ia64/xen-unstable

changeset 18437:294fc8fc4ba0

xsm, flask: sample flask policy

- The patch includes a policy for xen that can be booted into
enforcing mode and supports creation and management of
paravirtualized guests. The policy follows the dom0/domU usage
model; extension to other models or the addition of management or IO
permissions should be much more straightforward now. The option
flask_enforcing=1 can be passed on the xen line in grub to boot
into enforcing mode.

- The policy provides a basic policy for booting the platform and
creating a domU with the label system_u:object_r:domU_t. The policy
can be easily extended to support new types by modifying the xen.te
source file.

- The policy includes some basic macros which may be helpful in
extending the policy.

- The policy is compatible with and requires the most recent XSM
patch, xsm-flask-io-sysctl-hooks-090308.diff.

- The policy is not built as part of the make all as it requires the
SELinux policy compiler which may/may not be installed on all
systems. Users must go into the tools/flask/policy directory and
explicitly compile the policy.

Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
author Keir Fraser <keir.fraser@citrix.com>
date Thu Sep 04 11:26:25 2008 +0100 (2008-09-04)
parents 44f039c4aee4
children a5bf2535e7bb
files tools/flask/policy/Makefile tools/flask/policy/Rules.modular tools/flask/policy/Rules.monolithic tools/flask/policy/policy/constraints tools/flask/policy/policy/flask/Makefile tools/flask/policy/policy/flask/access_vectors tools/flask/policy/policy/flask/initial_sids tools/flask/policy/policy/flask/mkaccess_vector.sh tools/flask/policy/policy/flask/mkflask.sh tools/flask/policy/policy/flask/security_classes tools/flask/policy/policy/global_booleans tools/flask/policy/policy/global_tunables tools/flask/policy/policy/mcs tools/flask/policy/policy/mls tools/flask/policy/policy/modules.conf tools/flask/policy/policy/modules/xen/xen.if tools/flask/policy/policy/modules/xen/xen.te tools/flask/policy/policy/support/loadable_module.spt tools/flask/policy/policy/support/misc_macros.spt tools/flask/policy/policy/systemuser tools/flask/policy/policy/users
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/tools/flask/policy/Makefile	Thu Sep 04 11:26:25 2008 +0100
     1.3 @@ -0,0 +1,234 @@
     1.4 +#
     1.5 +# Makefile for the security policy.
     1.6 +#
     1.7 +# Targets:
     1.8 +# 
     1.9 +# install       - compile and install the policy configuration, and context files.
    1.10 +# load          - compile, install, and load the policy configuration.
    1.11 +# reload        - compile, install, and load/reload the policy configuration.
    1.12 +# policy        - compile the policy configuration locally for testing/development.
    1.13 +#
    1.14 +# The default target is 'policy'.
    1.15 +#
    1.16 +
    1.17 +########################################
    1.18 +#
    1.19 +# Configurable portions of the Makefile
    1.20 +#
    1.21 +
    1.22 +# Policy version
    1.23 +# By default, checkpolicy will create the highest
    1.24 +# version policy it supports.  Setting this will
    1.25 +# override the version.
    1.26 +OUTPUT_POLICY = 20
    1.27 +
    1.28 +# Policy Type
    1.29 +# strict, targeted,
    1.30 +# strict-mls, targeted-mls,
    1.31 +# strict-mcs, targeted-mcs
    1.32 +TYPE = strict
    1.33 +
    1.34 +# Policy Name
    1.35 +# If set, this will be used as the policy
    1.36 +# name.  Otherwise the policy type will be
    1.37 +# used for the name.
    1.38 +NAME = xenrefpolicy
    1.39 +
    1.40 +# Distribution
    1.41 +# Some distributions have portions of policy
    1.42 +# for programs or configurations specific to the
    1.43 +# distribution.  Setting this will enable options
    1.44 +# for the distribution.
    1.45 +# redhat, gentoo, debian, and suse are current options.
    1.46 +# Fedora users should enable redhat.
    1.47 +#DISTRO = 
    1.48 +
    1.49 +# Build monolithic policy.  Putting n here
    1.50 +# will build a loadable module policy.
    1.51 +MONOLITHIC=y
    1.52 +
    1.53 +# Uncomment this to disable command echoing
    1.54 +#QUIET:=@
    1.55 +
    1.56 +########################################
    1.57 +#
    1.58 +# NO OPTIONS BELOW HERE
    1.59 +#
    1.60 +
    1.61 +# executable paths
    1.62 +PREFIX := /usr
    1.63 +BINDIR := $(PREFIX)/bin
    1.64 +SBINDIR := $(PREFIX)/sbin
    1.65 +CHECKPOLICY := $(BINDIR)/checkpolicy
    1.66 +CHECKMODULE := $(BINDIR)/checkmodule
    1.67 +SEMOD_PKG := $(BINDIR)/semodule_package
    1.68 +LOADPOLICY := $(SBINDIR)/flask-loadpolicy
    1.69 +
    1.70 +CFLAGS := -Wall
    1.71 +
    1.72 +# policy source layout
    1.73 +POLDIR := policy
    1.74 +MODDIR := $(POLDIR)/modules
    1.75 +FLASKDIR := $(POLDIR)/flask
    1.76 +SECCLASS := $(FLASKDIR)/security_classes
    1.77 +ISIDS := $(FLASKDIR)/initial_sids
    1.78 +AVS := $(FLASKDIR)/access_vectors
    1.79 +
    1.80 +#policy building support tools
    1.81 +SUPPORT := support
    1.82 +FCSORT := tmp/fc_sort
    1.83 +
    1.84 +# config file paths
    1.85 +GLOBALTUN := $(POLDIR)/global_tunables
    1.86 +GLOBALBOOL := $(POLDIR)/global_booleans
    1.87 +MOD_CONF := $(POLDIR)/modules.conf
    1.88 +TUNABLES := $(POLDIR)/tunables.conf
    1.89 +BOOLEANS := $(POLDIR)/booleans.conf
    1.90 +
    1.91 +# install paths
    1.92 +TOPDIR = $(DESTDIR)/etc/xen/
    1.93 +INSTALLDIR = $(TOPDIR)/$(NAME)
    1.94 +SRCPATH = $(INSTALLDIR)/src
    1.95 +USERPATH = $(INSTALLDIR)/users
    1.96 +CONTEXTPATH = $(INSTALLDIR)/contexts
    1.97 +
    1.98 +# enable MLS if requested.
    1.99 +ifneq ($(findstring -mls,$(TYPE)),)
   1.100 +	override M4PARAM += -D enable_mls
   1.101 +	CHECKPOLICY += -M
   1.102 +	CHECKMODULE += -M
   1.103 +endif
   1.104 +
   1.105 +# enable MLS if MCS requested.
   1.106 +ifneq ($(findstring -mcs,$(TYPE)),)
   1.107 +	override M4PARAM += -D enable_mcs
   1.108 +	CHECKPOLICY += -M
   1.109 +	CHECKMODULE += -M
   1.110 +endif
   1.111 +
   1.112 +# compile targeted policy if requested.
   1.113 +ifneq ($(findstring targeted,$(TYPE)),)
   1.114 +	override M4PARAM += -D targeted_policy
   1.115 +endif
   1.116 +
   1.117 +# enable distribution-specific policy
   1.118 +ifneq ($(DISTRO),)
   1.119 +	override M4PARAM += -D distro_$(DISTRO)
   1.120 +endif
   1.121 +
   1.122 +ifneq ($(OUTPUT_POLICY),)
   1.123 +	CHECKPOLICY += -c $(OUTPUT_POLICY)
   1.124 +endif
   1.125 +
   1.126 +ifeq ($(NAME),)
   1.127 +	NAME := $(TYPE)
   1.128 +endif
   1.129 +
   1.130 +# determine the policy version and current kernel version if possible
   1.131 +PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
   1.132 +KV := $(shell cat /selinux/policyvers)
   1.133 +
   1.134 +# dont print version warnings if we are unable to determine
   1.135 +# the currently running kernel's policy version
   1.136 +ifeq ($(KV),)
   1.137 +	KV := $(PV)
   1.138 +endif
   1.139 +
   1.140 +FC := file_contexts
   1.141 +POLVER := policy.$(PV)
   1.142 +
   1.143 +M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
   1.144 +
   1.145 +APPCONF := config/appconfig-$(TYPE)
   1.146 +APPDIR := $(CONTEXTPATH)
   1.147 +APPFILES := $(INSTALLDIR)/booleans
   1.148 +CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
   1.149 +USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
   1.150 +
   1.151 +ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
   1.152 +
   1.153 +GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
   1.154 +GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
   1.155 +GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in)))
   1.156 +
   1.157 +# sort here since it removes duplicates, which can happen
   1.158 +# when a generated file is already generated
   1.159 +DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE))
   1.160 +
   1.161 +# modules.conf setting for base module
   1.162 +MODBASE := base
   1.163 +
   1.164 +# modules.conf setting for module
   1.165 +MODMOD := module
   1.166 +
   1.167 +# extract settings from modules.conf
   1.168 +BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
   1.169 +MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
   1.170 +
   1.171 +HOMEDIR_TEMPLATE = tmp/homedir_template
   1.172 +
   1.173 +########################################
   1.174 +#
   1.175 +# Load appropriate rules
   1.176 +#
   1.177 +
   1.178 +ifeq ($(MONOLITHIC),y)
   1.179 +	include Rules.monolithic
   1.180 +else
   1.181 +	include Rules.modular
   1.182 +endif
   1.183 +
   1.184 +########################################
   1.185 +#
   1.186 +# Create config files
   1.187 +#
   1.188 +conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
   1.189 +
   1.190 +$(MOD_CONF) $(BOOLEANS): $(POLXML)
   1.191 +	@echo "Updating $(MOD_CONF) and $(BOOLEANS)"
   1.192 +	$(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML)
   1.193 +
   1.194 +########################################
   1.195 +#
   1.196 +# Appconfig files
   1.197 +#
   1.198 +install-appconfig: $(APPFILES)
   1.199 +
   1.200 +$(INSTALLDIR)/booleans: $(BOOLEANS)
   1.201 +	@mkdir -p $(INSTALLDIR)
   1.202 +	$(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $(BOOLEANS) \
   1.203 +		| sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans
   1.204 +	$(QUIET) install -m 644 tmp/booleans $@
   1.205 +
   1.206 +########################################
   1.207 +#
   1.208 +# Install policy sources
   1.209 +#
   1.210 +install-src:
   1.211 +	rm -rf $(SRCPATH)/policy.old
   1.212 +	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
   1.213 +	mkdir -p $(SRCPATH)/policy
   1.214 +	cp -R . $(SRCPATH)/policy
   1.215 +
   1.216 +########################################
   1.217 +#
   1.218 +# Clean everything
   1.219 +#
   1.220 +bare: clean
   1.221 +	rm -f $(POLXML)
   1.222 +	rm -f $(SUPPORT)/*.pyc
   1.223 +	rm -f $(FCSORT)
   1.224 +	rm -f $(MOD_CONF)
   1.225 +	rm -f $(BOOLEANS)
   1.226 +	rm -fR $(HTMLDIR)
   1.227 +ifneq ($(GENERATED_TE),)
   1.228 +	rm -f $(GENERATED_TE)
   1.229 +endif
   1.230 +ifneq ($(GENERATED_IF),)
   1.231 +	rm -f $(GENERATED_IF)
   1.232 +endif
   1.233 +ifneq ($(GENERATED_FC),)
   1.234 +	rm -f $(GENERATED_FC)
   1.235 +endif
   1.236 +
   1.237 +.PHONY: install-src install-appconfig conf html bare
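Review bot: the `conf` rule at 1.190-1.192 and the `bare` rule at 1.226 reference `$(POLXML)`, `$(DOCS)`, `$(GENDOC)` and `$(HTMLDIR)`, none of which is defined in this Makefile or in either Rules file, so `make conf` expands to `cd  && ../ -t ...` and fails, and `bare` runs `rm -f` / `rm -fR` with empty arguments; either define them or drop these refpolicy leftovers (the `.PHONY` list at 1.237 also names an `html` target that does not exist). Separately, `KV := $(shell cat /selinux/policyvers)` at 1.132 reads the dom0 Linux kernel's SELinux policy version, not anything about the hypervisor, so on an SELinux-enabled dom0 the PV/KV comparison that Rules.monolithic uses for its "Policy version mismatch" warning will fire for reasons unrelated to Xen; consider dropping KV or documenting that the warning does not apply here.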
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/tools/flask/policy/Rules.modular	Thu Sep 04 11:26:25 2008 +0100
     2.3 @@ -0,0 +1,166 @@
     2.4 +########################################
     2.5 +#
     2.6 +# Rules and Targets for building modular policies
     2.7 +#
     2.8 +
     2.9 +ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
    2.10 +ALL_INTERFACES := $(ALL_MODULES:.te=.if)
    2.11 +
    2.12 +BASE_PKG := base.pp
    2.13 +BASE_FC := base.fc
    2.14 +
    2.15 +BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
    2.16 +
    2.17 +BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
    2.18 +BASE_TE_FILES := $(BASE_MODS)
    2.19 +BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
    2.20 +BASE_FC_FILES := $(BASE_MODS:.te=.fc)
    2.21 +
    2.22 +MOD_MODULES := $(MOD_MODS:.te=.mod)
    2.23 +MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp))
    2.24 +
    2.25 +# search layer dirs for source files
    2.26 +vpath %.te $(ALL_LAYERS)
    2.27 +vpath %.if $(ALL_LAYERS)
    2.28 +vpath %.fc $(ALL_LAYERS)
    2.29 +
    2.30 +########################################
    2.31 +#
    2.32 +# default action: create all module packages
    2.33 +#
    2.34 +default: base
    2.35 +
    2.36 +base: $(BASE_PKG)
    2.37 +
    2.38 +modules: $(MOD_PKGS)
    2.39 +
    2.40 +#policy: $(POLVER)
    2.41 +#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
    2.42 +#load: tmp/load
    2.43 +
    2.44 +########################################
    2.45 +#
    2.46 +# Create a base module package
    2.47 +#
    2.48 +$(BASE_PKG): tmp/base.mod $(BASE_FC)
    2.49 +	@echo "Creating $(NAME) base module package"
    2.50 +	$(QUIET) $(SEMOD_PKG) $@ $^
    2.51 +
    2.52 +########################################
    2.53 +#
    2.54 +# Compile a base module
    2.55 +#
    2.56 +tmp/base.mod: base.conf
    2.57 +	@echo "Compiling $(NAME) base module"
    2.58 +	$(QUIET) $(CHECKMODULE) $^ -o $@
    2.59 +
    2.60 +########################################
    2.61 +#
    2.62 +# Construct a base module policy.conf
    2.63 +#
    2.64 +base.conf: $(BASE_SECTIONS)
    2.65 +	@echo "Creating $(NAME) base module policy.conf"
    2.66 +# checkpolicy can use the #line directives provided by -s for error reporting:
    2.67 +	$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
    2.68 +	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
    2.69 +# the ordering of these ocontexts matters:
    2.70 +	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
    2.71 +	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
    2.72 +	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true
    2.73 +
    2.74 +tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES)
    2.75 +	@test -d tmp || mkdir -p tmp
    2.76 +	$(QUIET) cat $^ > $@
    2.77 +
    2.78 +tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES)
    2.79 +	@test -d tmp || mkdir -p tmp
    2.80 +# define all available object classes
    2.81 +	$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
    2.82 +# per-userdomain templates
    2.83 +	$(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
    2.84 +	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
    2.85 +		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
    2.86 +			>> $@ ;\
    2.87 +	done
    2.88 +	$(QUIET) echo "')" >> $@
    2.89 +# define foo.te
    2.90 +	$(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \
    2.91 +		echo "define(\`$$i')" >> $@ ;\
    2.92 +	done
    2.93 +	$(QUIET) $(SETTUN) $(BOOLEANS) >> $@
    2.94 +
    2.95 +tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
    2.96 +ifeq ($(ALL_INTERFACES),)
    2.97 +	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
    2.98 +endif
    2.99 +	@test -d tmp || mkdir -p tmp
   2.100 +	$(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
   2.101 +
   2.102 +tmp/all_te_files.conf: $(BASE_TE_FILES)
   2.103 +ifeq ($(BASE_TE_FILES),)
   2.104 +	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
   2.105 +endif
   2.106 +	@test -d tmp || mkdir -p tmp
   2.107 +	$(QUIET) cat $^ > $@
   2.108 +
   2.109 +tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
   2.110 +	@test -d tmp || mkdir -p tmp
   2.111 +	$(QUIET) cat $^ > $@
   2.112 +
   2.113 +# extract attributes and put them first. extract post te stuff
   2.114 +# like genfscon and put last.  portcon, nodecon, and netifcon
   2.115 +# is delayed since they are generated by m4
   2.116 +tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
   2.117 +	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
   2.118 +	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
   2.119 +	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
   2.120 +	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
   2.121 +	$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
   2.122 +	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
   2.123 +	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
   2.124 +			-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
   2.125 +			< tmp/all_te_files.conf > tmp/only_te_rules.conf
   2.126 +
   2.127 +########################################
   2.128 +#
   2.129 +# Construct base module file contexts
   2.130 +#
   2.131 +$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
   2.132 +ifeq ($(BASE_FC_FILES),)
   2.133 +	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
   2.134 +endif
   2.135 +	@echo "Creating $(NAME) base module file contexts."
   2.136 +	@test -d tmp || mkdir -p tmp
   2.137 +	$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) > tmp/$@.tmp
   2.138 +	$(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
   2.139 +	$(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
   2.140 +	$(QUIET) $(FCSORT) tmp/$@.tmp $@
   2.141 +
   2.142 +########################################
   2.143 +#
   2.144 +# Build module packages
   2.145 +#
   2.146 +tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
   2.147 +	@if test -z "$(filter $^,$(MOD_MODS))"; then \
   2.148 +		echo "The $(notdir $(basename $@)) module is not configured to be compiled as a lodable module." ;\
   2.149 +		false ;\
   2.150 +	fi
   2.151 +	@echo "Compliling $(NAME) $(@F) module"
   2.152 +	$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
   2.153 +	$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
   2.154 +
   2.155 +%.pp: tmp/%.mod %.fc
   2.156 +	@echo "Creating $(NAME) $(@F) policy package"
   2.157 +	$(QUIET) $(SEMOD_PKG) $@ $^
   2.158 +
   2.159 +########################################
   2.160 +#
   2.161 +# Clean the sources
   2.162 +#
   2.163 +clean:
   2.164 +	rm -fR tmp
   2.165 +	rm -f base.conf
   2.166 +	rm -f *.pp
   2.167 +	rm -f $(BASE_FC)
   2.168 +
   2.169 +.PHONY: default base modules clean
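Review bot: the modular build cannot complete as written: `$(BASE_FC)` at 2.131 depends on `$(FCSORT)` (tmp/fc_sort) but no rule builds it, and the `tmp/generated_definitions.conf` recipe at 2.81 and 2.93 invokes `$(GENPERM)` and `$(SETTUN)`, both undefined, so the shell is handed `policy/flask/access_vectors policy/flask/security_classes > tmp/generated_definitions.conf` and tries to execute a data file. Either add the missing tools or say in the commit message that only MONOLITHIC=y is supported. The user-visible messages at 2.148 and 2.151 also have typos: "lodable" and "Compliling".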
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/tools/flask/policy/Rules.monolithic	Thu Sep 04 11:26:25 2008 +0100
     3.3 @@ -0,0 +1,196 @@
     3.4 +########################################
     3.5 +#
     3.6 +# Rules and Targets for building monolithic policies
     3.7 +#
     3.8 +
     3.9 +# install paths
    3.10 +POLICYPATH = $(INSTALLDIR)/policy
    3.11 +LOADPATH = $(POLICYPATH)/$(POLVER)
    3.12 +FCPATH = $(CONTEXTPATH)/files/file_contexts
    3.13 +HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
    3.14 +
    3.15 +# for monolithic policy use all base and module to create policy
    3.16 +ENABLEMOD := $(BASE_MODS) $(MOD_MODS)
    3.17 +
    3.18 +ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS))
    3.19 +
    3.20 +ALL_INTERFACES := $(ALL_MODULES:.te=.if)
    3.21 +ALL_TE_FILES := $(ALL_MODULES)
    3.22 +ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
    3.23 +
    3.24 +PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
    3.25 +POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
    3.26 +
    3.27 +POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
    3.28 +
    3.29 +########################################
    3.30 +#
    3.31 +# default action: build policy locally
    3.32 +#
    3.33 +default: policy
    3.34 +
    3.35 +policy: $(POLVER)
    3.36 +
    3.37 +install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
    3.38 +
    3.39 +load: tmp/load
    3.40 +
    3.41 +########################################
    3.42 +#
    3.43 +# Build a binary policy locally
    3.44 +#
    3.45 +$(POLVER): policy.conf
    3.46 +	@echo "Compiling $(NAME) $(POLVER)"
    3.47 +ifneq ($(PV),$(KV))
    3.48 +	@echo
    3.49 +	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
    3.50 +	@echo
    3.51 +endif
    3.52 +	$(QUIET) $(CHECKPOLICY) $^ -o $@
    3.53 +
    3.54 +########################################
    3.55 +#
    3.56 +# Install a binary policy
    3.57 +#
    3.58 +$(LOADPATH): policy.conf
    3.59 +	@mkdir -p $(POLICYPATH)
    3.60 +	@echo "Compiling and installing $(NAME) $(LOADPATH)"
    3.61 +ifneq ($(PV),$(KV))
    3.62 +	@echo
    3.63 +	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
    3.64 +	@echo
    3.65 +endif
    3.66 +	$(QUIET) $(CHECKPOLICY) $^ -o $@
    3.67 +
    3.68 +########################################
    3.69 +#
    3.70 +# Load the binary policy
    3.71 +#
    3.72 +reload tmp/load: $(LOADPATH) $(FCPATH)
    3.73 +	@echo "Loading $(NAME) $(LOADPATH)"
    3.74 +	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
    3.75 +	@touch tmp/load
    3.76 +
    3.77 +########################################
    3.78 +#
    3.79 +# Construct a monolithic policy.conf
    3.80 +#
    3.81 +policy.conf: $(POLICY_SECTIONS)
    3.82 +	@echo "Creating $(NAME) policy.conf"
    3.83 +# checkpolicy can use the #line directives provided by -s for error reporting:
    3.84 +	$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
    3.85 +	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
    3.86 +
    3.87 +tmp/pre_te_files.conf: $(PRE_TE_FILES)
    3.88 +	@test -d tmp || mkdir -p tmp
    3.89 +	$(QUIET) cat $^ > $@
    3.90 +
    3.91 +tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
    3.92 +# per-userdomain templates:
    3.93 +	@test -d tmp || mkdir -p tmp
    3.94 +	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
    3.95 +	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
    3.96 +		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
    3.97 +			>> $@ ;\
    3.98 +	done
    3.99 +	$(QUIET) echo "')" >> $@
   3.100 +# define foo.te
   3.101 +	$(QUIET) for i in $(notdir $(ALL_MODULES)); do \
   3.102 +		echo "define(\`$$i')" >> $@ ;\
   3.103 +	done
   3.104 +#	$(QUIET) $(SETTUN) $(BOOLEANS) >> $@
   3.105 +
   3.106 +tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
   3.107 +ifeq ($(ALL_INTERFACES),)
   3.108 +	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
   3.109 +endif
   3.110 +	@test -d tmp || mkdir -p tmp
   3.111 +	$(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
   3.112 +
   3.113 +tmp/all_te_files.conf: $(ALL_TE_FILES)
   3.114 +ifeq ($(ALL_TE_FILES),)
   3.115 +	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
   3.116 +endif
   3.117 +	@test -d tmp || mkdir -p tmp
   3.118 +	$(QUIET) cat $^ > $@
   3.119 +
   3.120 +tmp/post_te_files.conf: $(POST_TE_FILES)
   3.121 +	@test -d tmp || mkdir -p tmp
   3.122 +	$(QUIET) cat $^ > $@
   3.123 +
   3.124 +# extract attributes and put them first. extract post te stuff
   3.125 +# like genfscon and put last.  portcon, nodecon, and netifcon
   3.126 +# is delayed since they are generated by m4
   3.127 +tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
   3.128 +	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
   3.129 +	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
   3.130 +	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
   3.131 +	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
   3.132 +	$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
   3.133 +	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
   3.134 +	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
   3.135 +			-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
   3.136 +			< tmp/all_te_files.conf > tmp/only_te_rules.conf
   3.137 +
   3.138 +########################################
   3.139 +#
   3.140 +# Remove the dontaudit rules from the policy.conf
   3.141 +#
   3.142 +enableaudit: policy.conf
   3.143 +	@test -d tmp || mkdir -p tmp
   3.144 +	@echo "Removing dontaudit rules from policy.conf"
   3.145 +	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
   3.146 +	$(QUIET) mv tmp/policy.audit policy.conf
   3.147 +
   3.148 +########################################
   3.149 +#
   3.150 +# Construct file_contexts
   3.151 +#
   3.152 +$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
   3.153 +ifeq ($(ALL_FC_FILES),)
   3.154 +	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
   3.155 +endif
   3.156 +	@echo "Creating $(NAME) file_contexts."
   3.157 +	@test -d tmp || mkdir -p tmp
   3.158 +	$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) > tmp/$@.tmp
   3.159 +#	$(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
   3.160 +#	$(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
   3.161 +#	$(QUIET) $(FCSORT) tmp/$@.tmp $@
   3.162 +	$(QUIET) touch $(HOMEDIR_TEMPLATE)
   3.163 +	$(QUIET) touch $@
   3.164 +
   3.165 +########################################
   3.166 +#
   3.167 +# Install file_contexts
   3.168 +#
   3.169 +$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
   3.170 +	@echo "Validating $(NAME) file_contexts."
   3.171 +#	$(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC)
   3.172 +	@echo "Installing file_contexts."
   3.173 +	@mkdir -p $(CONTEXTPATH)/files
   3.174 +	$(QUIET) install -m 644 $(FC) $(FCPATH)
   3.175 +	$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
   3.176 +#	$(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD)
   3.177 +
   3.178 +########################################
   3.179 +#
   3.180 +# Run policy source checks
   3.181 +#
   3.182 +check: policy.conf $(FC)
   3.183 +	$(SECHECK) -s --profile=development --policy=policy.conf --fcfile=$(FC) > $@.res
   3.184 +
   3.185 +longcheck: policy.conf $(FC)
   3.186 +	$(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res
   3.187 +
   3.188 +########################################
   3.189 +#
   3.190 +# Clean the sources
   3.191 +#
   3.192 +clean:
   3.193 +	rm -fR tmp
   3.194 +	rm -f policy.conf
   3.195 +	rm -f policy.$(PV)
   3.196 +	rm -f $(FC)
   3.197 +	rm -f *.res
   3.198 +
   3.199 +.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
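Review bot: `make install` stops with "No rule to make target" because `install` at 3.37 requires `$(USERPATH)/local.users` and `$(FCPATH)` at 3.169 requires `$(USERPATH)/system.users`, and nothing in this patch creates either file; drop those prerequisites or add rules that install `policy/users` and `policy/systemuser` there. The `$(FCPATH)` rule also prints "Validating $(NAME) file_contexts." at 3.170 while the `$(SETFILES)` check under it is commented out, and `$(FC)` at 3.162-3.163 only touches empty files, so the message promises a check that never runs; since file contexts have no meaning for the hypervisor, removing the file_contexts machinery altogether would be cleaner than carrying it disabled. `check`/`longcheck` use an undefined `$(SECHECK)`, and `.PHONY` lists `checklabels`, `restorelabels` and `relabel`, none of which exists.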
     4.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     4.2 +++ b/tools/flask/policy/policy/constraints	Thu Sep 04 11:26:25 2008 +0100
     4.3 @@ -0,0 +1,27 @@
     4.4 +
     4.5 +#
     4.6 +# Define the constraints
     4.7 +#
     4.8 +# constrain class_set perm_set expression ;
     4.9 +#
    4.10 +# expression : ( expression ) 
    4.11 +#	     | not expression
    4.12 +#	     | expression and expression
    4.13 +#	     | expression or expression
    4.14 +#	     | u1 op u2
    4.15 +#	     | r1 role_op r2
    4.16 +#	     | t1 op t2
    4.17 +#	     | u1 op names
    4.18 +#	     | u2 op names
    4.19 +#	     | r1 op names
    4.20 +#	     | r2 op names
    4.21 +#	     | t1 op names
    4.22 +#	     | t2 op names
    4.23 +#
    4.24 +# op : == | != 
    4.25 +# role_op : == | != | eq | dom | domby | incomp
    4.26 +#
    4.27 +# names : name | { name_list }
    4.28 +# name_list : name | name_list name		
    4.29 +#
    4.30 +
     5.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     5.2 +++ b/tools/flask/policy/policy/flask/Makefile	Thu Sep 04 11:26:25 2008 +0100
     5.3 @@ -0,0 +1,41 @@
     5.4 +# flask needs to know where to export the libselinux headers.
     5.5 +LIBSEL ?= ../../libselinux
     5.6 +
     5.7 +# flask needs to know where to export the kernel headers.
     5.8 +LINUXDIR ?= ../../../linux-2.6
     5.9 +
    5.10 +AWK = awk
    5.11 +
    5.12 +CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
    5.13 +          else if [ -x /bin/bash ]; then echo /bin/bash; \
    5.14 +          else echo sh; fi ; fi)
    5.15 +
    5.16 +FLASK_H_DEPEND = security_classes initial_sids
    5.17 +AV_H_DEPEND = access_vectors
    5.18 +
    5.19 +FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
    5.20 +AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
    5.21 +ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
    5.22 +
    5.23 +all:  $(ALL_H_FILES)
    5.24 +
    5.25 +$(FLASK_H_FILES): $(FLASK_H_DEPEND)
    5.26 +	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
    5.27 +
    5.28 +$(AV_H_FILES): $(AV_H_DEPEND)
    5.29 +	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
    5.30 +
    5.31 +tolib: all
    5.32 +	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
    5.33 +	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
    5.34 +
    5.35 +tokern: all
    5.36 +	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
    5.37 +
    5.38 +install: all
    5.39 +
    5.40 +relabel:
    5.41 +
    5.42 +clean:  
    5.43 +	rm -f $(FLASK_H_FILES)
    5.44 +	rm -f $(AV_H_FILES)
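Review bot: the `tolib` and `tokern` targets at 5.31-5.36 install the generated headers into `$(LIBSEL)/include/selinux`, `$(LIBSEL)/src` and `$(LINUXDIR)/security/selinux/include`, that is, into a libselinux checkout and a Linux kernel tree; neither default (`../../libselinux`, `../../../linux-2.6`) resolves to anything inside the Xen tree from tools/flask/policy/policy/flask, and the consumer of these headers in Xen is the hypervisor's flask code, not Linux. Either point them at the hypervisor's header directory or remove them and keep only `all`/`clean`; the empty `install:` and `relabel:` targets at 5.38 and 5.40 look like the same refpolicy leftover.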
     6.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     6.2 +++ b/tools/flask/policy/policy/flask/access_vectors	Thu Sep 04 11:26:25 2008 +0100
     6.3 @@ -0,0 +1,166 @@
     6.4 +#
     6.5 +# Define common prefixes for access vectors
     6.6 +#
     6.7 +# common common_name { permission_name ... }
     6.8 +
     6.9 +#
    6.10 +# Define a common prefix for file access vectors.
    6.11 +#
    6.12 +
    6.13 +
    6.14 +#
    6.15 +# Define the access vectors.
    6.16 +#
    6.17 +# class class_name [ inherits common_name ] { permission_name ... }
    6.18 +
    6.19 +
    6.20 +#
    6.21 +# Define the access vector interpretation for file-related objects.
    6.22 +#
    6.23 +
    6.24 +class xen
    6.25 +{
    6.26 +	scheduler
    6.27 +	settime
    6.28 +	tbufcontrol
    6.29 +	readconsole
    6.30 +	clearconsole
    6.31 +	perfcontrol
    6.32 +	mtrr_add
    6.33 +	mtrr_del
    6.34 +	mtrr_read
    6.35 +	microcode
    6.36 +	physinfo
    6.37 +	quirk
    6.38 +    writeconsole
    6.39 +    readapic
    6.40 +    writeapic
    6.41 +    privprofile
    6.42 +    nonprivprofile
    6.43 +    kexec
    6.44 +	firmware
    6.45 +	sleep
    6.46 +	frequency
    6.47 +	getidle
    6.48 +	debug
    6.49 +	getcpuinfo
    6.50 +	heap
    6.51 +}
    6.52 +
    6.53 +class domain
    6.54 +{
    6.55 +	setvcpucontext
    6.56 +	pause
    6.57 +	unpause
    6.58 +    resume
    6.59 +    create
    6.60 +    transition
    6.61 +    max_vcpus
    6.62 +    destroy
    6.63 +    setvcpuaffinity
    6.64 +	getvcpuaffinity
    6.65 +	scheduler
    6.66 +	getdomaininfo
    6.67 +	getvcpuinfo
    6.68 +	getvcpucontext
    6.69 +	setdomainmaxmem
    6.70 +	setdomainhandle
    6.71 +	setdebugging
    6.72 +	hypercall
    6.73 +    settime
    6.74 +    set_target
    6.75 +    shutdown
    6.76 +    setaddrsize
    6.77 +    getaddrsize
    6.78 +	trigger
    6.79 +	getextvcpucontext
    6.80 +	setextvcpucontext
    6.81 +}
    6.82 +
    6.83 +class hvm
    6.84 +{
    6.85 +    sethvmc
    6.86 +    gethvmc
    6.87 +    setparam
    6.88 +    getparam
    6.89 +    pcilevel
    6.90 +    irqlevel
    6.91 +    pciroute
    6.92 +	bind_irq
    6.93 +	cacheattr
    6.94 +}
    6.95 +
    6.96 +class event
    6.97 +{
    6.98 +	bind
    6.99 +	send
   6.100 +	status
   6.101 +	notify
   6.102 +	create
   6.103 +    vector
   6.104 +    reset
   6.105 +}
   6.106 +
   6.107 +class grant
   6.108 +{
   6.109 +	map_read
   6.110 +	map_write
   6.111 +	unmap
   6.112 +	transfer
   6.113 +	setup
   6.114 +    copy
   6.115 +    query
   6.116 +}
   6.117 +
   6.118 +class mmu
   6.119 +{
   6.120 +	map_read
   6.121 +	map_write
   6.122 +	pageinfo
   6.123 +	pagelist
   6.124 +    adjust
   6.125 +    stat
   6.126 +    translategp
   6.127 +	updatemp
   6.128 +    physmap
   6.129 +    pinpage
   6.130 +    mfnlist
   6.131 +    memorymap
   6.132 +}
   6.133 +
   6.134 +class shadow
   6.135 +{
   6.136 +	disable
   6.137 +	enable
   6.138 +    logdirty
   6.139 +}
   6.140 +
   6.141 +class resource
   6.142 +{
   6.143 +	add
   6.144 +	remove
   6.145 +	use
   6.146 +	add_irq
   6.147 +	remove_irq
   6.148 +	add_ioport
   6.149 +	remove_ioport
   6.150 +	add_iomem
   6.151 +	remove_iomem
   6.152 +	stat_device
   6.153 +	add_device
   6.154 +	remove_device
   6.155 +}
   6.156 +
   6.157 +class security
   6.158 +{
   6.159 +	compute_av
   6.160 +	compute_create
   6.161 +	compute_member
   6.162 +	check_context
   6.163 +	load_policy
   6.164 +	compute_relabel
   6.165 +	compute_user
   6.166 +	setenforce
   6.167 +	setbool
   6.168 +	setsecparam
   6.169 +}
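Review bot: indentation in the class bodies mixes tabs and spaces (6.38 to 6.43 and 6.58 to 6.63 are space-indented while the neighbouring permissions are tab-indented); pick one so later permission additions produce readable diffs. The header comment at 6.21 ("access vector interpretation for file-related objects") is carried over from the SELinux policy and does not describe these hypervisor classes; reword it to say it defines the permissions of the xen, domain, hvm, event, grant, mmu, shadow, resource and security classes. It is also worth a comment that permission order inside a class is part of the generated ABI: mkaccess_vector.sh assigns bit values sequentially ("permission = permission * 2"), so a permission inserted in the middle of a class renumbers every permission after it.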
     7.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     7.2 +++ b/tools/flask/policy/policy/flask/initial_sids	Thu Sep 04 11:26:25 2008 +0100
     7.3 @@ -0,0 +1,17 @@
     7.4 +# FLASK
     7.5 +
     7.6 +#
     7.7 +# Define initial security identifiers 
     7.8 +#
     7.9 +sid xen
    7.10 +sid dom0
    7.11 +sid domU
    7.12 +sid domio
    7.13 +sid domxen
    7.14 +sid unlabeled
    7.15 +sid security
    7.16 +sid ioport
    7.17 +sid iomem
    7.18 +sid pirq
    7.19 +sid device
    7.20 +# FLASK
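Review bot: the order of the sid lines is significant and the file does not say so. mkflask.sh numbers initial SIDs in the order it reads them ("sid_value++" at 9.78), so SECINITSID_XEN is 1, SECINITSID_DOM0 is 2 and so on, and the hypervisor's use of those constants depends on that order. Add a comment above 7.9 along the lines of "# Do not reorder: SID values are assigned in file order and form an ABI with the hypervisor". A short comment on "sid unlabeled" explaining which objects fall back to it would also help, since in enforcing mode that label decides what any object without an explicit label may do.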
     8.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     8.2 +++ b/tools/flask/policy/policy/flask/mkaccess_vector.sh	Thu Sep 04 11:26:25 2008 +0100
     8.3 @@ -0,0 +1,227 @@
     8.4 +#!/bin/sh -
     8.5 +#
     8.6 +
     8.7 +# FLASK
     8.8 +
     8.9 +set -e
    8.10 +
    8.11 +awk=$1
    8.12 +shift
    8.13 +
    8.14 +# output files
    8.15 +av_permissions="av_permissions.h"
    8.16 +av_inherit="av_inherit.h"
    8.17 +common_perm_to_string="common_perm_to_string.h"
    8.18 +av_perm_to_string="av_perm_to_string.h"
    8.19 +
    8.20 +cat $* | $awk "
    8.21 +BEGIN	{
    8.22 +		outfile = \"$av_permissions\"
    8.23 +		inheritfile = \"$av_inherit\"
    8.24 +		cpermfile = \"$common_perm_to_string\"
    8.25 +		avpermfile = \"$av_perm_to_string\"
    8.26 +		"'
    8.27 +		nextstate = "COMMON_OR_AV";
    8.28 +		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
    8.29 +		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
    8.30 +		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
    8.31 +		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
    8.32 +;
    8.33 +	}
    8.34 +/^[ \t]*#/	{ 
    8.35 +			next;
    8.36 +		}
    8.37 +$1 == "common"	{ 
    8.38 +			if (nextstate != "COMMON_OR_AV")
    8.39 +			{
    8.40 +				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
    8.41 +				next;	
    8.42 +			}
    8.43 +
    8.44 +			if ($2 in common_defined)
    8.45 +			{
    8.46 +				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
    8.47 +				next;
    8.48 +			}	
    8.49 +			common_defined[$2] = 1;
    8.50 +
    8.51 +			tclass = $2;
    8.52 +			common_name = $2; 
    8.53 +			permission = 1;
    8.54 +
    8.55 +			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
    8.56 +
    8.57 +			nextstate = "COMMON-OPENBRACKET";
    8.58 +			next;
    8.59 +		}
    8.60 +$1 == "class"	{
    8.61 +			if (nextstate != "COMMON_OR_AV" &&
    8.62 +			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
    8.63 +			{
    8.64 +				printf("Parse error:  Unexpected class definition on line %d\n", NR);
    8.65 +				next;	
    8.66 +			}
    8.67 +
    8.68 +			tclass = $2;
    8.69 +
    8.70 +			if (tclass in av_defined)
    8.71 +			{
    8.72 +				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
    8.73 +				next;
    8.74 +			} 
    8.75 +			av_defined[tclass] = 1;
    8.76 +
    8.77 +			inherits = "";
    8.78 +			permission = 1;
    8.79 +
    8.80 +			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
    8.81 +			next;
    8.82 +		}
    8.83 +$1 == "inherits" {			
    8.84 +			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
    8.85 +			{
    8.86 +				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
    8.87 +				next;	
    8.88 +			}
    8.89 +
    8.90 +			if (!($2 in common_defined))
    8.91 +			{
    8.92 +				printf("COMMON %s is not defined (line %d).\n", $2, NR);
    8.93 +				next;
    8.94 +			}
    8.95 +
    8.96 +			inherits = $2;
    8.97 +			permission = common_base[$2];
    8.98 +
    8.99 +			for (combined in common_perms)
   8.100 +			{
   8.101 +				split(combined,separate, SUBSEP);
   8.102 +				if (separate[1] == inherits)
   8.103 +				{
   8.104 +					inherited_perms[common_perms[combined]] = separate[2];
   8.105 +				}
   8.106 +			}
   8.107 +
   8.108 +                        j = 1;
   8.109 +                        for (i in inherited_perms) {
   8.110 +                            ind[j] = i + 0;
   8.111 +                            j++;
   8.112 +                        }
   8.113 +                        n = asort(ind);
   8.114 +			for (i = 1; i <= n; i++) {
   8.115 +				perm = inherited_perms[ind[i]];
   8.116 +				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
   8.117 +				spaces = 40 - (length(perm) + length(tclass));
   8.118 +				if (spaces < 1)
   8.119 +				      spaces = 1;
   8.120 +				for (j = 0; j < spaces; j++) 
   8.121 +					printf(" ") > outfile; 
   8.122 +				printf("0x%08xUL\n", ind[i]) > outfile; 
   8.123 +			}
   8.124 +			printf("\n") > outfile;
   8.125 +                        for (i in ind) delete ind[i];
   8.126 +                        for (i in inherited_perms) delete inherited_perms[i];
   8.127 +
   8.128 +			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
   8.129 +
   8.130 +			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
   8.131 +			next;
   8.132 +		}
   8.133 +$1 == "{"	{ 
   8.134 +			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
   8.135 +			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
   8.136 +			    nextstate != "COMMON-OPENBRACKET")
   8.137 +			{
   8.138 +				printf("Parse error:  Unexpected { on line %d\n", NR);
   8.139 +				next;
   8.140 +			}
   8.141 +
   8.142 +			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
   8.143 +				nextstate = "CLASS-CLOSEBRACKET";
   8.144 +
   8.145 +			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
   8.146 +				nextstate = "CLASS-CLOSEBRACKET";
   8.147 +
   8.148 +			if (nextstate == "COMMON-OPENBRACKET")
   8.149 +				nextstate = "COMMON-CLOSEBRACKET";
   8.150 +		}
   8.151 +/[a-z][a-z_]*/	{
   8.152 +			if (nextstate != "COMMON-CLOSEBRACKET" &&
   8.153 +			    nextstate != "CLASS-CLOSEBRACKET")
   8.154 +			{
   8.155 +				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
   8.156 +				next;
   8.157 +			}
   8.158 +
   8.159 +			if (nextstate == "COMMON-CLOSEBRACKET")
   8.160 +			{
   8.161 +				if ((common_name,$1) in common_perms)
   8.162 +				{
   8.163 +					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
   8.164 +					next;
   8.165 +				}
   8.166 +
   8.167 +				common_perms[common_name,$1] = permission;
   8.168 +
   8.169 +				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
   8.170 +
   8.171 +				printf("    S_(\"%s\")\n", $1) > cpermfile;
   8.172 +			}
   8.173 +			else
   8.174 +			{
   8.175 +				if ((tclass,$1) in av_perms)
   8.176 +				{
   8.177 +					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
   8.178 +					next;
   8.179 +				}
   8.180 +
   8.181 +				av_perms[tclass,$1] = permission;
   8.182 +		
   8.183 +				if (inherits != "")
   8.184 +				{
   8.185 +					if ((inherits,$1) in common_perms)
   8.186 +					{
   8.187 +						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
   8.188 +						next;
   8.189 +					}
   8.190 +				}
   8.191 +
   8.192 +				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
   8.193 +
   8.194 +				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
   8.195 +			}
   8.196 +
   8.197 +			spaces = 40 - (length($1) + length(tclass));
   8.198 +			if (spaces < 1)
   8.199 +			      spaces = 1;
   8.200 +
   8.201 +			for (i = 0; i < spaces; i++) 
   8.202 +				printf(" ") > outfile; 
   8.203 +			printf("0x%08xUL\n", permission) > outfile; 
   8.204 +			permission = permission * 2;
   8.205 +		}
   8.206 +$1 == "}"	{
   8.207 +			if (nextstate != "CLASS-CLOSEBRACKET" && 
   8.208 +			    nextstate != "COMMON-CLOSEBRACKET")
   8.209 +			{
   8.210 +				printf("Parse error:  Unexpected } on line %d\n", NR);
   8.211 +				next;
   8.212 +			}
   8.213 +
   8.214 +			if (nextstate == "COMMON-CLOSEBRACKET")
   8.215 +			{
   8.216 +				common_base[common_name] = permission;
   8.217 +				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
   8.218 +			}
   8.219 +
   8.220 +			printf("\n") > outfile;
   8.221 +
   8.222 +			nextstate = "COMMON_OR_AV";
   8.223 +		}
   8.224 +END	{
   8.225 +		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
   8.226 +			printf("Parse error:  Unexpected end of file\n");
   8.227 +
   8.228 +	}'
   8.229 +
   8.230 +# FLASK
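Review bot: the printf at 8.187 has three conversions but four arguments ($1, tclass, inherits, NR), so %d receives the string in inherits and the line number is dropped; either add a conversion for the common name ("Permission %s in %s on line %d conflicts with common %s.") with the arguments reordered, or remove the inherits argument. More important, none of the parse-error branches sets a non-zero exit status: they print to stdout and continue with next, so "set -e" at 8.9 never fires and a malformed access_vectors file yields a truncated av_permissions.h and av_perm_to_string.h that still compile. Send the diagnostics to "/dev/stderr", set a flag, and exit(1) from the END block when the flag is set. Two smaller points: asort() at 8.113 is a gawk extension, so the $awk parameter cannot be mawk or nawk (document that or replace the call with a small insertion sort), and "permission = permission * 2" at 8.204 has no guard against a class exceeding 32 permissions (domain already has 26), after which the generated 0x%08xUL values silently wrap.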
     9.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     9.2 +++ b/tools/flask/policy/policy/flask/mkflask.sh	Thu Sep 04 11:26:25 2008 +0100
     9.3 @@ -0,0 +1,95 @@
     9.4 +#!/bin/sh -
     9.5 +#
     9.6 +
     9.7 +# FLASK
     9.8 +
     9.9 +set -e
    9.10 +
    9.11 +awk=$1
    9.12 +shift 1
    9.13 +
    9.14 +# output file
    9.15 +output_file="flask.h"
    9.16 +debug_file="class_to_string.h"
    9.17 +debug_file2="initial_sid_to_string.h"
    9.18 +
    9.19 +cat $* | $awk "
    9.20 +BEGIN	{
    9.21 +		outfile = \"$output_file\"
    9.22 +		debugfile = \"$debug_file\"
    9.23 +		debugfile2 = \"$debug_file2\"
    9.24 +		"'
    9.25 +		nextstate = "CLASS";
    9.26 +
    9.27 +		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
    9.28 +
    9.29 +		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
    9.30 +		printf("#define _SELINUX_FLASK_H_\n") > outfile;
    9.31 +		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
    9.32 +		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
    9.33 +		printf("/*\n * Security object class definitions\n */\n") > debugfile;
    9.34 +		printf("    S_(\"null\")\n") > debugfile;
    9.35 +		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
    9.36 +		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
    9.37 +		printf("    \"null\",\n") > debugfile2;
    9.38 +	}
    9.39 +/^[ \t]*#/	{ 
    9.40 +			next;
    9.41 +		}
    9.42 +$1 == "class"	{ 
    9.43 +			if (nextstate != "CLASS")
    9.44 +			{
    9.45 +				printf("Parse error:  Unexpected class definition on line %d\n", NR);
    9.46 +				next;	
    9.47 +			}
    9.48 +
    9.49 +			if ($2 in class_found)
    9.50 +			{
    9.51 +				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
    9.52 +				next;
    9.53 +			}	
    9.54 +			class_found[$2] = 1;
    9.55 +
    9.56 +			class_value++;
    9.57 +
    9.58 +			printf("#define SECCLASS_%s", toupper($2)) > outfile;
    9.59 +			for (i = 0; i < 40 - length($2); i++) 
    9.60 +				printf(" ") > outfile; 
    9.61 +			printf("%d\n", class_value) > outfile; 
    9.62 +
    9.63 +			printf("    S_(\"%s\")\n", $2) > debugfile;
    9.64 +		}
    9.65 +$1 == "sid"	{ 
    9.66 +			if (nextstate == "CLASS")
    9.67 +			{
    9.68 +			    nextstate = "SID";
    9.69 +			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
    9.70 +			}
    9.71 +
    9.72 +			if ($2 in sid_found)
    9.73 +			{
    9.74 +				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
    9.75 +				next;
    9.76 +			}	
    9.77 +			sid_found[$2] = 1;
    9.78 +			sid_value++;
    9.79 +
    9.80 +			printf("#define SECINITSID_%s", toupper($2)) > outfile;
    9.81 +			for (i = 0; i < 37 - length($2); i++) 
    9.82 +				printf(" ") > outfile; 
    9.83 +			printf("%d\n", sid_value) > outfile; 
    9.84 +			printf("    \"%s\",\n", $2) > debugfile2;
    9.85 +		}
    9.86 +END	{
    9.87 +		if (nextstate != "SID")
    9.88 +			printf("Parse error:  Unexpected end of file\n");
    9.89 +
    9.90 +		printf("\n#define SECINITSID_NUM") > outfile;
    9.91 +		for (i = 0; i < 34; i++) 
    9.92 +			printf(" ") > outfile; 
    9.93 +		printf("%d\n", sid_value) > outfile; 
    9.94 +		printf("\n#endif\n") > outfile;
    9.95 +		printf("};\n\n") > debugfile2;
    9.96 +	}'
    9.97 +
    9.98 +# FLASK
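Review bot: the parse errors at 9.45, 9.51, 9.74 and 9.88 are written to stdout and the script still exits 0, so "set -e" at 9.9 does not stop the build and a bad security_classes or initial_sids file produces a flask.h whose SECCLASS_ and SECINITSID_ numbering has gaps, with the mismatched class_to_string.h and initial_sid_to_string.h beside it. Write the diagnostics to "/dev/stderr", record an error flag and "exit 1" from the END block. Minor: the generated table at 9.36 should be "static const char *initial_sid_to_string[]" since the strings are never modified, and a one-line comment on the expected input order (all class lines, then all sid lines, which the nextstate check at 9.43 enforces) would help anyone editing those inputs.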
    10.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    10.2 +++ b/tools/flask/policy/policy/flask/security_classes	Thu Sep 04 11:26:25 2008 +0100
    10.3 @@ -0,0 +1,20 @@
    10.4 +# FLASK
    10.5 +
    10.6 +#
    10.7 +# Define the security object classes 
    10.8 +#
    10.9 +
   10.10 +# Classes marked as userspace are classes
   10.11 +# for userspace object managers
   10.12 +
   10.13 +class xen
   10.14 +class domain
   10.15 +class hvm
   10.16 +class mmu
   10.17 +class resource
   10.18 +class shadow
   10.19 +class event
   10.20 +class grant
   10.21 +class security
   10.22 +
   10.23 +# FLASK
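Review bot: the comment at 10.10 and 10.11 ("Classes marked as userspace ...") is copied from the SELinux policy, but no class here carries such a mark and mkflask.sh does not recognise one, so drop it or replace it with what actually matters for this file: mkflask.sh assigns SECCLASS_ values in the order the classes appear ("class_value++" at 9.56), so this list is an ABI with the hypervisor and must not be reordered. The order here (xen domain hvm mmu resource shadow event grant security) also differs from the order in which the same classes are defined in access_vectors; that is harmless because mkaccess_vector.sh works by name, but keeping the two files in the same order avoids confusion when adding a class.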
    11.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    11.2 +++ b/tools/flask/policy/policy/global_booleans	Thu Sep 04 11:26:25 2008 +0100
    11.3 @@ -0,0 +1,5 @@
    11.4 +#
    11.5 +# This file is for the declaration of global booleans.
    11.6 +# To change the default value at build time, the booleans.conf
    11.7 +# file should be used.
    11.8 +#
    12.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    12.2 +++ b/tools/flask/policy/policy/global_tunables	Thu Sep 04 11:26:25 2008 +0100
    12.3 @@ -0,0 +1,6 @@
    12.4 +#
    12.5 +# This file is for the declaration of global tunables.
    12.6 +# To change the default value at build time, the booleans.conf
    12.7 +# file should be used.
    12.8 +#
    12.9 +
    13.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    13.2 +++ b/tools/flask/policy/policy/mcs	Thu Sep 04 11:26:25 2008 +0100
    13.3 @@ -0,0 +1,324 @@
    13.4 +ifdef(`enable_mcs',`
    13.5 +#
    13.6 +# Define sensitivities 
    13.7 +#
    13.8 +# Each sensitivity has a name and zero or more aliases.
    13.9 +#
   13.10 +# MCS is single-sensitivity.
   13.11 +#
   13.12 +sensitivity s0;
   13.13 +
   13.14 +#
   13.15 +# Define the ordering of the sensitivity levels (least to greatest)
   13.16 +#
   13.17 +dominance { s0 }
   13.18 +
   13.19 +
   13.20 +#
   13.21 +# Define the categories
   13.22 +#
   13.23 +# Each category has a name and zero or more aliases.
   13.24 +#
   13.25 +category c0;
   13.26 +category c1;
   13.27 +category c2;
   13.28 +category c3;
   13.29 +category c4;
   13.30 +category c5;
   13.31 +category c6;
   13.32 +category c7;
   13.33 +category c8;
   13.34 +category c9;
   13.35 +category c10;
   13.36 +category c11;
   13.37 +category c12;
   13.38 +category c13;
   13.39 +category c14;
   13.40 +category c15;
   13.41 +category c16;
   13.42 +category c17;
   13.43 +category c18;
   13.44 +category c19;
   13.45 +category c20;
   13.46 +category c21;
   13.47 +category c22;
   13.48 +category c23;
   13.49 +category c24;
   13.50 +category c25;
   13.51 +category c26;
   13.52 +category c27;
   13.53 +category c28;
   13.54 +category c29;
   13.55 +category c30;
   13.56 +category c31;
   13.57 +category c32;
   13.58 +category c33;
   13.59 +category c34;
   13.60 +category c35;
   13.61 +category c36;
   13.62 +category c37;
   13.63 +category c38;
   13.64 +category c39;
   13.65 +category c40;
   13.66 +category c41;
   13.67 +category c42;
   13.68 +category c43;
   13.69 +category c44;
   13.70 +category c45;
   13.71 +category c46;
   13.72 +category c47;
   13.73 +category c48;
   13.74 +category c49;
   13.75 +category c50;
   13.76 +category c51;
   13.77 +category c52;
   13.78 +category c53;
   13.79 +category c54;
   13.80 +category c55;
   13.81 +category c56;
   13.82 +category c57;
   13.83 +category c58;
   13.84 +category c59;
   13.85 +category c60;
   13.86 +category c61;
   13.87 +category c62;
   13.88 +category c63;
   13.89 +category c64;
   13.90 +category c65;
   13.91 +category c66;
   13.92 +category c67;
   13.93 +category c68;
   13.94 +category c69;
   13.95 +category c70;
   13.96 +category c71;
   13.97 +category c72;
   13.98 +category c73;
   13.99 +category c74;
  13.100 +category c75;
  13.101 +category c76;
  13.102 +category c77;
  13.103 +category c78;
  13.104 +category c79;
  13.105 +category c80;
  13.106 +category c81;
  13.107 +category c82;
  13.108 +category c83;
  13.109 +category c84;
  13.110 +category c85;
  13.111 +category c86;
  13.112 +category c87;
  13.113 +category c88;
  13.114 +category c89;
  13.115 +category c90;
  13.116 +category c91;
  13.117 +category c92;
  13.118 +category c93;
  13.119 +category c94;
  13.120 +category c95;
  13.121 +category c96;
  13.122 +category c97;
  13.123 +category c98;
  13.124 +category c99;
  13.125 +category c100;
  13.126 +category c101;
  13.127 +category c102;
  13.128 +category c103;
  13.129 +category c104;
  13.130 +category c105;
  13.131 +category c106;
  13.132 +category c107;
  13.133 +category c108;
  13.134 +category c109;
  13.135 +category c110;
  13.136 +category c111;
  13.137 +category c112;
  13.138 +category c113;
  13.139 +category c114;
  13.140 +category c115;
  13.141 +category c116;
  13.142 +category c117;
  13.143 +category c118;
  13.144 +category c119;
  13.145 +category c120;
  13.146 +category c121;
  13.147 +category c122;
  13.148 +category c123;
  13.149 +category c124;
  13.150 +category c125;
  13.151 +category c126;
  13.152 +category c127;
  13.153 +category c128;
  13.154 +category c129;
  13.155 +category c130;
  13.156 +category c131;
  13.157 +category c132;
  13.158 +category c133;
  13.159 +category c134;
  13.160 +category c135;
  13.161 +category c136;
  13.162 +category c137;
  13.163 +category c138;
  13.164 +category c139;
  13.165 +category c140;
  13.166 +category c141;
  13.167 +category c142;
  13.168 +category c143;
  13.169 +category c144;
  13.170 +category c145;
  13.171 +category c146;
  13.172 +category c147;
  13.173 +category c148;
  13.174 +category c149;
  13.175 +category c150;
  13.176 +category c151;
  13.177 +category c152;
  13.178 +category c153;
  13.179 +category c154;
  13.180 +category c155;
  13.181 +category c156;
  13.182 +category c157;
  13.183 +category c158;
  13.184 +category c159;
  13.185 +category c160;
  13.186 +category c161;
  13.187 +category c162;
  13.188 +category c163;
  13.189 +category c164;
  13.190 +category c165;
  13.191 +category c166;
  13.192 +category c167;
  13.193 +category c168;
  13.194 +category c169;
  13.195 +category c170;
  13.196 +category c171;
  13.197 +category c172;
  13.198 +category c173;
  13.199 +category c174;
  13.200 +category c175;
  13.201 +category c176;
  13.202 +category c177;
  13.203 +category c178;
  13.204 +category c179;
  13.205 +category c180;
  13.206 +category c181;
  13.207 +category c182;
  13.208 +category c183;
  13.209 +category c184;
  13.210 +category c185;
  13.211 +category c186;
  13.212 +category c187;
  13.213 +category c188;
  13.214 +category c189;
  13.215 +category c190;
  13.216 +category c191;
  13.217 +category c192;
  13.218 +category c193;
  13.219 +category c194;
  13.220 +category c195;
  13.221 +category c196;
  13.222 +category c197;
  13.223 +category c198;
  13.224 +category c199;
  13.225 +category c200;
  13.226 +category c201;
  13.227 +category c202;
  13.228 +category c203;
  13.229 +category c204;
  13.230 +category c205;
  13.231 +category c206;
  13.232 +category c207;
  13.233 +category c208;
  13.234 +category c209;
  13.235 +category c210;
  13.236 +category c211;
  13.237 +category c212;
  13.238 +category c213;
  13.239 +category c214;
  13.240 +category c215;
  13.241 +category c216;
  13.242 +category c217;
  13.243 +category c218;
  13.244 +category c219;
  13.245 +category c220;
  13.246 +category c221;
  13.247 +category c222;
  13.248 +category c223;
  13.249 +category c224;
  13.250 +category c225;
  13.251 +category c226;
  13.252 +category c227;
  13.253 +category c228;
  13.254 +category c229;
  13.255 +category c230;
  13.256 +category c231;
  13.257 +category c232;
  13.258 +category c233;
  13.259 +category c234;
  13.260 +category c235;
  13.261 +category c236;
  13.262 +category c237;
  13.263 +category c238;
  13.264 +category c239;
  13.265 +category c240;
  13.266 +category c241;
  13.267 +category c242;
  13.268 +category c243;
  13.269 +category c244;
  13.270 +category c245;
  13.271 +category c246;
  13.272 +category c247;
  13.273 +category c248;
  13.274 +category c249;
  13.275 +category c250;
  13.276 +category c251;
  13.277 +category c252;
  13.278 +category c253;
  13.279 +category c254;
  13.280 +category c255;
  13.281 +
  13.282 +
  13.283 +#
  13.284 +# Each MCS level specifies a sensitivity and zero or more categories which may
  13.285 +# be associated with that sensitivity.
  13.286 +#
  13.287 +level s0:c0.c255;
  13.288 +
  13.289 +#
  13.290 +# Define the MCS policy
  13.291 +#
  13.292 +# mlsconstrain class_set perm_set expression ;
  13.293 +#
  13.294 +# mlsvalidatetrans class_set expression ;
  13.295 +#
  13.296 +# expression : ( expression )
  13.297 +#	     | not expression
  13.298 +#	     | expression and expression
  13.299 +#	     | expression or expression
  13.300 +#	     | u1 op u2
  13.301 +#	     | r1 role_mls_op r2
  13.302 +#	     | t1 op t2
  13.303 +#	     | l1 role_mls_op l2
  13.304 +#	     | l1 role_mls_op h2
  13.305 +#	     | h1 role_mls_op l2
  13.306 +#	     | h1 role_mls_op h2
  13.307 +#	     | l1 role_mls_op h1
  13.308 +#	     | l2 role_mls_op h2
  13.309 +#	     | u1 op names
  13.310 +#	     | u2 op names
  13.311 +#	     | r1 op names
  13.312 +#	     | r2 op names
  13.313 +#	     | t1 op names
  13.314 +#	     | t2 op names
  13.315 +#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
  13.316 +#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
  13.317 +#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
  13.318 +#
  13.319 +# op : == | !=
  13.320 +# role_mls_op : == | != | eq | dom | domby | incomp
  13.321 +#
  13.322 +# names : name | { name_list }
  13.323 +# name_list : name | name_list name
  13.324 +#
  13.325 +
  13.326 +
  13.327 +') dnl end enable_mcs
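Review bot: the "Define the MCS policy" section starting at 13.289 contains only the grammar comment and no mlsconstrain or mlsvalidatetrans rule, so building with enable_mcs gives every domain a level of s0 with categories but enforces nothing on it. Either add the constraints that separate domains on the domain, grant, event and mmu classes, or state in the header that MCS is declared but not yet enforced, so nobody reading a label assumes category separation from it. Declaring all 256 categories and "level s0:c0.c255;" is fine as a lattice, but a comment marking it as a placeholder would make the intent clear.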
    14.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    14.2 +++ b/tools/flask/policy/policy/mls	Thu Sep 04 11:26:25 2008 +0100
    14.3 @@ -0,0 +1,354 @@
    14.4 +
    14.5 +ifdef(`enable_mls',`
    14.6 +#
    14.7 +# Define sensitivities 
    14.8 +#
    14.9 +# Each sensitivity has a name and zero or more aliases.
   14.10 +#
   14.11 +sensitivity s0;
   14.12 +sensitivity s1;
   14.13 +sensitivity s2;
   14.14 +sensitivity s3;
   14.15 +sensitivity s4;
   14.16 +sensitivity s5;
   14.17 +sensitivity s6;
   14.18 +sensitivity s7;
   14.19 +sensitivity s8;
   14.20 +sensitivity s9;
   14.21 +sensitivity s10;
   14.22 +sensitivity s11;
   14.23 +sensitivity s12;
   14.24 +sensitivity s13;
   14.25 +sensitivity s14;
   14.26 +sensitivity s15;
   14.27 +
   14.28 +#
   14.29 +# Define the ordering of the sensitivity levels (least to greatest)
   14.30 +#
   14.31 +dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
   14.32 +
   14.33 +
   14.34 +#
   14.35 +# Define the categories
   14.36 +#
   14.37 +# Each category has a name and zero or more aliases.
   14.38 +#
   14.39 +category c0;
   14.40 +category c1;
   14.41 +category c2;
   14.42 +category c3;
   14.43 +category c4;
   14.44 +category c5;
   14.45 +category c6;
   14.46 +category c7;
   14.47 +category c8;
   14.48 +category c9;
   14.49 +category c10;
   14.50 +category c11;
   14.51 +category c12;
   14.52 +category c13;
   14.53 +category c14;
   14.54 +category c15;
   14.55 +category c16;
   14.56 +category c17;
   14.57 +category c18;
   14.58 +category c19;
   14.59 +category c20;
   14.60 +category c21;
   14.61 +category c22;
   14.62 +category c23;
   14.63 +category c24;
   14.64 +category c25;
   14.65 +category c26;
   14.66 +category c27;
   14.67 +category c28;
   14.68 +category c29;
   14.69 +category c30;
   14.70 +category c31;
   14.71 +category c32;
   14.72 +category c33;
   14.73 +category c34;
   14.74 +category c35;
   14.75 +category c36;
   14.76 +category c37;
   14.77 +category c38;
   14.78 +category c39;
   14.79 +category c40;
   14.80 +category c41;
   14.81 +category c42;
   14.82 +category c43;
   14.83 +category c44;
   14.84 +category c45;
   14.85 +category c46;
   14.86 +category c47;
   14.87 +category c48;
   14.88 +category c49;
   14.89 +category c50;
   14.90 +category c51;
   14.91 +category c52;
   14.92 +category c53;
   14.93 +category c54;
   14.94 +category c55;
   14.95 +category c56;
   14.96 +category c57;
   14.97 +category c58;
   14.98 +category c59;
   14.99 +category c60;
  14.100 +category c61;
  14.101 +category c62;
  14.102 +category c63;
  14.103 +category c64;
  14.104 +category c65;
  14.105 +category c66;
  14.106 +category c67;
  14.107 +category c68;
  14.108 +category c69;
  14.109 +category c70;
  14.110 +category c71;
  14.111 +category c72;
  14.112 +category c73;
  14.113 +category c74;
  14.114 +category c75;
  14.115 +category c76;
  14.116 +category c77;
  14.117 +category c78;
  14.118 +category c79;
  14.119 +category c80;
  14.120 +category c81;
  14.121 +category c82;
  14.122 +category c83;
  14.123 +category c84;
  14.124 +category c85;
  14.125 +category c86;
  14.126 +category c87;
  14.127 +category c88;
  14.128 +category c89;
  14.129 +category c90;
  14.130 +category c91;
  14.131 +category c92;
  14.132 +category c93;
  14.133 +category c94;
  14.134 +category c95;
  14.135 +category c96;
  14.136 +category c97;
  14.137 +category c98;
  14.138 +category c99;
  14.139 +category c100;
  14.140 +category c101;
  14.141 +category c102;
  14.142 +category c103;
  14.143 +category c104;
  14.144 +category c105;
  14.145 +category c106;
  14.146 +category c107;
  14.147 +category c108;
  14.148 +category c109;
  14.149 +category c110;
  14.150 +category c111;
  14.151 +category c112;
  14.152 +category c113;
  14.153 +category c114;
  14.154 +category c115;
  14.155 +category c116;
  14.156 +category c117;
  14.157 +category c118;
  14.158 +category c119;
  14.159 +category c120;
  14.160 +category c121;
  14.161 +category c122;
  14.162 +category c123;
  14.163 +category c124;
  14.164 +category c125;
  14.165 +category c126;
  14.166 +category c127;
  14.167 +category c128;
  14.168 +category c129;
  14.169 +category c130;
  14.170 +category c131;
  14.171 +category c132;
  14.172 +category c133;
  14.173 +category c134;
  14.174 +category c135;
  14.175 +category c136;
  14.176 +category c137;
  14.177 +category c138;
  14.178 +category c139;
  14.179 +category c140;
  14.180 +category c141;
  14.181 +category c142;
  14.182 +category c143;
  14.183 +category c144;
  14.184 +category c145;
  14.185 +category c146;
  14.186 +category c147;
  14.187 +category c148;
  14.188 +category c149;
  14.189 +category c150;
  14.190 +category c151;
  14.191 +category c152;
  14.192 +category c153;
  14.193 +category c154;
  14.194 +category c155;
  14.195 +category c156;
  14.196 +category c157;
  14.197 +category c158;
  14.198 +category c159;
  14.199 +category c160;
  14.200 +category c161;
  14.201 +category c162;
  14.202 +category c163;
  14.203 +category c164;
  14.204 +category c165;
  14.205 +category c166;
  14.206 +category c167;
  14.207 +category c168;
  14.208 +category c169;
  14.209 +category c170;
  14.210 +category c171;
  14.211 +category c172;
  14.212 +category c173;
  14.213 +category c174;
  14.214 +category c175;
  14.215 +category c176;
  14.216 +category c177;
  14.217 +category c178;
  14.218 +category c179;
  14.219 +category c180;
  14.220 +category c181;
  14.221 +category c182;
  14.222 +category c183;
  14.223 +category c184;
  14.224 +category c185;
  14.225 +category c186;
  14.226 +category c187;
  14.227 +category c188;
  14.228 +category c189;
  14.229 +category c190;
  14.230 +category c191;
  14.231 +category c192;
  14.232 +category c193;
  14.233 +category c194;
  14.234 +category c195;
  14.235 +category c196;
  14.236 +category c197;
  14.237 +category c198;
  14.238 +category c199;
  14.239 +category c200;
  14.240 +category c201;
  14.241 +category c202;
  14.242 +category c203;
  14.243 +category c204;
  14.244 +category c205;
  14.245 +category c206;
  14.246 +category c207;
  14.247 +category c208;
  14.248 +category c209;
  14.249 +category c210;
  14.250 +category c211;
  14.251 +category c212;
  14.252 +category c213;
  14.253 +category c214;
  14.254 +category c215;
  14.255 +category c216;
  14.256 +category c217;
  14.257 +category c218;
  14.258 +category c219;
  14.259 +category c220;
  14.260 +category c221;
  14.261 +category c222;
  14.262 +category c223;
  14.263 +category c224;
  14.264 +category c225;
  14.265 +category c226;
  14.266 +category c227;
  14.267 +category c228;
  14.268 +category c229;
  14.269 +category c230;
  14.270 +category c231;
  14.271 +category c232;
  14.272 +category c233;
  14.273 +category c234;
  14.274 +category c235;
  14.275 +category c236;
  14.276 +category c237;
  14.277 +category c238;
  14.278 +category c239;
  14.279 +category c240;
  14.280 +category c241;
  14.281 +category c242;
  14.282 +category c243;
  14.283 +category c244;
  14.284 +category c245;
  14.285 +category c246;
  14.286 +category c247;
  14.287 +category c248;
  14.288 +category c249;
  14.289 +category c250;
  14.290 +category c251;
  14.291 +category c252;
  14.292 +category c253;
  14.293 +category c254;
  14.294 +category c255;
  14.295 +
  14.296 +
  14.297 +#
  14.298 +# Each MLS level specifies a sensitivity and zero or more categories which may
  14.299 +# be associated with that sensitivity.
  14.300 +#
  14.301 +level s0:c0.c255;
  14.302 +level s1:c0.c255;
  14.303 +level s2:c0.c255;
  14.304 +level s3:c0.c255;
  14.305 +level s4:c0.c255;
  14.306 +level s5:c0.c255;
  14.307 +level s6:c0.c255;
  14.308 +level s7:c0.c255;
  14.309 +level s8:c0.c255;
  14.310 +level s9:c0.c255;
  14.311 +level s10:c0.c255;
  14.312 +level s11:c0.c255;
  14.313 +level s12:c0.c255;
  14.314 +level s13:c0.c255;
  14.315 +level s14:c0.c255;
  14.316 +level s15:c0.c255;
  14.317 +
  14.318 +
  14.319 +#
  14.320 +# Define the MLS policy
  14.321 +#
  14.322 +# mlsconstrain class_set perm_set expression ;
  14.323 +#
  14.324 +# mlsvalidatetrans class_set expression ;
  14.325 +#
  14.326 +# expression : ( expression )
  14.327 +#	     | not expression
  14.328 +#	     | expression and expression
  14.329 +#	     | expression or expression
  14.330 +#	     | u1 op u2
  14.331 +#	     | r1 role_mls_op r2
  14.332 +#	     | t1 op t2
  14.333 +#	     | l1 role_mls_op l2
  14.334 +#	     | l1 role_mls_op h2
  14.335 +#	     | h1 role_mls_op l2
  14.336 +#	     | h1 role_mls_op h2
  14.337 +#	     | l1 role_mls_op h1
  14.338 +#	     | l2 role_mls_op h2
  14.339 +#	     | u1 op names
  14.340 +#	     | u2 op names
  14.341 +#	     | r1 op names
  14.342 +#	     | r2 op names
  14.343 +#	     | t1 op names
  14.344 +#	     | t2 op names
  14.345 +#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
  14.346 +#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
  14.347 +#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
  14.348 +#
  14.349 +# op : == | !=
  14.350 +# role_mls_op : == | != | eq | dom | domby | incomp
  14.351 +#
  14.352 +# names : name | { name_list }
  14.353 +# name_list : name | name_list name
  14.354 +#
  14.355 +
  14.356 +
  14.357 +') dnl end enable_mls
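Review bot: the "Define the MLS policy" section at 14.320-14.354 consists only of the mlsconstrain/mlsvalidatetrans grammar comment and declares no constraint at all, so a build with enable_mls defined gets 16 sensitivities (14.301-14.316) and 256 categories (up to c255 at 14.294) but never enforces an MLS rule. Either add the intended mlsconstrain rules here or say in the comment that constraints are deliberately left empty in this sample policy, so nobody assumes MLS separation is enforced merely because the macro is enabled.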
    15.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    15.2 +++ b/tools/flask/policy/policy/modules.conf	Thu Sep 04 11:26:25 2008 +0100
    15.3 @@ -0,0 +1,21 @@
    15.4 +#
    15.5 +# This file contains a listing of available modules.
    15.6 +# To prevent a module from  being used in policy
    15.7 +# creation, set the module name to "off".
    15.8 +#
    15.9 +# For monolithic policies, modules set to "base" and "module"
   15.10 +# will be built into the policy.
   15.11 +#
   15.12 +# For modular policies, modules set to "base" will be
   15.13 +# included in the base module.  "module" will be compiled
   15.14 +# as individual loadable modules.
   15.15 +#
   15.16 +
   15.17 +# Layer: xen
   15.18 +# Module: xen
   15.19 +# Required in base
   15.20 +#
   15.21 +# Policy for xen.
   15.22 +# 
   15.23 +xen = base
   15.24 +
    16.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    16.2 +++ b/tools/flask/policy/policy/modules/xen/xen.if	Thu Sep 04 11:26:25 2008 +0100
    16.3 @@ -0,0 +1,1 @@
    16.4 +#
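Review bot: xen.if contains only a bare "#", while the create_domain, manage_domain and create_channel macros that other modules would call are defined in xen.te (17.31-17.65) with plain m4 define() rather than the interface()/template() wrappers provided by loadable_module.spt. In the reference-policy layout these belong in the .if file so the modular build (Rules.modular) can expose them; either move them here wrapped as interface(`create_domain', ...) or leave a comment in xen.if stating that the interfaces are intentionally kept in xen.te for this sample.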
    17.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    17.2 +++ b/tools/flask/policy/policy/modules/xen/xen.te	Thu Sep 04 11:26:25 2008 +0100
    17.3 @@ -0,0 +1,135 @@
    17.4 +attribute xen_type;
    17.5 +attribute domain_type;
    17.6 +attribute resource_type;
    17.7 +attribute event_type;
    17.8 +
    17.9 +type xen_t, xen_type, domain_type;
   17.10 +
   17.11 +type dom0_t, domain_type;
   17.12 +
   17.13 +type domio_t, domain_type;
   17.14 +
   17.15 +type domxen_t, domain_type;
   17.16 +
   17.17 +type unlabeled_t, domain_type;
   17.18 +
   17.19 +type security_t, domain_type;
   17.20 +
   17.21 +type pirq_t, resource_type;
   17.22 +type ioport_t, resource_type;
   17.23 +type iomem_t, resource_type;
   17.24 +type device_t, resource_type;
   17.25 +
   17.26 +################################################################################
   17.27 +#
   17.28 +# create_domain(priv_dom, domain, channel)
   17.29 +#
   17.30 +################################################################################
   17.31 +define(`create_domain', `
   17.32 +	type $2, domain_type;
   17.33 +	allow $1 $2:domain {create max_vcpus setdomainmaxmem 
   17.34 +				setaddrsize getdomaininfo hypercall 
   17.35 +				setvcpucontext scheduler unpause 
   17.36 +				getvcpuinfo getaddrsize getvcpuaffinity};
   17.37 +	allow $1 $2:shadow {enable};
   17.38 +	allow $1 $2:mmu {map_read map_write memorymap adjust pinpage};
   17.39 +	allow $2 $2:mmu {map_read map_write pinpage};
   17.40 +	allow $2 domio_t:mmu {map_read};
   17.41 +	allow $2 $2:grant {query setup};
   17.42 +	allow $1 $2:grant {map_read unmap};
   17.43 +	allow $1 $3:event {create};
   17.44 +')
   17.45 +
   17.46 +################################################################################
   17.47 +#
   17.48 +# manage_domain(priv_dom, domain)
   17.49 +#
   17.50 +################################################################################
   17.51 +define(`manage_domain', `
   17.52 +	allow $1 $2:domain {pause destroy};
   17.53 +')
   17.54 +
   17.55 +################################################################################
   17.56 +#
   17.57 +# create_channel(caller, peer, channel)
   17.58 +#
   17.59 +################################################################################
   17.60 +define(`create_channel', `
   17.61 +	type $3, event_type;
   17.62 +	type_transition $1 $2:event $3;
   17.63 +	allow $1 $3:event {create};
   17.64 +	allow $3 $2:event {bind};
   17.65 +')
   17.66 +
   17.67 +################################################################################
   17.68 +#
   17.69 +# Boot the hypervisor and dom0
   17.70 +#
   17.71 +################################################################################
   17.72 +allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del 
   17.73 +scheduler physinfo heap quirk readconsole writeconsole settime microcode};
   17.74 +
   17.75 +allow dom0_t domio_t:mmu {map_read map_write};
   17.76 +allow dom0_t iomem_t:mmu {map_read map_write};
   17.77 +allow dom0_t pirq_t:event {vector};
   17.78 +allow dom0_t xen_t:mmu {memorymap};
   17.79 +
   17.80 +allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust};
   17.81 +allow dom0_t dom0_t:grant {query setup};
   17.82 +allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo getvcpuaffinity};
   17.83 +
   17.84 +allow xen_t dom0_t:domain {create};
   17.85 +allow xen_t dom0_t:resource {add remove};
   17.86 +allow xen_t ioport_t:resource {add_ioport remove_ioport};
   17.87 +allow dom0_t ioport_t:resource {use};
   17.88 +allow xen_t iomem_t:resource {add_iomem remove_iomem};
   17.89 +allow dom0_t iomem_t:resource {use};
   17.90 +allow xen_t pirq_t:resource {add_irq remove_irq};
   17.91 +allow dom0_t pirq_t:resource {use};
   17.92 +
   17.93 +allow dom0_t security_t:security {compute_av compute_create compute_member 
   17.94 +check_context load_policy compute_relabel compute_user setenforce setbool
   17.95 +setsecparam};
   17.96 +
   17.97 +create_channel(dom0_t, dom0_t, evchn0-0_t)
   17.98 +allow dom0_t evchn0-0_t:event {send};
   17.99 +
  17.100 +################################################################################
  17.101 +#
  17.102 +# Create and manage a domU w/ dom0 IO
  17.103 +#
  17.104 +################################################################################
  17.105 +create_domain(dom0_t, domU_t, evchnU-0_t)
  17.106 +
  17.107 +create_channel(domU_t, domU_t, evchnU-U_t)
  17.108 +allow domU_t evchnU-U_t:event {send};
  17.109 +
  17.110 +create_channel(dom0_t, domU_t, evchn0-U_t)
  17.111 +allow dom0_t evchn0-U_t:event {send};
  17.112 +
  17.113 +create_channel(domU_t, dom0_t, evchnU-0_t)
  17.114 +allow domU_t evchnU-0_t:event {send};
  17.115 +
  17.116 +manage_domain(dom0_t, domU_t)
  17.117 +
  17.118 +################################################################################
  17.119 +#
  17.120 +#
  17.121 +#
  17.122 +################################################################################
  17.123 +sid xen gen_context(system_u:system_r:xen_t,s0)
  17.124 +sid dom0 gen_context(system_u:system_r:dom0_t,s0)
  17.125 +sid domU gen_context(system_u:system_r:domU_t,s0)
  17.126 +sid domxen gen_context(system_u:system_r:domxen_t,s0)
  17.127 +sid domio gen_context(system_u:system_r:domio_t,s0)
  17.128 +sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
  17.129 +sid security gen_context(system_u:system_r:security_t,s0)
  17.130 +sid pirq gen_context(system_u:object_r:pirq_t,s0)
  17.131 +sid iomem gen_context(system_u:object_r:iomem_t,s0)
  17.132 +sid ioport gen_context(system_u:object_r:ioport_t,s0)
  17.133 +sid device gen_context(system_u:object_r:device_t,s0)
  17.134 +
  17.135 +role system_r types { xen_type domain_type };
  17.136 +role user_r types { xen_type domain_type };
  17.137 +role sysadm_r types { xen_type domain_type };
  17.138 +role staff_r types { xen_type domain_type };
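Review bot: the banner at 17.118-17.122 is empty; it introduces the initial SID and role declarations and should say so (e.g. "# Initial SIDs and roles"). Two more points in this hunk: the rule at 17.93-17.95, `allow dom0_t security_t:security {... load_policy ... setenforce setbool setsecparam}`, lets dom0 replace the policy and drop the hypervisor out of enforcing mode at runtime, which fits the fully trusted dom0 of the dom0/domU model in the commit message but deserves a comment so that anyone extending the policy to a less trusted management domain knows to remove those permissions; and create_domain(dom0_t, domU_t, evchnU-0_t) at 17.105 uses evchnU-0_t before create_channel(domU_t, dom0_t, evchnU-0_t) declares it at 17.113, which reads more clearly with the create_channel call first. Minor: 17.33-17.35, 17.72 and 17.93 carry trailing whitespace.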
    18.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    18.2 +++ b/tools/flask/policy/policy/support/loadable_module.spt	Thu Sep 04 11:26:25 2008 +0100
    18.3 @@ -0,0 +1,166 @@
    18.4 +########################################
    18.5 +#
    18.6 +# Macros for switching between source policy
    18.7 +# and loadable policy module support
    18.8 +#
    18.9 +
   18.10 +##############################
   18.11 +#
   18.12 +# For adding the module statement
   18.13 +#
   18.14 +define(`policy_module',`
   18.15 +	ifdef(`self_contained_policy',`',`
   18.16 +		module $1 $2;
   18.17 +
   18.18 +		require {
   18.19 +			role system_r;
   18.20 +			all_kernel_class_perms
   18.21 +		}
   18.22 +	')
   18.23 +')
   18.24 +
   18.25 +##############################
   18.26 +#
   18.27 +# For use in interfaces, to optionally insert a require block
   18.28 +#
   18.29 +define(`gen_require',`
   18.30 +	ifdef(`self_contained_policy',`',`
   18.31 +		define(`in_gen_require_block')
   18.32 +		require {
   18.33 +			$1
   18.34 +		}
   18.35 +		undefine(`in_gen_require_block')
   18.36 +	')
   18.37 +')
   18.38 +
   18.39 +##############################
   18.40 +#
   18.41 +# In the future interfaces should be in loadable modules
   18.42 +#
   18.43 +# template(name,rules)
   18.44 +#
   18.45 +define(`template',`
   18.46 +	`define(`$1',`
   18.47 +##### begin $1(dollarsstar)
   18.48 +		$2
   18.49 +##### end $1(dollarsstar)
   18.50 +	'')
   18.51 +')
   18.52 +
   18.53 +# helper function, since m4 wont expand macros
   18.54 +# if a line is a comment (#):
   18.55 +define(`policy_m4_comment',`dnl
   18.56 +##### $2 depth: $1
   18.57 +')dnl
   18.58 +
   18.59 +##############################
   18.60 +#
   18.61 +# In the future interfaces should be in loadable modules
   18.62 +#
   18.63 +# interface(name,rules)
   18.64 +#
   18.65 +define(`interface',`
   18.66 +	`define(`$1',`
   18.67 +
   18.68 +	define(`policy_temp',incr(policy_call_depth))
   18.69 +	pushdef(`policy_call_depth',policy_temp)
   18.70 +	undefine(`policy_temp')
   18.71 +
   18.72 +	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar))
   18.73 +
   18.74 +	$2
   18.75 +
   18.76 +	define(`policy_temp',decr(policy_call_depth))
   18.77 +	pushdef(`policy_call_depth',policy_temp)
   18.78 +	undefine(`policy_temp')
   18.79 +
   18.80 +	policy_m4_comment(policy_call_depth,end `$1'(dollarsstar))
   18.81 +
   18.82 +	'')
   18.83 +')
   18.84 +
   18.85 +define(`policy_call_depth',0)
   18.86 +
   18.87 +##############################
   18.88 +#
   18.89 +# Optional policy handling
   18.90 +#
   18.91 +define(`optional_policy',`
   18.92 +	ifdef(`self_contained_policy',`
   18.93 +		ifdef(`$1',`$2',`$3')
   18.94 +	',`
   18.95 +		optional {
   18.96 +			$2
   18.97 +		ifelse(`$3',`',`',`
   18.98 +		} else {
   18.99 +			$3
  18.100 +		')
  18.101 +		}
  18.102 +	')
  18.103 +')
  18.104 +
  18.105 +##############################
  18.106 +#
  18.107 +# Determine if we should use the default
  18.108 +# tunable value as specified by the policy
  18.109 +# or if the override value should be used
  18.110 +#
  18.111 +define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
  18.112 +
  18.113 +##############################
  18.114 +#
  18.115 +# Extract booleans out of an expression.
  18.116 +# This needs to be reworked so expressions
  18.117 +# with parentheses can work.
  18.118 +
  18.119 +define(`delcare_required_symbols',`
  18.120 +ifelse(regexp($1, `\w'), -1, `', `dnl
  18.121 +bool regexp($1, `\(\w+\)', `\1');
  18.122 +delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
  18.123 +') dnl
  18.124 +')
  18.125 +
  18.126 +##############################
  18.127 +#
  18.128 +# Tunable declaration
  18.129 +#
  18.130 +define(`gen_tunable',`
  18.131 +	ifdef(`self_contained_policy',`
  18.132 +		bool $1 dflt_or_overr(`$1'_conf,$2);
  18.133 +	',`
  18.134 +		# loadable module tunable
  18.135 +		# declaration will go here
  18.136 +		# instead of bool when
  18.137 +		# loadable modules support
  18.138 +		# tunables
  18.139 +		bool $1 dflt_or_overr(`$1'_conf,$2);
  18.140 +	')
  18.141 +')
  18.142 +
  18.143 +##############################
  18.144 +#
  18.145 +# Tunable policy handling
  18.146 +#
  18.147 +define(`tunable_policy',`
  18.148 +	ifdef(`self_contained_policy',`
  18.149 +		if (`$1') {
  18.150 +			$2
  18.151 +		} else {
  18.152 +			$3
  18.153 +		}
  18.154 +	',`
  18.155 +		# structure for tunables
  18.156 +		# will go here instead of a
  18.157 +		# conditional when loadable
  18.158 +		# modules support tunables
  18.159 +		gen_require(`
  18.160 +			delcare_required_symbols(`$1')
  18.161 +		')
  18.162 +
  18.163 +		if (`$1') {
  18.164 +			$2
  18.165 +		} else {
  18.166 +			$3
  18.167 +		}
  18.168 +	')
  18.169 +')
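Review bot: `delcare_required_symbols` (18.119, 18.122, 18.160) is misspelled; it is used consistently so it expands correctly, but it should be renamed `declare_required_symbols` in all three places before anything else depends on the name. Also, the require block of policy_module at 18.20 references all_kernel_class_perms, which is defined neither in this file nor in any of the hunks shown; confirm the Makefile generates it from access_vectors as the reference policy does, otherwise the modular (non self_contained_policy) build fails at the first policy_module() call. Minor: "wont" at 18.53 should be "won't".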
    19.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    19.2 +++ b/tools/flask/policy/policy/support/misc_macros.spt	Thu Sep 04 11:26:25 2008 +0100
    19.3 @@ -0,0 +1,32 @@
    19.4 +
    19.5 +########################################
    19.6 +#
    19.7 +# Helper macros
    19.8 +#
    19.9 +
   19.10 +#
   19.11 +# shiftn(num,list...)
   19.12 +#
   19.13 +# shift the list num times
   19.14 +#
   19.15 +define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
   19.16 +
   19.17 +########################################
   19.18 +#
   19.19 +# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
   19.20 +#
   19.21 +define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
   19.22 +
   19.23 +########################################
   19.24 +#
   19.25 +# gen_context(context,mls_sensitivity,[mcs_categories])
   19.26 +#
   19.27 +define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
   19.28 +
   19.29 +########################################
   19.30 +#
   19.31 +# gen_bool(name,default_value)
   19.32 +#
   19.33 +define(`gen_bool',`
   19.34 +	bool $1 dflt_or_overr(`$1'_conf,$2);
   19.35 +')
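Review bot: gen_bool (19.33-19.35) expands to the same `bool $1 dflt_or_overr(`$1'_conf,$2);` statement as both branches of gen_tunable in loadable_module.spt (18.132, 18.139) and silently depends on dflt_or_overr from that file; either note the dependency in the header comment or define gen_bool in terms of gen_tunable so the two cannot drift apart.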
    20.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    20.2 +++ b/tools/flask/policy/policy/systemuser	Thu Sep 04 11:26:25 2008 +0100
    20.3 @@ -0,0 +1,19 @@
    20.4 +##################################
    20.5 +#
    20.6 +# System User configuration.
    20.7 +#
    20.8 +
    20.9 +#
   20.10 +# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
   20.11 +#
   20.12 +
   20.13 +#
   20.14 +# system_u is the user identity for system processes and objects.
   20.15 +# There should be no corresponding Unix user identity for system,
   20.16 +# and a user process should never be assigned the system user
   20.17 +# identity.
   20.18 +#
   20.19 +gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
   20.20 +
   20.21 +# Normal users should not be added to this file,
   20.22 +# but instead added to the users file.
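Review bot: system_u's range at 20.19 stops at s9:c0.c127 while the mls file declares sensitivities through s15 and categories through c255 (14.294, 14.301-14.316); if the lower cap is intentional for the sample it should be stated in the comment, otherwise the upper bound should match the declared levels. The comment at 20.14-20.17 is also Linux-specific (Unix user identity, user process); in this policy system_u is the identity carried by every initial SID in xen.te (17.123-17.133), so reword it in Xen terms.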
    21.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    21.2 +++ b/tools/flask/policy/policy/users	Thu Sep 04 11:26:25 2008 +0100
    21.3 @@ -0,0 +1,39 @@
    21.4 +
    21.5 +##################################
    21.6 +#
    21.7 +# Core User configuration.
    21.8 +#
    21.9 +
   21.10 +#
   21.11 +# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
   21.12 +#
   21.13 +
   21.14 +#
   21.15 +# user_u is a generic user identity for Linux users who have no
   21.16 +# SELinux user identity defined.  The modified daemons will use
   21.17 +# this user identity in the security context if there is no matching
   21.18 +# SELinux user identity for a Linux user.  If you do not want to
   21.19 +# permit any access to such users, then remove this entry.
   21.20 +#
   21.21 +ifdef(`targeted_policy',`
   21.22 +gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
   21.23 +',`
   21.24 +gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
   21.25 +')
   21.26 +
   21.27 +#
   21.28 +# The following users correspond to Unix identities.
   21.29 +# These identities are typically assigned as the user attribute
   21.30 +# when login starts the user shell.  Users with access to the sysadm_r
   21.31 +# role should use the staff_r role instead of the user_r role when
   21.32 +# not in the sysadm_r.
   21.33 +#
   21.34 +ifdef(`targeted_policy',`
   21.35 +	gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
   21.36 +',`
   21.37 +	ifdef(`direct_sysadm_daemon',`
   21.38 +		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127)
   21.39 +	',`
   21.40 +		gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
   21.41 +	')
   21.42 +')
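Review bot: "mcs_catetories" at 21.11 is a typo for "mcs_categories" (compare 20.10). More substantively, this file is carried over from a Linux policy: the comments at 21.15-21.19 and 21.28-21.32 describe Linux users, daemons and login shells, and both user_u and root are declared under `targeted_policy` / `direct_sysadm_daemon` conditionals that nothing in the shown hunks defines. Since xen.te labels every entity with system_u, either document how user_u and root are meant to be used by a Xen management stack or trim the file to the identities this policy actually needs, so the unused users do not suggest an access path that does not exist.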