[selinux-policy: 396/3172] XML: encapsulate modules in layers, rather then layer being an attribute of module tag
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:39:02 UTC 2010
commit 57869a681efec72791ab94c446447c7dbcfa6d9f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Jun 20 18:40:44 2005 +0000
XML: encapsulate modules in layers, rather than layer being an attribute of
module tag
refpolicy/Makefile | 13 ++++++---
refpolicy/doc/policy.dtd | 12 +++++---
refpolicy/policy/modules/admin/dmesg.if | 2 +-
refpolicy/policy/modules/admin/rpm.if | 2 +-
refpolicy/policy/modules/admin/usermanage.if | 2 +-
refpolicy/policy/modules/apps/gpg.if | 30 ++++++++++++++++++---
refpolicy/policy/modules/kernel/bootloader.if | 2 +-
refpolicy/policy/modules/kernel/corenetwork.if.in | 2 +-
refpolicy/policy/modules/kernel/devices.if | 2 +-
refpolicy/policy/modules/kernel/filesystem.if | 2 +-
refpolicy/policy/modules/kernel/kernel.if | 2 +-
refpolicy/policy/modules/kernel/selinux.if | 2 +-
refpolicy/policy/modules/kernel/storage.if | 2 +-
refpolicy/policy/modules/kernel/terminal.if | 2 +-
refpolicy/policy/modules/services/mta.if | 2 +-
refpolicy/policy/modules/services/remotelogin.if | 2 +-
refpolicy/policy/modules/services/sendmail.if | 2 +-
refpolicy/policy/modules/system/authlogin.if | 2 +-
refpolicy/policy/modules/system/clock.if | 2 +-
refpolicy/policy/modules/system/corecommands.if | 2 +-
refpolicy/policy/modules/system/domain.if | 2 +-
refpolicy/policy/modules/system/files.if | 2 +-
refpolicy/policy/modules/system/getty.if | 2 +-
refpolicy/policy/modules/system/hostname.if | 2 +-
refpolicy/policy/modules/system/hotplug.if | 2 +-
refpolicy/policy/modules/system/init.if | 2 +-
refpolicy/policy/modules/system/iptables.if | 2 +-
refpolicy/policy/modules/system/libraries.if | 2 +-
refpolicy/policy/modules/system/locallogin.if | 2 +-
refpolicy/policy/modules/system/logging.if | 2 +-
refpolicy/policy/modules/system/lvm.if | 2 +-
refpolicy/policy/modules/system/miscfiles.if | 2 +-
refpolicy/policy/modules/system/modutils.if | 2 +-
refpolicy/policy/modules/system/mount.if | 2 +-
refpolicy/policy/modules/system/selinuxutil.if | 2 +-
refpolicy/policy/modules/system/sysnetwork.if | 2 +-
refpolicy/policy/modules/system/udev.if | 2 +-
refpolicy/policy/modules/system/userdomain.if | 2 +-
38 files changed, 78 insertions(+), 47 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index ca26e5e..4beb272 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -129,7 +129,7 @@ CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
USER_FILES := $(POLDIR)/users
DISABLEMOD := $(foreach mod,$(shell egrep -v '^[[:blank:]]*\#' $(MOD_DISABLE)),$(subst ./,,$(shell find -iname $(mod).te)))
-ALL_LAYERS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d)
+ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
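Review bot: `$(filter-out $(MODDIR)/CVS,...)` on the ALL_LAYERS line excludes exactly one directory by name, so any other non-layer directory that turns up under `$(MODDIR)` (another VCS metadata directory, a scratch directory) is still treated as a layer, and the doc recipe later in this file tries to `cat` a metadata.xml from it. Selecting layers positively by the file that now defines them avoids that and the `find` fork: `ALL_LAYERS := $(patsubst %/metadata.xml,%,$(wildcard $(MODDIR)/*/metadata.xml))`. This assumes every layer ships a metadata.xml, which the doc recipe already requires; it uses the literal file name because `LAYERXML` is assigned further down the Makefile, and if that assignment is moved above this line `$(LAYERXML)` can be used instead.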
@@ -153,6 +153,7 @@ POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_
DOCS = doc
POLXML = $(DOCS)/policy.xml
XMLDTD = $(DOCS)/policy.dtd
+LAYERXML = metadata.xml
HTMLDIR = $(DOCS)/html
DOCTEMPLATE = $(DOCS)/templates
@@ -364,9 +365,13 @@ $(POLXML): $(ALL_INTERFACES)
$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
$(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@
$(QUIET) echo "<policy>" >> $@
-# process this through m4 to eliminate the generated definitions templates.
-# currently these are only in corenetwork.if
- $(QUIET) m4 $(ALL_INTERFACES) $(GLOBALTUN) | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@
+# do all modules, even disabled ones:
+ $(QUIET) for i in $(ALL_LAYERS); do \
+ cat $$i/$(LAYERXML) >> $@ ;\
+ egrep -h "^##[[:blank:]]" $$i/*.if | sed -e 's/^##[[:blank:]]//g' >> $@ ;\
+ echo "</layer>" >> $@;\
+ done
+ $(QUIET) egrep -h "^##[[:blank:]]" $(GLOBALTUN) | sed -e 's/^##[[:blank:]]//g' >> $@
$(QUIET) echo "</policy>" >> $@
$(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
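Review bot: The for loop has no error handling, so a layer directory without a metadata.xml, or an `egrep` that matches nothing because a layer has no `*.if` files, is skipped silently and the recipe still succeeds, since the shell exit status of the loop is that of the last `echo "</layer>"`. The generated policy.xml then contains a `</layer>` with no opening tag, which is only detected when `$(XMLLINT)` happens to be installed (the validation below is guarded by `test -x`). Making the missing file fatal is a one-line change: `cat $$i/$(LAYERXML) >> $@ || exit 1 ;\`. Separately, the removed comment says the interfaces were run through m4 because corenetwork.if still contains generated-definition templates, while the new loop greps the raw `*.if` files; if those templates can emit `##` lines the documentation output will differ, so this is worth confirming. The `$(POLXML)` rule continues past the end of the hunk.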
diff --git a/refpolicy/doc/policy.dtd b/refpolicy/doc/policy.dtd
index 3afb7e3..a5ccae7 100644
--- a/refpolicy/doc/policy.dtd
+++ b/refpolicy/doc/policy.dtd
@@ -1,10 +1,12 @@
<!ENTITY % inline.class "pre|p|ul|li">
-<!ELEMENT policy (module+,tunable*)>
-<!ELEMENT module (summary,description?,interface+)>
+<!ELEMENT policy (layer+,tunable*)>
+<!ELEMENT layer (module+)>
+<!ATTLIST layer
+ name CDATA #REQUIRED>
+<!ELEMENT module (summary,description?,(interface|template)*)>
<!ATTLIST module
- name CDATA #REQUIRED
- layer CDATA #REQUIRED>
+ name CDATA #REQUIRED>
<!ELEMENT tunable (#PCDATA)>
<!ATTLIST tunable
name CDATA #REQUIRED
@@ -12,6 +14,8 @@
<!ELEMENT summary (#PCDATA)>
<!ELEMENT interface (summary?,description?,securitydesc?,parameter+,infoflow?)>
<!ATTLIST interface name CDATA #REQUIRED>
+<!ELEMENT template (summary,description?,securitydesc?,parameter+)>
+<!ATTLIST template name CDATA #REQUIRED>
<!ELEMENT description (#PCDATA|%inline.class;)*>
<!ELEMENT securitydesc (#PCDATA|%inline.class;)*>
<!ELEMENT parameter (#PCDATA)>
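Review bot: The new `template` element is declared without any comment on how it differs from `interface`, and this DTD carries no other documentation, so a reader of policy.xml has to guess why some macros are templates and why a template, unlike an interface, has no `infoflow?` child. A one-line comment above the declaration would settle that, e.g. `<!-- template: an m4 macro documented like an interface but instantiated by the build (e.g. once per user domain, see gpg.if) rather than called directly by policy writers -->`; whether the absence of infoflow is deliberate should be confirmed and stated in the same comment.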
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 0c6f5b7..3e55cac 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -1,4 +1,4 @@
-## <module name="dmesg" layer="admin">
+## <module name="dmesg">
## <summary>Policy for dmesg.</summary>
########################################
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index c4c3bde..c0d2e30 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -1,4 +1,4 @@
-## <module name="rpm" layer="admin">
+## <module name="rpm">
## <summary>Policy for the RPM package manager.</summary>
########################################
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 194411f..625aaff 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -1,4 +1,4 @@
-## <module name="usermanage" layer="admin">
+## <module name="usermanage">
## <summary>Policy for managing user accounts.</summary>
########################################
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 903524b..9f42521 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -1,9 +1,28 @@
+## <module name="gpg">
+## <summary>Policy for GNU Privacy Guard and related programs.</summary>
#######################################
-#
-# Per user domain template for this module
-#
-# gpg_per_userdomain_template(userdomain_prefix)
+## <template name="gpg_per_userdomain_template">
+## <summary>
+## The per-userdomain template for the gpg module.
+## </summary>
+## <description>
+## <p>
+## This template creates the types and rules for GPG,
+## GPG-agent, and GPG helper programs. This protects
+## the user keys and secrets, and runs the programs
+## in domains specific to the user type.
+## </p>
+## <p>
+## This is invoked automatically for each user, and
+## generally does not need to be statically invoked
+## directly by policy writers.
+## </p>
+## </description>
+## <parameter name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </parameter>
#
define(`gpg_per_userdomain_template',`
gen_require(`$0'_depend)
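Review bot: The security-relevant statement in the gpg_per_userdomain_template documentation (that the template protects the user's keys and secrets and runs the helpers in per-user domains) sits inside the generic `<description>`, while the DTD introduced by this commit gives templates a dedicated `<securitydesc>` element. Moving that sentence into `## <securitydesc>` … `## </securitydesc>`, placed after the description and before the parameters as the DTD orders them, lets the generated docs present the confinement goal separately from the usage notes. The bare `#` line left between `</parameter>` and `define(` looks like a remnant of the old comment block and can be dropped. The template body continues outside the hunk.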
@@ -349,3 +368,6 @@ define(`gpg_per_userdomain_template',`
') dnl end TODO
')
+## </template>
+
+## </module>
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 753d039..5a64873 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -1,4 +1,4 @@
-## <module name="bootloader" layer="kernel">
+## <module name="bootloader">
## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
########################################
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index f1189cf..9430836 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1,4 +1,4 @@
-## <module name="corenetwork" layer="kernel">
+## <module name="corenetwork">
## <summary>Policy controlling access to network objects</summary>
########################################
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index aa87733..4611ab9 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1,4 +1,4 @@
-## <module name="devices" layer="kernel">
+## <module name="devices">
## <summary>
## Device nodes and interfaces for many basic system devices.
## </summary>
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 6d7b9f6..4528dc4 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1,4 +1,4 @@
-## <module name="filesystem" layer="kernel">
+## <module name="filesystem">
## <summary>Policy for filesystems.</summary>
########################################
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index d6deee8..df67d3e 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1,4 +1,4 @@
-## <module name="kernel" layer="kernel">
+## <module name="kernel">
## <summary>
## Policy for kernel threads, proc filesystem,
## and unlabeled processes and objects.
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index 4f36172..307e28a 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -1,4 +1,4 @@
-## <module name="selinux" layer="kernel">
+## <module name="selinux">
## <summary>
## Policy for kernel security interface, in particular, selinuxfs.
## </summary>
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 233326f..854ce59 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -1,4 +1,4 @@
-## <module name="storage" layer="kernel">
+## <module name="storage">
## <summary>Policy controlling access to storage devices</summary>
########################################
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index db943ba..90ea8a1 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -1,4 +1,4 @@
-## <module name="terminal" layer="kernel">
+## <module name="terminal">
## <summary>Policy for terminals.</summary>
########################################
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index c28b2a7..6726287 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -1,4 +1,4 @@
-## <module name="mta" layer="services">
+## <module name="mta">
## <summary>Policy common to all email tranfer agents.</summary>
#######################################
diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if
index e4e26d5..5fbe4ca 100644
--- a/refpolicy/policy/modules/services/remotelogin.if
+++ b/refpolicy/policy/modules/services/remotelogin.if
@@ -1,4 +1,4 @@
-## <module name="remotelogin" layer="services">
+## <module name="remotelogin">
## <summary>Policy for rshd, rlogind, and telnetd.</summary>
########################################
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index cc202c5..99ba008 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -1,4 +1,4 @@
-## <module name="sendmail" layer="services">
+## <module name="sendmail">
## <summary>Policy for sendmail.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 88f96d9..740a2b1 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -1,4 +1,4 @@
-## <module name="authlogin" layer="system">
+## <module name="authlogin">
## <summary>Common policy for authentication and user login.</summary>
#######################################
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 45a2245..42449ca 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -1,4 +1,4 @@
-## <module name="clock" layer="system">
+## <module name="clock">
## <summary>Policy for reading and setting the hardware clock.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index ac9b624..fb32f23 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -1,4 +1,4 @@
-## <module name="corecommands" layer="system">
+## <module name="corecommands">
## <summary>
## Core policy for shells, and generic programs
## in /bin, /sbin, /usr/bin, and /usr/sbin.
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index aa14bbb..018375e 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -1,4 +1,4 @@
-## <module name="domain" layer="system">
+## <module name="domain">
## <summary>Core policy for domains.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 2f78d9a..e91e72c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1,4 +1,4 @@
-## <module name="files" layer="system">
+## <module name="files">
## <summary>
## Basic filesystem types and interfaces.
## </summary>
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index 51ce7a5..41850c1 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -1,4 +1,4 @@
-## <module name="getty" layer="system">
+## <module name="getty">
## <summary>Policy for getty.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index 3a37ecb..28b679d 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -1,4 +1,4 @@
-## <module name="hostname" layer="system">
+## <module name="hostname">
## <summary>Policy for changing the system host name.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 4007f50..9f6dd58 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -1,4 +1,4 @@
-## <module name="hotplug" layer="system">
+## <module name="hotplug">
## <summary>
## Policy for hotplug system, for supporting the
## connection and disconnection of devices at runtime.
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 9d3013a..ce8b55e 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -1,4 +1,4 @@
-## <module name="init" layer="system">
+## <module name="init">
## <summary>System initialization programs (init and init scripts).</summary>
########################################
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index b46ea3c..c41a5c0 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -1,4 +1,4 @@
-## <module name="iptables" layer="system">
+## <module name="iptables">
## <summary>Policy for iptables.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 2f7514e..f187806 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -1,4 +1,4 @@
-## <module name="libraries" layer="system">
+## <module name="libraries">
## <summary>Policy for system libraries.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index ef30cb7..281da20 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -1,4 +1,4 @@
-## <module name="locallogin" layer="system">
+## <module name="locallogin">
## <summary>Policy for local logins.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index e7e4c4e..df1b2c5 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -1,4 +1,4 @@
-## <module name="logging" layer="system">
+## <module name="logging">
## <summary>Policy for the kernel message logger and system logging daemon.</summary>
#######################################
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index fb0c163..adc7b50 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -1,4 +1,4 @@
-## <module name="lvm" layer="system">
+## <module name="lvm">
## <summary>Policy for logical volume management programs.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index d8d8c60..cef50ff 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -1,4 +1,4 @@
-## <module name="miscfiles" layer="system">
+## <module name="miscfiles">
## <summary>Miscelaneous files.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index c4cefed..2c310cf 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -1,4 +1,4 @@
-## <module name="modutils" layer="system">
+## <module name="modutils">
## <summary>Policy for kernel module utilities</summary>
########################################
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index ac8cd49..e7cbdc1 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -1,4 +1,4 @@
-## <module name="mount" layer="system">
+## <module name="mount">
## <summary>Policy for mount.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 6183f14..a4108b0 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -1,4 +1,4 @@
-## <module name="selinuxutil" layer="system">
+## <module name="selinuxutil">
## <summary>Policy for SELinux policy and userland applications.</summary>
#######################################
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 08ee021..ce884dc 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -1,4 +1,4 @@
-## <module name="sysnetwork" layer="system">
+## <module name="sysnetwork">
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
#######################################
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index c1eccd0..4b986f5 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -1,4 +1,4 @@
-## <module name="udev" layer="system">
+## <module name="udev">
## <summary>Policy for udev.</summary>
########################################
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index db11429..229bd81 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1,4 +1,4 @@
-## <module name="userdomain" layer="system">
+## <module name="userdomain">
## <summary>Policy for user domains</summary>
########################################