things in five steps: configure,
+# build, install, package, and clean. Now, there can be a common
+# actions to be taken for all the packages, all arch dependent
+# packages, all all independent packages, and each package
+# individually at each stage.
+
+###########################################################################
+# The current code does a number of things: It ensures that the highest #
+# dependency at any stage (usually the -Common target) depends on the #
+# stamp-STAGE of the previous stage; so no work on a succeeding stage can #
+# start before the previous stage is all done. #
+###########################################################################
+
+###########################################################################
+# In the following, the do_* targets make sure all the real non-generic #
+# work is done, but are not in the direct line of dependencies. This #
+# makes sure that previous step in the order is all up to date before any #
+# of the per package target dependencies are run. #
+###########################################################################
+
+
+#######################################################################
+#######################################################################
+############### Configuration ###############
+#######################################################################
+#######################################################################
+# Just a dummy target to make sure that the stamp directory exists
+debian/stamp/dummy-config-common:
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+# Configuration tasks common to arch and arch indep packages go here
+debian/stamp/pre-config-common: debian/stamp/dummy-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+# Do not add dependencies to this rule
+debian/stamp/do-pre-config-common: debian/stamp/dummy-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/pre-config-common
+ @echo done > $@
+
+# Arch specific and arch independent tasks go here
+debian/stamp/pre-config-arch: debian/stamp/do-pre-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+# Do not add dependencies to this rule
+debian/stamp/do-pre-config-arch: debian/stamp/do-pre-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/pre-config-arch
+ @echo done > $@
+
+
+debian/stamp/pre-config-indep: debian/stamp/do-pre-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+# Do not add dependencies to this rule
+debian/stamp/do-pre-config-indep: debian/stamp/do-pre-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/pre-config-indep
+ @echo done > $@
+
+# Per package work happens as an added dependency of this rule.
+$(patsubst %,debian/stamp/CONFIG/%,$(DEB_ARCH_PACKAGES)) : debian/stamp/CONFIG/% : debian/stamp/do-pre-config-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/CONFIG || mkdir -p debian/stamp/CONFIG
+ @echo done > $@
+$(patsubst %,debian/stamp/CONFIG/%,$(DEB_INDEP_PACKAGES)) : debian/stamp/CONFIG/% : debian/stamp/do-pre-config-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/CONFIG || mkdir -p debian/stamp/CONFIG
+ @echo done > $@
+
+# Do not add dependencies to this rule
+debian/stamp/dep-configure-arch: debian/stamp/do-pre-config-arch $(patsubst %,debian/stamp/CONFIG/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+# Do not add dependencies to this rule
+debian/stamp/dep-configure-indep: debian/stamp/do-pre-config-indep $(patsubst %,debian/stamp/CONFIG/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+debian/stamp/do-configure-arch: debian/stamp/do-pre-config-arch
+ $(REASON)
+ @test -d debian/stamp/CONFIG || mkdir -p debian/stamp/CONFIG
+ $(MAKE) -f debian/rules debian/stamp/dep-configure-arch
+ @echo done > $@
+debian/stamp/do-configure-indep: debian/stamp/do-pre-config-indep
+ $(REASON)
+ @test -d debian/stamp/CONFIG || mkdir -p debian/stamp/CONFIG
+ $(MAKE) -f debian/rules debian/stamp/dep-configure-indep
+ @echo done > $@
+
+# These three targets are required by policy
+configure-arch: debian/stamp/do-configure-arch
+ $(REASON)
+configure-indep: debian/stamp/do-configure-indep
+ $(REASON)
+configure: debian/stamp/do-configure-arch debian/stamp/do-configure-indep
+ $(REASON)
+
+#######################################################################
+#######################################################################
+############### Build ###############
+#######################################################################
+#######################################################################
+# tasks common to arch and arch indep packages go here
+debian/stamp/pre-build-common:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+# Arch specific and arch independent tasks go here
+debian/stamp/pre-build-arch: debian/stamp/do-configure-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-pre-build-arch: debian/stamp/do-configure-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @test -e debian/stamp/pre-build-common || $(MAKE) -f debian/rules debian/stamp/pre-build-common
+ $(MAKE) -f debian/rules debian/stamp/pre-build-arch
+ @echo done > $@
+
+debian/stamp/pre-build-indep: debian/stamp/do-configure-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-pre-build-indep: debian/stamp/do-configure-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @test -e debian/stamp/pre-build-common || $(MAKE) -f debian/rules debian/stamp/pre-build-common
+ $(MAKE) -f debian/rules debian/stamp/pre-build-indep
+ @echo done > $@
+
+# Per package work happens as an added dependency of this rule.
+$(patsubst %,debian/stamp/BUILD/%,$(DEB_ARCH_PACKAGES)) : debian/stamp/BUILD/% : debian/stamp/do-pre-build-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/BUILD || mkdir -p debian/stamp/BUILD
+ @echo done > $@
+
+$(patsubst %,debian/stamp/BUILD/%,$(DEB_INDEP_PACKAGES)) : debian/stamp/BUILD/% : debian/stamp/do-pre-build-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/BUILD || mkdir -p debian/stamp/BUILD
+ @echo done > $@
+
+# These do targeta make sure all the per package configuration is
+# done, but is not in the direct line of dependencies. This makes sure
+# that pre-config targets are all up to date before any of the per
+# package target dependencies are run.
+debian/stamp/dep-build-arch: debian/stamp/do-pre-build-arch $(patsubst %,debian/stamp/BUILD/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+debian/stamp/dep-build-indep: debian/stamp/do-pre-build-indep $(patsubst %,debian/stamp/BUILD/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+debian/stamp/do-build-arch: debian/stamp/do-pre-build-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/dep-build-arch
+ @echo done > $@
+debian/stamp/do-build-indep: debian/stamp/do-pre-build-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/dep-build-indep
+ @echo done > $@
+
+# required
+build-arch: debian/stamp/do-build-arch
+ $(REASON)
+build-indep: debian/stamp/do-build-indep
+ $(REASON)
+build: debian/stamp/do-build-arch debian/stamp/do-build-indep
+ $(REASON)
+
+# Work here
+debian/stamp/post-build-arch: debian/stamp/do-build-arch
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-post-build-arch: debian/stamp/do-build-arch
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/post-build-arch
+ @echo done > $@
+
+debian/stamp/post-build-indep: debian/stamp/do-build-indep
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-post-build-indep: debian/stamp/do-build-indep
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/post-build-indep
+ @echo done > $@
+
+#######################################################################
+#######################################################################
+############### Install ###############
+#######################################################################
+#######################################################################
+# tasks common to arch and arch indep packages go here
+debian/stamp/pre-inst-common:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+# Arch specific and arch independent tasks go here
+debian/stamp/pre-inst-arch: debian/stamp/do-post-build-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-pre-inst-arch: debian/stamp/do-post-build-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @test -e debian/stamp/INST-common || $(MAKE) -f debian/rules debian/stamp/pre-inst-common
+ $(MAKE) -f debian/rules debian/stamp/pre-inst-arch
+ @echo done > $@
+
+debian/stamp/pre-inst-indep: debian/stamp/do-post-build-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-pre-inst-indep: debian/stamp/do-post-build-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @test -e debian/stamp/INST-common || $(MAKE) -f debian/rules debian/stamp/pre-inst-common
+ $(MAKE) -f debian/rules debian/stamp/pre-inst-indep
+ @echo done > $@
+
+
+# Per package work happens as an added dependency of this rule
+$(patsubst %,debian/stamp/INST/%,$(DEB_ARCH_PACKAGES)) : debian/stamp/INST/% : debian/stamp/do-pre-inst-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/INST || mkdir -p debian/stamp/INST
+ @echo done > $@
+$(patsubst %,debian/stamp/INST/%,$(DEB_INDEP_PACKAGES)) : debian/stamp/INST/% : debian/stamp/do-pre-inst-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/INST || mkdir -p debian/stamp/INST
+ @echo done > $@
+
+# These do targeta make sure all the per package configuration is
+# done, but is not in the direct line of dependencies. This makes sure
+# that pre-config targets are all up to date before any of the per
+# package target dependencies are run.
+debian/stamp/dep-install-arch: debian/stamp/do-pre-inst-arch $(patsubst %,debian/stamp/INST/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+debian/stamp/dep-install-indep: debian/stamp/do-pre-inst-indep $(patsubst %,debian/stamp/INST/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+
+debian/stamp/do-install-arch: debian/stamp/do-pre-inst-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/dep-install-arch
+ @echo done > $@
+debian/stamp/do-install-indep: debian/stamp/do-pre-inst-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/dep-install-indep
+ @echo done > $@
+
+#required
+install-arch: debian/stamp/do-install-arch
+ $(REASON)
+ $(TESTROOT)
+install-indep: debian/stamp/do-install-indep
+ $(REASON)
+ $(TESTROOT)
+install: debian/stamp/do-install-arch debian/stamp/do-install-indep
+ $(REASON)
+ $(TESTROOT)
+
+#######################################################################
+#######################################################################
+############### Package ###############
+#######################################################################
+#######################################################################
+# tasks common to arch and arch indep packages go here
+debian/stamp/pre-bin-common:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+# Arch specific and arch independent tasks go here
+debian/stamp/pre-bin-arch: debian/stamp/do-install-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-pre-bin-arch: debian/stamp/do-install-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @test -e debian/stamp/BIN-common || $(MAKE) -f debian/rules debian/stamp/pre-bin-common
+ $(MAKE) -f debian/rules debian/stamp/pre-bin-arch
+ @echo done > $@
+
+debian/stamp/pre-bin-indep: debian/stamp/do-install-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-pre-bin-indep: debian/stamp/do-install-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @test -e debian/stamp/BIN-common || $(MAKE) -f debian/rules debian/stamp/pre-bin-common
+ $(MAKE) -f debian/rules debian/stamp/pre-bin-indep
+ @echo done > $@
+
+# Per package work happens as an added dependency of this rule
+$(patsubst %,debian/stamp/BIN/%,$(DEB_ARCH_PACKAGES)) : debian/stamp/BIN/% : debian/stamp/do-pre-bin-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/BIN || mkdir -p debian/stamp/BIN
+ @echo done > $@
+
+$(patsubst %,debian/stamp/BIN/%,$(DEB_INDEP_PACKAGES)) : debian/stamp/BIN/% : debian/stamp/do-pre-bin-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/BIN || mkdir -p debian/stamp/BIN
+ @echo done > $@
+
+# These do targeta make sure all the per package work is done, but is
+# not in the direct line of dependencies. This makes sure that
+# pre-config targets are all up to date before any of the per package
+# target dependencies are run.
+debian/stamp/dep-binary-arch: debian/stamp/pre-bin-arch $(patsubst %,debian/stamp/BIN/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+debian/stamp/dep-binary-indep: debian/stamp/pre-bin-indep $(patsubst %,debian/stamp/BIN/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+debian/stamp/do-binary-arch: debian/stamp/do-pre-bin-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/dep-binary-arch
+ @echo done > $@
+debian/stamp/do-binary-indep: debian/stamp/do-pre-bin-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/dep-binary-indep
+ @echo done > $@
+# required
+binary-arch: debian/stamp/do-binary-arch
+ $(REASON)
+ $(TESTROOT)
+binary-indep: debian/stamp/do-binary-indep
+ $(REASON)
+ $(TESTROOT)
+binary: debian/stamp/do-binary-arch debian/stamp/do-binary-indep
+ $(REASON)
+ $(TESTROOT)
+ @echo arch package = $(DEB_ARCH_PACKAGES)
+ @echo indep packages = $(DEB_INDEP_PACKAGES)
+
+#######################################################################
+#######################################################################
+############### Clean ###############
+#######################################################################
+#######################################################################
+# Work here
+CLN-common::
+ $(REASON)
+ $(checkdir)
+
+# sync Work here
+CLN-arch:: CLN-common
+ $(REASON)
+ $(checkdir)
+CLN-indep:: CLN-common
+ $(REASON)
+ $(checkdir)
+# Work here
+$(patsubst %,CLEAN/%,$(DEB_ARCH_PACKAGES)) :: CLEAN/% : CLN-arch
+ $(REASON)
+ $(checkdir)
+$(patsubst %,CLEAN/%,$(DEB_INDEP_PACKAGES)) :: CLEAN/% : CLN-indep
+ $(REASON)
+ $(checkdir)
+
+clean-arch: CLN-arch $(patsubst %,CLEAN/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+clean-indep: CLN-indep $(patsubst %,CLEAN/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+clean: clean-indep clean-arch
+ $(REASON)
+ -test -f Makefile && $(MAKE) distclean
+ -rm -f $(FILES_TO_CLEAN) $(STAMPS_TO_CLEAN)
+ -rm -rf $(DIRS_TO_CLEAN) debian/stamp
+ -rm -f core TAGS \
+ `find . ! -regex '.*/\.git/.*' ! -regex '.*/\{arch\}/.*' \
+ ! -regex '.*/CVS/.*' ! -regex '.*/\.arch-ids/.*' \
+ ! -regex '.*/\.svn/.*' \
+ \( -name '*.orig' -o -name '*.rej' -o -name '*~' -o \
+ -name '*.bak' -o -name '#*#' -o -name '.*.orig' -o \
+ -name '.*.rej' -o -name '.SUMS' \) \
+ -print`
+
+
+#######################################################################
+#######################################################################
+############### ###############
+#######################################################################
+#######################################################################
+.PHONY: configure-arch configure-indep configure \
+ build-arch build-indep build \
+ install-arch install-indep install \
+ binary-arch binary-indep binary \
+ CLN-common CLN-indep CLN-arch clean-arch clean-indep clean \
+ $(patsubst %,CLEAN/%, $(DEB_INDEP_PACKAGES)) $(patsubst %,CLEAN/%, $(DEB_ARCH_PACKAGES)) \
+ implode explode prebuild checkpo
+
+
+#Local variables:
+#mode: makefile
+#End:
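Review bot: The stamp guards in do-pre-inst-arch and do-pre-inst-indep test a stamp name that no rule in this file creates: `@test -e debian/stamp/INST-common || ...` checks `INST-common`, but the target it then invokes writes `debian/stamp/pre-inst-common`, so the test never succeeds and the sub-make is spawned on every run; do-pre-bin-arch and do-pre-bin-indep have the same mismatch with `BIN-common` versus `pre-bin-common`, while the build stage does it consistently (`@test -e debian/stamp/pre-build-common || $(MAKE) -f debian/rules debian/stamp/pre-build-common`). Change the four guards to test the stamp the sub-make actually produces, e.g. `@test -e debian/stamp/pre-inst-common || $(MAKE) -f debian/rules debian/stamp/pre-inst-common` and likewise `pre-bin-common`. Relatedly, dep-binary-arch and dep-binary-indep depend on `pre-bin-arch`/`pre-bin-indep` where every other dep-* rule depends on the corresponding `do-pre-*` stamp; this looks like an oversight rather than intent, but it is reachable either way so treat it as a consistency fix. In get-orig-source the `--destdir $(DEBIANDIR)../..` argument lacks the `/` that the preceding `cd $(DEBIANDIR)/..` uses, so unless DEBIANDIR is defined with a trailing slash (not visible here) the download directory resolves wrongly and the `|| true` hides that failure. The TESTROOT message also misspells "privileges" and prints to stdout; `(echo need root privileges >&2; exit 1)` matches the stderr convention used by the `source diff` rule above.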
--- refpolicy-2.20110726.orig/debian/common/ChangeLog
+++ refpolicy-2.20110726/debian/common/ChangeLog
@@ -0,0 +1,59 @@
+2008-02-06 Manoj Srivastava
+
+ * copt.mk:
+ srivasta@debian.org--lenny/skeleton-make-rules--main--0.1--patch-4
+ The cross building support in Debian has been rewritten
+ to stop overriding the CC variable to $(MAKE) in order
+ to correctly support those packages that build internal
+ tools with the native compiler during the build. This
+ means that other packages that assume that CC will be
+ overridden by the cross-compiling build scripts now fail
+ to build. The patch is simply to set CC to
+ $(DEB_HOST_GNU_TYPE)-gcc only if a cross-build is
+ detected.
+
+2007-10-09 Manoj Srivastava
+
+ * targets.mk:
+ srivasta@debian.org--lenny/skeleton-make-rules--main--0.1--patch-1
+ fix dependency tree for targets, allow parralel
+ compilatoin. Many changes, thanks to dot.
+
+2007-09-20 Manoj Srivastava
+
+ * targets.mk (stamp-clean):
+ srivasta@debian.org--lenny/skeleton-make-rules--main--0.1--base-0
+ make clean not remove zero sized files. removed the part
+ that cleaned out zero sized files; since there are uses
+ for zero sized files (like, to nuke out files in
+ upstream sources and not inflate the diff. Any zero
+ sized files can still be nuked in the local.mk file.
+
+2006-10-02 Manoj Srivastava
+
+ * checklibs:
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-15
+ New file, to detect if there are unneeded library
+ dependencies
+
+2006-10-01 Manoj Srivastava
+
+ * archvars.mk (doit):
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-14
+ Add a macro to execute $(shell ...) macos verbosely to
+ help debugging.
+
+2006-09-15 Manoj Srivastava
+
+ * targets.mk (stamp-clean):
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-13
+ Exclude version control directories from the generic
+ clean command.
+
+
+2006-08-23 Manoj Srivastava
+
+ * pkgvars.mk (DEB_DISTRIBUTION):
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-6
+ Add variable that contains the distribution information
+
--- refpolicy-2.20110726.orig/debian/common/install_cmds.mk
+++ refpolicy-2.20110726/debian/common/install_cmds.mk
@@ -0,0 +1,58 @@
+######################### -*- Mode: Makefile-Gmake -*- ########################
+## install_cmds.mk ---
+## Author : Manoj Srivastava ( srivasta@golden-gryphon.com )
+## Created On : Fri Jun 16 14:40:20 2006
+## Created On Node : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Wed Sep 6 11:43:05 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 9
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: a38b6a93-2539-4034-9060-ae94d5c8a071
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+##
+###############################################################################
+
+# install commands
+INSTALL = install
+ifeq (,$(filter nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+install_file = $(INSTALL) -p -o root -g root -m 644
+install_program = $(INSTALL) -p -o root -g root -m 755
+install_script = $(INSTALL) -p -o root -g root -m 755
+make_directory = $(INSTALL) -p -d -o root -g root -m 755
+
+define create_md5sum
+ create_md5sums_fn () { \
+ cd $$1 ; \
+ find . -type f \
+ ! -regex './DEBIAN/.*' \
+ ! -regex './var/.*' $(EXTRA_MD5SUM_EXCLUDE) \
+ -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums ; \
+ if [ -z "DEBIAN/md5sums" ] ; then \
+ rm -f "DEBIAN/md5sums" ; \
+ fi ; \
+ } ; \
+ create_md5sums_fn
+endef
+
+#Local variables:
+#mode: makefile
+#End:
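Review bot: The empty-file cleanup in create_md5sum can never fire: `if [ -z "DEBIAN/md5sums" ]` tests whether the literal string is empty, which is always false, so a package with no files outside DEBIAN/ and var/ ships a zero-length md5sums file instead of none. The intended check is on the file's size, `if [ ! -s DEBIAN/md5sums ] ; then`, which also matches the `rm -f` that follows. Separately, the nostrip handling appends `-s` to INSTALL_PROGRAM, but no recipe in this file reads that variable; `install_program` is defined immediately below as `$(INSTALL) -p -o root -g root -m 755` without the strip flag, so unless INSTALL_PROGRAM is consumed by local.mk (outside this hunk) binaries installed through `install_program` are never stripped regardless of DEB_BUILD_OPTIONS. Either define `install_program = $(INSTALL) -p -o root -g root -m 755 $(INSTALL_PROGRAM)` or drop the unused variable and document which one callers are expected to use.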
--- refpolicy-2.20110726.orig/debian/common/targets.dot
+++ refpolicy-2.20110726/debian/common/targets.dot
@@ -0,0 +1,293 @@
+strict digraph Targets {
+ //ranksep=0.750;
+ //nodesep=0.500;
+
+ // Nodes attributes: filled == Double-colon targt (most work is done here)
+ // Oval == Target based on a time stamp
+ // Octagon == Phony target
+ // Double lines denote a mandatory target (periperies=2)
+
+ // Edge attributes: Dotted line indicates the target is called using $(MAKE)
+
+ "debian/stamp/dummy-config-common" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-config-common" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-config-common" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-config-arch" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-config-arch" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-config-indep" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-config-indep" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/CONFIG/foo-arch" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/CONFIG/bar-indep" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-configure-arch" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-configure-indep" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-configure-arch" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-configure-indep" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "configure-arch" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "configure-indep" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "configure" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+
+ "debian/stamp/pre-build-common" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-build-arch" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-build-indep" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/BUILD/foo-arch" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/BUILD/bar-indep" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "build" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "debian/stamp/post-build-arch" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/post-build-indep" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-post-build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-post-build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+
+ "debian/stamp/pre-inst-common" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-inst-arch" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-inst-arch" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-inst-indep" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-inst-indep" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/INST/foo-arch" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/INST/bar-indep" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-install-arch" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-install-indep" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-install-arch" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-install-indep" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "install-arch" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "install-indep" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "install" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+
+ "debian/stamp/pre-bin-common" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-bin-arch" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-bin-arch" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-bin-indep" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-bin-indep" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/BIN/foo-arch" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/BIN/bar-indep" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-binary-arch" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-binary-indep" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-binary-arch" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-binary-indep" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "binary-arch" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "binary-indep" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "binary" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+
+
+ "CLN-common" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "CLN-arch" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "CLN-indep" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "CLEAN/foo-arch" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "CLEAN/bar-indep" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "clean-arch" [ style="bold", color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "clean-indep" [ style="bold", color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "clean" [ style="bold", color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+
+
+ "CLN-common" -> "CLN-arch" [dir=back]
+ "CLN-common" -> "CLN-indep" [dir=back]
+ "CLN-arch" -> "CLEAN/foo-arch" [dir=back]
+ "CLN-indep" -> "CLEAN/bar-indep" [dir=back]
+ "CLN-arch" -> "clean-arch" [dir=back]
+ "CLEAN/foo-arch" -> "clean-arch" [dir=back]
+ "CLN-indep" -> "clean-indep" [dir=back]
+ "CLEAN/bar-indep" -> "clean-indep" [dir=back]
+ "clean-indep" -> "clean" [dir=back]
+ "clean-arch" -> "clean" [dir=back]
+
+// "debian/stamp/dummy-config-common" -> "debian/stamp/pre-config-common" [dir=back]
+ "debian/stamp/dummy-config-common" -> "debian/stamp/do-pre-config-common" [dir=back]
+ "debian/stamp/pre-config-common" -> "debian/stamp/do-pre-config-common" [dir=back color="Red"]
+// "CUSTOM-1" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-1" -> "debian/stamp/pre-config-common" [dir=back]
+// "debian/stamp/do-pre-config-common" -> "debian/stamp/pre-config-arch" [dir=back]
+ "debian/stamp/do-pre-config-common" -> "debian/stamp/do-pre-config-arch" [dir=back]
+ "debian/stamp/pre-config-arch" -> "debian/stamp/do-pre-config-arch" [dir=back color="Red"]
+// "CUSTOM-2" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-2" -> "debian/stamp/pre-config-arch" [dir=back]
+// "debian/stamp/do-pre-config-common" -> "debian/stamp/pre-config-indep" [dir=back]
+ "debian/stamp/do-pre-config-common" -> "debian/stamp/do-pre-config-indep" [dir=back]
+ "debian/stamp/pre-config-indep" -> "debian/stamp/do-pre-config-indep" [dir=back color="Red"]
+// "CUSTOM-3" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-3" -> "debian/stamp/pre-config-indep" [dir=back]
+// "debian/stamp/do-pre-config-arch" -> "debian/stamp/CONFIG/foo-arch" [dir=back]
+// "debian/stamp/do-pre-config-indep" -> "debian/stamp/CONFIG/bar-indep" [dir=back]
+// "debian/stamp/do-pre-config-arch" -> "debian/stamp/dep-configure-arch" [dir=back]
+ "debian/stamp/CONFIG/foo-arch" -> "debian/stamp/dep-configure-arch" [dir=back]
+// "debian/stamp/do-pre-config-indep" -> "debian/stamp/dep-configure-indep" [dir=back]
+ "debian/stamp/CONFIG/bar-indep" -> "debian/stamp/dep-configure-indep" [dir=back]
+
+ "debian/stamp/do-pre-config-arch" -> "debian/stamp/do-configure-arch" [dir=back]
+ "debian/stamp/dep-configure-arch" -> "debian/stamp/do-configure-arch" [dir=back color="Red"]
+// "CUSTOM-4" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-4" -> "debian/stamp/CONFIG/foo-arch" [dir=back]
+ "debian/stamp/do-pre-config-indep" -> "debian/stamp/do-configure-indep" [dir=back]
+ "debian/stamp/dep-configure-indep" -> "debian/stamp/do-configure-indep" [dir=back color="Red"]
+// "CUSTOM-5" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-5" -> "debian/stamp/CONFIG/bar-indep" [dir=back]
+ "debian/stamp/do-configure-arch" -> "configure-arch" [dir=back]
+ "debian/stamp/do-configure-indep" -> "configure-indep" [dir=back]
+ "debian/stamp/do-configure-arch" -> "configure" [dir=back]
+ "debian/stamp/do-configure-indep" -> "configure" [dir=back]
+
+// "debian/stamp/do-configure-arch" -> "debian/stamp/pre-build-arch" [dir=back]
+ "debian/stamp/do-configure-arch" -> "debian/stamp/do-pre-build-arch" [dir=back]
+ "debian/stamp/pre-build-common" -> "debian/stamp/do-pre-build-arch" [dir=back color="Red"]
+// "CUSTOM-6" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-6" -> "debian/stamp/pre-build-common" [dir=back]
+ "debian/stamp/pre-build-arch" -> "debian/stamp/do-pre-build-arch" [dir=back color="Red"]
+// "CUSTOM-7" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-7" -> "debian/stamp/pre-build-arch" [dir=back]
+ "debian/stamp/pre-build-common" -> "debian/stamp/do-pre-build-indep" [dir=back color="Red"]
+ "debian/stamp/do-configure-indep" -> "debian/stamp/do-pre-build-indep" [dir=back]
+// "debian/stamp/do-configure-indep" -> "debian/stamp/pre-build-indep" [dir=back]
+ "debian/stamp/pre-build-indep" -> "debian/stamp/do-pre-build-indep" [dir=back color="Red"]
+// "CUSTOM-8" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-8" -> "debian/stamp/pre-build-indep" [dir=back]
+// "debian/stamp/do-pre-build-arch" -> "debian/stamp/BUILD/foo-arch" [dir=back]
+// "debian/stamp/do-pre-build-indep" -> "debian/stamp/BUILD/bar-indep" [dir=back]
+// "debian/stamp/do-pre-build-arch" -> "debian/stamp/dep-build-arch" [dir=back]
+ "debian/stamp/BUILD/foo-arch" -> "debian/stamp/dep-build-arch" [dir=back]
+// "debian/stamp/do-pre-build-indep" -> "debian/stamp/dep-build-indep" [dir=back]
+ "debian/stamp/BUILD/bar-indep" -> "debian/stamp/dep-build-indep" [dir=back]
+ "debian/stamp/do-pre-build-arch" -> "debian/stamp/do-build-arch" [dir=back]
+ "debian/stamp/dep-build-arch" -> "debian/stamp/do-build-arch" [dir=back color="Red"]
+// "CUSTOM-9" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-9" -> "debian/stamp/BUILD/foo-arch" [dir=back]
+ "debian/stamp/do-pre-build-indep" -> "debian/stamp/do-build-indep" [dir=back]
+ "debian/stamp/dep-build-indep" -> "debian/stamp/do-build-indep" [dir=back color="Red"]
+// "CUSTOM-10" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-10" -> "debian/stamp/BUILD/bar-indep" [dir=back]
+ "debian/stamp/do-build-arch" -> "build-arch" [dir=back]
+ "debian/stamp/do-build-indep" -> "build-indep" [dir=back]
+ "debian/stamp/do-build-arch" -> "build" [dir=back]
+ "debian/stamp/do-build-indep" -> "build" [dir=back]
+// "debian/stamp/do-build-arch" -> "debian/stamp/post-build-arch" [dir=back]
+ "debian/stamp/do-build-arch" -> "debian/stamp/do-post-build-arch" [dir=back]
+ "debian/stamp/do-build-indep" -> "debian/stamp/do-post-build-indep" [dir=back]
+ "debian/stamp/post-build-arch" -> "debian/stamp/do-post-build-arch" [dir=back color="Red"]
+// "CUSTOM-11" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-11" -> "debian/stamp/post-build-arch" [dir=back]
+ "debian/stamp/post-build-indep" -> "debian/stamp/do-post-build-indep" [dir=back color="Red"]
+// "CUSTOM-12" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-12" -> "debian/stamp/post-build-indep" [dir=back]
+// "debian/stamp/do-post-build-arch" -> "debian/stamp/pre-inst-arch" [dir=back]
+ "debian/stamp/pre-inst-common" -> "debian/stamp/do-pre-inst-arch" [dir=back color="Red"]
+// "CUSTOM-13" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-13" -> "debian/stamp/pre-inst-common" [dir=back]
+ "debian/stamp/do-post-build-arch" -> "debian/stamp/do-pre-inst-arch" [dir=back]
+ "debian/stamp/pre-inst-arch" -> "debian/stamp/do-pre-inst-arch" [dir=back color="Red"]
+// "CUSTOM-14" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-14" -> "debian/stamp/pre-inst-arch" [dir=back]
+// "debian/stamp/do-post-build-indep" -> "debian/stamp/pre-inst-indep" [dir=back]
+ "debian/stamp/pre-inst-common" -> "debian/stamp/do-pre-inst-indep" [dir=back color="Red"]
+ "debian/stamp/do-post-build-indep" -> "debian/stamp/do-pre-inst-indep" [dir=back]
+ "debian/stamp/pre-inst-indep" -> "debian/stamp/do-pre-inst-indep" [dir=back color="Red"]
+// "CUSTOM-15" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-15" -> "debian/stamp/pre-inst-indep" [dir=back]
+// "debian/stamp/do-pre-inst-arch" -> "debian/stamp/INST/foo-arch" [dir=back]
+// "debian/stamp/do-pre-inst-indep" -> "debian/stamp/INST/bar-indep" [dir=back]
+// "debian/stamp/do-pre-inst-arch" -> "debian/stamp/dep-install-arch" [dir=back]
+ "debian/stamp/INST/foo-arch" -> "debian/stamp/dep-install-arch" [dir=back]
+// "debian/stamp/do-pre-inst-indep" -> "debian/stamp/dep-install-indep" [dir=back]
+ "debian/stamp/INST/bar-indep" -> "debian/stamp/dep-install-indep" [dir=back]
+ "debian/stamp/do-pre-inst-arch" -> "debian/stamp/do-install-arch" [dir=back]
+ "debian/stamp/dep-install-arch" -> "debian/stamp/do-install-arch" [dir=back color="Red"]
+// "CUSTOM-16" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-16" -> "debian/stamp/INST/foo-arch" [dir=back]
+ "debian/stamp/do-pre-inst-indep" -> "debian/stamp/do-install-indep" [dir=back]
+ "debian/stamp/dep-install-indep" -> "debian/stamp/do-install-indep" [dir=back color="Red"]
+// "CUSTOM-17" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-17" -> "debian/stamp/INST/bar-indep" [dir=back]
+ "debian/stamp/do-install-arch" -> "install-arch" [dir=back]
+ "debian/stamp/do-install-indep" -> "install-indep" [dir=back]
+ "debian/stamp/do-install-arch" -> "install" [dir=back]
+ "debian/stamp/do-install-indep" -> "install" [dir=back]
+// "debian/stamp/do-install-arch" -> "debian/stamp/pre-bin-arch" [dir=back]
+ "debian/stamp/do-install-arch" -> "debian/stamp/do-pre-bin-arch" [dir=back]
+ "debian/stamp/pre-bin-common" -> "debian/stamp/do-pre-bin-arch" [dir=back color="Red"]
+// "CUSTOM-18" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-18" -> "debian/stamp/pre-bin-common" [dir=back]
+ "debian/stamp/pre-bin-arch" -> "debian/stamp/do-pre-bin-arch" [dir=back color="Red"]
+// "CUSTOM-19" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-19" -> "debian/stamp/pre-bin-arch" [dir=back]
+// "debian/stamp/do-install-indep" -> "debian/stamp/pre-bin-indep" [dir=back]
+ "debian/stamp/pre-bin-common" -> "debian/stamp/do-pre-bin-indep" [dir=back color="Red"]
+ "debian/stamp/do-install-indep" -> "debian/stamp/do-pre-bin-indep" [dir=back]
+ "debian/stamp/pre-bin-indep" -> "debian/stamp/do-pre-bin-indep" [dir=back color="Red"]
+// "CUSTOM-20" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-20" -> "debian/stamp/pre-bin-indep" [dir=back]
+// "debian/stamp/do-pre-bin-arch" -> "debian/stamp/BIN/foo-arch" [dir=back]
+// "debian/stamp/do-pre-bin-indep" -> "debian/stamp/BIN/bar-indep" [dir=back]
+// "debian/stamp/pre-bin-arch" -> "debian/stamp/dep-binary-arch" [dir=back]
+ "debian/stamp/BIN/foo-arch" -> "debian/stamp/dep-binary-arch" [dir=back]
+// "debian/stamp/do-pre-bin-indep" -> "debian/stamp/dep-binary-indep" [dir=back]
+ "debian/stamp/BIN/bar-indep" -> "debian/stamp/dep-binary-indep" [dir=back]
+ "debian/stamp/do-pre-bin-arch" -> "debian/stamp/do-binary-arch" [dir=back]
+ "debian/stamp/dep-binary-arch" -> "debian/stamp/do-binary-arch" [dir=back color="Red"]
+// "CUSTOM-21" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-21" -> "debian/stamp/BIN/foo-arch" [dir=back]
+ "debian/stamp/do-pre-bin-indep" -> "debian/stamp/do-binary-indep" [dir=back]
+ "debian/stamp/dep-binary-indep" -> "debian/stamp/do-binary-indep" [dir=back color="Red"]
+// "CUSTOM-22" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-22" -> "debian/stamp/BIN/bar-indep" [dir=back]
+ "debian/stamp/do-binary-arch" -> "binary-arch" [dir=back]
+ "debian/stamp/do-binary-indep" -> "binary-indep" [dir=back]
+ "debian/stamp/do-binary-arch" -> "binary" [dir=back]
+ "debian/stamp/do-binary-indep" -> "binary" [dir=back]
+
+
+ "debian/stamp/dummy-config-common" -> "debian/stamp/pre-config-common" [style="invis"]
+ "debian/stamp/do-pre-config-common" -> "debian/stamp/pre-config-arch" [style="invis"]
+ "debian/stamp/do-pre-config-common" -> "debian/stamp/pre-config-indep" [style="invis"]
+ "debian/stamp/do-pre-config-arch" -> "debian/stamp/CONFIG/foo-arch" [style="invis"]
+ "debian/stamp/do-pre-config-indep" -> "debian/stamp/CONFIG/bar-indep" [style="invis"]
+
+ "debian/stamp/dep-configure-arch" -> "configure" [style="invis"]
+ "debian/stamp/dep-configure-indep" -> "configure" [style="invis"]
+ "debian/stamp/dep-configure-arch" -> "configure-arch" [style="invis"]
+ "debian/stamp/dep-configure-indep" -> "configure-arch" [style="invis"]
+ "debian/stamp/dep-configure-arch" -> "configure-indep" [style="invis"]
+ "debian/stamp/dep-configure-indep" -> "configure-indep" [style="invis"]
+ "configure-arch" -> "configure" [style="invis"]
+ "configure-indep" -> "configure" [style="invis"]
+ "configure" -> "debian/stamp/pre-build-common" [style="invis"]
+
+
+ "debian/stamp/pre-build-common" -> "debian/stamp/pre-build-indep" [style="invis"]
+ "debian/stamp/pre-build-common" -> "debian/stamp/pre-build-arch" [style="invis"]
+
+ "debian/stamp/do-pre-build-arch" -> "debian/stamp/BUILD/foo-arch" [style="invis"]
+ "debian/stamp/do-pre-build-indep" -> "debian/stamp/BUILD/bar-indep" [style="invis"]
+ "debian/stamp/do-build-arch" -> "debian/stamp/post-build-arch" [style="invis"]
+ "debian/stamp/do-build-indep" -> "debian/stamp/post-build-indep" [style="invis"]
+ "debian/stamp/do-post-build-arch" -> "build-arch" [style="invis"]
+ "debian/stamp/do-post-build-arch" -> "build" [style="invis"]
+ "debian/stamp/do-post-build-indep" -> "build-indep" [style="invis"]
+ "debian/stamp/do-post-build-indep" -> "build" [style="invis"]
+ "build-arch" -> "build" [style="invis"]
+ "build-indep" -> "build" [style="invis"]
+
+ "build" -> "debian/stamp/pre-inst-common" [style="invis"]
+
+ "debian/stamp/pre-inst-common" -> "debian/stamp/pre-inst-indep" [style="invis"]
+ "debian/stamp/pre-inst-common" -> "debian/stamp/pre-inst-arch" [style="invis"]
+ "debian/stamp/do-pre-inst-arch" -> "debian/stamp/INST/foo-arch" [style="invis"]
+ "debian/stamp/do-pre-inst-indep" -> "debian/stamp/INST/bar-indep" [style="invis"]
+
+ "install-arch" -> "install" [style="invis"]
+ "install-indep" -> "install" [style="invis"]
+
+ "debian/stamp/pre-bin-common" -> "debian/stamp/pre-bin-indep" [style="invis"]
+ "debian/stamp/pre-bin-common" -> "debian/stamp/pre-bin-arch" [style="invis"]
+
+ "install" -> "debian/stamp/pre-bin-common" [style="invis"]
+ "debian/stamp/do-pre-bin-arch" -> "debian/stamp/BIN/foo-arch" [style="invis"]
+ "debian/stamp/do-pre-bin-indep" -> "debian/stamp/BIN/bar-indep" [style="invis"]
+
+ "binary-arch" -> "binary" [style="invis"]
+ "binary-indep" -> "binary" [style="invis"]
+
+}
--- refpolicy-2.20110726.orig/debian/common/archvars.mk
+++ refpolicy-2.20110726/debian/common/archvars.mk
@@ -0,0 +1,118 @@
+############################ -*- Mode: Makefile -*- ###########################
+## archvars.mk ---
+## Author : Manoj Srivastava ( srivasta@golden-gryphon.com )
+## Created On : Sat Nov 15 02:40:56 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Tue Nov 16 23:36:15 2004
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 5
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : calls dpkg-architecture and sets up various arch
+## related variables
+##
+## arch-tag: e16dd848-0fd6-4c0e-ae66-bef20d1f7c63
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+##
+###############################################################################
+
+
+DPKG_ARCH := dpkg-architecture
+
+ifeq ($(strip $(KPKG_ARCH)),um)
+ MAKING_VIRTUAL_IMAGE:=YES
+endif
+ifeq ($(strip $(KPKG_ARCH)),xen)
+ MAKING_VIRTUAL_IMAGE:=YES
+endif
+
+ifneq ($(strip $(CONFIG_UM)),)
+ MAKING_VIRTUAL_IMAGE:=YES
+ KPKG_ARCH=um
+endif
+
+ifneq ($(strip $(CONFIG_XEN)),)
+ MAKING_VIRTUAL_IMAGE:=YES
+ ifneq ($(strip $(CONFIG_X86_XEN)$(CONFIG_X86_64_XEN)),)
+ KPKG_SUBARCH=xen
+ else
+ KPKG_ARCH=xen
+ ifeq ($(strip $(CONFIG_XEN_PRIVILEGED_GUEST)),)
+ KPKG_SUBARCH=xenu
+ else
+ KPKG_SUBARCH=xen0
+ endif
+ endif
+endif
+
+ifdef KPKG_ARCH
+ ifeq ($(strip $(MAKING_VIRTUAL_IMAGE)),)
+ ifneq ($(CROSS_COMPILE),-)
+ ha:=-a$(KPKG_ARCH)
+ endif
+ endif
+endif
+
+# set the dpkg-architecture vars
+export DEB_BUILD_ARCH := $(shell $(DPKG_ARCH) -qDEB_BUILD_ARCH)
+export DEB_BUILD_GNU_CPU := $(shell $(DPKG_ARCH) -qDEB_BUILD_GNU_CPU)
+export DEB_BUILD_GNU_SYSTEM:= $(shell $(DPKG_ARCH) -qDEB_BUILD_GNU_SYSTEM)
+export DEB_BUILD_GNU_TYPE := $(shell $(DPKG_ARCH) -qDEB_BUILD_GNU_TYPE)
+export DEB_HOST_ARCH := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH)
+export DEB_HOST_ARCH_OS := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH_OS \
+ 2>/dev/null|| true)
+export DEB_HOST_ARCH_CPU := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH_CPU \
+ 2>/dev/null|| true)
+export DEB_HOST_GNU_CPU := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_CPU)
+export DEB_HOST_GNU_SYSTEM := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_SYSTEM)
+export DEB_HOST_GNU_TYPE := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_TYPE)
+
+# arrgh. future proofing
+ifeq ($(DEB_HOST_GNU_SYSTEM), linux)
+ DEB_HOST_GNU_SYSTEM=linux-gnu
+endif
+ifeq ($(DEB_HOST_ARCH_OS),)
+ ifeq ($(DEB_HOST_GNU_SYSTEM), linux-gnu)
+ DEB_HOST_ARCH_OS := linux
+ endif
+ ifeq ($(DEB_HOST_GNU_SYSTEM), kfreebsd-gnu)
+ DEB_HOST_ARCH_OS := kfreebsd
+ endif
+endif
+
+REASON = @if [ -f $@ ]; then \
+ echo "====== making $(notdir $@) because of $(notdir $?) ======";\
+ else \
+ echo "====== making target $@ [new prereqs: $(notdir $?)]======"; \
+ fi
+
+OLDREASON = @if [ -f $@ ]; then \
+ echo "====== making $(notdir $@) because of $(notdir $?) ======";\
+ else \
+ echo "====== making (creating) $(notdir $@) ======"; \
+ fi
+
+LIBREASON = @echo "====== making $(notdir $@)($(notdir $%))because of $(notdir $?)======"
+
+
+# macro outputing $(1) if DEBUG_DEBIAN_RULES is set, and resolving it
+# in all cases usage $(call doit,some shell command)
+doit = $(if $(DEBUG_DEBIAN_RULES),$(warning DEBUG: $(1)))$(shell $(1))
+
+#Local variables:
+#mode: makefile
+#End:
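Review bot: The `$(shell $(DPKG_ARCH) ...)` results on the `export DEB_BUILD_ARCH := ...` block are never checked, so if `dpkg-architecture` is missing or fails every DEB_* variable is silently empty and the remaining rules proceed with an unnamed build/host architecture; a guard directly after the block, `ifeq ($(strip $(DEB_BUILD_ARCH)),)` / `$(error dpkg-architecture failed - is dpkg-dev installed?)` / `endif`, stops the build at the first use instead of letting the empty value propagate. The `ha` variable is also undocumented; a comment above the `ifdef KPKG_ARCH` block such as `# ha: -a<arch> argument for dpkg-architecture, set only when KPKG_ARCH is given, no um/xen virtual image is being built and CROSS_COMPILE is not "-"` would make its three nested conditions readable.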
--- refpolicy-2.20110726.orig/debian/common/copt.mk
+++ refpolicy-2.20110726/debian/common/copt.mk
@@ -0,0 +1,44 @@
+############################ -*- Mode: Makefile -*- ###########################
+## copt.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:48:40 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Nov 15 02:49:07 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 1
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: a0045c20-f1b3-4852-9a4b-1a33ebd7c1b8
+##
+###############################################################################
+
+PREFIX := /usr
+# set CC to $(DEB_HOST_GNU_TYPE)-gcc only if a cross-build is detected
+ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
+ CC=$(DEB_HOST_GNU_TYPE)-gcc
+else
+ CC = cc
+endif
+
+# Policy 10.1 says to make this the default
+CFLAGS = -Wall -g
+
+ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+## ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+## endif
+
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ STRIP += -s
+ LDFLAGS += -s
+ INT_INSTALL_TARGET = install
+else
+ INT_INSTALL_TARGET = install
+endif
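Review bot: Both branches of the trailing `nostrip` conditional set `INT_INSTALL_TARGET = install`, so the `else` branch is dead; move that assignment above the conditional and keep only `STRIP += -s` and `LDFLAGS += -s` inside it, and drop the commented-out `## ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))` / `## endif` pair. `CFLAGS = -Wall -g` is a plain assignment, which discards any CFLAGS supplied through the environment (for example distribution hardening flags) unless they are passed on the make command line; if the environment is meant to be honoured, `CFLAGS += -Wall -g` would be the intended form. Whether this package compiles any C at all is not visible from the hunk.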