plautrba pushed to selinux-policy (master). "Remove unnecessary and unused files from git"
notifications at fedoraproject.org
notifications at fedoraproject.org
Tue May 19 08:42:05 UTC 2015
From b1ef7171b66cf4b4b882ab37d08d2f3660c38a84 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba at redhat.com>
Date: Fri, 15 May 2015 12:37:18 +0200
Subject: Remove unnecessary and unused files from git
diff --git a/Changelog b/Changelog
deleted file mode 100644
index 72baf6d..0000000
--- a/Changelog
+++ /dev/null
@@ -1,820 +0,0 @@
-- Unconditional staff and user oidentd home config access from Dominick Grift.
-- Conditional mmap_zero support from Dominick Grift.
-- Added devtmpfs support.
-- Dbadm updates from KaiGai Kohei.
-- Virtio disk file context update from Mika Pfluger.
-- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
-- Add JIT usage for freshclam.
-- Remove ethereal module since the application was renamed to wireshark.
-- Remove duplicate/redundant rules, from Russell Coker.
-- Increased default number of categories to 1024, from Russell Coker.
-- Added modules:
- accountsd (Dan Walsh)
- cgroup (Dominick Grift)
- kdumpgui (Dan Walsh)
- livecd (Dan Walsh)
- mojomojo (Lain Arnell)
- sambagui (Dan Walsh)
- shutdown (Dan Walsh)
-
-* Mon May 24 2010 Chris PeBenito <selinux at tresys.com> - 2.20100524
-- Merged a significant portion of Fedora policy.
-- Move rules from mta mailserver delivery from interface to .te to use
- attributes.
-- Remove concept of users from terminal module interfaces since the
- attributes are not specific to users.
-- Add non-drawing X client support, for consolekit usage.
-- Misc Gentoo fixes from Chris Richards.
-- AFS and abrt fixes from Dominick Grift.
-- Improved the XML docs of 55 most-used interfaces.
-- Apcupsd and amavis fixes from Dominick Grift.
-- Fix network_port() in corenetwork to correctly handle port ranges.
-- SE-Postgresql updates from KaiGai Kohei.
-- X object manager revisions from Eamon Walsh.
-- Added modules:
- aisexec (Dan Walsh)
- chronyd (Miroslav Grepl)
- cobbler (Dominick Grift)
- corosync (Dan Walsh)
- dbadm (KaiGai Kohei)
- denyhosts (Dan Walsh)
- nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
- likewise (Scott Salley)
- plymouthd (Dan Walsh)
- pyicqt (Stefan Schulze Frielinghaus)
- rhcs (Dan Walsh)
- rgmanager (Dan Walsh)
- sectoolm (Miroslav Grepl)
- usbmuxd (Dan Walsh)
- vhostmd (Dan Walsh)
-
-* Tue Nov 17 2009 Chris PeBenito <selinux at tresys.com> - 2.20091117
-- Add separate x_pointer and x_keyboard classes inheriting from x_device.
- From Eamon Walsh.
-- Deprecated the userdom_xwindows_client_template().
-- Misc Gentoo fixes from Corentin Labbe.
-- Debian policykit fixes from Martin Orr.
-- Fix unconfined_r use of unconfined_java_t.
-- Add missing x_device rules for XI2 functions, from Eamon Walsh.
-- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
-- Add btrfs and ext4 to labeling targets.
-- Fix infrastructure to expand macros in initrc_context when installing.
-- Handle unix_chkpwd usage by useradd and groupadd.
-- Add missing compatibility aliases for xdm_xserver*_t types.
-- Added modules:
- abrt (Dan Walsh)
- dkim (Stefan Schulze Frielinghaus)
- gitosis (Miroslav Grepl)
- gnomeclock (Dan Walsh)
- hddtemp (Dan Walsh)
- kdump (Dan Walsh)
- modemmanager(Dan Walsh)
- nslcd (Dan Walsh)
- puppet (Craig Grube)
- rtkit (Dan Walsh)
- seunshare (Dan Walsh)
- shorewall (Dan Walsh)
- tgtd (Matthew Ife)
- tuned (Miroslav Grepl)
- xscreensaver (Corentin Labbe)
-
-* Thu Jul 30 2009 Chris PeBenito <selinux at tresys.com> - 2.20090730
-- Gentoo fixes for init scripts and system startup.
-- Remove read_default_t tunable.
-- Greylist milter from Paul Howarth.
-- Crack db access for su to handle password expiration, from Brandon Whalen.
-- Misc fixes for unix_update from Brandon Whalen.
-- Add x_device permissions for XI2 functions, from Eamon Walsh.
-- MLS constraints for the x_selection class, from Eamon Walsh.
-- Postgresql updates from KaiGai Kohei.
-- Milter state directory patch from Paul Howarth.
-- Add MLS constrains for ingress/egress and secmark from Paul Moore.
-- Drop write permission from fs_read_rpc_sockets().
-- Remove unused udev_runtime_t type.
-- Patch for RadSec port from Glen Turner.
-- Enable network_peer_controls policy capability from Paul Moore.
-- Btrfs xattr support from Paul Moore.
-- Add db_procedure install permission from KaiGai Kohei.
-- Add support for network interfaces with access controlled by a Boolean
- from the CLIP project.
-- Several fixes from the CLIP project.
-- Add support for labeled Booleans.
-- Remove node definitions and change node usage to generic nodes.
-- Add kernel_service access vectors, from Stephen Smalley.
-- Added modules:
- certmaster (Dan Walsh)
- cpufreqselector (Dan Walsh)
- devicekit (Dan Walsh)
- fprintd (Dan Walsh)
- git (Dan Walsh)
- gpsd (Miroslav Grepl)
- guest (Dan Walsh)
- ifplugd (Dan Walsh)
- lircd (Miroslav Grepl)
- logadm (Dan Walsh)
- pads (Dan Walsh)
- pingd (Dan Walsh)
- policykit (Dan Walsh)
- pulseaudio (Dan Walsh)
- psad (Dan Walsh)
- portreserve (Dan Walsh)
- sssd (Dan Walsh)
- ulogd (Dan Walsh)
- varnishd (Dan Walsh)
- webadm (Dan Walsh)
- wm (Dan Walsh)
- xguest (Dan Walsh)
- zosremote (Dan Walsh)
-
-* Wed Dec 10 2008 Chris PeBenito <selinux at tresys.com> - 2.20081210
-- Fix consistency of audioentropy and iscsi module naming.
-- Debian file context fix for xen from Russell Coker.
-- Xserver MLS fix from Eamon Walsh.
-- Add omapi port for dhcpcd.
-- Deprecate per-role templates and rolemap support.
-- Implement user-based access control for use as role separations.
-- Move shared library calls from individual modules to the domain module.
-- Enable open permission checks policy capability.
-- Remove hierarchy from portage module as it is not a good example of
- hieararchy.
-- Remove enableaudit target from modular build as semodule -DB supplants it.
-- Added modules:
- milter (Paul Howarth)
-
-* Tue Oct 14 2008 Chris PeBenito <selinux at tresys.com> - 20081014
-- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
-- Logrotate and Bind updates from Vaclav Ovsik.
-- Init script file and domain support.
-- Glibc 2.7 fix from Vaclav Ovsik.
-- Samba/winbind update from Mike Edenfield.
-- Policy size optimization with a non-security file attribute from James
- Carter.
-- Database labeled networking update from KaiGai Kohei.
-- Several misc changes from the Fedora policy, cherry picked by David
- Hardeman.
-- Large whitespace fix from Dominick Grift.
-- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
-- Issuing commands to upstart is over a datagram socket, not the initctl
- named pipe. Updated init_telinit() to match.
-- Added modules:
- cyphesis (Dan Walsh)
- memcached (Dan Walsh)
- oident (Dominick Grift)
- w3c (Dan Walsh)
-
-* Wed Jul 02 2008 Chris PeBenito <selinux at tresys.com> - 20080702
-- Fix httpd_enable_homedirs to actually provide the access it is supposed to
- provide.
-- Add unused interface/template parameter metadata in XML.
-- Patch to handle postfix data_directory from Vaclav Ovsik.
-- SE-Postgresql policy from KaiGai Kohei.
-- Patch for X.org dbus support from Martin Orr.
-- Patch for labeled networking controls in 2.6.25 from Paul Moore.
-- Module loading now requires setsched on kernel threads.
-- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
-- X application data class from Eamon Walsh and Ted Toth.
-- Move user roles into individual modules.
-- Make hald_log_t a log file.
-- Cryptsetup runs shell scripts. Patch from Martin Orr.
-- Add file for enabling policy capabilities.
-- Patch to fix leaky interface/template call depth calculator from Vaclav
- Ovsik.
-- Added modules:
- kerneloops (Dan Walsh)
- kismet (Dan Walsh)
- podsleuth (Dan Walsh)
- prelude (Dan Walsh)
- qemu (Dan Walsh)
- virt (Dan Walsh)
-
-* Wed Apr 02 2008 Chris PeBenito <selinux at tresys.com> - 20080402
-- Add core Security Enhanced X Windows support.
-- Fix winbind socket connection interface for default location of the
- sock_file.
-- Add wireshark module based on ethereal module.
-- Revise upstart support in init module to use a tunable, as upstart is now
- used in Fedora too.
-- Add iferror.m4 rather generate it out of the Makefiles.
-- Definitions for open permisson on file and similar objects from Eric
- Paris.
-- Apt updates for ptys and logs, from Martin Orr.
-- RPC update from Vaclav Ovsik.
-- Exim updates on Debian from Devin Carrawy.
-- Pam and samba updates from Stefan Schulze Frielinghaus.
-- Backup update on Debian from Vaclav Ovsik.
-- Cracklib update on Debian from Vaclav Ovsik.
-- Label /proc/kallsyms with system_map_t.
-- 64-bit capabilities from Stephen Smalley.
-- Labeled networking peer object class updates.
-
-* Fri Dec 14 2007 Chris PeBenito <selinux at tresys.com> - 20071214
-- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
-- Improve several tunables descriptions from Dan Walsh.
-- Patch to clean up ns switch usage in the policy from Dan Walsh.
-- More complete labeled networking infrastructure from KaiGai Kohei.
-- Add interface for libselinux constructor, for libselinux-linked
- SELinux-enabled programs.
-- Patch to restructure user role templates to create restricted user roles
- from Dan Walsh.
-- Russian man page translations from Andrey Markelov.
-- Remove unused types from dbus.
-- Add infrastructure for managing all user web content.
-- Deprecate some old file and dir permission set macros in favor of the
- newer, more consistently-named macros.
-- Patch to clean up unescaped periods in several file context entries from
- Jan-Frode Myklebust.
-- Merge shlib_t into lib_t.
-- Merge strict and targeted policies. The policy will now behave like the
- strict policy if the unconfined module is not present. If it is, it will
- behave like the targeted policy. Added an unconfined role to have a mix
- of confined and unconfined users.
-- Added modules:
- exim (Dan Walsh)
- postfixpolicyd (Jan-Frode Myklebust)
-
-* Fri Sep 28 2007 Chris PeBenito <selinux at tresys.com> - 20070928
-- Add support for setting the unknown permissions handling.
-- Fix XML building for external reference builds and headers builds.
-- Patch to add missing requirements in userdomain interfaces from Shintaro
- Fujiwara.
-- Add tcpd_wrapped_domain() for services that use tcp wrappers.
-- Update MLS constraints from LSPP evaluated policy.
-- Allow initrc_t file descriptors to be inherited regardless of MLS level.
- Accordingly drop MLS permissions from daemons that inherit from any level.
-- Files and radvd updates from Stefan Schulze Frielinghaus.
-- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
- mls_write_all_levels() and mls_read_all_levels(), for consistency.
-- Add make kernel and init ranged interfaces pass the range transition MLS
- constraints. Also remove calls to mls_rangetrans_target() in modules that use
- the kernel and init interfaces, since its redundant.
-- Add interfaces for all MLS attributes except X object classes.
-- Require all sensitivities and categories for MLS and MCS policies, not just
- the low and high sensitivity and category.
-- Database userspace object manager classes from KaiGai Kohei.
-- Add third-party interface for Apache CGI.
-- Add getserv and shmemserv nscd permissions.
-- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
-- Added modules:
- application
- awstats (Stefan Schulze Frielinghaus)
- bitlbee (Devin Carraway)
- brctl (Dan Walsh)
-
-* Fri Jun 29 2007 Chris PeBenito <selinux at tresys.com> - 20070629
-- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
- libraries module.
-- Unified labeled networking policy from Paul Moore.
-- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
-- Xen updates from Dan Walsh.
-- Filesystem updates from Dan Walsh.
-- Large samba update from Dan Walsh.
-- Drop snmpd_etc_t.
-- Confine sendmail and logrotate on targeted.
-- Tunable connection to postgresql for users from KaiGai Kohei.
-- Memprotect support patch from Stephen Smalley.
-- Add logging_send_audit_msgs() interface and deprecate
- send_audit_msgs_pattern().
-- Openct updates patch from Dan Walsh.
-- Merge restorecon into setfiles.
-- Patch to begin separating out hald helper programs from Dan Walsh.
-- Fixes for squid, dovecot, and snmp from Dan Walsh.
-- Miscellaneous consolekit fixes from Dan Walsh.
-- Patch to have avahi use the nsswitch interface rather than individual
- permissions from Dan Walsh.
-- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
-- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
- to handle usage from userhelper from Dan Walsh.
-- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
-- Patch to allow slocate to getattr other filesystems and directories on those
- filesystems from Dan Walsh.
-- Fixes for RHEL4 from the CLIP project.
-- Replace the old lrrd fc entries with munin ones.
-- Move program admin template usage out of userdom_admin_user_template() to
- sysadm policy in userdomain.te to fix usage of the template for third
- parties.
-- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
- template instead of an interface.
-- Added modules:
- amtu (Dan Walsh)
- apcupsd (Dan Walsh)
- rpcbind (Dan Walsh)
- rwho (Nalin Dahyabhai)
-
-* Tue Apr 17 2007 Chris PeBenito <selinux at tresys.com> - 20070417
-- Patch for sasl's use of kerberos from Dan Walsh.
-- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
-- Man page updates from Dan Walsh.
-- Two patches from Paul Moore to for ipsec to remove redundant rules and
- have setkey read the config file.
-- Move booleans and tunables to modules when it is only used in a single
- module.
-- Add support for tunables and booleans local to a module.
-- Merge sbin_t and ls_exec_t into bin_t.
-- Remove disable_trans booleans.
-- Output different header sets for kernel and userland from flask headers.
-- Marked the pax class as deprecated, changed it to userland so
- it will be removed from the kernel.
-- Stop including netfilter contexts by default.
-- Add dontaudits for init fds and console to init_daemon_domain().
-- Patch to allow gpg to create user keys dir.
-- Patch to support kvmfs from Dan Walsh.
-- Patch for misc fixes in sudo from Dan Walsh.
-- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
-- Patch for handling restart of nscd when ran from useradd, groupadd, and
- admin passwd, from Dan Walsh.
-- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
-- Patch for setroubleshoot for validating file contexts from Dan Walsh.
-- Patch for gssd fixes from Dan Walsh.
-- Patch for lvm fixes from Dan Walsh.
-- Patch for ricci fixes from Dan Walsh.
-- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
-- Patch for kerberized telnet fixes from Dan Walsh.
-- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
-- Patch for an additional wine executable from Dan Walsh.
-- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
- corecommands, devices, and java from Dan Walsh.
-- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
-- Patch for misc fixes to bluetooth from Dan Walsh.
-- Patch for misc fixes to kerberos from Dan Walsh.
-- Patch to start deprecating usercanread attribute from Ryan Bradetich.
-- Add dccp_socket object class which was added in kernel 2.6.20.
-- Patch for prelink relabefrom it's temp files from Dan Walsh.
-- Patch for capability fix for auditd and networking fix for syslogd from
- Dan Walsh.
-- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
-- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
-- Patch to allow apmd to telinit from Dan Walsh.
-- Patch for additional labeling of samba files from Stefan Schulze
- Frielinghaus.
-- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
-- Fix ptys and ttys to be device nodes.
-- Fix explicit use of httpd_t in openca_domtrans().
-- Clean up file context regexes in apache and java, from Eamon Walsh.
-- Patches from Dan Walsh:
- Thu, 25 Jan 2007
-- Added modules:
- consolekit (Dan Walsh)
- fail2ban (Dan Walsh)
- zabbix (Dan Walsh)
-
-* Tue Dec 12 2006 Chris PeBenito <selinux at tresys.com> - 20061212
-- Add policy patterns support macros. This changes the behavior of
- the create_dir_perms and create_file_perms permission sets.
-- Association polmatch MLS constraint making unlabeled_t an exception
- is no longer needed, patch from Venkat Yekkirala.
-- Context contains checking for PAM and cron from James Antill.
-- Add a reload target to Modules.devel and change the load
- target to only insert modules that were changed.
-- Allow semanage to read from /root on strict non-MLS for
- local policy modules.
-- Gentoo init script fixes for udev.
-- Allow udev to read kernel modules.inputmap.
-- Dnsmasq fixes from testing.
-- Allow kernel NFS server to getattr filesystems so df can work
- on clients.
-- Patch from Matt Anderson for a MLS constraint exemption on a
- file that can be written to from a subject whose range is
- within the object's range.
-- Enhanced setransd support from Darrel Goeddel.
-- Patches from Dan Walsh:
- Tue, 24 Oct 2006
- Wed, 29 Nov 2006
-- Added modules:
- aide (Matt Anderson)
- ccs (Dan Walsh)
- iscsi (Dan Walsh)
- ricci (Dan Walsh)
-
-* Wed Oct 18 2006 Chris PeBenito <selinux at tresys.com> - 20061018
-- Patch from Russell Coker Thu, 5 Oct 2006
-- Move range transitions to modules.
-- Make number of MLS sensitivities, and number of MLS and MCS
- categories configurable as build options.
-- Add role infrastructure.
-- Debian updates from Erich Schubert.
-- Add nscd_socket_use() to auth_use_nsswitch().
-- Remove old selopt rules.
-- Full support for netfilter_contexts.
-- MRTG patch for daemon operation from Stefan.
-- Add authlogin interface to abstract common access for login programs.
-- Remove setbool auditallow, except for RHEL4.
-- Change eventpollfs to task SID labeling.
-- Add key support from Michael LeMay.
-- Add ftpdctl domain to ftp, from Paul Howarth.
-- Fix build system to not move type declarations out of optionals.
-- Add gcc-config domain to portage.
-- Add packet object class and support in corenetwork.
-- Add a copy of genhomedircon for monolithic policy building, so that a
- policycoreutils package update is not required for RHEL4 systems.
-- Add appletalk sockets for use in cups.
-- Add Make target to validate module linking.
-- Make duplicate template and interface declarations a fatal error.
-- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
-- Move xconsole_device_t from devices to xserver since it is
- not actually a device, it is a named pipe.
-- Handle nonexistant .fc and .if files in devel Makefile by
- automatically creating empty files.
-- Remove unused devfs_control_t.
-- Add rhel4 distro, which also implies redhat distro.
-- Remove unneeded range_transition for su_exec_t and move the
- type declaration back to the su module.
-- Constrain transitions in MCS so unconfined_t cannot have
- arbitrary category sets.
-- Change reiserfs from xattr filesystem to genfscon as it's xattrs
- are currently nonfunctional.
-- Change files and filesystem modules to use their own interfaces.
-- Add user fonts to xserver.
-- Additional interfaces in corecommands, miscfiles, and userdomain
- from Joy Latten.
-- Miscellaneous fixes from Thomas Bleher.
-- Deprecate module name as first parameter of optional_policy()
- now that optionals are allowed everywhere.
-- Enable optional blocks in base module and monolithic policy.
- This requires checkpolicy 1.30.1.
-- Fix vpn module declaration.
-- Numerous fixes from Dan Walsh.
-- Change build order to preserve m4 line number information so policy
- compile errors are useful again.
-- Additional MLS interfaces from Chad Hanson.
-- Move some rules out of domain_type() and domain_base_type()
- to the TE file, to use the domain attribute to take advantage
- of space savings from attribute use.
-- Add global stack smashing protector rule for urandom access from
- Petre Rodan.
-- Fix temporary rules at the bottom of portmap.
-- Updated comments in mls file from Chad Hanson.
-- Patches from Dan Walsh:
- Fri, 17 Mar 2006
- Wed, 29 Mar 2006
- Tue, 11 Apr 2006
- Fri, 14 Apr 2006
- Tue, 18 Apr 2006
- Thu, 20 Apr 2006
- Tue, 02 May 2006
- Mon, 15 May 2006
- Thu, 18 May 2006
- Tue, 06 Jun 2006
- Mon, 12 Jun 2006
- Tue, 20 Jun 2006
- Wed, 26 Jul 2006
- Wed, 23 Aug 2006
- Thu, 31 Aug 2006
- Fri, 01 Sep 2006
- Tue, 05 Sep 2006
- Wed, 20 Sep 2006
- Fri, 22 Sep 2006
- Mon, 25 Sep 2006
-- Added modules:
- afs
- amavis (Erich Schubert)
- apt (Erich Schubert)
- asterisk
- audioentropy
- authbind
- backup
- calamaris
- cipe
- clamav (Erich Schubert)
- clockspeed (Petre Rodan)
- courier
- dante
- dcc
- ddclient
- dpkg (Erich Schubert)
- dnsmasq
- ethereal
- evolution
- games
- gatekeeper
- gift
- gnome (James Carter)
- imaze
- ircd
- jabber
- monop
- mozilla
- mplayer
- munin
- nagios
- nessus
- netlabel (Paul Moore)
- nsd
- ntop
- nx
- oav
- oddjob (Dan Walsh)
- openca
- openvpn (Petre Rodan)
- perdition
- portslave
- postgrey
- pxe
- pyzor (Dan Walsh)
- qmail (Petre Rodan)
- razor
- resmgr
- rhgb
- rssh
- snort
- soundserver
- speedtouch
- sxid
- thunderbird
- tor (Erich Schubert)
- transproxy
- tripwire
- uptime
- uwimap
- vmware
- watchdog
- xen (Dan Walsh)
- xprint
- yam
-
-* Tue Mar 07 2006 Chris PeBenito <selinux at tresys.com> - 20060307
-- Make all interface parameters required.
-- Move boot_t, system_map_t, and modules_object_t to files module,
- and move bootloader to admin layer.
-- Add semanage policy for semodule from Dan Walsh.
-- Remove allow_execmem from targeted policy domain_base_type().
-- Add users_extra and seusers support.
-- Postfix fixes from Serge Hallyn.
-- Run python and shell directly to interpret scripts so policy
- sources need not be executable.
-- Add desc tag XML to booleans and tunables, and add summary
- to param XML tag, to make future translations possible.
-- Remove unused lvm_vg_t.
-- Many interface renames to improve naming consistency.
-- Merge xdm into xserver.
-- Remove kernel module reversed interfaces.
-- Add filename attribute to module XML tag and lineno attribute to
- interface XML tag.
-- Changed QUIET build option to a yes or no option.
-- Add a Makefile used for compiling loadable modules in a
- user's development environment, building against policy headers.
-- Add Make target for installing policy headers.
-- Separate per-userdomain template expansion from the userdomain
- module and add infrastructure to expand templates in the modules
- that own the template.
-- Enable secadm only for MLS policies.
-- Remove role change rules in su and sudo since this functionality has been
- removed from these programs.
-- Add ctags Make target from Thomas Bleher.
-- Collapse commands with grep piped to sed into one sed command.
-- Fix type_change bug in term_user_pty().
-- Move ice_tmp_t from miscfiles to xserver.
-- Login fixes from Serge Hallyn.
-- Move xserver_log_t from xdm to xserver.
-- Add lpr per-userdomain policy to lpd.
-- Miscellaneous fixes from Dan Walsh.
-- Change initrc_var_run_t interface noun from script_pid to utmp,
- for greater clarity.
-- Added modules:
- certwatch
- mono (Dan Walsh)
- mrtg
- portage
- tvtime
- userhelper
- usernetctl
- wine (Dan Walsh)
- xserver
-
-* Tue Jan 17 2006 Chris PeBenito <selinux at tresys.com> - 20060117
-- Adds support for generating corenetwork interfaces based on attributes
- in addition to types.
-- Permits the listing of multiple nodes in a network_node() that will be
- given the same type.
-- Add two new permission sets for stream sockets.
-- Rename file type transition interfaces verb from create to
- filetrans to differentiate it from create interfaces without
- type transitions.
-- Fix expansion of interfaces from disabled modules.
-- Rsync can be long running from init,
- added rules to allow this.
-- Add polyinstantiation build option.
-- Add setcontext to the association object class.
-- Add apache relay and db connect tunables.
-- Rename texrel_shlib_t to textrel_shlib_t.
-- Add swat to samba module.
-- Numerous miscellaneous fixes from Dan Walsh.
-- Added modules:
- alsa
- automount
- cdrecord
- daemontools (Petre Rodan)
- ddcprobe
- djbdns (Petre Rodan)
- fetchmail
- irc
- java
- lockdev
- logwatch (Dan Walsh)
- openct
- prelink (Dan Walsh)
- publicfile (Petre Rodan)
- readahead
- roundup
- screen
- slocate (Dan Walsh)
- slrnpull
- smartmon
- sysstat
- ucspitcp (Petre Rodan)
- usbmodules
- vbetool (Dan Walsh)
-
-* Wed Dec 07 2005 Chris PeBenito <selinux at tresys.com> - 20051207
-- Add unlabeled IPSEC association rule to domains with
- networking permissions.
-- Merge systemuser back in to users, as these files
- do not need to be split.
-- Add check for duplicate interface/template definitions.
-- Move domain, files, and corecommands modules to kernel
- layer to resolve some layering inconsistencies.
-- Move policy build options out of Makefile into build.conf.
-- Add yppasswd to nis module.
-- Change optional_policy() to refer to the module name
- rather than modulename.te.
-- Fix labeling targets to use installed file_contexts rather
- than partial file_contexts in the policy source directory.
-- Fix build process to use make's internal vpath functions
- to detect modules rather than using subshells and find.
-- Add install target for modular policy.
-- Add load target for modular policy.
-- Add appconfig dependency to the load target.
-- Miscellaneous fixes from Dan Walsh.
-- Fix corenetwork gen_context()'s to expand during the policy
- build phase instead of during the generation phase.
-- Added policies:
- amanda
- avahi
- canna
- cyrus
- dbskk
- dovecot
- distcc
- i18n_input
- irqbalance
- lpd
- networkmanager
- pegasus
- postfix
- procmail
- radius
- rdisc
- rpc
- spamassassin
- timidity
- xdm
- xfs
-
-* Wed Oct 19 2005 Chris PeBenito <selinux at tresys.com> - 20051019
-- Many fixes to make loadable modules build.
-- Add targets for sechecker.
-- Updated to sedoctool to read bool files and tunable
- files separately.
-- Changed the xml tag of <boolean> to <bool> to be consistent
- with gen_bool().
-- Modified the implementation of segenxml to use regular
- expressions.
-- Rename context_template() to gen_context() to clarify
- that its not a Reference Policy template, but a support
- macro.
-- Add disable_*_trans bool support for targeted policy.
-- Add MLS module to handle MLS constraint exceptions,
- such as reading up and writing down.
-- Fix errors uncovered by sediff.
-- Added policies:
- anaconda
- apache
- apm
- arpwatch
- bluetooth
- dmidecode
- finger
- ftp
- kudzu
- mailman
- ppp
- radvd
- sasl
- webalizer
-
-* Thu Sep 22 2005 Chris PeBenito <selinux at tresys.com> - 20050922
-- Make logrotate, sendmail, sshd, and rpm policies
- unconfined in the targeted policy so no special
- modules.conf is required.
-- Add experimental MCS support.
-- Add appconfig for MLS.
-- Add equivalents for old can_resolve(), can_ldap(), and
- can_portmap() to sysnetwork.
-- Fix base module compile issues.
-- Added policies:
- cpucontrol
- cvs
- ktalk
- portmap
- postgresql
- rlogin
- samba
- snmp
- stunnel
- telnet
- tftp
- uucp
- vpn
- zebra
-
-* Wed Sep 07 2005 Chris PeBenito <selinux at tresys.com> - 20050907
-- Fix errors uncovered by sediff.
-- Doc tool will explicitly say a module does not have interfaces
- or templates on the module page.
-- Added policies:
- comsat
- dbus
- dhcp
- dictd
- hal
- inn
- ntp
- squid
-
-* Fri Aug 26 2005 Chris PeBenito <selinux at tresys.com> - 20050826
-- Add Makefile support for building loadable modules.
-- Add genclassperms.py tool to add require blocks
- for loadable modules.
-- Change sedoctool to make required modules part of base
- by default, otherwise make as modules, in modules.conf.
-- Fix segenxml to handle modules with no interfaces.
-- Rename ipsec connect interface for consistency.
-- Add missing parts of unix stream socket connect interface
- of ipsec.
-- Rename inetd connect interface for consistency.
-- Rename interface for purging contents of tmp, for clarity,
- since it allows deletion of classes other than file.
-- Misc. cleanups.
-- Added policies:
- acct
- bind
- firstboot
- gpm
- howl
- ldap
- loadkeys
- mysql
- privoxy
- quota
- rshd
- rsync
- su
- sudo
- tcpd
- tmpreaper
- updfstab
-
-* Tue Aug 2 2005 Chris PeBenito <selinux at tresys.com> - 20050802
-- Fix comparison bug in fc_sort.
-- Fix handling of ordered and unordered HTML lists.
-- Corenetwork now supports multiple network interfaces having the
- same type.
-- Doc tool now creates pages for global Booleans and global tunables.
-- Doc tool now links directly to the interface/template in the
- module page when it is selected in the interface/template index.
-- Added support for layer summaries.
-- Added policies:
- ipsec
- nscd
- pcmcia
- raid
-
-* Thu Jul 7 2005 Chris PeBenito <selinux at tresys.com> - 20050707
-- Changed xml to have modules encapsulated by layer tags, rather
- than putting layer="foo" in the module tags. Also in the future
- we can put a summary and description for each layer.
-- Added tool to infer interface, module, and layer tags. This will
- now list all interfaces, even if they are missing xml docs.
-- Shortened xml tag names.
-- Added macros to declare interfaces and templates.
-- Added interface call trace.
-- Updated all xml documentation for shorter and inferred tags.
-- Doc tool now displays templates in the web pages.
-- Doc tool retains the user's settings in modules.conf and
- tunables.conf if the files already exist.
-- Modules.conf behavior has been changed to be a list of all
- available modules, and the user can specify if the module is
- built as a loadable module, included in the monolithic policy,
- or excluded.
-- Added policies:
- fstools (fsck, mkfs, swapon, etc. tools)
- logrotate
- inetd
- kerberos
- nis (ypbind and ypserv)
- ssh (server, client, and agent)
- unconfined
-- Added infrastructure for targeted policy support, only missing
- transition boolean support.
-
-* Wed Jun 15 2005 Chris PeBenito <selinux at tresys.com> - 20050615
- - Initial release
diff --git a/INSTALL b/INSTALL
deleted file mode 100644
index 12885d2..0000000
--- a/INSTALL
+++ /dev/null
@@ -1,48 +0,0 @@
-Reference Policy has a requirement of checkpolicy 1.33.1 and
-libsepol-1.16.2. Red Hat Enterprise Linux 4 and Fedora Core 4 RPMs
-are available on the CLIP download page at http://oss.tresys.com,
-and can be installed thusly:
-
-Red Hat Enterprise Linux 4:
-
- rpm -i libsepol-1.11.7-1.i386.rpm
- rpm -U checkpolicy-1.28-4.i386.rpm
-
-Fedora Core 4:
-
- rpm -U libsepol-1.11.7-1.i386.rpm checkpolicy-1.28-4.i386.rpm
-
-To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
-
- make install-src
-
-This will back up a pre-existing source policy to the
-/etc/selinux/refpolicy/src/policy.bak directory.
-
-If you do not have a modules.conf, one can be generated:
-
- make conf
-
-This will create a default modules.conf. Options for the policy
-build process can be found in build.conf. After installing the policy sources,
-the old Make targets have been maintained for the monolithic policy:
-
-Local policy development:
-
- make policy
-
-Compile and install the policy:
-
- make install
-
-Compile, install, and load the policy:
-
- make load
-
-Filesystem labeling:
-
- make relabel
- make checklabels
- make restorelabels
-
-See the README for more information on available make targets.
diff --git a/README b/README
deleted file mode 100644
index 184c6ef..0000000
--- a/README
+++ /dev/null
@@ -1,269 +0,0 @@
-1) Reference Policy make targets:
-
-General Make targets:
-
-install-src Install the policy sources into
- /etc/selinux/NAME/src/policy, where NAME is defined in
- the Makefile. If not defined, the TYPE, as defined in
- the Makefile, is used. The default NAME is refpolicy.
- A pre-existing source policy will be moved to
- /etc/selinux/NAME/src/policy.bak.
-
-conf Regenerate policy.xml, and update/create modules.conf
- and booleans.conf. This should be done after adding
- or removing modules, or after running the bare target.
- If the configuration files exist, their settings will
- be preserved. This must be ran on policy sources that
- are checked out from the CVS repository before they can
- be used.
-
-clean Delete all temporary files, compiled policies,
- and file_contexts. Configuration files are left intact.
-
-bare Do the clean make target and also delete configuration
- files, web page documentation, and policy.xml.
-
-html Regenerate policy.xml and create web page documentation
- in the doc/html directory.
-
-Make targets specific to modular (loadable modules) policies:
-
-base Compile and package the base module. This is the
- default target for modular policies.
-
-modules Compile and package all Reference Policy modules
- configured to be built as loadable modules.
-
-MODULENAME.pp Compile and package the MODULENAME Reference Policy
- module.
-
-all Compile and package the base module and all Reference
- Policy modules configured to be built as loadable
- modules.
-
-install Compile, package, and install the base module and
- Reference Policy modules configured to be built as
- loadable modules.
-
-load Compile, package, and install the base module and
- Reference Policy modules configured to be built as
- loadable modules, then insert them into the module
- store.
-
-validate Validate if the configured modules can successfully
- link and expand.
-
-install-headers Install the policy headers into /usr/share/selinux/NAME.
- The headers are sufficient for building a policy
- module locally, without requiring the complete
- Reference Policy sources. The build.conf settings
- for this policy configuration should be set before
- using this target.
-
-Make targets specific to monolithic policies:
-
-policy Compile a policy locally for development and testing.
- This is the default target for monolithic policies.
-
-install Compile and install the policy and file contexts.
-
-load Compile and install the policy and file contexts, then
- load the policy.
-
-enableaudit Remove all dontaudit rules from policy.conf.
-
-relabel Relabel the filesystem.
-
-checklabels Check the labels on the filesystem, and report when
- a file would be relabeled, but do not change its label.
-
-restorelabels Relabel the filesystem and report each file that is
- relabeled.
-
-
-2) Reference Policy Build Options (build.conf)
-
-TYPE String. Available options are standard, mls, and mcs.
- For a type enforcement only system, set standard.
- This optionally enables multi-level security (MLS) or
- multi-category security (MCS) features. This option
- controls enable_mls, and enable_mcs policy blocks.
-
-NAME String (optional). Sets the name of the policy; the
- NAME is used when installing files to e.g.,
- /etc/selinux/NAME and /usr/share/selinux/NAME. If not
- set, the policy type (TYPE) is used.
-
-DISTRO String (optional). Enable distribution-specific policy.
- Available options are redhat, rhel4, gentoo, debian,
- and suse. This option controls distro_redhat,
- distro_rhel4, distro_gentoo, distro_debian, and
- distro_suse policy blocks.
-
-MONOLITHIC Boolean. If set, a monolithic policy is built,
- otherwise a modular policy is built.
-
-DIRECT_INITRC Boolean. If set, sysadm will be allowed to directly
- run init scripts, instead of requiring the run_init
- tool. This is a build option instead of a tunable since
- role transitions do not work in conditional policy.
- This option controls direct_sysadm_daemon policy
- blocks.
-
-OUTPUT_POLICY Integer. Set the version of the policy created when
- building a monolithic policy. This option has no effect
- on modular policy.
-
-UNK_PERMS String. Set the kernel behavior for handling of
- permissions defined in the kernel but missing from the
- policy. The permissions can either be allowed, denied,
- or the policy loading can be rejected.
-
-UBAC Boolean. If set, the SELinux user will be used
- additionally for approximate role separation.
-
-MLS_SENS Integer. Set the number of sensitivities in the MLS
- policy. Ignored on standard and MCS policies.
-
-MLS_CATS Integer. Set the number of categories in the MLS
- policy. Ignored on standard and MCS policies.
-
-MCS_CATS Integer. Set the number of categories in the MCS
- policy. Ignored on standard and MLS policies.
-
-QUIET Boolean. If set, the build system will only display
- status messages and error messages. This option has no
- effect on policy.
-
-
-3) Reference Policy Files and Directories
-All directories relative to the root of the Reference Policy sources directory.
-
-Makefile General rules for building the policy.
-
-Rules.modular Makefile rules specific to building loadable module
- policies.
-
-Rules.monolithic Makefile rules specific to building monolithic policies.
-
-build.conf Options which influence the building of the policy,
- such as the policy type and distribution.
-
-config/appconfig-* Application configuration files for all configurations
- of the Reference Policy (targeted/strict with or without
- MLS or MCS). These are used by SELinux-aware programs.
-
-config/local.users The file read by load policy for adding SELinux users
- to the policy on the fly.
-
-doc/html/* This contains the contents of the in-policy XML
- documentation, presented in web page form.
-
-doc/policy.dtd The doc/policy.xml file is validated against this DTD.
-
-doc/policy.xml This file is generated/updated by the conf and html make
- targets. It contains the complete XML documentation
- included in the policy.
-
-doc/templates/* Templates used for documentation web pages.
-
-policy/booleans.conf This file is generated/updated by the conf make target.
- It contains the booleans in the policy, and their
- default values. If tunables are implemented as
- booleans, tunables will also be included. This file
- will be installed as the /etc/selinux/NAME/booleans
- file.
-
-policy/constraints This file defines additional constraints on permissions
- in the form of boolean expressions that must be
- satisfied in order for specified permissions to be
- granted. These constraints are used to further refine
- the type enforcement rules and the role allow rules.
- Typically, these constraints are used to restrict
- changes in user identity or role to certain domains.
-
-policy/global_booleans This file defines all booleans that have a global scope,
- their default value, and documentation.
-
-policy/global_tunables This file defines all tunables that have a global scope,
- their default value, and documentation.
-
-policy/flask/initial_sids This file has declarations for each initial SID.
-
-policy/flask/security_classes This file has declarations for each security class.
-
-policy/flask/access_vectors This file defines the access vectors. Common
- prefixes for access vectors may be defined at the
- beginning of the file. After the common prefixes are
- defined, an access vector may be defined for each
- security class.
-
-policy/mcs The multi-category security (MCS) configuration.
-
-policy/mls The multi-level security (MLS) configuration.
-
-policy/modules/* Each directory represents a layer in Reference Policy
- all of the modules are contained in one of these layers.
-
-policy/modules.conf This file contains a listing of available modules, and
- how they will be used when building Reference Policy. To
- prevent a module from being used, set the module to
- "off". For monolithic policies, modules set to "base"
- and "module" will be included in the policy. For
- modular policies, modules set to "base" will be included
- in the base module; those set to "module" will be
- compiled as individual loadable modules.
-
-policy/rolemap This file contains prefix and user domain type that
- corresponds to each user role. The contents of this
- file will be used to expand the per-user domain
- templates for each module.
-
-policy/support/* Support macros.
-
-policy/users This file defines the users included in the policy.
-
-support/* Tools used in the build process.
-
-
-4) Building policy modules using Reference Policy headers:
-
-The system must first have the Reference Policy headers installed, typically
-by the distribution. Otherwise, the headers can be installed using the
-install-headers target from the full Reference Policy sources.
-
-To set up a directory to build a local module, one must simply place a .te
-file in a directory. A sample Makefile to use in the directory is the
-Makefile.example in the doc directory. This may be installed in
-/usr/share/doc, under the directory for the distribution's policy.
-Alternatively, the primary Makefile in the headers directory (typically
-/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
-option.
-
-Larger projects can set up a structure of layers, just as in Reference
-Policy, by creating policy/modules/LAYERNAME directories. Each layer also
-must have a metadata.xml file which is an XML file with a summary tag and
-optional desc (long description) tag. This should describe the purpose of
-the layer.
-
-Metadata.xml example:
-
-<summary>ABC modules for the XYZ components.</summary>
-
-Make targets for modules built from headers:
-
-MODULENAME.pp Compile and package the MODULENAME local module.
-
-all Compile and package the modules in the current
- directory.
-
-load Compile and package the modules in the current
- directory, then insert them into the module store.
-
-refresh Attempts to reinsert all modules that are currently
- in the module store from the local and system module
- packages.
-
-xml Build a policy.xml from the XML included with the
- base policy headers and any XML in the modules in
- the current directory.
diff --git a/doc/Makefile.example b/doc/Makefile.example
deleted file mode 100644
index 9f2a8d5..0000000
--- a/doc/Makefile.example
+++ /dev/null
@@ -1,8 +0,0 @@
-
-AWK ?= gawk
-
-NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
-SHAREDIR ?= /usr/share/selinux
-HEADERDIR := $(SHAREDIR)/$(NAME)/include
-
-include $(HEADERDIR)/Makefile
diff --git a/doc/example.fc b/doc/example.fc
deleted file mode 100644
index 9cf7c4c..0000000
--- a/doc/example.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# myapp executable will have:
-# label: system_u:object_r:myapp_exec_t
-# MLS sensitivity: s0
-# MCS categories: <none>
-
-/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
diff --git a/doc/example.if b/doc/example.if
deleted file mode 100644
index 54d42ae..0000000
--- a/doc/example.if
+++ /dev/null
@@ -1,54 +0,0 @@
-## <summary>Myapp example policy</summary>
-## <desc>
-## <p>
-## More descriptive text about myapp. The desc
-## tag can also use p, ul, and ol
-## html tags for formatting.
-## </p>
-## <p>
-## This policy supports the following myapp features:
-## <ul>
-## <li>Feature A</li>
-## <li>Feature B</li>
-## <li>Feature C</li>
-## </ul>
-## </p>
-## </desc>
-#
-
-########################################
-## <summary>
-## Execute a domain transition to run myapp.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`myapp_domtrans',`
- gen_require(`
- type myapp_t, myapp_exec_t;
- ')
-
- domtrans_pattern($1,myapp_exec_t,myapp_t)
-')
-
-########################################
-## <summary>
-## Read myapp log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to read the log files.
-## </summary>
-## </param>
-#
-interface(`myapp_read_log',`
- gen_require(`
- type myapp_log_t;
- ')
-
- logging_search_logs($1)
- allow $1 myapp_log_t:file read_file_perms;
-')
diff --git a/doc/example.te b/doc/example.te
deleted file mode 100644
index 8238355..0000000
--- a/doc/example.te
+++ /dev/null
@@ -1,28 +0,0 @@
-
-policy_module(myapp,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type myapp_t;
-type myapp_exec_t;
-domain_type(myapp_t)
-domain_entry_file(myapp_t, myapp_exec_t)
-
-type myapp_log_t;
-logging_log_file(myapp_log_t)
-
-type myapp_tmp_t;
-files_tmp_file(myapp_tmp_t)
-
-########################################
-#
-# Myapp local policy
-#
-
-allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
-
-allow myapp_t myapp_tmp_t:file manage_file_perms;
-files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
diff --git a/doc/policy.dtd b/doc/policy.dtd
deleted file mode 100644
index b797f71..0000000
--- a/doc/policy.dtd
+++ /dev/null
@@ -1,44 +0,0 @@
-<!ENTITY % inline.class "pre|p|ul|ol|li">
-
-<!ELEMENT policy (layer+,(tunable|bool)*)>
-<!ELEMENT layer (summary,module+)>
-<!ATTLIST layer
- name CDATA #REQUIRED>
-<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
-<!ATTLIST module
- name CDATA #REQUIRED
- filename CDATA #REQUIRED>
-<!ELEMENT required (#PCDATA)>
-<!ATTLIST required
- val (true|false) "false">
-<!ELEMENT tunable (desc)>
-<!ATTLIST tunable
- name CDATA #REQUIRED
- dftval CDATA #REQUIRED>
-<!ELEMENT bool (desc)>
-<!ATTLIST bool
- name CDATA #REQUIRED
- dftval CDATA #REQUIRED>
-<!ELEMENT summary (#PCDATA)>
-<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
-<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
-<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)>
-<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
-<!ELEMENT desc (#PCDATA|%inline.class;)*>
-<!ELEMENT param (summary)>
-<!ATTLIST param
- name CDATA #REQUIRED
- optional (true|false) "false"
- unused (true|false) "false">
-<!ELEMENT infoflow EMPTY>
-<!ATTLIST infoflow
- type CDATA #REQUIRED
- weight CDATA #IMPLIED>
-<!ELEMENT rolebase EMPTY>
-<!ELEMENT rolecap EMPTY>
-
-<!ATTLIST pre caption CDATA #IMPLIED>
-<!ELEMENT p (#PCDATA|%inline.class;)*>
-<!ELEMENT ul (li+)>
-<!ELEMENT ol (li+)>
-<!ELEMENT li (#PCDATA|%inline.class;)*>
diff --git a/doc/templates/bool_list.html b/doc/templates/bool_list.html
deleted file mode 100644
index 2d852da..0000000
--- a/doc/templates/bool_list.html
+++ /dev/null
@@ -1,23 +0,0 @@
-<h3>Master boolean index:</h3>
-
-[[for bool in booleans]]
-<div id="interfacesmall">
-[[if bool.has_key('mod_layer')]]
-Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'>
-[[bool['mod_name']]]</a><p/>
-Layer: <a href='[[bool['mod_layer']]].html'>
-[[bool['mod_layer']]]</a><p/>
-[[else]]
-Global
-[[end]]
-<div id="codeblock">
-[[bool['bool_name']]]
-<small>(Default: [[bool['def_val']]])</small>
-</div>
-[[if bool['desc']]]
-<div id="description">
-[[bool['desc']]]
-</div>
-[[end]]
-</div>
-[[end]]
diff --git a/doc/templates/boolean.html b/doc/templates/boolean.html
deleted file mode 100644
index ea5a260..0000000
--- a/doc/templates/boolean.html
+++ /dev/null
@@ -1,13 +0,0 @@
-[[for bool in booleans]]
-<a name="link_[[bool['bool_name']]]"></a>
-<div id="interface">
-<div id="codeblock">[[bool['bool_name']]]</div>
-<div id="description">
-<h5>Default value</h5>
-<p>[[bool['def_val']]]</p>
-[[if bool['desc']]]
-<h5>Description</h5>
-[[bool['desc']]]
-[[end]]
-</div></div>
-[[end]]
diff --git a/doc/templates/global_bool_list.html b/doc/templates/global_bool_list.html
deleted file mode 100644
index a8065af..0000000
--- a/doc/templates/global_bool_list.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<h3>Global booleans:</h3>
-
-[[for bool in booleans]]
-<div id="interface">
-<div id="codeblock">[[bool['bool_name']]]</div>
-<div id="description">
-<h5>Default value</h5>
-<p>[[bool['def_val']]]</p>
-[[if bool['desc']]]
-<h5>Description</h5>
-[[bool['desc']]]
-[[end]]
-</div></div>
-[[end]]
diff --git a/doc/templates/global_tun_list.html b/doc/templates/global_tun_list.html
deleted file mode 100644
index 6ed8013..0000000
--- a/doc/templates/global_tun_list.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<h3>Global tunables:</h3>
-
-[[for tun in tunables]]
-<div id="interface">
-<div id="codeblock">[[tun['tun_name']]]</div>
-<div id="description">
-<h5>Default value</h5>
-<p>[[tun['def_val']]]</p>
-[[if tun['desc']]]
-<h5>Description</h5>
-[[tun['desc']]]
-[[end]]
-</div></div>
-[[end]]
diff --git a/doc/templates/header.html b/doc/templates/header.html
deleted file mode 100644
index 9ef487c..0000000
--- a/doc/templates/header.html
+++ /dev/null
@@ -1,15 +0,0 @@
-<html>
-<head>
-<title>
- Security Enhanced Linux Reference Policy
- </title>
-<style type="text/css" media="all">@import "style.css";</style>
-</head>
-<body>
-<div id="Header">Security Enhanced Linux Reference Policy</div>
-[[menu]]
-<div id="Content">
-[[content]]
-</div>
-</body>
-</html>
diff --git a/doc/templates/int_list.html b/doc/templates/int_list.html
deleted file mode 100644
index b95c343..0000000
--- a/doc/templates/int_list.html
+++ /dev/null
@@ -1,33 +0,0 @@
-<h3>Master interface index:</h3>
-
-[[for int in interfaces]]
-<div id="interfacesmall">
-Module: <a href='[[int['mod_layer']+ "_" + int['mod_name'] + ".html#link_" + int['interface_name']]]'>
-[[int['mod_name']]]</a><p/>
-Layer: <a href='[[int['mod_layer']]].html'>
-[[int['mod_layer']]]</a><p/>
-<div id="codeblock">
-[[exec i = 0]]
-<b>[[int['interface_name']]]</b>(
- [[for arg in int['interface_parameters']]]
- [[if i != 0]]
- ,
- [[end]]
- [[exec i = 1]]
- [[if arg['optional'] == 'yes']]
- [
- [[end]]
- [[arg['name']]]
- [[if arg['optional'] == 'yes']]
- ]
- [[end]]
- [[end]]
- )<br>
-</div>
-[[if int['interface_summary']]]
-<div id="description">
-[[int['interface_summary']]]
-</div>
-[[end]]
-</div>
-[[end]]
diff --git a/doc/templates/interface.html b/doc/templates/interface.html
deleted file mode 100644
index 90eb436..0000000
--- a/doc/templates/interface.html
+++ /dev/null
@@ -1,50 +0,0 @@
-[[for int in interfaces]]
-<a name="link_[[int['interface_name']]]"></a>
-<div id="interface">
-[[if int.has_key("mod_layer")]]
- Layer: [[mod_layer]]<br>
-[[end]]
-[[if int.has_key("mod_name")]]
- Module: [[mod_name]]<br>
-[[end]]
-<div id="codeblock">
-[[exec i = 0]]
-<b>[[int['interface_name']]]</b>(
- [[for arg in int['interface_parameters']]]
- [[if i != 0]]
- ,
- [[end]]
- [[exec i = 1]]
- [[if arg['optional'] == 'yes']]
- [
- [[end]]
- [[arg['name']]]
- [[if arg['optional'] == 'yes']]
- ]
- [[end]]
- [[end]]
- )<br>
-</div>
-<div id="description">
-[[if int['interface_summary']]]
-<h5>Summary</h5>
-[[int['interface_summary']]]
-[[end]]
-[[if int['interface_desc']]]
-<h5>Description</h5>
-[[int['interface_desc']]]
-[[end]]
-<h5>Parameters</h5>
-<table border="1" cellspacing="0" cellpadding="3" width="65%">
-<tr><th >Parameter:</th><th >Description:</th></tr>
-[[for arg in int['interface_parameters']]]
-<tr><td>
-[[arg['name']]]
-</td><td>
-[[arg['desc']]]
-</td></tr>
-[[end]]
-</table>
-</div>
-</div>
-[[end]]
diff --git a/doc/templates/menu.html b/doc/templates/menu.html
deleted file mode 100644
index 9472b2c..0000000
--- a/doc/templates/menu.html
+++ /dev/null
@@ -1,26 +0,0 @@
-<div id='Menu'>
- [[for layer_name, layer_mods in menulist]]
- <a href="[[layer_name]].html">+
- [[layer_name]]</a></br/>
- <div id='subitem'>
- [[for module, s in layer_mods]]
- - <a href='[[layer_name + "_" + module]].html'>
- [[module]]</a><br/>
- [[end]]
- </div>
- [[end]]
- <br/><p/>
- <a href="global_booleans.html">* Global Booleans </a>
- <br/><p/>
- <a href="global_tunables.html">* Global Tunables </a>
- <p/><br/><p/>
- <a href="index.html">* Layer Index</a>
- <br/><p/>
- <a href="booleans.html">* Boolean Index</a>
- <br/><p/>
- <a href="tunables.html">* Tunable Index</a>
- <br/><p/>
- <a href="interfaces.html">* Interface Index</a>
- <br/><p/>
- <a href="templates.html">* Template Index</a>
-</div>
diff --git a/doc/templates/module.html b/doc/templates/module.html
deleted file mode 100644
index a8d008a..0000000
--- a/doc/templates/module.html
+++ /dev/null
@@ -1,52 +0,0 @@
-<a name="top":></a>
-<h1>Layer: [[mod_layer]]</h1><p/>
-<h2>Module: [[mod_name]]</h2><p/>
-[[if booleans]]
-<a href=#booleans>Booleans</a>
-[[end]]
-[[if tunables]]
-<a href=#tunables>Tunables</a>
-[[end]]
-[[if interfaces]]
-<a href=#interfaces>Interfaces</a>
-[[end]]
-[[if templates]]
-<a href=#templates>Templates</a>
-[[end]]
-<h3>Description:</h3>
-[[if mod_desc]]
-<p>[[mod_desc]]</p>
-[[else]]
-<p>[[mod_summary]]</p>
-[[end]]
-[[if mod_req]]
-<p>This module is required to be included in all policies.</p>
-[[end]]
-<hr>
-[[if booleans]]
-<a name="booleans"></a>
-<h3>Booleans: </h3>
-[[booleans]]
-<a href=#top>Return</a>
-[[end]]
-[[if tunables]]
-<a name="tunables"></a>
-<h3>Tunables: </h3>
-[[tunables]]
-<a href=#top>Return</a>
-[[end]]
-[[if interfaces]]
-<a name="interfaces"></a>
-<h3>Interfaces: </h3>
-[[interfaces]]
-<a href=#top>Return</a>
-[[end]]
-[[if templates]]
-<a name="templates"></a>
-<h3>Templates: </h3>
-[[templates]]
-<a href=#top>Return</a>
-[[end]]
-[[if not templates and not interfaces and not tunables]]
-<h3>No booleans, tunables, interfaces, or templates.</h3>
-[[end]]
diff --git a/doc/templates/module_list.html b/doc/templates/module_list.html
deleted file mode 100644
index 7317a6b..0000000
--- a/doc/templates/module_list.html
+++ /dev/null
@@ -1,19 +0,0 @@
-[[if mod_layer]]
-<h1>Layer: [[mod_layer]]</h1><p/>
-[[if layer_summary]]
-<p>[[layer_summary]]</p><br/>
-[[end]]
-[[end]]
-<table border="1" cellspacing="0" cellpadding="3" width="75%">
-<tr><td class="title">Module:</td><td class="title">Description:</td></tr>
- [[for layer_name, layer_mods in menulist]]
- [[for module, s in layer_mods]]
- <tr><td>
- <a href='[[layer_name + "_" + module]].html'>
- [[module]]</a></td>
- <td>[[s]]</td>
- [[end]]
- </td></tr>
- [[end]]
-</table>
-<p/><br/><br/>
diff --git a/doc/templates/style.css b/doc/templates/style.css
deleted file mode 100644
index 9bac0d9..0000000
--- a/doc/templates/style.css
+++ /dev/null
@@ -1,216 +0,0 @@
-body {
- margin:0px;
- padding:0px;
- font-family:verdana, arial, helvetica, sans-serif;
- color:#333;
- background-color:white;
- }
-h1 {
- margin:0px 0px 5px 0px;
- padding:0px;
- font-size:150%
- line-height:28px;
- font-weight:900;
- color:#ccc;
- }
-h2 {
- font-size:125%;
- margin:0px;
- padding:5px 0px 10px 0px;
- }
-h3 {
- font-size:110%;
- margin:0px;
- padding:5px 0px 10px 5px;
- }
-h4 {
- font-size:100%;
- margin:0px;
- padding:5px 0px 10px 5px;
- }
-h5 {
- font-size:100%;
- margin:0px;
- font-weight:600;
- padding:0px 0px 5px 0px;
- margin:0px 0px 0px 5px;
-}
-li {
- font:11px/20px verdana, arial, helvetica, sans-serif;
- margin:0px 0px 0px 10px;
- padding:0px;
- }
-p {
- /* normal */
- font:11px/20px verdana, arial, helvetica, sans-serif;
- margin:0px 0px 0px 10px;
- padding:0px;
- }
-
-tt {
- /* inline code */
- font-family: monospace;
- }
-
-table {
- background-color:#efefef;
- /*background-color: white;*/
- border-style:solid;
- border-color:black;
- border-width:0px 1px 1px 0px;
- color: black;
- text-align: left;
- font:11px/20px verdana, arial, helvetica, sans-serif;
- margin-left: 5%;
- margin-right: 5%;
-}
-
-th {
- font-weight:500;
- background-color: #eaeaef;
- text-align: center;
-}
-
-td.header {
- font-weight: bold;
-}
-
-#Content>p {margin:0px;}
-#Content>p+p {text-indent:30px;}
-a {
- color:#09c;
- font-size:11px;
- text-decoration:none;
- font-weight:600;
- font-family:verdana, arial, helvetica, sans-serif;
- }
-a:link {color:#09c;}
-a:visited {color:#07a;}
-a:hover {background-color:#eee;}
-
-#Codeblock {
- margin:5px 50px 5px 10px;
- padding:5px 0px 5px 15px;
- border-style:solid;
- border-color:lightgrey;
- border-width:1px 1px 1px 1px;
- background-color:#f5f5ff;
- font-size:100%;
- font-weight:600;
- text-decoration:none;
- font-family:monospace;
-}
-#Interface {
- margin:5px 0px 25px 5px;
- padding:5px 0px 5px 5px;
- border-style:solid;
- border-color:black;
- border-width:1px 1px 1px 1px;
- background-color:#fafafa;
- font-size:14px;
- font-weight:400;
- text-decoration:none;
- font-family:verdana, arial, helvetica, sans-serif;
-}
-#Interfacesmall {
- margin:0px 0px 5px 0px;
- padding:5px 0px 0px 5px;
- border-style:solid;
- border-color:black;
- border-width:1px 1px 1px 1px;
- background-color:#fafafa;
- font-size:14px;
- font-weight:400;
- text-decoration:none;
- font-family:verdana, arial, helvetica, sans-serif;
-}
-#Template {
- margin:5px 0px 25px 5px;
- padding:5px 0px 5px 5px;
- border-style:solid;
- border-color:black;
- border-width:1px 1px 1px 1px;
- background-color:#fafafa;
- font-size:14px;
- font-weight:400;
- text-decoration:none;
- font-family:verdana, arial, helvetica, sans-serif;
-}
-#Templatesmall {
- margin:0px 0px 5px 0px;
- padding:5px 0px 0px 5px;
- border-style:solid;
- border-color:black;
- border-width:1px 1px 1px 1px;
- background-color:#fafafa;
- font-size:14px;
- font-weight:400;
- text-decoration:none;
- font-family:verdana, arial, helvetica, sans-serif;
-}
-#Description {
- margin:0px 0px 0px 5px;
- padding:0px 0px 0px 5px;
- text-decoration:none;
- font-family:verdana, arial, helvetica, sans-serif;
- font-size:12px;
- font-weight:400;
-}
-pre {
- margin:0px;
- padding:0px;
- font-size:14px;
- text-decoration:none;
- font-family:verdana, arial, helvetica, sans-serif;
-}
-dl {
- /* definition text block */
- font:11px/20px verdana, arial, helvetica, sans-serif;
- margin:0px 0px 16px 0px;
- padding:0px;
- }
-dt {
- /* definition term */
- font-weight: bold;
- }
-
-#Header {
- margin:50px 0px 10px 0px;
- padding:17px 0px 0px 20px;
- /* For IE5/Win's benefit height = [correct height] + [top padding] + [top and bottom border widths] */
- height:33px; /* 14px + 17px + 2px = 33px */
- border-style:solid;
- border-color:black;
- border-width:1px 0px; /* top and bottom borders: 1px; left and right borders: 0px */
- line-height:11px;
- font-size:110%;
- background-color:#eee;
- voice-family: "\"}\"";
- voice-family:inherit;
- height:14px; /* the correct height */
- }
-body>#Header {height:14px;}
-#Content {
- margin:0px 50px 0px 200px;
- padding:10px;
- }
-
-#Menu {
- position:absolute;
- top:100px;
- left:20px;
- width:162px;
- padding:10px;
- background-color:#eee;
- border:1px solid #aaa;
- line-height:17px;
- text-align:left;
- voice-family: "\"}\"";
- voice-family:inherit;
- width:160px;
- }
-#Menu subitem {
- font-size: 5px;
-}
-
-body>#Menu {width:160px;}
diff --git a/doc/templates/temp_list.html b/doc/templates/temp_list.html
deleted file mode 100644
index 9d635d8..0000000
--- a/doc/templates/temp_list.html
+++ /dev/null
@@ -1,33 +0,0 @@
-<h3>Master template index:</h3>
-
-[[for temp in templates]]
-<div id="templatesmall">
-Module: <a href='[[temp['mod_layer']+ "_" + temp['mod_name'] + ".html#link_" + temp['template_name']]]'>
-[[temp['mod_name']]]</a><p/>
-Layer: <a href='[[temp['mod_layer']]].html'>
-[[temp['mod_layer']]]</a><p/>
-<div id="codeblock">
-[[exec i = 0]]
-<b>[[temp['template_name']]]</b>(
- [[for arg in temp['template_parameters']]]
- [[if i != 0]]
- ,
- [[end]]
- [[exec i = 1]]
- [[if arg['optional'] == 'yes']]
- [
- [[end]]
- [[arg['name']]]
- [[if arg['optional'] == 'yes']]
- ]
- [[end]]
- [[end]]
- )<br>
-</div>
-[[if temp['template_summary']]]
-<div id="description">
-[[temp['template_summary']]]
-</div>
-[[end]]
-</div>
-[[end]]
diff --git a/doc/templates/template.html b/doc/templates/template.html
deleted file mode 100644
index 251d227..0000000
--- a/doc/templates/template.html
+++ /dev/null
@@ -1,50 +0,0 @@
-[[for temp in templates]]
-<a name="link_[[temp['template_name']]]"></a>
-<div id="template">
-[[if temp.has_key("mod_layer")]]
- Layer: [[mod_layer]]<br>
-[[end]]
-[[if temp.has_key("mod_name")]]
- Module: [[mod_name]]<br>
-[[end]]
-<div id="codeblock">
-[[exec i = 0]]
-<b>[[temp['template_name']]]</b>(
- [[for arg in temp['template_parameters']]]
- [[if i != 0]]
- ,
- [[end]]
- [[exec i = 1]]
- [[if arg['optional'] == 'yes']]
- [
- [[end]]
- [[arg['name']]]
- [[if arg['optional'] == 'yes']]
- ]
- [[end]]
- [[end]]
- )<br>
-</div>
-<div id="description">
-[[if temp['template_summary']]]
-<h5>Summary</h5>
-[[temp['template_summary']]]
-[[end]]
-[[if temp['template_desc']]]
-<h5>Description</h5>
-[[temp['template_desc']]]
-[[end]]
-<h5>Parameters</h5>
-<table border="1" cellspacing="0" cellpadding="3" width="65%">
-<tr><th >Parameter:</th><th >Description:</th></tr>
-[[for arg in temp['template_parameters']]]
-<tr><td>
-[[arg['name']]]
-</td><td>
-[[arg['desc']]]
-</td></tr>
-[[end]]
-</table>
-</div>
-</div>
-[[end]]
diff --git a/doc/templates/tun_list.html b/doc/templates/tun_list.html
deleted file mode 100644
index 278f284..0000000
--- a/doc/templates/tun_list.html
+++ /dev/null
@@ -1,23 +0,0 @@
-<h3>Master tunable index:</h3>
-
-[[for tun in tunables]]
-<div id="interfacesmall">
-[[if tun.has_key('mod_layer')]]
-Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'>
-[[tun['mod_name']]]</a><p/>
-Layer: <a href='[[tun['mod_layer']]].html'>
-[[tun['mod_layer']]]</a><p/>
-[[else]]
-Global
-[[end]]
-<div id="codeblock">
-[[tun['tun_name']]]
-<small>(Default: [[tun['def_val']]])</small>
-</div>
-[[if tun['desc']]]
-<div id="description">
-[[tun['desc']]]
-</div>
-[[end]]
-</div>
-[[end]]
diff --git a/doc/templates/tunable.html b/doc/templates/tunable.html
deleted file mode 100644
index 9316779..0000000
--- a/doc/templates/tunable.html
+++ /dev/null
@@ -1,13 +0,0 @@
-[[for tun in tunables]]
-<a name="link_[[tun['tun_name']]]"></a>
-<div id="interface">
-<div id="codeblock">[[tun['tun_name']]]</div>
-<div id="description">
-<h5>Default value</h5>
-<p>[[tun['def_val']]]</p>
-[[if tun['desc']]]
-<h5>Description</h5>
-[[tun['desc']]]
-[[end]]
-</div></div>
-[[end]]
diff --git a/exclude b/exclude
deleted file mode 100644
index ea28d71..0000000
--- a/exclude
+++ /dev/null
@@ -1,28 +0,0 @@
-CVS
-*2004*
-*h
-*~
-.#*
-*.spec
-*.orig
-*.rej
-*.suse
-*.strict
-policy.conf
-policy.15
-tmp
-debian
-#*
-policy.conf
-policy.xml
-modules.conf
-booleans.conf
-base.conf
-base.fc
-*.pyc
-fc_sort
-CVS
-CVSROOT
-.svn
-svn
-.git
diff --git a/modules-mls.conf b/modules-mls.conf
deleted file mode 100644
index 63d3dab..0000000
--- a/modules-mls.conf
+++ /dev/null
@@ -1,2048 +0,0 @@
-#
-# This file contains a listing of available modules.
-# To prevent a module from being used in policy
-# creation, set the module name to "off".
-#
-# For monolithic policies, modules set to "base" and "module"
-# will be built into the policy.
-#
-# For modular policies, modules set to "base" will be
-# included in the base module. "module" will be compiled
-# as individual loadable modules.
-#
-
-# Layer: services
-# Module: accountsd
-#
-# An application to view and modify user accounts information
-#
-accountsd = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-#
-acct = module
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-#
-alsa = module
-
-# Layer: services
-# Module: cachefilesd
-#
-# CacheFiles userspace management daemon
-#
-cachefilesd = module
-
-# Layer: services
-# Module: colord
-#
-# color device daemon
-#
-colord = module
-
-# Layer: apps
-# Module: cpufreqselector
-#
-# cpufreqselector executable
-#
-cpufreqselector = module
-
-# Layer: apps
-# Module: chrome
-#
-# chrome sandbox
-#
-chrome = module
-
-# Layer: modules
-# Module: awstats
-#
-# awstats executable
-#
-awstats = module
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-#
-amanda = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server
-#
-afs = module
-
-# Layer: services
-# Module: amavis
-#
-# Anti-virus
-#
-amavis = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-#
-anaconda = module
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-#
-apache = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-#
-apm = module
-
-# Layer: system
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-#
-application = module
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-#
-arpwatch = module
-
-# Layer: services
-# Module: entropy
-#
-# Generate entropy from audio input
-#
-entropyd = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-#
-authlogin = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-#
-avahi = module
-
-# Layer: services
-# Module: boinc
-#
-# Berkeley Open Infrastructure for Network Computing
-#
-boinc = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-#
-bind = module
-
-# Layer: services
-# Module: bugzilla
-#
-# Bugzilla server
-#
-bugzilla = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# A lightweight DHCP and caching DNS server.
-#
-dnsmasq = module
-
-# Layer: services
-# Module: dnssec
-#
-# A dnssec server application
-#
-dnssec = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-#
-bluetooth = module
-
-# Layer: kernel
-# Module: ubac
-#
-#
-#
-ubac = base
-
-#
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-#
-bootloader = module
-
-
-# Layer: services
-# Module: canna
-#
-# Canna - kana-kanji conversion server
-#
-canna = module
-
-# Layer: services
-# Module: ccs
-#
-# policy for ccs
-#
-ccs = module
-
-# Layer: apps
-# Module: calamaris
-#
-#
-# Squid log analysis
-#
-calamaris = module
-
-# Layer: apps
-# Module: cdrecord
-#
-# Policy for cdrecord
-#
-cdrecord = module
-
-# Layer: admin
-# Module: certwatch
-#
-# Digital Certificate Tracking
-#
-certwatch = module
-
-# Layer: admin
-# Module: certmaster
-#
-# Digital Certificate master
-#
-certmaster = module
-
-# Layer: services
-# Module: certmonger
-#
-# Certificate status monitor and PKI enrollment client
-#
-certmonger = module
-
-# Layer: services
-# Module: chronyd
-#
-# Daemon for maintaining clock time
-#
-chronyd = module
-
-q# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon
-#
-cipe = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-#
-comsat = module
-
-# Layer: services
-# Module: corosync
-#
-# Corosync Cluster Engine Executive
-#
-corosync = module
-
-# Layer: services
-# Module: clamav
-#
-# ClamAV Virus Scanner
-#
-clamav = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-#
-clock = module
-
-# Layer: services
-# Module: consolekit
-#
-# ConsoleKit is a system daemon for tracking what users are logged
-#
-consolekit = module
-
-# Layer: admin
-# Module: consoletype
-#
-# Determine of the console connected to the controlling terminal.
-#
-consoletype = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-#
-cpucontrol = module
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-#
-cron = module
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-#
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-#
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# cyphesis game server
-#
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-#
-cyrus = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-#
-daemontools = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-#
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-#
-dbus = module
-
-# Layer: services
-# Module: dcc
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-dcc = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-#
-ddcprobe = off
-
-# Layer: services
-# Module: devicekit
-#
-# devicekit-daemon
-#
-devicekit = module
-
-# Layer: kernel
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-#
-devices = base
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-#
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-#
-dictd = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-#
-distcc = off
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-#
-dmesg = module
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-#
-dmidecode = module
-
-# Layer: system
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-#
-domain = base
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-#
-dovecot = module
-
-# Layer: services
-# Module: git
-#
-# Policy for the stupid content tracker
-#
-git = module
-
-# Layer: apps
-# Module: gitosis
-#
-# Policy for gitosis
-#
-gitosis = module
-
-# Layer: services
-# Module: glance
-#
-# Policy for glance
-#
-glance = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-#
-gpg = module
-
-# Layer: services
-# Module: gpsd
-#
-# gpsd monitor daemon
-#
-#
-gpsd = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-#
-gpm = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-#
-fetchmail = module
-
-# Layer: kernel
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-#
-files = base
-
-# Layer: kernel
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-#
-filesystem = base
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-#
-finger = module
-
-# Layer: admin
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-#
-firstboot = module
-
-# Layer: apps
-# Module: firewallgui
-#
-# policy for system-config-firewall
-#
-firewallgui = module
-
-# Layer: services
-# Module: fprintd
-#
-# finger print server
-#
-fprintd = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-#
-fstools = module
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-#
-ftp = module
-
-# Layer: apps
-# Module: games
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-games = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-#
-getty = module
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-#
-gnome = module
-
-# Layer: services
-# Module: plymouthd
-#
-# Plymouth
-#
-plymouthd = module
-
-# Layer: services
-# Module: policykit
-#
-# Hardware abstraction layer
-#
-policykit = module
-
-# Layer: apps
-# Module: ptchown
-#
-# helper function for grantpt(3), changes ownship and permissions of pseudotty
-#
-ptchown = module
-
-# Layer: services
-# Module: psad
-#
-# Analyze iptables log for hostile traffic
-#
-psad = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-#
-hostname = module
-
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-#
-inetd = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-#
-init = module
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-#
-inn = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-#
-iptables = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-#
-ipsec = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-#
-irc = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-#
-irqbalance = module
-
-# Layer: system
-# Module: iscsi
-#
-# Open-iSCSI daemon
-#
-iscsi = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-#
-i18n_input = off
-
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging server
-#
-jabber = module
-
-# Layer: admin
-# Module: kdump
-#
-# kdump is kernel crash dumping mechanism
-#
-kdump = module
-
-# Layer: apps
-# Module: kdumpgui
-#
-# system-config-kdump policy
-#
-kdumpgui = module
-
-# Layer: services
-# Module: ksmtuned
-#
-# Kernel Samepage Merging (KSM) Tuning Daemon
-#
-ksmtuned = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-#
-kerberos = module
-
-# Layer: kernel
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-#
-kernel = base
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-#
-ktalk = module
-
-# Layer: services
-# Module: lircd
-#
-# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
-#
-lircd = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-#
-ldap = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-#
-libraries = module
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-#
-loadkeys = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-#
-locallogin = module
-
-# Layer: apps
-# Module: lockdev
-#
-# device locking policy for lockdev
-#
-lockdev = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-#
-logging = module
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-#
-logrotate = module
-
-# Layer: services
-# Module: logwatch
-#
-# logwatch executable
-#
-logwatch = module
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon
-#
-lpd = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-#
-lvm = module
-
-# Layer: services
-# Module: matahari
-#
-# Matahari system maangement tools
-#
-matahari = module
-
-# Layer: admin
-# Module: mcelog
-#
-# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines.
-#
-mcelog = module
-
-# Layer: services
-# Module: mailman
-#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
-#
-mailman = module
-
-# Layer: kernel
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-#
-mcs = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-#
-miscfiles = module
-
-# Layer: kernel
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-#
-mls = base
-
-# Layer: services
-# Module: modemmanager
-#
-# Manager for dynamically switching between modems.
-#
-modemmanager = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-#
-modutils = module
-
-# Layer: services
-# Module: mojomojo
-#
-# Wiki server
-#
-mojomojo = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-#
-mount = module
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers
-#
-mozilla = module
-
-# Layer: services
-# Module: ntop
-#
-# Policy for ntop
-#
-ntop = module
-
-# Layer: services
-# Module: nslcd
-#
-# Policy for nslcd
-#
-nslcd = module
-
-# Layer: apps
-# Module: mplayer
-#
-# Policy for Mozilla and related web browsers
-#
-mplayer = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for Mozilla and related web browsers
-#
-gpg = module
-
-# Layer: admin
-# Module: mrtg
-#
-# Network traffic graphing
-#
-mrtg = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-#
-mta = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-#
-mysql = module
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-#
-nagios = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-#
-ncftool = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-#
-netutils = module
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-#
-networkmanager = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-#
-nis = module
-
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-#
-nscd = module
-
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-#
-ntp = module
-
-# Layer: services
-# Module: nx
-#
-# NX Remote Desktop
-#
-nx = module
-
-
-# Layer: services
-# Module: oddjob
-#
-# policy for oddjob
-#
-oddjob = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-#
-openct = off
-
-# Layer: services
-# Module: openvpn
-#
-# Policy for OPENVPN full-featured SSL VPN solution
-#
-openvpn = module
-
-
-# Layer: service
-# Module: pcscd
-#
-# PC/SC Smart Card Daemon
-#
-pcscd = module
-
-# Layer: service
-# Module: openct
-#
-# Middleware framework for smart card terminals
-#
-openct = module
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-#
-pcmcia = module
-
-# Layer: services
-# Module: pegasus
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-pegasus = module
-
-# Layer: services
-# Module: piranha
-#
-# piranha - various tools to administer and configure the Linux Virtual Server
-#
-piranha = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-#
-postgresql = module
-
-# Layer: services
-# Module: portmap
-#
-# RPC port mapping service.
-#
-portmap = module
-
-# Layer: services
-# Module: postfix
-#
-# Postfix email server
-#
-postfix = module
-
-o# Layer: services
-# Module: postgrey
-#
-# email scanner
-#
-postgrey = module
-
-# Layer: services
-# Module: ppp
-#
-# Point to Point Protocol daemon creates links in ppp networks
-#
-ppp = module
-
-# Layer: admin
-# Module: prelink
-#
-# Manage temporary directory sizes and file ages
-#
-prelink = module
-
-# Layer: services
-# Module: procmail
-#
-# Procmail mail delivery agent
-#
-procmail = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-#
-privoxy = module
-
-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP
-#
-publicfile = module
-
-# Layer: apps
-# Module: pulseaudio
-#
-# The PulseAudio Sound System
-#
-pulseaudio = module
-
-# Layer: services
-# Module: qmail
-#
-# Policy for qmail
-#
-qmail = module
-
-# Layer: services
-# Module: qpidd
-#
-# Policy for qpidd
-#
-qpid = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-#
-quota = module
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-#
-raid = module
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-#
-radius = module
-
-# Layer: services
-# Module: radvd
-#
-# IPv6 router advertisement daemon
-#
-radvd = module
-
-# Layer: admin
-# Module: readahead
-#
-# Readahead, read files into page cache for improved performance
-#
-readahead = module
-
-# Layer: services
-# Module: rgmanager
-#
-# Red Hat Resource Group Manager
-#
-rgmanager = module
-
-# Layer: services
-# Module: rhgb
-#
-# X windows login display manager
-#
-rhgb = module
-
-# Layer: services
-# Module: rdisc
-#
-# Network router discovery daemon
-#
-rdisc = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-#
-remotelogin = module
-
-# Layer: services
-# Module: ricci
-#
-# policy for ricci
-#
-ricci = module
-
-# Layer: services
-# Module: rlogin
-#
-# Remote login daemon
-#
-rlogin = module
-
-# Layer: services
-# Module: roundup
-#
-# Roundup Issue Tracking System policy
-#
-roundup = module
-
-# Layer: services
-# Module: rpc
-#
-# Remote Procedure Call Daemon for managment of network based process communication
-#
-rpc = module
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-#
-rpm = module
-
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-#
-rshd = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-#
-rsync = module
-
-# Layer: services
-# Module: rtkit
-#
-# Real Time Kit Daemon
-#
-rtkit = module
-
-# Layer: services
-# Module: rwho
-#
-# who is logged in on local machines
-#
-rwho = module
-
-# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-#
-sasl = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-#
-sendmail = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-#
-seunshare = module
-
-# Layer: services
-# Module: samba
-#
-# SMB and CIFS client/server programs for UNIX and
-# name Service Switch daemon for resolving names
-# from Windows NT servers.
-#
-samba = module
-
-# Layer: apps
-# Module: sandbox
-#
-# Experimental policy for running apps within a sandbox
-#
-sandbox = module
-
-# Layer: apps
-# Module: sambagui
-#
-# policy for system-config-samba
-#
-sambagui = module
-
-# Layer: apps
-# Module: screen
-#
-# GNU terminal multiplexer
-#
-screen = module
-
-# Layer: kernel
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-#
-selinux = base
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-#
-selinuxutil = module
-
-# Layer: system
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-#
-setrans = module
-
-# Layer: services
-# Module: setroubleshoot
-#
-# Policy for the SELinux troubleshooting utility
-#
-setroubleshoot = module
-
-# Layer: services
-# Module: slrnpull
-#
-# Service for downloading news feeds the slrn newsreader.
-#
-slrnpull = off
-
-# Layer: apps
-# Module: slocate
-#
-# Update database for mlocate
-#
-slocate = module
-
-# Layer: services
-# Module: smartmon
-#
-# Smart disk monitoring daemon policy
-#
-smartmon = module
-
-# Layer: services
-# Module: snmp
-#
-# Simple network management protocol services
-#
-snmp = module
-
-# Layer: services
-# Module: spamassassin
-#
-# Filter used for removing unsolicited email.
-#
-spamassassin = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server
-#
-squid = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-#
-ssh = module
-
-# Layer: services
-# Module: sssd
-#
-# System Security Services Daemon
-#
-sssd = module
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-#
-storage = base
-
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy
-#
-stunnel = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-#
-su = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-#
-sudo = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-#
-systemd = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-#
-sysnetwork = module
-
-# Layer: services
-# Module: sysstat
-#
-# Policy for sysstat. Reports on various system states
-#
-sysstat = module
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-#
-tcpd = module
-
-# Layer: services
-# Module: tcsd
-#
-# tcsd - daemon that manages Trusted Computing resources
-#
-tcsd = module
-
-# Layer: services
-# Module: tgtd
-#
-# Linux Target Framework Daemon.
-#
-tgtd = module
-
-# Layer: apps
-# Module: thumb
-#
-# Thumbnailer confinement
-#
-thumb = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-#
-udev = module
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-#
-userdomain = module
-
-# Layer: services
-# Module: ulogd
-#
-#
-#
-ulogd = module
-
-# Layer: apps
-# Module: wine
-#
-# wine executable
-#
-wine = module
-
-# Layer: apps
-# Module: wireshark
-#
-# wireshark executable
-#
-wireshark = module
-
-# Layer: apps
-# Module: userhelper
-#
-# A helper interface to pam.
-#
-userhelper = module
-
-# Layer: services
-# Module: tor
-#
-# TOR, the onion router
-#
-tor = module
-
-# Layer: apps
-# Module: tvtime
-#
-# tvtime - a high quality television application
-#
-tvtime = module
-
-# Layer: apps
-# Module: uml
-#
-# Policy for UML
-#
-uml = module
-
-# Layer: admin
-# Module: usbmodules
-#
-# List kernel modules of USB devices
-#
-usbmodules = module
-
-# Layer: apps
-# Module: usernetctl
-#
-# User network interface configuration helper
-#
-usernetctl = module
-
-# Layer: system
-# Module: xen
-#
-# virtualization software
-#
-xen = module
-
-# Layer: services
-# Module: virt
-#
-# Virtualization libraries
-#
-virt = module
-
-# Layer: system
-# Module: brctl
-#
-# Utilities for configuring the linux ethernet bridge
-#
-brctl = module
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon
-#
-telnet = module
-
-# Layer: services
-# Module: timidity
-#
-# MIDI to WAV converter and player configured as a service
-#
-timidity = off
-
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon
-#
-tftp = module
-
-# Layer: services
-# Module: tuned
-#
-# Dynamic adaptive system tuning daemon
-#
-tuned = module
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy
-#
-uucp = module
-
-# Layer: apps
-# Module: webalizer
-#
-# Web server log analysis
-#
-webalizer = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-#
-xserver = module
-
-# Layer: services
-# Module: zebra
-#
-# Zebra border gateway protocol network routing service
-#
-zebra = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-#
-usermanage = module
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-#
-updfstab = module
-
-# Layer: admin
-# Module: vpn
-#
-# Virtual Private Networking client
-#
-vpn = module
-
-# Layer: kernel
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-#
-terminal = base
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-#
-tmpreaper = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-#
-amtu = module
-
-# Layer: services
-# Module: zabbix
-#
-# Open-source monitoring solution for your IT infrastructure
-#
-zabbix = module
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: aide
-#
-# Policy for aide
-#
-aide = module
-
-# Layer: services
-# Module: w3c
-#
-# w3c
-#
-w3c = module
-
-# Layer: services
-# Module: portreserve
-#
-# reserve ports to prevent portmap mapping them
-#
-portreserve = module
-
-# Layer: services
-# Module: rpcbind
-#
-# universal addresses to RPC program number mapper
-#
-rpcbind = module
-
-# Layer: apps
-# Module: telepathy
-#
-# telepathy - Policy for Telepathy framework
-#
-telepathy = module
-
-# Layer: apps
-# Module: vmware
-#
-# VMWare Workstation virtual machines
-#
-vmware = module
-
-# Layer: role
-# Module: dbadm
-#
-# Minimally prived root role for managing databases
-#
-dbadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-#
-logadm = module
-
-# Layer: role
-# Module: webadm
-#
-# Minimally prived root role for managing apache
-#
-webadm = module
-
-#
-# Layer: services
-# Module: exim
-#
-# exim mail server
-#
-exim = module
-
-
-# Layer: services
-# Module: kismet
-#
-# Wireless sniffing and monitoring
-#
-kismet = module
-
-# Layer: services
-# Module: munin
-#
-# Munin
-#
-munin = module
-
-# Layer: services
-# Module: bitlbee
-#
-# An IRC to other chat networks gateway
-#
-bitlbee = module
-
-# Layer: admin
-# Module: sosreport
-#
-# sosreport debuggin information generator
-#
-sosreport = module
-
-# Layer: services
-# Module: soundserver
-#
-# sound server for network audio server programs, nasd, yiff, etc</summary>
-#
-soundserver = module
-
-# Layer:role
-# Module: staff
-#
-# admin account
-#
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-#
-sysadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-#
-sysadm_secadm = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-#
-unprivuser = module
-
-# Layer: services
-# Module: prelude
-#
-prelude = module
-
-# Layer: services
-# Module: pads
-#
-pads = module
-
-# Layer: apps
-# Module: podsleuth
-#
-# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
-#
-podsleuth = module
-
-# Layer: role
-# Module: logadm
-#
-# logadm account on tty logins
-#
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-#
-secadm = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-#
-auditadm = module
-
-#
-# Layer: role
-# Module: guest
-#
-# Minimally privs guest account on tty logins
-#
-guest = module
-
-# Layer: role
-# Module: xguest
-#
-# Minimally privs guest account on X Windows logins
-#
-xguest = module
-
-# Layer: services
-# Module: cgroup
-#
-# Tools and libraries to control and monitor control groups
-#
-cgroup = module
-
-# Layer: services
-# Module: courier
-#
-# IMAP and POP3 email servers
-#
-courier = module
-
-# Layer: services
-# Module: snort
-#
-# Snort network intrusion detection system
-#
-snort = module
-
-# Layer: services
-# Module: memcached
-#
-# high-performance memory object caching system
-#
-memcached = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-#
-netlabel = module
-
-# Layer: services
-# Module: zosremote
-#
-# policy for z/OS Remote-services Audit dispatcher plugin</summary>
-#
-zosremote = module
-
-# Layer: services
-# Module: pingd
-#
-#
-pingd = module
-
-# Layer: services
-# Module: milter
-#
-#
-#
-milter = module
-
-# Layer: apps
-# Module: wm
-#
-# X windows window manager
-#
-wm = module
-
-# Layer: services
-# Module: aisexec
-#
-# RHCS - Red Hat Cluster Suite
-#
-aisexec = module
-
-# Layer: services
-# Module: rgmanager
-#
-# rgmanager
-#
-rgmanager = module
-
-# Layer: services
-# Module: clogd
-#
-# clogd - clustered mirror log server
-#
-clogd = module
-
-# Layer: services
-# Module: cmirrord
-#
-# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
-#
-cmirrord = module
-
-# Layer: services
-# Module: ricci
-#
-# policy for ricci
-#
-ricci = module
-
-# Layer: services
-# Module: rhcs
-#
-# RHCS - Red Hat Cluster Suite
-#
-rhcs = module
-
-# Layer: admin
-# Module: shorewall
-#
-# Policy for shorewall
-#
-shorewall = module
-
-# Layer: admin
-# Module: shutdown
-#
-# Policy for shutdown
-#
-shutdown = module
-
-# Layer: kernel
-# Module: unlabelednet
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: apps
-# Module: namespace
-#
-# policy for namespace.init script
-#
-namespace = module
-
-# Layer: services
-# Module: polipo
-#
-# polipo
-#
-polipo = module
-
diff --git a/seusers-mls b/seusers-mls
deleted file mode 100644
index a3fd7c0..0000000
--- a/seusers-mls
+++ /dev/null
@@ -1,3 +0,0 @@
-system_u:system_u:s0-s15:c0.c1023
-root:root:s0-s15:c0.c1023
-__default__:user_u:s0
diff --git a/seusers-targeted b/seusers-targeted
deleted file mode 100644
index 461b003..0000000
--- a/seusers-targeted
+++ /dev/null
@@ -1,3 +0,0 @@
-root:root:s0-s0:c0.c1023
-system_u:system_u:s0-s0:c0.c1023
-__default__:user_u:s0
diff --git a/support/Makefile.devel b/support/Makefile.devel
deleted file mode 100644
index c5e3ef3..0000000
--- a/support/Makefile.devel
+++ /dev/null
@@ -1,255 +0,0 @@
-
-# helper tools
-AWK ?= gawk
-INSTALL ?= install
-M4 ?= m4
-SED ?= sed
-EINFO ?= echo
-PYTHON ?= python
-CUT ?= cut
-
-NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
-SHAREDIR ?= /usr/share/selinux
-HEADERDIR ?= $(SHAREDIR)/$(NAME)/include
-
-include $(HEADERDIR)/build.conf
-
-# executables
-PREFIX := /usr
-BINDIR := $(PREFIX)/bin
-SBINDIR := $(PREFIX)/sbin
-CHECKMODULE := $(BINDIR)/checkmodule
-SEMODULE := $(SBINDIR)/semodule
-SEMOD_PKG := $(BINDIR)/semodule_package
-XMLLINT := $(BINDIR)/xmllint
-
-# set default build options if missing
-TYPE ?= standard
-DIRECT_INITRC ?= n
-POLY ?= n
-QUIET ?= y
-
-genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
-
-docs := doc
-polxml := $(docs)/policy.xml
-xmldtd := $(HEADERDIR)/support/policy.dtd
-metaxml := metadata.xml
-
-globaltun = $(HEADERDIR)/global_tunables.xml
-globalbool = $(HEADERDIR)/global_booleans.xml
-
-# enable MLS if requested.
-ifeq "$(TYPE)" "mls"
- M4PARAM += -D enable_mls
- CHECKPOLICY += -M
- CHECKMODULE += -M
-endif
-
-# enable MLS if MCS requested.
-ifeq "$(TYPE)" "mcs"
- M4PARAM += -D enable_mcs
- CHECKPOLICY += -M
- CHECKMODULE += -M
-endif
-
-# enable distribution-specific policy
-ifneq ($(DISTRO),)
- M4PARAM += -D distro_$(DISTRO)
-endif
-
-ifeq ($(DIRECT_INITRC),y)
- M4PARAM += -D direct_sysadm_daemon
-endif
-
-ifeq "$(UBAC)" "y"
- M4PARAM += -D enable_ubac
-endif
-
-# default MLS/MCS sensitivity and category settings.
-MLS_SENS ?= 16
-MLS_CATS ?= 1024
-MCS_CATS ?= 1024
-
-ifeq ($(QUIET),y)
- verbose := @
-endif
-
-M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS)
-
-# policy headers
-m4support = $(wildcard $(HEADERDIR)/support/*.spt)
-
-header_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
-header_xml := $(addsuffix .xml,$(header_layers))
-header_interfaces := $(foreach layer,$(header_layers),$(wildcard $(layer)/*.if))
-
-rolemap := $(HEADERDIR)/rolemap
-
-local_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
-local_xml := $(addprefix tmp/, $(addsuffix .xml,$(local_layers)))
-
-all_layer_names := $(sort $(notdir $(header_layers) $(local_layers)))
-
-3rd_party_mods := $(wildcard *.te)
-detected_mods := $(3rd_party_mods) $(foreach layer,$(local_layers),$(wildcard $(layer)/*.te))
-
-detected_ifs := $(detected_mods:.te=.if)
-detected_fcs := $(detected_mods:.te=.fc)
-all_packages := $(notdir $(detected_mods:.te=.pp))
-
-# figure out what modules we may want to reload
-loaded_mods = $(addsuffix .pp,$(shell $(SEMODULE) -l | $(CUT) -f1))
-sys_mods = $(wildcard $(SHAREDIR)/$(NAME)/*.pp)
-match_sys = $(filter $(addprefix $(SHAREDIR)/$(NAME)/,$(loaded_mods)),$(sys_mods))
-match_loc = $(filter $(all_packages),$(loaded_mods))
-
-vpath %.te $(local_layers)
-vpath %.if $(local_layers)
-vpath %.fc $(local_layers)
-
-########################################
-#
-# Functions
-#
-
-# parse-rolemap-compat modulename,outputfile
-define parse-rolemap-compat
- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-endef
-
-# parse-rolemap modulename,outputfile
-define parse-rolemap
- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-endef
-
-# peruser-expansion modulename,outputfile
-define peruser-expansion
- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
- $(call parse-rolemap,$1,$2)
- $(verbose) echo "')" >> $2
-
- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
- $(call parse-rolemap-compat,$1,$2)
- $(verbose) echo "')" >> $2
-endef
-
-.PHONY: clean all xml load reload
-.SUFFIXES:
-.SUFFIXES: .pp
-# broken in make 3.81:
-#.SECONDARY:
-
-########################################
-#
-# Main targets
-#
-
-all: $(all_packages)
-
-xml: $(polxml)
-
-########################################
-#
-# Attempt to reinstall all installed packages
-#
-refresh:
- @$(EINFO) "Refreshing $(NAME) modules"
- $(verbose) $(SEMODULE) -b $(SHAREDIR)/$(NAME)/base.pp $(foreach mod,$(match_sys) $(match_loc),-i $(mod))
-
-########################################
-#
-# Load module packages
-#
-
-load: tmp/loaded
-tmp/loaded: $(all_packages)
- @$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $?))"
- $(verbose) $(SEMODULE) $(foreach mod,$?,-i $(mod))
- @mkdir -p tmp
- @touch tmp/loaded
-
-reload: $(all_packages)
- @$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $^))"
- $(verbose) $(SEMODULE) $(foreach mod,$^,-i $(mod))
- @mkdir -p tmp
- @touch tmp/loaded
-
-########################################
-#
-# Build module packages
-#
-tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
- @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
- @test -d $(@D) || mkdir -p $(@D)
- $(call peruser-expansion,$(basename $(@F)),$@.role)
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
- $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
-tmp/%.mod.fc: $(m4support) %.fc
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-%.pp: tmp/%.mod tmp/%.mod.fc
- @echo "Creating $(NAME) $(@F) policy package"
- $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
-
-tmp/all_interfaces.conf: $(m4support) $(header_interfaces) $(detected_ifs)
- @test -d $(@D) || mkdir -p $(@D)
- @echo "ifdef(\`__if_error',\`m4exit(1)')" > tmp/iferror.m4
- @echo "divert(-1)" > $@
- $(verbose) $(M4) $^ tmp/iferror.m4 | sed -e s/dollarsstar/\$$\*/g >> $@
- @echo "divert" >> $@
-
-# so users dont have to make empty .fc and .if files
-$(detected_fcs):
- @touch $@
-
-$(detected_ifs):
- @echo "## <summary>$(basename $(@D))</summary>" > $@
-
-########################################
-#
-# Documentation generation
-#
-tmp/%.xml: %/*.te %/*.if
- @test -d $(@D) || mkdir -p $(@D)
- $(verbose) test -f $(HEADERDIR)/$*.xml || cat $*/$(metaxml) > $@
- $(verbose) $(genxml) -w -m $(sort $(basename $^)) >> $@
-
-vars: $(local_xml)
-
-$(polxml): $(header_xml) $(local_xml) $(globaltun) $(globalbool) $(detected_mods) $(detected_ifs)
- @echo "Creating $(@F)"
- @test -d $(@D) || mkdir -p $(@D)
- $(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
- $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
- $(verbose) echo '<policy>' >> $@
- $(verbose) for i in $(all_layer_names); do \
- echo "<layer name=\"$$i\">" >> $@ ;\
- test -f $(HEADERDIR)/$$i.xml && cat $(HEADERDIR)/$$i.xml >> $@ ;\
- test -f tmp/$$i.xml && cat tmp/$$i.xml >> $@ ;\
- echo "</layer>" >> $@ ;\
- done
-ifneq "$(strip $(3rd_party_mods))" ""
- $(verbose) echo "<layer name=\"third_party\">" >> $@
- $(verbose) echo "<summary>These are all third-party modules.</summary>" >> $@
- $(verbose) $(genxml) -w -m $(addprefix ./,$(basename $(3rd_party_mods))) >> $@
- $(verbose) echo "</layer>" >> $@
-endif
- $(verbose) cat $(globaltun) $(globalbool) >> $@
- $(verbose) echo '</policy>' >> $@
- $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
- $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
- fi
-
-########################################
-#
-# Clean the environment
-#
-
-clean:
- rm -fR tmp
- rm -f *.pp
diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
deleted file mode 100644
index 20ffa6c..0000000
--- a/support/comment_move_decl.sed
+++ /dev/null
@@ -1,14 +0,0 @@
-# comment out lines that are moved by the build
-# process, so line numbers provided by m4 are preserved.
-
-# lines in require and optional blocks are not moved
-/require \{/,/} # end require/b nextline
-/optional \{/,/} # end optional/b nextline
-
-/^[[:blank:]]*(attribute|type(alias)?) /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/
-
-:nextline
diff --git a/support/divert.m4 b/support/divert.m4
deleted file mode 100644
index 7ce2db3..0000000
--- a/support/divert.m4
+++ /dev/null
@@ -1 +0,0 @@
-divert(`-1')
\ No newline at end of file
diff --git a/support/fc_sort.c b/support/fc_sort.c
deleted file mode 100644
index 6c43035..0000000
--- a/support/fc_sort.c
+++ /dev/null
@@ -1,558 +0,0 @@
-/* Copyright 2005, Tresys Technology
- *
- * Some parts of this came from matchpathcon.c in libselinux
- */
-
-/* PURPOSE OF THIS PROGRAM
- * The original setfiles sorting algorithm did not take into
- * account regular expression specificity. With the current
- * strict and targeted policies this is not an issue because
- * the file contexts are partially hand sorted and concatenated
- * in the right order so that the matches are generally correct.
- * The way reference policy and loadable policy modules handle
- * file contexts makes them come out in an unpredictable order
- * and therefore setfiles (or this standalone tool) need to sort
- * the regular expressions in a deterministic and stable way.
- */
-
-#define BUF_SIZE 4096;
-#define _GNU_SOURCE
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-typedef unsigned char bool_t;
-
-/* file_context_node
- * A node used in a linked list of file contexts.c
- * Each node contains the regular expression, the type and
- * the context, as well as information about the regular
- * expression. The regular expression data (meta, stem_len
- * and str_len) can be filled in by using the fc_fill_data
- * function after the regular expression has been loaded.
- * next points to the next node in the linked list.
- */
-typedef struct file_context_node {
- char *path;
- char *file_type;
- char *context;
- bool_t meta;
- int stem_len;
- int str_len;
- struct file_context_node *next;
-} file_context_node_t;
-
-void file_context_node_destroy(file_context_node_t *x)
-{
- free(x->path);
- free(x->file_type);
- free(x->context);
-}
-
-
-
-/* file_context_bucket
- * A node used in a linked list of buckets that contain
- * file_context_node's.
- * Each node contains a pointer to a file_context_node which
- * is the header of its linked list. This linked list is the
- * content of this bucket.
- * next points to the next bucket in the linked list.
- */
-typedef struct file_context_bucket {
- file_context_node_t *data;
- struct file_context_bucket *next;
-} file_context_bucket_t;
-
-
-
-/* fc_compare
- * Compares two file contexts' regular expressions and returns:
- * -1 if a is less specific than b
- * 0 if a and be are equally specific
- * 1 if a is more specific than b
- * The comparison is based on the following statements,
- * in order from most important to least important, given a and b:
- * If a is a regular expression and b is not,
- * -> a is less specific than b.
- * If a's stem length is shorter than b's stem length,
- * -> a is less specific than b.
- * If a's string length is shorter than b's string length,
- * -> a is less specific than b.
- * If a does not have a specified type and b does not,
- * -> a is less specific than b.
- */
-int fc_compare(file_context_node_t *a, file_context_node_t *b)
-{
- /* Check to see if either a or b have meta characters
- * and the other doesn't. */
- if (a->meta && !b->meta)
- return -1;
- if (b->meta && !a->meta)
- return 1;
-
- /* Check to see if either a or b have a shorter stem
- * length than the other. */
- if (a->stem_len < b->stem_len)
- return -1;
- if (b->stem_len < a->stem_len)
- return 1;
-
- /* Check to see if either a or b have a shorter string
- * length than the other. */
- if (a->str_len < b->str_len)
- return -1;
- if (b->str_len < a->str_len)
- return 1;
-
- /* Check to see if either a or b has a specified type
- * and the other doesn't. */
- if (!a->file_type && b->file_type)
- return -1;
- if (!b->file_type && a->file_type)
- return 1;
-
- /* If none of the above conditions were satisfied,
- * then a and b are equally specific. */
- return 0;
-}
-
-
-
-/* fc_merge
- * Merges two sorted file context linked lists into one
- * sorted one.
- * Pass two lists a and b, and after the completion of fc_merge,
- * the final list is contained in a, and b is empty.
- */
-file_context_node_t *fc_merge(file_context_node_t *a,
- file_context_node_t *b)
-{
- file_context_node_t *a_current;
- file_context_node_t *b_current;
- file_context_node_t *temp;
- file_context_node_t *jumpto;
-
-
-
- /* If a is a empty list, and b is not,
- * set a as b and proceed to the end. */
- if (!a && b)
- a = b;
- /* If b is an empty list, leave a as it is. */
- else if (!b) {
- } else {
- /* Make it so the list a has the lesser
- * first element always. */
- if (fc_compare(a, b) == 1) {
- temp = a;
- a = b;
- b = temp;
- }
- a_current = a;
- b_current = b;
-
- /* Merge by inserting b's nodes in between a's nodes. */
- while (a_current->next && b_current) {
- jumpto = a_current->next;
-
- /* Insert b's nodes in between the current a node
- * and the next a node.*/
- while (b_current && a_current->next &&
- fc_compare(a_current->next,
- b_current) != -1) {
-
-
- temp = a_current->next;
- a_current->next = b_current;
- b_current = b_current->next;
- a_current->next->next = temp;
- a_current = a_current->next;
- }
-
- /* Skip all the inserted node from b to the
- * next node in the original a. */
- a_current = jumpto;
- }
-
-
- /* if there is anything left in b to be inserted,
- put it on the end */
- if (b_current) {
- a_current->next = b_current;
- }
- }
-
- return a;
-}
-
-
-
-/* fc_merge_sort
- * Sorts file contexts from least specific to more specific.
- * The bucket linked list is passed and after the completion
- * of the fc_merge_sort function, there is only one bucket
- * (pointed to by master) that contains a linked list
- * of all the file contexts, in sorted order.
- * Explanation of the algorithm:
- * The algorithm implemented in fc_merge_sort is an iterative
- * implementation of merge sort.
- * At first, each bucket has a linked list of file contexts
- * that are 1 element each.
- * Each pass, each odd numbered bucket is merged into the bucket
- * before it. This halves the number of buckets each pass.
- * It will continue passing over the buckets (as described above)
- * until there is only one bucket left, containing the list of
- * file contexts, sorted.
- */
-void fc_merge_sort(file_context_bucket_t *master)
-{
-
-
- file_context_bucket_t *current;
- file_context_bucket_t *temp;
-
- /* Loop until master is the only bucket left
- * so that this will stop when master contains
- * the sorted list. */
- while (master->next) {
- current = master;
-
- /* This loop merges buckets two-by-two. */
- while (current) {
-
- if (current->next) {
-
- current->data =
- fc_merge(current->data,
- current->next->data);
-
-
-
- temp = current->next;
- current->next = current->next->next;
-
- free(temp);
-
- }
-
-
- current = current->next;
- }
- }
-
-
-}
-
-
-
-/* fc_fill_data
- * This processes a regular expression in a file context
- * and sets the data held in file_context_node, namely
- * meta, str_len and stem_len.
- * The following changes are made to fc_node after the
- * the completion of the function:
- * fc_node->meta = 1 if path has a meta character, 0 if not.
- * fc_node->str_len = The string length of the entire path
- * fc_node->stem_len = The number of characters up until
- * the first meta character.
- */
-void fc_fill_data(file_context_node_t *fc_node)
-{
- int c = 0;
-
- fc_node->meta = 0;
- fc_node->stem_len = 0;
- fc_node->str_len = 0;
-
- /* Process until the string termination character
- * has been reached.
- * Note: this while loop has been adapted from
- * spec_hasMetaChars in matchpathcon.c from
- * libselinux-1.22. */
- while (fc_node->path[c] != '\0') {
- switch (fc_node->path[c]) {
- case '.':
- case '^':
- case '$':
- case '?':
- case '*':
- case '+':
- case '|':
- case '[':
- case '(':
- case '{':
- /* If a meta character is found,
- * set meta to one */
- fc_node->meta = 1;
- break;
- case '\\':
- /* If a escape character is found,
- * skip the next character. */
- c++;
- default:
- /* If no meta character has been found yet,
- * add one to the stem length. */
- if (!fc_node->meta)
- fc_node->stem_len++;
- break;
- }
-
- fc_node->str_len++;
- c++;
- }
-}
-
-/* main
- * This program takes in two arguments, the input filename and the
- * output filename. The input file should be syntactically correct.
- * Overall what is done in the main is read in the file and store each
- * line of code, sort it, then output it to the output file.
- */
-int main(int argc, char *argv[])
-{
- int lines;
- size_t start, finish, regex_len, context_len;
- size_t line_len, buf_len, i, j;
- char *input_name, *output_name, *line_buf;
-
- file_context_node_t *temp;
- file_context_node_t *head;
- file_context_node_t *current;
- file_context_bucket_t *master;
- file_context_bucket_t *bcurrent;
-
- FILE *in_file, *out_file;
-
-
- /* Check for the correct number of command line arguments. */
- if (argc != 3) {
- fprintf(stderr, "Usage: %s <infile> <outfile>\n",argv[0]);
- return 1;
- }
-
- input_name = argv[1];
- output_name = argv[2];
-
- i = j = lines = 0;
-
- /* Open the input file. */
- if (!(in_file = fopen(input_name, "r"))) {
- fprintf(stderr, "Error: failure opening input file for read.\n");
- return 1;
- }
-
- /* Initialize the head of the linked list. */
- head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t));
-
- /* Parse the file into a file_context linked list. */
- line_buf = NULL;
-
- while ( getline(&line_buf, &buf_len, in_file) != -1 ){
- line_len = strlen(line_buf);
- if( line_len == 0 || line_len == 1)
- continue;
- /* Get rid of whitespace from the front of the line. */
- for (i = 0; i < line_len; i++) {
- if (!isspace(line_buf[i]))
- break;
- }
-
-
- if (i >= line_len)
- continue;
- /* Check if the line isn't empty and isn't a comment */
- if (line_buf[i] == '#')
- continue;
-
- /* We have a valid line - allocate a new node. */
- temp = (file_context_node_t *)malloc(sizeof(file_context_node_t));
- if (!temp) {
- fprintf(stderr, "Error: failure allocating memory.\n");
- return 1;
- }
- temp->next = NULL;
- memset(temp, 0, sizeof(file_context_node_t));
-
- /* Parse out the regular expression from the line. */
- start = i;
-
-
- while (i < line_len && (!isspace(line_buf[i])))
- i++;
- finish = i;
-
-
- regex_len = finish - start;
-
- if (regex_len == 0) {
- file_context_node_destroy(temp);
- free(temp);
-
-
- continue;
- }
-
- temp->path = (char*)strndup(&line_buf[start], regex_len);
- if (!temp->path) {
- file_context_node_destroy(temp);
- free(temp);
- fprintf(stderr, "Error: failure allocating memory.\n");
- return 1;
- }
-
- /* Get rid of whitespace after the regular expression. */
- for (; i < line_len; i++) {
-
- if (!isspace(line_buf[i]))
- break;
- }
-
- if (i == line_len) {
- file_context_node_destroy(temp);
- free(temp);
- continue;
- }
-
- /* Parse out the type from the line (if it
- * is there). */
- if (line_buf[i] == '-') {
- temp->file_type = (char *)malloc(sizeof(char) * 3);
- if (!(temp->file_type)) {
- fprintf(stderr, "Error: failure allocating memory.\n");
- return 1;
- }
-
- if( i + 2 >= line_len ) {
- file_context_node_destroy(temp);
- free(temp);
-
- continue;
- }
-
- /* Fill the type into the array. */
- temp->file_type[0] = line_buf[i];
- temp->file_type[1] = line_buf[i + 1];
- i += 2;
- temp->file_type[2] = 0;
-
- /* Get rid of whitespace after the type. */
- for (; i < line_len; i++) {
- if (!isspace(line_buf[i]))
- break;
- }
-
- if (i == line_len) {
-
- file_context_node_destroy(temp);
- free(temp);
- continue;
- }
- }
-
- /* Parse out the context from the line. */
- start = i;
- while (i < line_len && (!isspace(line_buf[i])))
- i++;
- finish = i;
-
- context_len = finish - start;
-
- temp->context = (char*)strndup(&line_buf[start], context_len);
- if (!temp->context) {
- file_context_node_destroy(temp);
- free(temp);
- fprintf(stderr, "Error: failure allocating memory.\n");
- return 1;
- }
-
- /* Set all the data about the regular
- * expression. */
- fc_fill_data(temp);
-
- /* Link this line of code at the end of
- * the linked list. */
- current->next = temp;
- current = current->next;
- lines++;
-
-
- free(line_buf);
- line_buf = NULL;
- }
- fclose(in_file);
-
- /* Create the bucket linked list from the earlier linked list. */
- current = head->next;
- bcurrent = master =
- (file_context_bucket_t *)
- malloc(sizeof(file_context_bucket_t));
-
- /* Go until all the nodes have been put in individual buckets. */
- while (current) {
- /* Copy over the file context line into the bucket. */
- bcurrent->data = current;
- current = current->next;
-
- /* Detatch the node in the bucket from the old list. */
- bcurrent->data->next = NULL;
-
- /* If there should be another bucket, put one at the end. */
- if (current) {
- bcurrent->next =
- (file_context_bucket_t *)
- malloc(sizeof(file_context_bucket_t));
- if (!(bcurrent->next)) {
- printf
- ("Error: failure allocating memory.\n");
- return -1;
- }
-
- /* Make sure the new bucket thinks it's the end of the
- * list. */
- bcurrent->next->next = NULL;
-
- bcurrent = bcurrent->next;
- }
-
- }
-
- /* Sort the bucket list. */
- fc_merge_sort(master);
-
- /* Open the output file. */
- if (!(out_file = fopen(argv[2], "w"))) {
- printf("Error: failure opening output file for write.\n");
- return -1;
- }
-
- /* Output the sorted file_context linked list to the output file. */
- current = master->data;
- while (current) {
- /* Output the path. */
- fprintf(out_file, "%s\t\t", current->path);
-
- /* Output the type, if there is one. */
- if (current->file_type) {
- fprintf(out_file, "%s\t", current->file_type);
- }
-
- /* Output the context. */
- fprintf(out_file, "%s\n", current->context);
-
- /* Remove the node. */
- temp = current;
- current = current->next;
-
- file_context_node_destroy(temp);
- free(temp);
-
- }
- free(master);
-
- fclose(out_file);
-
- return 0;
-}
diff --git a/support/genclassperms.py b/support/genclassperms.py
deleted file mode 100644
index 732d645..0000000
--- a/support/genclassperms.py
+++ /dev/null
@@ -1,308 +0,0 @@
-#!/usr/bin/python
-
-# Author: Donald Miner <dminer at tresys.com>
-#
-# Copyright (C) 2005 Tresys Technology, LLC
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 2.
-
-
-"""
- This script generates an object class perm definition file.
-"""
-
-import sys
-
-USERSPACE_CLASS = "userspace"
-
-class Class:
- """
- This object stores an access vector class.
- """
-
- def __init__(self, name, perms, common):
- # The name of the class.
- self.name = name
-
- # A list of permissions the class contains.
- self.perms = perms
-
- # True if the class is declared as common, False if not.
- self.common = common
-
-def get_perms(name, av_db, common):
- """
- Returns the list of permissions contained within an access vector
- class that is stored in the access vector database av_db.
- Returns an empty list if the object name is not found.
- Specifiy whether get_perms is to return the class or the
- common set of permissions with the boolean value 'common',
- which is important in the case of having duplicate names (such as
- class file and common file).
- """
-
- # Traverse through the access vector database and try to find the
- # object with the name passed.
- for obj in av_db:
- if obj.name == name and obj.common == common:
- return obj.perms
-
- return []
-
-def get_av_db(file_name):
- """
- Returns an access vector database generated from the file file_name.
- """
- # This function takes a file, reads the data, parses it and returns
- # a list of access vector classes.
- # Reading into av_data:
- # The file specified will be read line by line. Each line will have
- # its comments removed. Once comments are removed, each 'word' (text
- # seperated by whitespace) and braces will be split up into seperate
- # strings and appended to the av_data list, in the order they were
- # read.
- # Parsing av_data:
- # Parsing is done using a queue implementation of the av_data list.
- # Each time a word is used, it is dequeued afterwards. Each loop in
- # the while loop below will read in key words and dequeue expected
- # words and values. At the end of each loop, a Class containing the
- # name, permissions and whether it is a common or not will be appended
- # to the database. Lots of errors are caught here, almost all checking
- # if a token is expected but EOF is reached.
- # Now the list of Class objects is returned.
-
- av_file = open(file_name, "r")
- av_data = []
- # Read the file and strip out comments on the way.
- # At the end of the loop, av_data will contain a list of individual
- # words. i.e. ['common', 'file', '{', ...]. All comments and whitespace
- # will be gone.
- while True:
- av_line = av_file.readline()
-
- # If EOF has been reached:
- if not av_line:
- break
-
- # Check if there is a comment, and if there is, remove it.
- comment_index = av_line.find("#")
- if comment_index != -1:
- av_line = av_line[:comment_index]
-
- # Pad the braces with whitespace so that they are split into
- # their own word. It doesn't matter if there will be extra
- # white space, it'll get thrown away when the string is split.
- av_line.replace("{"," { ")
- av_line.replace("}"," } ")
-
- # Split up the words on the line and add it to av_data.
- av_data += av_line.split()
-
- av_file.close()
-
- # Parsing the file:
- # The implementation of this parse is a queue. We use the list of words
- # from av_data and use the front element, then dequeue it. Each
- # loop of this while is a common or class declaration. Several
- # expected tokens are parsed and dequeued out of av_data for each loop.
- # At the end of the loop, database will contain a list of Class objects.
- # i.e. [Class('name',['perm1','perm2',...],'True'), ...]
- # Dequeue from the beginning of the list until av_data is empty:
- database = []
- while len(av_data) != 0:
- # At the beginning of every loop, the next word should be
- # "common" or "class", meaning that each loop is a common
- # or class declaration.
- # av_data = av_data[1:] removes the first element in the
- # list, this is what is dequeueing data.
-
- # Figure out whether the next class will be a common or a class.
- if av_data[0] == "class":
- common = False
- elif av_data[0] == "common":
- common = True
- else:
- error("Unexpected token in file " + file_name + ": "\
- + av_data[0] + ".")
-
- # Dequeue the "class" or "common" key word.
- av_data = av_data[1:]
-
- if len(av_data) == 0:
- error("Missing token in file " + file_name + ".")
-
- # Get and dequeue the name of the class or common.
- name = av_data[0]
- av_data = av_data[1:]
-
- # Retrieve the permissions inherited from a common set:
- perms = []
- # If the object we are working with is a class, since only
- # classes inherit:
- if common == False:
- if len(av_data) == 0:
- error("Missing token in file " + file_name + ".")
-
- # If the class inherits from something else:
- if av_data[0] == "inherits":
- # Dequeue the "inherits" key word.
- av_data = av_data[1:]
-
- if len(av_data) == 0:
- error("Missing token in file "\
- + file_name + " for " +\
- keyword + " " + name + ".")
-
- # av_data[0] is the name of the parent.
- # Append the permissions of the parent to
- # the current class' permissions.
- perms += get_perms(av_data[0], database, True)
-
- # Dequeue the name of the parent.
- av_data = av_data[1:]
-
- # Retrieve the permissions defined with this set.
- if len(av_data) > 0 and av_data[0] == "{":
- # Dequeue the "{"
- av_data = av_data[1:]
-
- # Keep appending permissions until a close brace is
- # found.
- while av_data[0] != "}":
- if av_data[0] == "{":
- error("Extra '{' in file " +\
- file_name + ".")
-
- # Add the permission name.
- perms.append(av_data[0])
-
- # Dequeue the permission name.
- av_data = av_data[1:]
-
- if len(av_data) == 0:
- error("Missing token '}' in file "\
- + file_name + ".")
-
- # Dequeue the "}"
- av_data = av_data[1:]
-
- # Add the new access vector class to the database.
- database.append(Class(name, perms, common))
-
- return database
-
-def get_sc_db(file_name):
- """
- Returns a security class database generated from the file file_name.
- """
-
- # Read the file then close it.
- sc_file = open(file_name)
- sc_data = sc_file.readlines()
- sc_file.close()
-
- # For each line in the security classes file, add the name of the class
- # and whether it is a userspace class or not to the security class
- # database.
- database = []
- for line in sc_data:
- line = line.lstrip()
- # If the line is empty or the entire line is a comment, skip.
- if line == "" or line[0] == "#":
- continue
-
- # Check if the comment to the right of the permission matches
- # USERSPACE_CLASS.
- comment_index = line.find("#")
- if comment_index != -1 and line[comment_index+1:].strip() == USERSPACE_CLASS:
- userspace = True
- else:
- userspace = False
-
- # All lines should be in the format "class NAME", meaning
- # it should have two tokens and the first token should be
- # "class".
- split_line = line.split()
- if len(split_line) < 2 or split_line[0] != "class":
- error("Wrong syntax: " + line)
-
- # Add the class's name (split_line[1]) and whether it is a
- # userspace class or not to the database.
- # This is appending a tuple of (NAME,USERSPACE), where NAME is
- # the name of the security class and USERSPACE is True if
- # if it has "# USERSPACE_CLASS" on the end of the line, False
- # if not.
- database.append((split_line[1], userspace))
-
- return database
-
-def gen_class_perms(av_db, sc_db):
- """
- Generates a class permissions document and returns it.
- """
-
- # Define class template:
- class_perms_line = "define(`all_%s_perms',`{ %s}')\n"
-
- # Generate the defines for the individual class permissions.
- class_perms = ""
- for obj in av_db:
- # Don't output commons
- if obj.common == True:
- continue
-
- # Get the list of permissions from the specified class.
- perms = get_perms(obj.name, av_db, False)
-
- # Merge all the permissions into one string with one space
- # padding.
- perm_str = ""
- for perm in perms:
- perm_str += perm + " "
-
- # Add the line to the class_perms
- class_perms += class_perms_line % (obj.name, perm_str)
- class_perms += "\n"
-
- # Generate the kernel_class_perms and userspace_class_perms sets.
- class_line = "\tclass %s all_%s_perms;\n"
- kernel_class_perms = "define(`all_kernel_class_perms',`\n"
- userspace_class_perms = "define(`all_userspace_class_perms',`\n"
- # For each (NAME,USERSPACE) tuple, add the class to the appropriate
- # class permission set.
- for name, userspace in sc_db:
- if userspace:
- userspace_class_perms += class_line % (name, name)
- else:
- kernel_class_perms += class_line % (name, name)
- kernel_class_perms += "')\n\n"
- userspace_class_perms += "')\n"
-
- # Throw all the strings together and return the string.
- return class_perms + kernel_class_perms + userspace_class_perms
-
-def error(error):
- """
- Print an error message and exit.
- """
-
- sys.stderr.write("%s exiting for: " % sys.argv[0])
- sys.stderr.write("%s\n" % error)
- sys.stderr.flush()
- sys.exit(1)
-
-# MAIN PROGRAM
-app_name = sys.argv[0]
-
-if len(sys.argv) != 3:
- error("Incorrect input.\nUsage: " + sys.argv[0] + " access_vectors security_classes" )
-
-# argv[1] is the access vector file.
-av_file = sys.argv[1]
-
-# argv[2] is the security class file.
-sc_file = sys.argv[2]
-
-# Output the class permissions document.
-sys.stdout.write(gen_class_perms(get_av_db(av_file), get_sc_db(sc_file)))
diff --git a/support/genhomedircon b/support/genhomedircon
deleted file mode 100644
index 01ef91d..0000000
--- a/support/genhomedircon
+++ /dev/null
@@ -1,481 +0,0 @@
-#! /usr/bin/env python
-# Copyright (C) 2004 Tresys Technology, LLC
-# see file 'COPYING' for use and warranty information
-#
-# genhomedircon - this script is used to generate file context
-# configuration entries for user home directories based on their
-# default roles and is run when building the policy. Specifically, we
-# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
-# generic and user-specific values.
-#
-# Based off original script by Dan Walsh, <dwalsh at redhat.com>
-#
-# ASSUMPTIONS:
-#
-# The file CONTEXTDIR/files/homedir_template exists. This file is used to
-# set up the home directory context for each real user.
-#
-# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses
-# the first role in the list.
-#
-# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user
-#
-# "Real" users (as opposed to system users) are those whose UID is greater than
-# or equal STARTING_UID (usually 500) and whose login is not a member of
-# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users
-# are always "real" (including root, in the default configuration).
-#
-#
-# Old ASSUMPTIONS:
-#
-# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
-# the first role in the list.
-#
-# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that
-# the user's home dir will be found in one of the HOME_ROOTs.
-#
-# "Real" users (as opposed to system users) are those whose UID is greater than
-# or equal STARTING_UID (usually 500) and whose login is not a member of
-# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users
-# are always "real" (including root, in the default configuration).
-#
-
-import commands, sys, os, pwd, string, getopt, re
-
-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
-
-def getStartingUID():
- starting_uid = sys.maxint
- rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
- if rc[0] == 0:
- uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
- uid_min = uid_min.split("#")[0]
- uid_min = uid_min.strip()
- if int(uid_min) < starting_uid:
- starting_uid = int(uid_min)
- rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
- if rc[0] == 0:
- lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
- lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
- lu_uidnumber = lu_uidnumber.split("#")[0]
- lu_uidnumber = lu_uidnumber.strip()
- if int(lu_uidnumber) < starting_uid:
- starting_uid = int(lu_uidnumber)
- if starting_uid == sys.maxint:
- starting_uid = 500
- return starting_uid
-
-#############################################################################
-#
-# This section is just for backwards compatability
-#
-#############################################################################
-def getPrefixes():
- ulist = pwd.getpwall()
- STARTING_UID=getStartingUID()
- prefixes = {}
- for u in ulist:
- if u[2] >= STARTING_UID and \
- not u[6] in EXCLUDE_LOGINS and \
- u[5] != "/" and \
- string.count(u[5], "/") > 1:
- prefix = u[5][:string.rfind(u[5], "/")]
- if not prefixes.has_key(prefix):
- prefixes[prefix] = ""
- return prefixes
-
-def getUsers(filecontextdir):
- rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
- udict = {}
- if rc[0] == 0:
- ulist = rc[1].strip().split("\n")
- for u in ulist:
- user = u.split()
- try:
- if user[1] == "user_u" or user[1] == "system_u":
- continue
- # !!! chooses first role in the list to use in the file context !!!
- role = user[3]
- if role == "{":
- role = user[4]
- role = role.split("_r")[0]
- home = pwd.getpwnam(user[1])[5]
- if home == "/":
- continue
- prefs = {}
- prefs["role"] = role
- prefs["home"] = home
- udict[user[1]] = prefs
- except KeyError:
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
- return udict
-
-def update(filecontext, user, prefs):
- rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
- if rc[0] == 0:
- print rc[1]
- else:
- errorExit(string.join("grep/sed error ", rc[1]))
- return rc
-
-def oldgenhomedircon(filecontextdir, filecontext):
- sys.stderr.flush()
-
- if os.path.isdir(filecontextdir) == 0:
- sys.stderr.write("New usage is the following\n")
- usage()
- #We are going to define home directory used by libuser and show-utils as a home directory root
- prefixes = {}
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
- sys.stderr.flush()
-
-
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
-
- #the idea is that we need to find all of the home_root_t directories we do this by just accepting
- #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
- #we then get the potential home directory roots from /etc/passwd or nis or wherever and look at
- #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs
- #is then checked to see if it has an explicite context defined in the file_contexts. Explicit
- #is any regex that would match it which does not end with .*$ or .+$ since those are general
- #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against
- #[pattern]
- potential_prefixes = getPrefixes()
- prefix_regex = {}
- #this works by grepping the file_contexts for
- # 1. ^/ makes sure this is not a comment
- # 2. prints only the regex in the first column first cut on \t then on space
- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) )
- if rc[0] == 0:
- prefix_regex = rc[1].split("\n")
- else:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
- sys.stderr.flush()
- for potential in potential_prefixes.keys():
- addme = 1
- for regex in prefix_regex:
- #match a trailing (/*)? which is actually a bug in rpc_pipefs
- regex = re.sub("\(/\*\)\?$", "", regex)
- #match a trailing .+
- regex = re.sub("\.+$", "", regex)
- #match a trailing .*
- regex = re.sub("\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
- regex = re.sub("\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(regex, potential, 0):
- addme = 0
- if addme == 1:
- if not prefixes.has_key(potential):
- prefixes[potential] = ""
-
-
- if prefixes.__eq__({}):
- sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
- sys.stderr.write("HOME= not set in /etc/default/useradd\n")
- sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
- sys.stderr.write("Assuming /home is the root of home directories\n")
- sys.stderr.flush()
- prefixes["/home"] = ""
-
- # There may be a more elegant sed script to expand a macro to multiple lines, but this works
- sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
- sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
-
- # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
- rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
- if rc[0] == 0:
- print rc[1]
- else:
- errorExit(string.join("sed error ", rc[1]))
-
- users = getUsers(filecontextdir)
- print "\n#\n# User-specific file contexts\n#\n"
-
- # Fill in HOME and ROLE for users that are defined
- for u in users.keys():
- update(filecontext, u, users[u])
-
-#############################################################################
-#
-# End of backwards compatability section
-#
-#############################################################################
-
-def getDefaultHomeDir():
- ret = []
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
- sys.stderr.flush()
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
- sys.stderr.flush()
- if ret == []:
- ret.append("/home")
- return ret
-
-def getSELinuxType(directory):
- rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory)
- if rc[0]==0:
- return rc[1].split("=")[-1].strip()
- return "targeted"
-
-def usage(error = ""):
- if error != "":
- sys.stderr.write("%s\n" % error)
- sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0])
- sys.stderr.flush()
- sys.exit(1)
-
-def warning(warning = ""):
- sys.stderr.write("%s\n" % warning)
- sys.stderr.flush()
-
-def errorExit(error):
- sys.stderr.write("%s exiting for: " % sys.argv[0])
- sys.stderr.write("%s\n" % error)
- sys.stderr.flush()
- sys.exit(1)
-
-class selinuxConfig:
- def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1):
- self.type=type
- self.selinuxdir=selinuxdir +"/"
- self.contextdir="/contexts"
- self.filecontextdir=self.contextdir+"/files"
- self.usepwd=usepwd
-
- def getFileContextDir(self):
- return self.selinuxdir+self.type+self.filecontextdir
-
- def getFileContextFile(self):
- return self.getFileContextDir()+"/file_contexts"
-
- def getContextDir(self):
- return self.selinuxdir+self.type+self.contextdir
-
- def getHomeDirTemplate(self):
- return self.getFileContextDir()+"/homedir_template"
-
- def getHomeRootContext(self, homedir):
- rc=commands.getstatusoutput("grep HOME_ROOT %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir))
- if rc[0] == 0:
- return rc[1]+"\n"
- else:
- errorExit(string.join("sed error ", rc[1]))
-
- def getUsersFile(self):
- return self.selinuxdir+self.type+"/users/local.users"
-
- def getSystemUsersFile(self):
- return self.selinuxdir+self.type+"/users/system.users"
-
- def heading(self):
- ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
- ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
- return ret
-
- def getUsers(self):
- users=""
- rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile())
- if rc[0] == 0:
- users+=rc[1]+"\n"
- rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile())
- if rc[0] == 0:
- users+=rc[1]
- udict = {}
- prefs = {}
- if users != "":
- ulist = users.split("\n")
- for u in ulist:
- user = u.split()
- try:
- if len(user)==0 or user[1] == "user_u" or user[1] == "system_u":
- continue
- # !!! chooses first role in the list to use in the file context !!!
- role = user[3]
- if role == "{":
- role = user[4]
- role = role.split("_r")[0]
- home = pwd.getpwnam(user[1])[5]
- if home == "/":
- continue
- prefs = {}
- prefs["role"] = role
- prefs["home"] = home
- udict[user[1]] = prefs
- except KeyError:
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
- return udict
-
- def getHomeDirContext(self, user, home, role):
- ret="\n\n#\n# Context for user %s\n#\n\n" % user
- rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user))
- return ret + rc[1] + "\n"
-
- def genHomeDirContext(self):
- users = self.getUsers()
- ret=""
- # Fill in HOME and ROLE for users that are defined
- for u in users.keys():
- ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"])
- return ret+"\n"
-
- def checkExists(self, home):
- if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0:
- return 0
- #this works by grepping the file_contexts for
- # 1. ^/ makes sure this is not a comment
- # 2. prints only the regex in the first column first cut on \t then on space
- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % self.getFileContextFile() )
- if rc[0] == 0:
- prefix_regex = rc[1].split("\n")
- else:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
- sys.stderr.flush()
- exists=1
- for regex in prefix_regex:
- #match a trailing (/*)? which is actually a bug in rpc_pipefs
- regex = re.sub("\(/\*\)\?$", "", regex)
- #match a trailing .+
- regex = re.sub("\.+$", "", regex)
- #match a trailing .*
- regex = re.sub("\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
- regex = re.sub("\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(regex, home, 0):
- exists = 0
- break
- if exists == 1:
- return 1
- else:
- return 0
-
-
- def getHomeDirs(self):
- homedirs = []
- homedirs = homedirs + getDefaultHomeDir()
- starting_uid=getStartingUID()
- if self.usepwd==0:
- return homedirs
- ulist = pwd.getpwall()
- for u in ulist:
- if u[2] >= starting_uid and \
- not u[6] in EXCLUDE_LOGINS and \
- u[5] != "/" and \
- string.count(u[5], "/") > 1:
- homedir = u[5][:string.rfind(u[5], "/")]
- if not homedir in homedirs:
- if self.checkExists(homedir)==0:
- warning("%s is already defined in %s,\n%s will not create a new context." % (homedir, self.getFileContextFile(), sys.argv[0]))
- else:
- homedirs.append(homedir)
-
- homedirs.sort()
- return homedirs
-
- def genoutput(self):
- ret= self.heading()
- for h in self.getHomeDirs():
- ret += self.getHomeDirContext ("user_u" , h+'/[^/]*', "user")
- ret += self.getHomeRootContext(h)
- ret += self.genHomeDirContext()
- return ret
-
- def printout(self):
- print self.genoutput()
-
- def write(self):
- try:
- fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w")
- fd.write(self.genoutput())
- fd.close()
- except IOError, error:
- sys.stderr.write("%s: %s\n" % ( sys.argv[0], error ))
-
-
-
-#
-# This script will generate home dir file context
-# based off the homedir_template file, entries in the password file, and
-#
-try:
- usepwd=1
- directory="/etc/selinux"
- type=None
- gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help',
- 'type=',
- 'nopasswd',
- 'dir='])
- for o,a in gopts:
- if o == '--type' or o == "-t":
- type=a
- if o == '--nopasswd' or o == "-n":
- usepwd=0
- if o == '--dir' or o == "-d":
- directory=a
- if o == '--help':
- usage()
-
-
- if type==None:
- type=getSELinuxType(directory)
-
- if len(cmds) == 2:
- oldgenhomedircon(cmds[0], cmds[1])
- sys.exit(0)
-
- if len(cmds) != 0:
- usage()
- selconf=selinuxConfig(directory, type, usepwd)
- selconf.write()
-
-except getopt.error, error:
- errorExit(string.join("Options Error ", error))
-except ValueError, error:
- errorExit(string.join("ValueError ", error))
-except IndexError, error:
- errorExit("IndexError")
diff --git a/support/gennetfilter.py b/support/gennetfilter.py
deleted file mode 100644
index 866db91..0000000
--- a/support/gennetfilter.py
+++ /dev/null
@@ -1,163 +0,0 @@
-#!/usr/bin/python
-
-# Author: Chris PeBenito <cpebenito at tresys.com>
-#
-# Copyright (C) 2006 Tresys Technology, LLC
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 2.
-
-import sys,string,getopt,re
-
-NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
-
-DEFAULT_INPUT_PACKET = "server_packet_t"
-DEFAULT_OUTPUT_PACKET = "client_packet_t"
-DEFAULT_MCS = "s0"
-DEFAULT_MLS = "s0"
-
-PACKET_INPUT = "_server_packet_t"
-PACKET_OUTPUT = "_client_packet_t"
-
-class Port:
- def __init__(self, proto, num, mls_sens, mcs_cats=""):
- # protocol of the port
- self.proto = proto
-
- # port number
- self.num = num
-
- # MLS sensitivity
- self.mls_sens = mls_sens
-
- # MCS categories
- # not currently supported, so we always get s0
- self.mcs_cats = DEFAULT_MCS
-
-class Packet:
- def __init__(self, prefix, ports):
- # prefix
- self.prefix = prefix
-
- # A list of Ports
- self.ports = ports
-
-def print_input_rules(packets,mls,mcs):
- line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
- if mls:
- line += ":"+DEFAULT_MLS
- elif mcs:
- line += ":"+DEFAULT_MCS
-
- print line
-
- for i in packets:
- for j in i.ports:
- line="base -A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
- if mls:
- line += ":"+j.mls_sens
- elif mcs:
- line += ":"+j.mcs_cats
- print line
-
- print "post -A selinux_new_input -j CONNSECMARK --save"
- print "post -A selinux_new_input -j RETURN"
-
-def print_output_rules(packets,mls,mcs):
- line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
- if mls:
- line += ":"+DEFAULT_MLS
- elif mcs:
- line += ":"+DEFAULT_MCS
- print line
-
- for i in packets:
- for j in i.ports:
- line = "base -A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
- if mls:
- line += ":"+j.mls_sens
- elif mcs:
- line += ":"+j.mcs_cats
- print line
-
- print "post -A selinux_new_output -j CONNSECMARK --save"
- print "post -A selinux_new_output -j RETURN"
-
-def parse_corenet(file_name):
- packets = []
-
- corenet_te_in = open(file_name, "r")
-
- while True:
- corenet_line = corenet_te_in.readline()
-
- # If EOF has been reached:
- if not corenet_line:
- break
-
- if NETPORT.match(corenet_line):
- corenet_line = corenet_line.strip();
-
- # parse out the parameters
- openparen = string.find(corenet_line,'(')+1
- closeparen = string.find(corenet_line,')',openparen)
- parms = re.split('\W+',corenet_line[openparen:closeparen])
- name = parms[0]
- del parms[0];
-
- ports = []
- while len(parms) > 0:
- # add a port combination.
- ports.append(Port(parms[0],parms[1],parms[2]))
- del parms[:3]
-
- packets.append(Packet(name,ports))
-
- corenet_te_in.close()
-
- return packets
-
-def print_netfilter_config(packets,mls,mcs):
- print "pre *mangle"
- print "pre :PREROUTING ACCEPT [0:0]"
- print "pre :INPUT ACCEPT [0:0]"
- print "pre :FORWARD ACCEPT [0:0]"
- print "pre :OUTPUT ACCEPT [0:0]"
- print "pre :POSTROUTING ACCEPT [0:0]"
- print "pre :selinux_input - [0:0]"
- print "pre :selinux_output - [0:0]"
- print "pre :selinux_new_input - [0:0]"
- print "pre :selinux_new_output - [0:0]"
- print "pre -A INPUT -j selinux_input"
- print "pre -A OUTPUT -j selinux_output"
- print "pre -A selinux_input -m state --state NEW -j selinux_new_input"
- print "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
- print "pre -A selinux_output -m state --state NEW -j selinux_new_output"
- print "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
- print_input_rules(packets,mls,mcs)
- print_output_rules(packets,mls,mcs)
- print "post COMMIT"
-
-mls = False
-mcs = False
-
-try:
- opts, paths = getopt.getopt(sys.argv[1:],'mc',['mls','mcs'])
-except getopt.GetoptError, error:
- print "Invalid options."
- sys.exit(1)
-
-for o, a in opts:
- if o in ("-c","--mcs"):
- mcs = True
- if o in ("-m","--mls"):
- mls = True
-
-if len(paths) == 0:
- sys.stderr.write("Need a path for corenetwork.te.in!\n")
- sys.exit(1)
-elif len(paths) > 1:
- sys.stderr.write("Ignoring extra specified paths\n")
-
-packets=parse_corenet(paths[0])
-print_netfilter_config(packets,mls,mcs)
diff --git a/support/get_type_attr_decl.sed b/support/get_type_attr_decl.sed
deleted file mode 100644
index a113f21..0000000
--- a/support/get_type_attr_decl.sed
+++ /dev/null
@@ -1,13 +0,0 @@
-#n
-# print out type and attribute declarations that
-# are not inside require and optional blocks.
-
-/require \{/,/} # end require/b nextline
-/optional \{/,/} # end optional/b nextline
-
-/^[[:blank:]]*(attribute|type(alias)?|bool) /{
- s/^[[:blank:]]+//
- p
-}
-
-:nextline
diff --git a/support/iferror.m4 b/support/iferror.m4
deleted file mode 100644
index a3f36f8..0000000
--- a/support/iferror.m4
+++ /dev/null
@@ -1 +0,0 @@
-ifdef(`__if_error',`m4exit(1)')
diff --git a/support/pyplate.py b/support/pyplate.py
deleted file mode 100644
index c7532cc..0000000
--- a/support/pyplate.py
+++ /dev/null
@@ -1,364 +0,0 @@
-"""PyPlate : a simple Python-based templating program
-
-PyPlate parses a file and replaces directives (in double square brackets [[ ... ]])
-by various means using a given dictionary of variables. Arbitrary Python code
-can be run inside many of the directives, making this system highly flexible.
-
-Usage:
-# Load and parse template file
-template = pyplate.Template("output") (filename or string)
-# Execute it with a dictionary of variables
-template.execute_file(output_stream, locals())
-
-PyPlate defines the following directives:
- [[...]] evaluate the arbitrary Python expression and insert the
- result into the output
-
- [[# ... #]] comment.
-
- [[exec ...]] execute arbitrary Python code in the sandbox namespace
-
- [[if ...]] conditional expressions with usual Python semantics
- [[elif ...]]
- [[else]]
- [[end]]
-
- [[for ... in ...]] for-loop with usual Python semantics
- [[end]]
-
- [[def ...(...)]] define a "function" out of other templating elements
- [[end]]
-
- [[call ...]] call a templating function (not a regular Python function)
-"""
-
-#
-# Copyright (C) 2002 Michael Droettboom
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-
-from __future__ import nested_scopes
-import sys, string, re, cStringIO
-
-re_directive = re.compile("\[\[(.*)\]\]")
-re_for_loop = re.compile("for (.*) in (.*)")
-re_if = re.compile("if (.*)")
-re_elif = re.compile("elif (.*)")
-re_def = re.compile("def (.*?)\((.*)\)")
-re_call = re.compile("call (.*?)\((.*)\)")
-re_exec = re.compile("exec (.*)")
-re_comment = re.compile("#(.*)#")
-
-############################################################
-# Template parser
-class ParserException(Exception):
- def __init__(self, lineno, s):
- Exception.__init__(self, "line %d: %s" % (lineno, s))
-
-class Template:
- def __init__(self, filename=None):
- if filename != None:
- try:
- self.parse_file(filename)
- except:
- self.parse_string(filename)
-
- def parse_file(self, filename):
- file = open(filename, 'r')
- self.parse(file)
- file.close()
-
- def parse_string(self, template):
- file = cStringIO.StringIO(template)
- self.parse(file)
- file.close()
-
- def parse(self, file):
- self.file = file
- self.line = self.file.read()
- self.lineno = 0
- self.functions = {}
- self.tree = TopLevelTemplateNode(self)
-
- def parser_get(self):
- if self.line == '':
- return None
- return self.line
-
- def parser_eat(self, chars):
- self.lineno = self.lineno + self.line[:chars].count("\n")
- self.line = self.line[chars:]
-
- def parser_exception(self, s):
- raise ParserException(self.lineno, s)
-
- def execute_file(self, filename, data):
- file = open(filename, 'w')
- self.execute(file, data)
- file.close()
-
- def execute_string(self, data):
- s = cStringIO.StringIO()
- self.execute(s, data)
- return s.getvalue()
-
- def execute_stdout(self, data):
- self.execute(sys.stdout, data)
-
- def execute(self, stream=sys.stdout, data={}):
- self.tree.execute(stream, data)
-
- def __repr__(self):
- return repr(self.tree)
-
-
-############################################################
-# NODES
-class TemplateNode:
- def __init__(self, parent, s):
- self.parent = parent
- self.s = s
- self.node_list = []
- while 1:
- new_node = TemplateNodeFactory(parent)
- if self.add_node(new_node):
- break
-
- def add_node(self, node):
- if node == 'end':
- return 1
- elif node != None:
- self.node_list.append(node)
- else:
- raise self.parent.parser_exception(
- "[[%s]] does not have a matching [[end]]" % self.s)
-
- def execute(self, stream, data):
- for node in self.node_list:
- node.execute(stream, data)
-
- def __repr__(self):
- r = "<" + self.__class__.__name__ + " "
- for i in self.node_list:
- r = r + repr(i)
- r = r + ">"
- return r
-
-class TopLevelTemplateNode(TemplateNode):
- def __init__(self, parent):
- TemplateNode.__init__(self, parent, '')
-
- def add_node(self, node):
- if node != None:
- self.node_list.append(node)
- else:
- return 1
-
-class ForTemplateNode(TemplateNode):
- def __init__(self, parent, s):
- TemplateNode.__init__(self, parent, s)
- match = re_for_loop.match(s)
- if match == None:
- raise self.parent.parser_exception(
- "[[%s]] is not a valid for-loop expression" % self.s)
- else:
- self.vars_temp = match.group(1).split(",")
- self.vars = []
- for v in self.vars_temp:
- self.vars.append(v.strip())
- #print self.vars
- self.expression = match.group(2)
-
- def execute(self, stream, data):
- remember_vars = {}
- for var in self.vars:
- if data.has_key(var):
- remember_vars[var] = data[var]
- for list in eval(self.expression, globals(), data):
- if is_sequence(list):
- for index, value in enumerate(list):
- data[self.vars[index]] = value
- else:
- data[self.vars[0]] = list
- TemplateNode.execute(self, stream, data)
- for key, value in remember_vars.items():
- data[key] = value
-
-class IfTemplateNode(TemplateNode):
- def __init__(self, parent, s):
- self.else_node = None
- TemplateNode.__init__(self, parent, s)
- match = re_if.match(s)
- if match == None:
- raise self.parent.parser_exception(
- "[[%s]] is not a valid if expression" % self.s)
- else:
- self.expression = match.group(1)
-
- def add_node(self, node):
- if node == 'end':
- return 1
- elif isinstance(node, ElseTemplateNode):
- self.else_node = node
- return 1
- elif isinstance(node, ElifTemplateNode):
- self.else_node = node
- return 1
- elif node != None:
- self.node_list.append(node)
- else:
- raise self.parent.parser_exception(
- "[[%s]] does not have a matching [[end]]" % self.s)
-
- def execute(self, stream, data):
- if eval(self.expression, globals(), data):
- TemplateNode.execute(self, stream, data)
- elif self.else_node != None:
- self.else_node.execute(stream, data)
-
-class ElifTemplateNode(IfTemplateNode):
- def __init__(self, parent, s):
- self.else_node = None
- TemplateNode.__init__(self, parent, s)
- match = re_elif.match(s)
- if match == None:
- self.parent.parser_exception(
- "[[%s]] is not a valid elif expression" % self.s)
- else:
- self.expression = match.group(1)
-
-class ElseTemplateNode(TemplateNode):
- pass
-
-class FunctionTemplateNode(TemplateNode):
- def __init__(self, parent, s):
- TemplateNode.__init__(self, parent, s)
- match = re_def.match(s)
- if match == None:
- self.parent.parser_exception(
- "[[%s]] is not a valid function definition" % self.s)
- self.function_name = match.group(1)
- self.vars_temp = match.group(2).split(",")
- self.vars = []
- for v in self.vars_temp:
- self.vars.append(v.strip())
- #print self.vars
- self.parent.functions[self.function_name] = self
-
- def execute(self, stream, data):
- pass
-
- def call(self, args, stream, data):
- remember_vars = {}
- for index, var in enumerate(self.vars):
- if data.has_key(var):
- remember_vars[var] = data[var]
- data[var] = args[index]
- TemplateNode.execute(self, stream, data)
- for key, value in remember_vars.items():
- data[key] = value
-
-class LeafTemplateNode(TemplateNode):
- def __init__(self, parent, s):
- self.parent = parent
- self.s = s
-
- def execute(self, stream, data):
- stream.write(self.s)
-
- def __repr__(self):
- return "<" + self.__class__.__name__ + ">"
-
-class CommentTemplateNode(LeafTemplateNode):
- def execute(self, stream, data):
- pass
-
-class ExpressionTemplateNode(LeafTemplateNode):
- def execute(self, stream, data):
- stream.write(str(eval(self.s, globals(), data)))
-
-class ExecTemplateNode(LeafTemplateNode):
- def __init__(self, parent, s):
- LeafTemplateNode.__init__(self, parent, s)
- match = re_exec.match(s)
- if match == None:
- self.parent.parser_exception(
- "[[%s]] is not a valid statement" % self.s)
- self.s = match.group(1)
-
- def execute(self, stream, data):
- exec(self.s, globals(), data)
- pass
-
-class CallTemplateNode(LeafTemplateNode):
- def __init__(self, parent, s):
- LeafTemplateNode.__init__(self, parent, s)
- match = re_call.match(s)
- if match == None:
- self.parent.parser_exception(
- "[[%s]] is not a valid function call" % self.s)
- self.function_name = match.group(1)
- self.vars = "(" + match.group(2).strip() + ",)"
-
- def execute(self, stream, data):
- self.parent.functions[self.function_name].call(
- eval(self.vars, globals(), data), stream, data)
-
-
-############################################################
-# Node factory
-template_factory_type_map = {
- 'if' : IfTemplateNode,
- 'for' : ForTemplateNode,
- 'elif' : ElifTemplateNode,
- 'else' : ElseTemplateNode,
- 'def' : FunctionTemplateNode,
- 'call' : CallTemplateNode,
- 'exec' : ExecTemplateNode }
-template_factory_types = template_factory_type_map.keys()
-
-def TemplateNodeFactory(parent):
- src = parent.parser_get()
-
- if src == None:
- return None
- match = re_directive.search(src)
- if match == None:
- parent.parser_eat(len(src))
- return LeafTemplateNode(parent, src)
- elif src == '' or match.start() != 0:
- parent.parser_eat(match.start())
- return LeafTemplateNode(parent, src[:match.start()])
- else:
- directive = match.group()[2:-2].strip()
- parent.parser_eat(match.end())
- if directive == 'end':
- return 'end'
- elif re_comment.match(directive):
- return CommentTemplateNode(parent, directive)
- else:
- for i in template_factory_types:
- if directive[0:len(i)] == i:
- return template_factory_type_map[i](parent, directive)
- return ExpressionTemplateNode(parent, directive)
-
-def is_sequence(object):
- try:
- test = object[0:0]
- except:
- return False
- else:
- return True
diff --git a/support/sedoctool.py b/support/sedoctool.py
deleted file mode 100644
index 5bbaf76..0000000
--- a/support/sedoctool.py
+++ /dev/null
@@ -1,847 +0,0 @@
-#!/usr/bin/python
-
-# Author: Joshua Brindle <jbrindle at tresys.com>
-# Caleb Case <ccase at tresys.com>
-#
-# Copyright (C) 2005 - 2006 Tresys Technology, LLC
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 2.
-
-"""
- This module generates configuration files and documentation from the
- SELinux reference policy XML format.
-"""
-
-import sys
-import getopt
-import pyplate
-import os
-import string
-from xml.dom.minidom import parse, parseString
-
-#modules enabled and disabled values
-MOD_BASE = "base"
-MOD_ENABLED = "module"
-MOD_DISABLED = "off"
-
-#booleans enabled and disabled values
-BOOL_ENABLED = "true"
-BOOL_DISABLED = "false"
-
-#tunables enabled and disabled values
-TUN_ENABLED = "true"
-TUN_DISABLED = "false"
-
-
-def read_policy_xml(filename):
- """
- Takes in XML from a file and returns a parsed file.
- """
-
- try:
- xml_fh = open(filename)
- except:
- error("error opening " + filename)
-
- try:
- doc = parseString(xml_fh.read())
- except:
- xml_fh.close()
- error("Error while parsing xml")
-
- xml_fh.close()
- return doc
-
-def gen_booleans_conf(doc, file_name, namevalue_list):
- """
- Generates the booleans configuration file using the XML provided and the
- previous booleans configuration.
- """
-
- for node in doc.getElementsByTagName("bool"):
- for desc in node.getElementsByTagName("desc"):
- bool_desc = format_txt_desc(desc)
- s = string.split(bool_desc, "\n")
- file_name.write("#\n")
- for line in s:
- file_name.write("# %s\n" % line)
-
- bool_name = bool_val = None
- for (name, value) in node.attributes.items():
- if name == "name":
- bool_name = value
- elif name == "dftval":
- bool_val = value
-
- if [bool_name,BOOL_ENABLED] in namevalue_list:
- bool_val = BOOL_ENABLED
- elif [bool_name,BOOL_DISABLED] in namevalue_list:
- bool_val = BOOL_DISABLED
-
- if bool_name and bool_val:
- file_name.write("%s = %s\n\n" % (bool_name, bool_val))
- bool_name = bool_val = None
-
- # tunables are currently implemented as booleans
- for node in doc.getElementsByTagName("tunable"):
- for desc in node.getElementsByTagName("desc"):
- bool_desc = format_txt_desc(desc)
- s = string.split(bool_desc, "\n")
- file_name.write("#\n")
- for line in s:
- file_name.write("# %s\n" % line)
-
- bool_name = bool_val = None
- for (name, value) in node.attributes.items():
- if name == "name":
- bool_name = value
- elif name == "dftval":
- bool_val = value
-
- if [bool_name,BOOL_ENABLED] in namevalue_list:
- bool_val = BOOL_ENABLED
- elif [bool_name,BOOL_DISABLED] in namevalue_list:
- bool_val = BOOL_DISABLED
-
- if bool_name and bool_val:
- file_name.write("%s = %s\n\n" % (bool_name, bool_val))
- bool_name = bool_val = None
-
-def gen_module_conf(doc, file_name, namevalue_list):
- """
- Generates the module configuration file using the XML provided and the
- previous module configuration.
- """
- # If file exists, preserve settings and modify if needed.
- # Otherwise, create it.
-
- file_name.write("#\n# This file contains a listing of available modules.\n")
- file_name.write("# To prevent a module from being used in policy\n")
- file_name.write("# creation, set the module name to \"%s\".\n#\n" % MOD_DISABLED)
- file_name.write("# For monolithic policies, modules set to \"%s\" and \"%s\"\n" % (MOD_BASE, MOD_ENABLED))
- file_name.write("# will be built into the policy.\n#\n")
- file_name.write("# For modular policies, modules set to \"%s\" will be\n" % MOD_BASE)
- file_name.write("# included in the base module. \"%s\" will be compiled\n" % MOD_ENABLED)
- file_name.write("# as individual loadable modules.\n#\n\n")
-
- # For required in [True,False] is present so that the requiered modules
- # are at the top of the config file.
- for required in [True,False]:
- for node in doc.getElementsByTagName("module"):
- mod_req = False
- for req in node.getElementsByTagName("required"):
- if req.getAttribute("val") == "true":
- mod_req = True
-
- # Skip if we arnt working on the right set of modules.
- if mod_req and not required or not mod_req and required:
- continue
-
-
- mod_name = mod_layer = None
-
- mod_name = node.getAttribute("name")
- mod_layer = node.parentNode.getAttribute("name")
-
- if mod_name and mod_layer:
- file_name.write("# Layer: %s\n# Module: %s\n" % (mod_layer,mod_name))
- if required:
- file_name.write("# Required in base\n")
- file_name.write("#\n")
-
- for desc in node.getElementsByTagName("summary"):
- if not desc.parentNode == node:
- continue
- s = string.split(format_txt_desc(desc), "\n")
- for line in s:
- file_name.write("# %s\n" % line)
-
- # If the module is set as disabled.
- if [mod_name, MOD_DISABLED] in namevalue_list:
- file_name.write("%s = %s\n\n" % (mod_name, MOD_DISABLED))
- # If the module is set as enabled.
- elif [mod_name, MOD_ENABLED] in namevalue_list:
- file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
- # If the module is set as base.
- elif [mod_name, MOD_BASE] in namevalue_list:
- file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
- # If the module is a new module.
- else:
- # Set the module to base if it is marked as required.
- if mod_req:
- file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE))
- # Set the module to enabled if it is not required.
- else:
- file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED))
-
-def get_conf(conf):
- """
- Returns a list of [name, value] pairs from a config file with the format
- name = value
- """
-
- conf_lines = conf.readlines()
-
- namevalue_list = []
- for i in range(0,len(conf_lines)):
- line = conf_lines[i]
- if line.strip() != '' and line.strip()[0] != "#":
- namevalue = line.strip().split("=")
- if len(namevalue) != 2:
- warning("line %d: \"%s\" is not a valid line, skipping"\
- % (i, line.strip()))
- continue
-
- namevalue[0] = namevalue[0].strip()
- if len(namevalue[0].split()) > 1:
- warning("line %d: \"%s\" is not a valid line, skipping"\
- % (i, line.strip()))
- continue
-
- namevalue[1] = namevalue[1].strip()
- if len(namevalue[1].split()) > 1:
- warning("line %d: \"%s\" is not a valid line, skipping"\
- % (i, line.strip()))
- continue
-
- namevalue_list.append(namevalue)
-
- return namevalue_list
-
-def first_cmp(a, b):
- """
- Compares the two first elements of a list instead of the entire list.
- """
-
- return cmp(a[0], b[0])
-
-def int_cmp(a, b):
- """
- Compares two interfaces.
- """
-
- return cmp(a["interface_name"], b["interface_name"])
-
-def temp_cmp(a, b):
- """
- Compares two templates.
- """
-
- return cmp(a["template_name"], b["template_name"])
-
-def tun_cmp(a, b):
- """
- Compares two tunables.
- """
-
- return cmp(a["tun_name"], b["tun_name"])
-def bool_cmp(a, b):
- """
- Compares two booleans.
- """
-
- return cmp(a["bool_name"], b["bool_name"])
-
-def gen_doc_menu(mod_layer, module_list):
- """
- Generates the HTML document menu.
- """
-
- menu = []
- for layer, value in module_list.iteritems():
- cur_menu = (layer, [])
- menu.append(cur_menu)
- if layer != mod_layer and mod_layer != None:
- continue
- #we are in our layer so fill in the other modules or we want them all
- for mod, desc in value.iteritems():
- cur_menu[1].append((mod, desc))
-
- menu.sort(first_cmp)
- for x in menu:
- x[1].sort(first_cmp)
- return menu
-
-def format_html_desc(node):
- """
- Formats a XML node into a HTML format.
- """
-
- desc_buf = ''
- for desc in node.childNodes:
- if desc.nodeName == "#text":
- if desc.data is not '':
- if desc.parentNode.nodeName != "p":
- desc_buf += "<p>" + desc.data + "</p>"
- else:
- desc_buf += desc.data
- else:
- desc_buf += "<" + desc.nodeName + ">" \
- + format_html_desc(desc) \
- + "</" + desc.nodeName +">"
-
- return desc_buf
-
-def format_txt_desc(node):
- """
- Formats a XML node into a plain text format.
- """
-
- desc_buf = ''
- for desc in node.childNodes:
- if desc.nodeName == "#text":
- desc_buf += desc.data + "\n"
- elif desc.nodeName == "p":
- desc_buf += desc.firstChild.data + "\n"
- for chld in desc.childNodes:
- if chld.nodeName == "ul":
- desc_buf += "\n"
- for li in chld.getElementsByTagName("li"):
- desc_buf += "\t -" + li.firstChild.data + "\n"
-
- return desc_buf.strip() + "\n"
-
-def gen_docs(doc, working_dir, templatedir):
- """
- Generates all the documentation.
- """
-
- try:
- #get the template data ahead of time so we don't reopen them over and over
- bodyfile = open(templatedir + "/header.html", "r")
- bodydata = bodyfile.read()
- bodyfile.close()
- intfile = open(templatedir + "/interface.html", "r")
- intdata = intfile.read()
- intfile.close()
- templatefile = open(templatedir + "/template.html", "r")
- templatedata = templatefile.read()
- templatefile.close()
- tunfile = open(templatedir + "/tunable.html", "r")
- tundata = tunfile.read()
- tunfile.close()
- boolfile = open(templatedir + "/boolean.html", "r")
- booldata = boolfile.read()
- boolfile.close()
- menufile = open(templatedir + "/menu.html", "r")
- menudata = menufile.read()
- menufile.close()
- indexfile = open(templatedir + "/module_list.html","r")
- indexdata = indexfile.read()
- indexfile.close()
- modulefile = open(templatedir + "/module.html","r")
- moduledata = modulefile.read()
- modulefile.close()
- intlistfile = open(templatedir + "/int_list.html", "r")
- intlistdata = intlistfile.read()
- intlistfile.close()
- templistfile = open(templatedir + "/temp_list.html", "r")
- templistdata = templistfile.read()
- templistfile.close()
- tunlistfile = open(templatedir + "/tun_list.html", "r")
- tunlistdata = tunlistfile.read()
- tunlistfile.close()
- boollistfile = open(templatedir + "/bool_list.html", "r")
- boollistdata = boollistfile.read()
- boollistfile.close()
- gboollistfile = open(templatedir + "/global_bool_list.html", "r")
- gboollistdata = gboollistfile.read()
- gboollistfile.close()
- gtunlistfile = open(templatedir + "/global_tun_list.html", "r")
- gtunlistdata = gtunlistfile.read()
- gtunlistfile.close()
- except:
- error("Could not open templates")
-
-
- try:
- os.chdir(working_dir)
- except:
- error("Could not chdir to target directory")
-
-
-#arg, i have to go through this dom tree ahead of time to build up the menus
- module_list = {}
- for node in doc.getElementsByTagName("module"):
- mod_name = mod_layer = interface_buf = ''
-
- mod_name = node.getAttribute("name")
- mod_layer = node.parentNode.getAttribute("name")
-
- for desc in node.getElementsByTagName("summary"):
- if desc.parentNode == node and desc:
- mod_summary = format_html_desc(desc)
- if not module_list.has_key(mod_layer):
- module_list[mod_layer] = {}
-
- module_list[mod_layer][mod_name] = mod_summary
-
-#generate index pages
- main_content_buf = ''
- for mod_layer,modules in module_list.iteritems():
- menu = gen_doc_menu(mod_layer, module_list)
-
- layer_summary = None
- for desc in doc.getElementsByTagName("summary"):
- if desc.parentNode.getAttribute("name") == mod_layer:
- layer_summary = format_html_desc(desc)
-
- menu_args = { "menulist" : menu,
- "mod_layer" : mod_layer,
- "layer_summary" : layer_summary }
- menu_tpl = pyplate.Template(menudata)
- menu_buf = menu_tpl.execute_string(menu_args)
-
- content_tpl = pyplate.Template(indexdata)
- content_buf = content_tpl.execute_string(menu_args)
-
- main_content_buf += content_buf
-
- body_args = { "menu" : menu_buf,
- "content" : content_buf }
-
- index_file = mod_layer + ".html"
- index_fh = open(index_file, "w")
- body_tpl = pyplate.Template(bodydata)
- body_tpl.execute(index_fh, body_args)
- index_fh.close()
-
- menu = gen_doc_menu(None, module_list)
- menu_args = { "menulist" : menu,
- "mod_layer" : None }
- menu_tpl = pyplate.Template(menudata)
- menu_buf = menu_tpl.execute_string(menu_args)
-
- body_args = { "menu" : menu_buf,
- "content" : main_content_buf }
-
- index_file = "index.html"
- index_fh = open(index_file, "w")
- body_tpl = pyplate.Template(bodydata)
- body_tpl.execute(index_fh, body_args)
- index_fh.close()
-#now generate the individual module pages
-
- all_interfaces = []
- all_templates = []
- all_tunables = []
- all_booleans = []
- for node in doc.getElementsByTagName("module"):
- mod_name = mod_layer = mod_desc = interface_buf = ''
-
- mod_name = node.getAttribute("name")
- mod_layer = node.parentNode.getAttribute("name")
-
- mod_req = None
- for req in node.getElementsByTagName("required"):
- if req.getAttribute("val") == "true":
- mod_req = True
-
- for desc in node.getElementsByTagName("summary"):
- if desc.parentNode == node:
- mod_summary = format_html_desc(desc)
- for desc in node.getElementsByTagName("desc"):
- if desc.parentNode == node:
- mod_desc = format_html_desc(desc)
-
- interfaces = []
- for interface in node.getElementsByTagName("interface"):
- interface_parameters = []
- interface_desc = interface_summary = None
- interface_name = interface.getAttribute("name")
- interface_line = interface.getAttribute("lineno")
- for desc in interface.childNodes:
- if desc.nodeName == "desc":
- interface_desc = format_html_desc(desc)
- elif desc.nodeName == "summary":
- interface_summary = format_html_desc(desc)
-
- for args in interface.getElementsByTagName("param"):
- for desc in args.getElementsByTagName("summary"):
- paramdesc = format_html_desc(desc)
- paramname = args.getAttribute("name")
- if args.getAttribute("optional") == "true":
- paramopt = "Yes"
- else:
- paramopt = "No"
- if args.getAttribute("unused") == "true":
- paramunused = "Yes"
- else:
- paramunused = "No"
- parameter = { "name" : paramname,
- "desc" : paramdesc,
- "optional" : paramopt,
- "unused" : paramunused }
- interface_parameters.append(parameter)
- interfaces.append( { "interface_name" : interface_name,
- "interface_summary" : interface_summary,
- "interface_desc" : interface_desc,
- "interface_parameters" : interface_parameters })
- #all_interfaces is for the main interface index with all interfaces
- all_interfaces.append( { "interface_name" : interface_name,
- "interface_summary" : interface_summary,
- "interface_desc" : interface_desc,
- "interface_parameters" : interface_parameters,
- "mod_name": mod_name,
- "mod_layer" : mod_layer })
- interfaces.sort(int_cmp)
- interface_tpl = pyplate.Template(intdata)
- interface_buf = interface_tpl.execute_string({"interfaces" : interfaces})
-
-
-# now generate individual template pages
- templates = []
- for template in node.getElementsByTagName("template"):
- template_parameters = []
- template_desc = template_summary = None
- template_name = template.getAttribute("name")
- template_line = template.getAttribute("lineno")
- for desc in template.childNodes:
- if desc.nodeName == "desc":
- template_desc = format_html_desc(desc)
- elif desc.nodeName == "summary":
- template_summary = format_html_desc(desc)
-
- for args in template.getElementsByTagName("param"):
- for desc in args.getElementsByTagName("summary"):
- paramdesc = format_html_desc(desc)
- paramname = args.getAttribute("name")
- if args.getAttribute("optional") == "true":
- paramopt = "Yes"
- else:
- paramopt = "No"
- if args.getAttribute("unused") == "true":
- paramunused = "Yes"
- else:
- paramunused = "No"
- parameter = { "name" : paramname,
- "desc" : paramdesc,
- "optional" : paramopt,
- "unused": paramunused }
- template_parameters.append(parameter)
- templates.append( { "template_name" : template_name,
- "template_summary" : template_summary,
- "template_desc" : template_desc,
- "template_parameters" : template_parameters })
- #all_templates is for the main interface index with all templates
- all_templates.append( { "template_name" : template_name,
- "template_summary" : template_summary,
- "template_desc" : template_desc,
- "template_parameters" : template_parameters,
- "mod_name": mod_name,
- "mod_layer" : mod_layer })
-
- templates.sort(temp_cmp)
- template_tpl = pyplate.Template(templatedata)
- template_buf = template_tpl.execute_string({"templates" : templates})
-
- #generate 'boolean' pages
- booleans = []
- for boolean in node.getElementsByTagName("bool"):
- boolean_parameters = []
- boolean_desc = None
- boolean_name = boolean.getAttribute("name")
- boolean_dftval = boolean.getAttribute("dftval")
- for desc in boolean.childNodes:
- if desc.nodeName == "desc":
- boolean_desc = format_html_desc(desc)
-
- booleans.append({ "bool_name" : boolean_name,
- "desc" : boolean_desc,
- "def_val" : boolean_dftval })
- #all_booleans is for the main boolean index with all booleans
- all_booleans.append({ "bool_name" : boolean_name,
- "desc" : boolean_desc,
- "def_val" : boolean_dftval,
- "mod_name": mod_name,
- "mod_layer" : mod_layer })
- booleans.sort(bool_cmp)
- boolean_tpl = pyplate.Template(booldata)
- boolean_buf = boolean_tpl.execute_string({"booleans" : booleans})
-
- #generate 'tunable' pages
- tunables = []
- for tunable in node.getElementsByTagName("tunable"):
- tunable_parameters = []
- tunable_desc = None
- tunable_name = tunable.getAttribute("name")
- tunable_dftval = tunable.getAttribute("dftval")
- for desc in tunable.childNodes:
- if desc.nodeName == "desc":
- tunable_desc = format_html_desc(desc)
-
- tunables.append({ "tun_name" : tunable_name,
- "desc" : tunable_desc,
- "def_val" : tunable_dftval })
- #all_tunables is for the main tunable index with all tunables
- all_tunables.append({ "tun_name" : tunable_name,
- "desc" : tunable_desc,
- "def_val" : tunable_dftval,
- "mod_name": mod_name,
- "mod_layer" : mod_layer })
- tunables.sort(tun_cmp)
- tunable_tpl = pyplate.Template(tundata)
- tunable_buf = tunable_tpl.execute_string({"tunables" : tunables})
-
-
- menu = gen_doc_menu(mod_layer, module_list)
-
- menu_tpl = pyplate.Template(menudata)
- menu_buf = menu_tpl.execute_string({ "menulist" : menu })
-
-
- # pyplate's execute_string gives us a line of whitespace in
- # template_buf or interface_buf if there are no interfaces or
- # templates for this module. This is problematic because the
- # HTML templates use a conditional if on interface_buf or
- # template_buf being 'None' to decide if the "Template:" or
- # "Interface:" headers need to be printed in the module pages.
- # This detects if either of these are just whitespace, and sets
- # their values to 'None' so that when applying it to the
- # templates, they are properly recognized as not existing.
- if not interface_buf.strip():
- interface_buf = None
- if not template_buf.strip():
- template_buf = None
- if not tunable_buf.strip():
- tunable_buf = None
- if not boolean_buf.strip():
- boolean_buf = None
-
- module_args = { "mod_layer" : mod_layer,
- "mod_name" : mod_name,
- "mod_summary" : mod_summary,
- "mod_desc" : mod_desc,
- "mod_req" : mod_req,
- "interfaces" : interface_buf,
- "templates" : template_buf,
- "tunables" : tunable_buf,
- "booleans" : boolean_buf }
-
- module_tpl = pyplate.Template(moduledata)
- module_buf = module_tpl.execute_string(module_args)
-
- body_args = { "menu" : menu_buf,
- "content" : module_buf }
-
- module_file = mod_layer + "_" + mod_name + ".html"
- module_fh = open(module_file, "w")
- body_tpl = pyplate.Template(bodydata)
- body_tpl.execute(module_fh, body_args)
- module_fh.close()
-
-
- menu = gen_doc_menu(None, module_list)
- menu_args = { "menulist" : menu,
- "mod_layer" : None }
- menu_tpl = pyplate.Template(menudata)
- menu_buf = menu_tpl.execute_string(menu_args)
-
- #build the interface index
- all_interfaces.sort(int_cmp)
- interface_tpl = pyplate.Template(intlistdata)
- interface_buf = interface_tpl.execute_string({"interfaces" : all_interfaces})
- int_file = "interfaces.html"
- int_fh = open(int_file, "w")
- body_tpl = pyplate.Template(bodydata)
-
- body_args = { "menu" : menu_buf,
- "content" : interface_buf }
-
- body_tpl.execute(int_fh, body_args)
- int_fh.close()
-
-
- #build the template index
- all_templates.sort(temp_cmp)
- template_tpl = pyplate.Template(templistdata)
- template_buf = template_tpl.execute_string({"templates" : all_templates})
- temp_file = "templates.html"
- temp_fh = open(temp_file, "w")
- body_tpl = pyplate.Template(bodydata)
-
- body_args = { "menu" : menu_buf,
- "content" : template_buf }
-
- body_tpl.execute(temp_fh, body_args)
- temp_fh.close()
-
-
- #build the global tunable index
- global_tun = []
- for tunable in doc.getElementsByTagName("tunable"):
- if tunable.parentNode.nodeName == "policy":
- tunable_name = tunable.getAttribute("name")
- default_value = tunable.getAttribute("dftval")
- for desc in tunable.getElementsByTagName("desc"):
- description = format_html_desc(desc)
- global_tun.append( { "tun_name" : tunable_name,
- "def_val" : default_value,
- "desc" : description } )
- global_tun.sort(tun_cmp)
- global_tun_tpl = pyplate.Template(gtunlistdata)
- global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun})
- global_tun_file = "global_tunables.html"
- global_tun_fh = open(global_tun_file, "w")
- body_tpl = pyplate.Template(bodydata)
-
- body_args = { "menu" : menu_buf,
- "content" : global_tun_buf }
-
- body_tpl.execute(global_tun_fh, body_args)
- global_tun_fh.close()
-
- #build the tunable index
- all_tunables = all_tunables + global_tun
- all_tunables.sort(tun_cmp)
- tunable_tpl = pyplate.Template(tunlistdata)
- tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables})
- temp_file = "tunables.html"
- temp_fh = open(temp_file, "w")
- body_tpl = pyplate.Template(bodydata)
-
- body_args = { "menu" : menu_buf,
- "content" : tunable_buf }
-
- body_tpl.execute(temp_fh, body_args)
- temp_fh.close()
-
- #build the global boolean index
- global_bool = []
- for boolean in doc.getElementsByTagName("bool"):
- if boolean.parentNode.nodeName == "policy":
- bool_name = boolean.getAttribute("name")
- default_value = boolean.getAttribute("dftval")
- for desc in boolean.getElementsByTagName("desc"):
- description = format_html_desc(desc)
- global_bool.append( { "bool_name" : bool_name,
- "def_val" : default_value,
- "desc" : description } )
- global_bool.sort(bool_cmp)
- global_bool_tpl = pyplate.Template(gboollistdata)
- global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool})
- global_bool_file = "global_booleans.html"
- global_bool_fh = open(global_bool_file, "w")
- body_tpl = pyplate.Template(bodydata)
-
- body_args = { "menu" : menu_buf,
- "content" : global_bool_buf }
-
- body_tpl.execute(global_bool_fh, body_args)
- global_bool_fh.close()
-
- #build the boolean index
- all_booleans = all_booleans + global_bool
- all_booleans.sort(bool_cmp)
- boolean_tpl = pyplate.Template(boollistdata)
- boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans})
- temp_file = "booleans.html"
- temp_fh = open(temp_file, "w")
- body_tpl = pyplate.Template(bodydata)
-
- body_args = { "menu" : menu_buf,
- "content" : boolean_buf }
-
- body_tpl.execute(temp_fh, body_args)
- temp_fh.close()
-
-
-
-def error(error):
- """
- Print an error message and exit.
- """
-
- sys.stderr.write("%s exiting for: " % sys.argv[0])
- sys.stderr.write("%s\n" % error)
- sys.stderr.flush()
- sys.exit(1)
-
-def warning(warn):
- """
- Print a warning message.
- """
-
- sys.stderr.write("%s warning: " % sys.argv[0])
- sys.stderr.write("%s\n" % warn)
-
-def usage():
- """
- Describes the proper usage of this tool.
- """
-
- sys.stdout.write("%s [-tmdT] -x <xmlfile>\n\n" % sys.argv[0])
- sys.stdout.write("Options:\n")
- sys.stdout.write("-b --booleans <file> -- write boolean config to <file>\n")
- sys.stdout.write("-m --modules <file> -- write module config to <file>\n")
- sys.stdout.write("-d --docs <dir> -- write interface documentation to <dir>\n")
- sys.stdout.write("-x --xml <file> -- filename to read xml data from\n")
- sys.stdout.write("-T --templates <dir> -- template directory for documents\n")
-
-
-# MAIN PROGRAM
-try:
- opts, args = getopt.getopt(sys.argv[1:], "b:m:d:x:T:", ["booleans","modules","docs","xml", "templates"])
-except getopt.GetoptError:
- usage()
- sys.exit(1)
-
-booleans = modules = docsdir = None
-templatedir = "templates/"
-xmlfile = "policy.xml"
-
-for opt, val in opts:
- if opt in ("-b", "--booleans"):
- booleans = val
- if opt in ("-m", "--modules"):
- modules = val
- if opt in ("-d", "--docs"):
- docsdir = val
- if opt in ("-x", "--xml"):
- xmlfile = val
- if opt in ("-T", "--templates"):
- templatedir = val
-
-doc = read_policy_xml(xmlfile)
-
-if booleans:
- namevalue_list = []
- if os.path.exists(booleans):
- try:
- conf = open(booleans, 'r')
- except:
- error("Could not open booleans file for reading")
-
- namevalue_list = get_conf(conf)
-
- conf.close()
-
- try:
- conf = open(booleans, 'w')
- except:
- error("Could not open booleans file for writing")
-
- gen_booleans_conf(doc, conf, namevalue_list)
- conf.close()
-
-
-if modules:
- namevalue_list = []
- if os.path.exists(modules):
- try:
- conf = open(modules, 'r')
- except:
- error("Could not open modules file for reading")
- namevalue_list = get_conf(conf)
- conf.close()
-
- try:
- conf = open(modules, 'w')
- except:
- error("Could not open modules file for writing")
- gen_module_conf(doc, conf, namevalue_list)
- conf.close()
-
-if docsdir:
- gen_docs(doc, docsdir, templatedir)
diff --git a/support/segenxml.py b/support/segenxml.py
deleted file mode 100644
index d6c4fd5..0000000
--- a/support/segenxml.py
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/python
-
-# Author(s): Donald Miner <dminer at tresys.com>
-# Dave Sugar <dsugar at tresys.com>
-# Brian Williams <bwilliams at tresys.com>
-# Caleb Case <ccase at tresys.com>
-#
-# Copyright (C) 2005 - 2006 Tresys Technology, LLC
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 2.
-
-"""
- This script generates XML documentation information for layers specified
- by the user.
-"""
-
-import sys
-import os
-import glob
-import re
-import getopt
-
-# GLOBALS
-
-# Default values of command line arguments:
-warn = False
-meta = "metadata"
-third_party = "third-party"
-layers = {}
-tunable_files = []
-bool_files = []
-xml_tunable_files = []
-xml_bool_files = []
-output_dir = ""
-
-# Pre compiled regular expressions:
-
-# Matches either an interface or a template declaration. Will give the tuple:
-# ("interface" or "template", name)
-# Some examples:
-# "interface(`kernel_read_system_state',`"
-# -> ("interface", "kernel_read_system_state")
-# "template(`base_user_template',`"
-# -> ("template", "base_user_template")
-INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
-
-# Matches either a gen_bool or a gen_tunable statement. Will give the tuple:
-# ("tunable" or "bool", name, "true" or "false")
-# Some examples:
-# "gen_bool(secure_mode, false)"
-# -> ("bool", "secure_mode", "false")
-# "gen_tunable(allow_kerberos, false)"
-# -> ("tunable", "allow_kerberos", "false")
-BOOLEAN = re.compile("^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)")
-
-# Matches a XML comment in the policy, which is defined as any line starting
-# with two # and at least one character of white space. Will give the single
-# valued tuple:
-# ("comment")
-# Some Examples:
-# "## <summary>"
-# -> ("<summary>")
-# "## The domain allowed access. "
-# -> ("The domain allowed access.")
-XML_COMMENT = re.compile("^##\s+(.*?)\s*$")
-
-
-# FUNCTIONS
-def getModuleXML(file_name):
- '''
- Returns the XML data for a module in a list, one line per list item.
- '''
-
- # Gather information.
- module_dir = os.path.dirname(file_name)
- module_name = os.path.basename(file_name)
- module_te = "%s/%s.te" % (module_dir, module_name)
- module_if = "%s/%s.if" % (module_dir, module_name)
-
- # Try to open the file, if it cant, just ignore it.
- try:
- module_file = open(module_if, "r")
- module_code = module_file.readlines()
- module_file.close()
- except:
- warning("cannot open file %s for read, skipping" % file_name)
- return []
-
- module_buf = []
-
- # Infer the module name, which is the base of the file name.
- module_buf.append("<module name=\"%s\" filename=\"%s\">\n"
- % (os.path.splitext(os.path.split(file_name)[-1])[0], module_if))
-
- temp_buf = []
- interface = None
-
- # finding_header is a flag to denote whether we are still looking
- # for the XML documentation at the head of the file.
- finding_header = True
-
- # Get rid of whitespace at top of file
- while(module_code and module_code[0].isspace()):
- module_code = module_code[1:]
-
- # Go line by line and figure out what to do with it.
- line_num = 0
- for line in module_code:
- line_num += 1
- if finding_header:
- # If there is a XML comment, add it to the temp buffer.
- comment = XML_COMMENT.match(line)
- if comment:
- temp_buf.append(comment.group(1) + "\n")
- continue
-
- # Once a line that is not an XML comment is reached,
- # either put the XML out to module buffer as the
- # module's documentation, or attribute it to an
- # interface/template.
- elif temp_buf:
- finding_header = False
- interface = INTERFACE.match(line)
- if not interface:
- module_buf += temp_buf
- temp_buf = []
- continue
-
- # Skip over empty lines
- if line.isspace():
- continue
-
- # Grab a comment and add it to the temprorary buffer, if it
- # is there.
- comment = XML_COMMENT.match(line)
- if comment:
- temp_buf.append(comment.group(1) + "\n")
- continue
-
- # Grab the interface information. This is only not true when
- # the interface is at the top of the file and there is no
- # documentation for the module.
- if not interface:
- interface = INTERFACE.match(line)
- if interface:
- # Add the opening tag for the interface/template
- groups = interface.groups()
- module_buf.append("<%s name=\"%s\" lineno=\"%s\">\n" % (groups[0], groups[1], line_num))
-
- # Add all the comments attributed to this interface to
- # the module buffer.
- if temp_buf:
- module_buf += temp_buf
- temp_buf = []
-
- # Add default summaries and parameters so that the
- # DTD is happy.
- else:
- warning ("unable to find XML for %s %s()" % (groups[0], groups[1]))
- module_buf.append("<summary>\n")
- module_buf.append("Summary is missing!\n")
- module_buf.append("</summary>\n")
- module_buf.append("<param name=\"?\">\n")
- module_buf.append("<summary>\n")
- module_buf.append("Parameter descriptions are missing!\n")
- module_buf.append("</summary>\n")
- module_buf.append("</param>\n")
-
- # Close the interface/template tag.
- module_buf.append("</%s>\n" % interface.group(1))
-
- interface = None
- continue
-
-
-
- # If the file just had a header, add the comments to the module buffer.
- if finding_header:
- module_buf += temp_buf
- # Otherwise there are some lingering XML comments at the bottom, warn
- # the user.
- elif temp_buf:
- warning("orphan XML comments at bottom of file %s" % file_name)
-
- # Process the TE file if it exists.
- module_buf = module_buf + getTunableXML(module_te, "both")
-
- module_buf.append("</module>\n")
-
- return module_buf
-
-def getTunableXML(file_name, kind):
- '''
- Return all the XML for the tunables/bools in the file specified.
- '''
-
- # Try to open the file, if it cant, just ignore it.
- try:
- tunable_file = open(file_name, "r")
- tunable_code = tunable_file.readlines()
- tunable_file.close()
- except:
- warning("cannot open file %s for read, skipping" % file_name)
- return []
-
- tunable_buf = []
- temp_buf = []
-
- # Find tunables and booleans line by line and use the comments above
- # them.
- for line in tunable_code:
- # If it is an XML comment, add it to the buffer and go on.
- comment = XML_COMMENT.match(line)
- if comment:
- temp_buf.append(comment.group(1) + "\n")
- continue
-
- # Get the boolean/tunable data.
- boolean = BOOLEAN.match(line)
-
- # If we reach a boolean/tunable declaration, attribute all XML
- # in the temp buffer to it and add XML to the tunable buffer.
- if boolean:
- # If there is a gen_bool in a tunable file or a
- # gen_tunable in a boolean file, error and exit.
- # Skip if both kinds are valid.
- if kind != "both":
- if boolean.group(1) != kind:
- error("%s in a %s file." % (boolean.group(1), kind))
-
- tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
- tunable_buf += temp_buf
- temp_buf = []
- tunable_buf.append("</%s>\n" % boolean.group(1))
-
- # If there are XML comments at the end of the file, they arn't
- # attributed to anything. These are ignored.
- if len(temp_buf):
- warning("orphan XML comments at bottom of file %s" % file_name)
-
-
- # If the caller requested a the global_tunables and global_booleans to be
- # output to a file output them now
- if len(output_dir) > 0:
- xmlfile = os.path.split(file_name)[1] + ".xml"
-
- try:
- xml_outfile = open(output_dir + "/" + xmlfile, "w")
- for tunable_line in tunable_buf:
- xml_outfile.write (tunable_line)
- xml_outfile.close()
- except:
- warning ("cannot write to file %s, skipping creation" % xmlfile)
-
- return tunable_buf
-
-def getXMLFileContents (file_name):
- '''
- Return all the XML in the file specified.
- '''
-
- tunable_buf = []
- # Try to open the xml file for this type of file
- # append the contents to the buffer.
- try:
- tunable_xml = open(file_name, "r")
- tunable_buf += tunable_xml.readlines()
- tunable_xml.close()
- except:
- warning("cannot open file %s for read, assuming no data" % file_name)
-
- return tunable_buf
-
-def getPolicyXML():
- '''
- Return the compelete reference policy XML documentation through a list,
- one line per item.
- '''
-
- policy_buf = []
- policy_buf.append("<policy>\n")
-
- # Add to the XML each layer specified by the user.
- for layer in layers.keys ():
- policy_buf += getLayerXML(layer, layers[layer])
-
- # Add to the XML each tunable file specified by the user.
- for tunable_file in tunable_files:
- policy_buf += getTunableXML(tunable_file, "tunable")
-
- # Add to the XML each XML tunable file specified by the user.
- for tunable_file in xml_tunable_files:
- policy_buf += getXMLFileContents (tunable_file)
-
- # Add to the XML each bool file specified by the user.
- for bool_file in bool_files:
- policy_buf += getTunableXML(bool_file, "bool")
-
- # Add to the XML each XML bool file specified by the user.
- for bool_file in xml_bool_files:
- policy_buf += getXMLFileContents (bool_file)
-
- policy_buf.append("</policy>\n")
-
- return policy_buf
-
-def usage():
- """
- Displays a message describing the proper usage of this script.
- """
-
- sys.stdout.write("usage: %s [-w] [-mtb] <file>\n\n" % sys.argv[0])
- sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\
- "-m --module <file>\t\tname of module to process\n"+\
- "-t --tunable <file>\t\tname of global tunable file to process\n"+\
- "-b --boolean <file>\t\tname of global boolean file to process\n\n")
-
- sys.stdout.write("examples:\n")
- sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0])
- sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0])
-
-def warning(description):
- '''
- Warns the user of a non-critical error.
- '''
-
- if warn:
- sys.stderr.write("%s: " % sys.argv[0] )
- sys.stderr.write("warning: " + description + "\n")
-
-def error(description):
- '''
- Describes an error and exists the program.
- '''
-
- sys.stderr.write("%s: " % sys.argv[0] )
- sys.stderr.write("error: " + description + "\n")
- sys.stderr.flush()
- sys.exit(1)
-
-
-
-# MAIN PROGRAM
-
-# Defaults
-warn = False
-module = False
-tunable = False
-boolean = False
-
-# Check that there are command line arguments.
-if len(sys.argv) <= 1:
- usage()
- sys.exit(1)
-
-# Parse command line args
-try:
- opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean='])
-except getopt.GetoptError:
- usage()
- sys.exit(2)
-for o, a in opts:
- if o in ('-w', '--warn'):
- warn = True
- elif o in ('-h', '--help'):
- usage()
- sys.exit(0)
- elif o in ('-m', '--module'):
- module = a
- break
- elif o in ('-t', '--tunable'):
- tunable = a
- break
- elif o in ('-b', '--boolean'):
- boolean = a
- break
- else:
- usage()
- sys.exit(2)
-
-if module:
- sys.stdout.writelines(getModuleXML(module))
-elif tunable:
- sys.stdout.writelines(getTunableXML(tunable, "tunable"))
-elif boolean:
- sys.stdout.writelines(getTunableXML(boolean, "bool"))
-else:
- usage()
- sys.exit(2)
-
diff --git a/support/selinux-policy-refpolicy.spec b/support/selinux-policy-refpolicy.spec
deleted file mode 100644
index b5c5d61..0000000
--- a/support/selinux-policy-refpolicy.spec
+++ /dev/null
@@ -1,435 +0,0 @@
-%define distro redhat
-%define direct_initrc y
-%define monolithic n
-%define polname1 targeted
-%define type1 targeted-mcs
-%define polname2 strict
-%define type2 strict-mcs
-Summary: SELinux policy configuration
-Name: selinux-policy
-Version: 20051019
-Release: 1
-License: GPL
-Group: System Environment/Base
-Source: refpolicy-%{version}.tar.bz2
-Url: http://serefpolicy.sourceforge.net
-BuildRoot: %{_tmppath}/refpolicy-buildroot
-BuildArch: noarch
-# FIXME Need to ensure these have correct versions
-BuildRequires: checkpolicy m4 policycoreutils python make gcc
-PreReq: kernel >= 2.6.4-1.300 policycoreutils >= %{POLICYCOREUTILSVER}
-Obsoletes: policy
-
-%description
-SELinux Reference Policy - modular.
-
-%prep
-%setup -q
-make conf
-
-%build
-
-%install
-%{__rm} -fR $RPM_BUILD_ROOT
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} base.pp
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1}
-%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1}
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/policy
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/contexts/files
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/local.users
-make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/system.users
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} base.pp
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2}
-%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2}
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/policy
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/contexts/files
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/local.users
-make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/system.users
-
-%clean
-%{__rm} -fR $RPM_BUILD_ROOT
-
-%files
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_sysconfdir}/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/*.pp
-#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
-%dir %{_sysconfdir}/selinux/*
-%ghost %config %{_sysconfdir}/selinux/*/booleans
-%dir %{_sysconfdir}/selinux/*/policy
-#%ghost %config %{_sysconfdir}/selinux/*/policy/policy.*
-%dir %{_sysconfdir}/selinux/*/contexts
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/customizable_types
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/dbus_contexts
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_contexts
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_type
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/failsafe_context
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/initrc_context
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/removable_context
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/userhelper_context
-%config(noreplace) %{_sysconfdir}/selinux/*/contexts/x_contexts
-%dir %{_sysconfdir}/selinux/*/contexts/files
-#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts
-#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/homedir_template
-#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts.homedirs
-%config %{_sysconfdir}/selinux/*/contexts/files/media
-%dir %{_sysconfdir}/selinux/*/users
-%config %{_sysconfdir}/selinux/*/users/system.users
-%config %{_sysconfdir}/selinux/*/users/local.users
-#%ghost %dir %{_sysconfdir}/selinux/*/modules
-
-%pre
-
-%post
-
-%package base-targeted
-Summary: SELinux %{polname1} base policy
-Group: System Environment/Base
-Provides: selinux-policy-base
-
-%description base-targeted
-SELinux Reference policy targeted base module.
-
-%files base-targeted
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/%{polname1}
-%dir %{_usr}/share/selinux/%{polname1}/%{type1}
-%config %{_usr}/share/selinux/%{polname1}/%{type1}/base.pp
-%dir %{_sysconfdir}/selinux
-#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
-%dir %{_sysconfdir}/selinux/%{polname1}
-%ghost %config %{_sysconfdir}/selinux/%{polname1}/booleans
-%dir %{_sysconfdir}/selinux/%{polname1}/policy
-#%ghost %config %{_sysconfdir}/selinux/%{polname1}/policy/policy.*
-%dir %{_sysconfdir}/selinux/%{polname1}/contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/customizable_types
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/dbus_contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_type
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/failsafe_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/initrc_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/removable_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/userhelper_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/x_contexts
-%dir %{_sysconfdir}/selinux/%{polname1}/contexts/files
-#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts
-#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/homedir_template
-#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts.homedirs
-%config %{_sysconfdir}/selinux/%{polname1}/contexts/files/media
-%dir %{_sysconfdir}/selinux/%{polname1}/users
-%config %{_sysconfdir}/selinux/%{polname1}/users/system.users
-%config %{_sysconfdir}/selinux/%{polname1}/users/local.users
-#%ghost %dir %{_sysconfdir}/selinux/%{polname1}/modules
-
-%post base-targeted
-semodule -b /usr/share/selinux/%{polname1}/%{type1}/base.pp -s %{_sysconfdir}/selinux/%{polname1}
-for file in $(ls /usr/share/selinux/%{polname1}/%{type1} | grep -v base.pp)
-do semodule -i /usr/share/selinux/%{polname1}/%{type1}/$file -s %{_sysconfdir}/selinux/%{polname1}
-done
-
-%package base-strict
-Summary: SELinux %{polname2} base policy
-Group: System Environment/Base
-Provides: selinux-policy-base
-
-%description base-strict
-SELinux Reference policy strict base module.
-
-%files base-strict
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/%{polname2}
-%dir %{_usr}/share/selinux/%{polname2}/%{type2}
-%config %{_usr}/share/selinux/%{polname2}/%{type2}/base.pp
-%dir %{_sysconfdir}/selinux
-#%ghost %config(noreplace) %{_sysconfdir}/selinux/config
-%dir %{_sysconfdir}/selinux/%{polname2}
-%ghost %config %{_sysconfdir}/selinux/%{polname2}/booleans
-%dir %{_sysconfdir}/selinux/%{polname2}/policy
-#%ghost %config %{_sysconfdir}/selinux/%{polname2}/policy/policy.*
-%dir %{_sysconfdir}/selinux/%{polname2}/contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/customizable_types
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/dbus_contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_type
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/failsafe_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/initrc_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/removable_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/userhelper_context
-%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/x_contexts
-%dir %{_sysconfdir}/selinux/%{polname2}/contexts/files
-#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts
-#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/homedir_template
-#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts.homedirs
-%config %{_sysconfdir}/selinux/%{polname2}/contexts/files/media
-%dir %{_sysconfdir}/selinux/%{polname2}/users
-%config %{_sysconfdir}/selinux/%{polname2}/users/system.users
-%config %{_sysconfdir}/selinux/%{polname2}/users/local.users
-#%ghost %dir %{_sysconfdir}/selinux/%{polname2}/modules
-
-%post base-strict
-semodule -b /usr/share/selinux/%{polname2}/%{type2}/base.pp -s %{_sysconfdir}/selinux/%{polname2}
-for file in $(ls /usr/share/selinux/%{polname2}/%{type2} | grep -v base.pp)
-do semodule -i /usr/share/selinux/%{polname2}/%{type2}/$file -s %{_sysconfdir}/selinux/%{polname2}
-done
-
-%package apache
-Summary: SELinux apache policy
-Group: System Environment/Base
-Requires: selinux-policy-base
-
-%description apache
-SELinux Reference policy apache module.
-
-%files apache
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/apache.pp
-
-%post apache
-if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ] ; then
-semodule -n -i %{_usr}/share/selinux/%{polname1}/%{type1}/apache.pp -s %{_sysconfdir}/selinux/%{polname1}
-fi
-if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ] ; then
-semodule -i %{_usr}/share/selinux/%{polname2}/%{type2}/apache.pp -s %{_sysconfdir}/selinux/%{polname2}
-fi
-
-%preun apache
-if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ]
-then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname1}
-fi
-if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ]
-then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname2}
-fi
-
-%package bind
-Summary: SELinux bind policy
-Group: System Environment/Base
-
-%description bind
-SELinux Reference policy bind module.
-
-%files bind
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/bind.pp
-
-%post bind
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/bind.pp
-
-%preun bind
-semodule -r bind
-
-%package dhcp
-Summary: SELinux dhcp policy
-Group: System Environment/Base
-
-%description dhcp
-SELinux Reference policy dhcp module.
-
-%files dhcp
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/dhcp.pp
-
-%post dhcp
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/dhcp.pp
-
-%preun dhcp
-semodule -r dhcp
-
-%package ldap
-Summary: SELinux ldap policy
-Group: System Environment/Base
-
-%description ldap
-SELinux Reference policy ldap module.
-
-%files ldap
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/ldap.pp
-
-%post ldap
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/ldap.pp
-
-%preun ldap
-semodule -r ldap
-
-%package mailman
-Summary: SELinux mailman policy
-Group: System Environment/Base
-
-%description mailman
-SELinux Reference policy mailman module.
-
-%files mailman
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/mailman.pp
-
-%post mailman
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/mailman.pp
-
-%preun mailman
-semodule -r mailman
-
-%package mysql
-Summary: SELinux mysql policy
-Group: System Environment/Base
-
-%description mysql
-SELinux Reference policy mysql module.
-
-%files mysql
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/mysql.pp
-
-%post mysql
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcsmysql.pp
-
-%preun mysql
-semodule -r mysql
-
-%package portmap
-Summary: SELinux portmap policy
-Group: System Environment/Base
-
-%description portmap
-SELinux Reference policy portmap module.
-
-%files portmap
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/portmap.pp
-
-%post portmap
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/portmap.pp
-
-%preun portmap
-semodule -r portmap
-
-%package postgresql
-Summary: SELinux postgresql policy
-Group: System Environment/Base
-
-%description postgresql
-SELinux Reference policy postgresql module.
-
-%files postgresql
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/postgresql.pp
-
-%post postgresql
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/postgresql.pp
-
-%preun postgresql
-semodule -r postgresql
-
-%package samba
-Summary: SELinux samba policy
-Group: System Environment/Base
-
-%description samba
-SELinux Reference policy samba module.
-
-%files samba
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/samba.pp
-
-%post samba
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/samba.pp
-
-%preun samba
-semodule -r samba
-
-%package snmp
-Summary: SELinux snmp policy
-Group: System Environment/Base
-
-%description snmp
-SELinux Reference policy snmp module.
-
-%files snmp
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/snmp.pp
-
-%post snmp
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/snmp.pp
-
-%preun snmp
-semodule -r snmp
-
-%package squid
-Summary: SELinux squid policy
-Group: System Environment/Base
-
-%description squid
-SELinux Reference policy squid module.
-
-%files squid
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/squid.pp
-
-%post squid
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/squid.pp
-
-%preun squid
-semodule -r squid
-
-%package webalizer
-Summary: SELinux webalizer policy
-Group: System Environment/Base
-
-%description webalizer
-SELinux Reference policy webalizer module.
-
-%files webalizer
-%defattr(-,root,root)
-%dir %{_usr}/share/selinux
-%dir %{_usr}/share/selinux/*
-%dir %{_usr}/share/selinux/*/*
-%config %{_usr}/share/selinux/*/*/webalizer.pp
-
-%post webalizer
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/webalizer.pp
-
-%preun webalizer
-semodule -r webalizer
-
-%changelog
diff --git a/support/selinux-refpolicy-sources.spec.skel b/support/selinux-refpolicy-sources.spec.skel
deleted file mode 100644
index 8973bc7..0000000
--- a/support/selinux-refpolicy-sources.spec.skel
+++ /dev/null
@@ -1,49 +0,0 @@
-%define type refpolicy
-%define POLICYDIR /etc/selinux/%{type}
-%define FILE_CON ${POLICYDIR}/contexts/files/file_contexts
-%define FC_PRE ${FILE_CON}.pre
-
-Summary: SELinux Reference Policy configuration source files
-Name: selinux-refpolicy-sources
-Version: REFPOL_VERSION
-Release: 1
-License: GPL
-Group: System Environment/Base
-PreReq: m4 make policycoreutils kernel gcc
-Requires: checkpolicy >= 1.33.1
-Requires: python make m4
-BuildRequires: make m4 python
-Obsoletes: policy-sources
-Source: refpolicy-%{version}.tar.bz2
-Url: http://oss.tresys.com/projects/refpolicy
-BuildArch: noarch
-BuildRoot: /tmp/rpmbuild/%{name}
-
-%description
-This subpackage includes the SELinux Reference Policy
-source files, which can be used to build a targeted policy
-or strict policy configuration.
-
-%prep
-%setup -q -n refpolicy
-
-%build
-sed -i -e '/^TYPE/s/strict/targeted/' Makefile
-sed -i -e 's/^#DISTRO/DISTRO/' Makefile
-sed -i -e '/^DIRECT_INITRC/s/n/y/' Makefile
-make conf
-make clean
-rm -f support/*.pyc
-
-%install
-rm -fR $RPM_BUILD_ROOT
-make DESTDIR=$RPM_BUILD_ROOT install-src
-
-%clean
-rm -fR $RPM_BUILD_ROOT
-
-%files
-%defattr(-,root,root,-)
-%{_sysconfdir}/selinux/%{type}/src/policy/
-
-%changelog
diff --git a/support/set_bools_tuns.awk b/support/set_bools_tuns.awk
deleted file mode 100644
index cedc19b..0000000
--- a/support/set_bools_tuns.awk
+++ /dev/null
@@ -1,11 +0,0 @@
-# Read booleans.conf and output M4 directives to
-# override default settings in global_booleans
-
-BEGIN {
- FS="="
-}
-
-/^[[:blank:]]*[[:alpha:]]+/{
- gsub(/[[:blank:]]*/,"")
- print "define(`"$1"_conf',`"$2"')"
-}
diff --git a/support/undivert.m4 b/support/undivert.m4
deleted file mode 100644
index 8545e47..0000000
--- a/support/undivert.m4
+++ /dev/null
@@ -1 +0,0 @@
-divert
\ No newline at end of file
diff --git a/users_extra-mls b/users_extra-mls
deleted file mode 100644
index 7d9956f..0000000
--- a/users_extra-mls
+++ /dev/null
@@ -1,5 +0,0 @@
-user root prefix staff;
-user staff_u prefix staff;
-user user_u prefix user;
-user sysadm_u prefix sysadm;
-user secadm_u prefix secadm;
diff --git a/users_extra-targeted b/users_extra-targeted
deleted file mode 100644
index cb81460..0000000
--- a/users_extra-targeted
+++ /dev/null
@@ -1,2 +0,0 @@
-user root prefix user;
-user user_u prefix user;
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=master&id=b1ef7171b66cf4b4b882ab37d08d2f3660c38a84
More information about the scm-commits
mailing list