[Xen-changelog] [SPAM] [xen-unstable] xsm, flask: sample flask policy

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [SPAM] [xen-unstable] xsm, flask: sample flask policy
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 06 Sep 2008 01:40:11 -0700
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1220523985 -3600
# Node ID 294fc8fc4ba05c1fe91754dfe3b770834c56231b
# Parent  44f039c4aee498ef47103c94cc9e7b78575b0e85
xsm, flask: sample flask policy

- The patch includes a policy for xen that can be booted into
  enforcing mode and supports creation and management of
  paravirtualized guests.  The policy follows the dom0/domU usage
  model; extension to other models or the addition of management or IO
  permissions should be much more straightforward now. The option
  flask_enforcing=1 can be passed on the xen line in grub to boot
  into enforcing mode.

- The policy provides a basic policy for booting the platform and
  creating a domU with the label system_u:object_r:domU_t.  The policy
  can be easily extended to support new types by modifying the xen.te
  source file.

- The policy includes some basic macros which may be helpful in
  extending the policy.

- The policy is compatible with and requires the most recent XSM
  patch, xsm-flask-io-sysctl-hooks-090308.diff.

- The policy is not built as part of the make all as it requires the
  SELinux policy compiler which may/may not be installed on all
  systems.  Users must go into the tools/flask/policy directory and
  explicitly compile the policy.

Signed-off-by: George Coker <gscoker@xxxxxxxxxxxxxx>
---
 tools/flask/policy/Makefile                           |  234 +++++++++++
 tools/flask/policy/Rules.modular                      |  166 ++++++++
 tools/flask/policy/Rules.monolithic                   |  196 +++++++++
 tools/flask/policy/policy/constraints                 |   27 +
 tools/flask/policy/policy/flask/Makefile              |   41 ++
 tools/flask/policy/policy/flask/access_vectors        |  166 ++++++++
 tools/flask/policy/policy/flask/initial_sids          |   17 
 tools/flask/policy/policy/flask/mkaccess_vector.sh    |  227 +++++++++++
 tools/flask/policy/policy/flask/mkflask.sh            |   95 ++++
 tools/flask/policy/policy/flask/security_classes      |   20 +
 tools/flask/policy/policy/global_booleans             |    5 
 tools/flask/policy/policy/global_tunables             |    6 
 tools/flask/policy/policy/mcs                         |  324 ++++++++++++++++
 tools/flask/policy/policy/mls                         |  354 ++++++++++++++++++
 tools/flask/policy/policy/modules.conf                |   21 +
 tools/flask/policy/policy/modules/xen/xen.if          |    1 
 tools/flask/policy/policy/modules/xen/xen.te          |  135 ++++++
 tools/flask/policy/policy/support/loadable_module.spt |  166 ++++++++
 tools/flask/policy/policy/support/misc_macros.spt     |   32 +
 tools/flask/policy/policy/systemuser                  |   19 
 tools/flask/policy/policy/users                       |   39 +
 21 files changed, 2291 insertions(+)

diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/Makefile       Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,234 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+# 
+# install       - compile and install the policy configuration, and context 
files.
+# load          - compile, install, and load the policy configuration.
+# reload        - compile, install, and load/reload the policy configuration.
+# policy        - compile the policy configuration locally for 
testing/development.
+#
+# The default target is 'policy'.
+#
+
+########################################
+#
+# Configurable portions of the Makefile
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports.  Setting this will
+# override the version.
+OUTPUT_POLICY = 20
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = strict
+
+# Policy Name
+# If set, this will be used as the policy
+# name.  Otherwise the policy type will be
+# used for the name.
+NAME = xenrefpolicy
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution.  Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, and suse are current options.
+# Fedora users should enable redhat.
+#DISTRO = 
+
+# Build monolithic policy.  Putting n here
+# will build a loadable module policy.
+MONOLITHIC=y
+
+# Uncomment this to disable command echoing
+#QUIET:=@
+
+########################################
+#
+# NO OPTIONS BELOW HERE
+#
+
+# executable paths
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKPOLICY := $(BINDIR)/checkpolicy
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+LOADPOLICY := $(SBINDIR)/flask-loadpolicy
+
+CFLAGS := -Wall
+
+# policy source layout
+POLDIR := policy
+MODDIR := $(POLDIR)/modules
+FLASKDIR := $(POLDIR)/flask
+SECCLASS := $(FLASKDIR)/security_classes
+ISIDS := $(FLASKDIR)/initial_sids
+AVS := $(FLASKDIR)/access_vectors
+
+#policy building support tools
+SUPPORT := support
+FCSORT := tmp/fc_sort
+
+# config file paths
+GLOBALTUN := $(POLDIR)/global_tunables
+GLOBALBOOL := $(POLDIR)/global_booleans
+MOD_CONF := $(POLDIR)/modules.conf
+TUNABLES := $(POLDIR)/tunables.conf
+BOOLEANS := $(POLDIR)/booleans.conf
+
+# install paths
+TOPDIR = $(DESTDIR)/etc/xen/
+INSTALLDIR = $(TOPDIR)/$(NAME)
+SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
+CONTEXTPATH = $(INSTALLDIR)/contexts
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+       override M4PARAM += -D enable_mls
+       CHECKPOLICY += -M
+       CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+       override M4PARAM += -D enable_mcs
+       CHECKPOLICY += -M
+       CHECKMODULE += -M
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+       override M4PARAM += -D targeted_policy
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+       override M4PARAM += -D distro_$(DISTRO)
+endif
+
+ifneq ($(OUTPUT_POLICY),)
+       CHECKPOLICY += -c $(OUTPUT_POLICY)
+endif
+
+ifeq ($(NAME),)
+       NAME := $(TYPE)
+endif
+
+# determine the policy version and current kernel version if possible
+PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+KV := $(shell cat /selinux/policyvers)
+
+# dont print version warnings if we are unable to determine
+# the currently running kernel's policy version
+ifeq ($(KV),)
+       KV := $(PV)
+endif
+
+FC := file_contexts
+POLVER := policy.$(PV)
+
+M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
+
+APPCONF := config/appconfig-$(TYPE)
+APPDIR := $(CONTEXTPATH)
+APPFILES := $(INSTALLDIR)/booleans
+CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
+USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
+
+ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) 
-maxdepth 0 -type d))
+
+GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard 
$(dir)/*.te.in)))
+GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard 
$(dir)/*.if.in)))
+GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard 
$(dir)/*.fc.in)))
+
+# sort here since it removes duplicates, which can happen
+# when a generated file is already generated
+DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) 
$(GENERATED_TE))
+
+# modules.conf setting for base module
+MODBASE := base
+
+# modules.conf setting for module
+MODMOD := module
+
+# extract settings from modules.conf
+BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == 
"$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find 
-iname $(mod).te)))
+MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == 
"$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find 
-iname $(mod).te)))
+
+HOMEDIR_TEMPLATE = tmp/homedir_template
+
+########################################
+#
+# Load appropriate rules
+#
+
+ifeq ($(MONOLITHIC),y)
+       include Rules.monolithic
+else
+       include Rules.modular
+endif
+
+########################################
+#
+# Create config files
+#
+conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
+
+$(MOD_CONF) $(BOOLEANS): $(POLXML)
+       @echo "Updating $(MOD_CONF) and $(BOOLEANS)"
+       $(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) 
-x ../$(POLXML)
+
+########################################
+#
+# Appconfig files
+#
+install-appconfig: $(APPFILES)
+
+$(INSTALLDIR)/booleans: $(BOOLEANS)
+       @mkdir -p $(INSTALLDIR)
+       $(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $(BOOLEANS) \
+               | sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans
+       $(QUIET) install -m 644 tmp/booleans $@
+
+########################################
+#
+# Install policy sources
+#
+install-src:
+       rm -rf $(SRCPATH)/policy.old
+       -mv $(SRCPATH)/policy $(SRCPATH)/policy.old
+       mkdir -p $(SRCPATH)/policy
+       cp -R . $(SRCPATH)/policy
+
+########################################
+#
+# Clean everything
+#
+bare: clean
+       rm -f $(POLXML)
+       rm -f $(SUPPORT)/*.pyc
+       rm -f $(FCSORT)
+       rm -f $(MOD_CONF)
+       rm -f $(BOOLEANS)
+       rm -fR $(HTMLDIR)
+ifneq ($(GENERATED_TE),)
+       rm -f $(GENERATED_TE)
+endif
+ifneq ($(GENERATED_IF),)
+       rm -f $(GENERATED_IF)
+endif
+ifneq ($(GENERATED_FC),)
+       rm -f $(GENERATED_FC)
+endif
+
+.PHONY: install-src install-appconfig conf html bare
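Review bot: the `conf` target's rule `$(MOD_CONF) $(BOOLEANS): $(POLXML)` runs `cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML)`, but POLXML, DOCS and GENDOC are not defined anywhere in this Makefile, so `make conf` expands to `cd  && ..// ...` and fails; since the error messages in Rules.modular and Rules.monolithic tell users to run "make conf" when no modules are enabled, either define these variables (with the generator they refer to) or drop the target and point the message at editing modules.conf directly. Two smaller items: `KV := $(shell cat /selinux/policyvers)` reads the policy version of the dom0 Linux kernel's SELinux, which has nothing to do with the version the hypervisor's flask module accepts, so the PV/KV "Policy version mismatch" warning in the rules files is misleading for a Xen policy; and `CFLAGS := -Wall` is unused while `.PHONY` names an `html` target that does not exist.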
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/Rules.modular
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/Rules.modular  Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,166 @@
+########################################
+#
+# Rules and Targets for building modular policies
+#
+
+ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+
+BASE_PKG := base.pp
+BASE_FC := base.fc
+
+BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf 
tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) 
tmp/only_te_rules.conf tmp/all_post.conf
+
+BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls 
$(POLDIR)/mcs
+BASE_TE_FILES := $(BASE_MODS)
+BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
+BASE_FC_FILES := $(BASE_MODS:.te=.fc)
+
+MOD_MODULES := $(MOD_MODS:.te=.mod)
+MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp))
+
+# search layer dirs for source files
+vpath %.te $(ALL_LAYERS)
+vpath %.if $(ALL_LAYERS)
+vpath %.fc $(ALL_LAYERS)
+
+########################################
+#
+# default action: create all module packages
+#
+default: base
+
+base: $(BASE_PKG)
+
+modules: $(MOD_PKGS)
+
+#policy: $(POLVER)
+#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+#load: tmp/load
+
+########################################
+#
+# Create a base module package
+#
+$(BASE_PKG): tmp/base.mod $(BASE_FC)
+       @echo "Creating $(NAME) base module package"
+       $(QUIET) $(SEMOD_PKG) $@ $^
+
+########################################
+#
+# Compile a base module
+#
+tmp/base.mod: base.conf
+       @echo "Compiling $(NAME) base module"
+       $(QUIET) $(CHECKMODULE) $^ -o $@
+
+########################################
+#
+# Construct a base module policy.conf
+#
+base.conf: $(BASE_SECTIONS)
+       @echo "Creating $(NAME) base module policy.conf"
+# checkpolicy can use the #line directives provided by -s for error reporting:
+       $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
+       $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp 
> $@
+# the ordering of these ocontexts matters:
+       $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
+       $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
+       $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true
+
+tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES)
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ > $@
+
+tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES)
+       @test -d tmp || mkdir -p tmp
+# define all available object classes
+       $(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
+# per-userdomain templates
+       $(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
+       $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
+               echo 
"ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')"
 \
+                       >> $@ ;\
+       done
+       $(QUIET) echo "')" >> $@
+# define foo.te
+       $(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \
+               echo "define(\`$$i')" >> $@ ;\
+       done
+       $(QUIET) $(SETTUN) $(BOOLEANS) >> $@
+
+tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+ifeq ($(ALL_INTERFACES),)
+       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
+endif
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+tmp/all_te_files.conf: $(BASE_TE_FILES)
+ifeq ($(BASE_TE_FILES),)
+       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
+endif
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ > $@
+
+tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.  portcon, nodecon, and netifcon
+# is delayed since they are generated by m4
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: 
tmp/all_te_files.conf tmp/post_te_files.conf
+       $(QUIET) grep ^attribute tmp/all_te_files.conf > 
tmp/all_attrs_types.conf || true
+       $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
+       $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+       $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+       $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> 
tmp/all_post.conf || true
+       $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || 
true
+       $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
+                       -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
+                       < tmp/all_te_files.conf > tmp/only_te_rules.conf
+
+########################################
+#
+# Construct base module file contexts
+#
+$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) 
$(FCSORT)
+ifeq ($(BASE_FC_FILES),)
+       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
+endif
+       @echo "Creating $(NAME) base module file contexts."
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf 
$(BASE_FC_FILES) > tmp/$@.tmp
+       $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
+       $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
+       $(QUIET) $(FCSORT) tmp/$@.tmp $@
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf 
%.te
+       @if test -z "$(filter $^,$(MOD_MODS))"; then \
+               echo "The $(notdir $(basename $@)) module is not configured to 
be compiled as a lodable module." ;\
+               false ;\
+       fi
+       @echo "Compliling $(NAME) $(@F) module"
+       $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+       $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+%.pp: tmp/%.mod %.fc
+       @echo "Creating $(NAME) $(@F) policy package"
+       $(QUIET) $(SEMOD_PKG) $@ $^
+
+########################################
+#
+# Clean the sources
+#
+clean:
+       rm -fR tmp
+       rm -f base.conf
+       rm -f *.pp
+       rm -f $(BASE_FC)
+
+.PHONY: default base modules clean
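Review bot: the `tmp/generated_definitions.conf` rule runs `$(GENPERM) $(AVS) $(SECCLASS) > $@` and `$(SETTUN) $(BOOLEANS) >> $@`, but GENPERM and SETTUN are defined neither here nor in the Makefile, so with MONOLITHIC=n the shell tries to execute the access_vectors file as a command and the base module build fails. Either define the two helpers or drop the lines as the monolithic rules do (there the SETTUN line is commented out). Also, `$(SEMOD_PKG) $@ $^` passes the package, module and file-contexts positionally, whereas semodule_package takes `-o <pkg> -m <mod> -f <fc>`; and the progress messages read "Compliling" and "lodable" (should be "Compiling" and "loadable").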
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/Rules.monolithic
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/Rules.monolithic       Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,196 @@
+########################################
+#
+# Rules and Targets for building monolithic policies
+#
+
+# install paths
+POLICYPATH = $(INSTALLDIR)/policy
+LOADPATH = $(POLICYPATH)/$(POLVER)
+FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
+
+# for monolithic policy use all base and module to create policy
+ENABLEMOD := $(BASE_MODS) $(MOD_MODS)
+
+ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS))
+
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+ALL_TE_FILES := $(ALL_MODULES)
+ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
+
+PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls 
$(POLDIR)/mcs
+POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
+
+POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf 
tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) 
tmp/only_te_rules.conf tmp/all_post.conf
+
+########################################
+#
+# default action: build policy locally
+#
+default: policy
+
+policy: $(POLVER)
+
+install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+
+load: tmp/load
+
+########################################
+#
+# Build a binary policy locally
+#
+$(POLVER): policy.conf
+       @echo "Compiling $(NAME) $(POLVER)"
+ifneq ($(PV),$(KV))
+       @echo
+       @echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set 
correctly?"
+       @echo
+endif
+       $(QUIET) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Install a binary policy
+#
+$(LOADPATH): policy.conf
+       @mkdir -p $(POLICYPATH)
+       @echo "Compiling and installing $(NAME) $(LOADPATH)"
+ifneq ($(PV),$(KV))
+       @echo
+       @echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set 
correctly?"
+       @echo
+endif
+       $(QUIET) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Load the binary policy
+#
+reload tmp/load: $(LOADPATH) $(FCPATH)
+       @echo "Loading $(NAME) $(LOADPATH)"
+       $(QUIET) $(LOADPOLICY) -q $(LOADPATH)
+       @touch tmp/load
+
+########################################
+#
+# Construct a monolithic policy.conf
+#
+policy.conf: $(POLICY_SECTIONS)
+       @echo "Creating $(NAME) policy.conf"
+# checkpolicy can use the #line directives provided by -s for error reporting:
+       $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
+       $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp 
> $@
+
+tmp/pre_te_files.conf: $(PRE_TE_FILES)
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ > $@
+
+tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
+# per-userdomain templates:
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
+       $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
+               echo 
"ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')"
 \
+                       >> $@ ;\
+       done
+       $(QUIET) echo "')" >> $@
+# define foo.te
+       $(QUIET) for i in $(notdir $(ALL_MODULES)); do \
+               echo "define(\`$$i')" >> $@ ;\
+       done
+#      $(QUIET) $(SETTUN) $(BOOLEANS) >> $@
+
+tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+ifeq ($(ALL_INTERFACES),)
+       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
+endif
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+tmp/all_te_files.conf: $(ALL_TE_FILES)
+ifeq ($(ALL_TE_FILES),)
+       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
+endif
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ > $@
+
+tmp/post_te_files.conf: $(POST_TE_FILES)
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) cat $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.  portcon, nodecon, and netifcon
+# is delayed since they are generated by m4
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: 
tmp/all_te_files.conf tmp/post_te_files.conf
+       $(QUIET) grep ^attribute tmp/all_te_files.conf > 
tmp/all_attrs_types.conf || true
+       $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
+       $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+       $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+       $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> 
tmp/all_post.conf || true
+       $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || 
true
+       $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
+                       -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
+                       < tmp/all_te_files.conf > tmp/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: policy.conf
+       @test -d tmp || mkdir -p tmp
+       @echo "Removing dontaudit rules from policy.conf"
+       $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
+       $(QUIET) mv tmp/policy.audit policy.conf
+
+########################################
+#
+# Construct file_contexts
+#
+$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
+ifeq ($(ALL_FC_FILES),)
+       $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be 
generated by using "make conf")
+endif
+       @echo "Creating $(NAME) file_contexts."
+       @test -d tmp || mkdir -p tmp
+       $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf 
$(ALL_FC_FILES) > tmp/$@.tmp
+#      $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
+#      $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
+#      $(QUIET) $(FCSORT) tmp/$@.tmp $@
+       $(QUIET) touch $(HOMEDIR_TEMPLATE)
+       $(QUIET) touch $@
+
+########################################
+#
+# Install file_contexts
+#
+$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
+       @echo "Validating $(NAME) file_contexts."
+#      $(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC)
+       @echo "Installing file_contexts."
+       @mkdir -p $(CONTEXTPATH)/files
+       $(QUIET) install -m 644 $(FC) $(FCPATH)
+       $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+#      $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD)
+
+########################################
+#
+# Run policy source checks
+#
+check: policy.conf $(FC)
+       $(SECHECK) -s --profile=development --policy=policy.conf --fcfile=$(FC) 
> $@.res
+
+longcheck: policy.conf $(FC)
+       $(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res
+
+########################################
+#
+# Clean the sources
+#
+clean:
+       rm -fR tmp
+       rm -f policy.conf
+       rm -f policy.$(PV)
+       rm -f $(FC)
+       rm -f *.res
+
+.PHONY: default policy install load reload enableaudit checklabels 
restorelabels relabel check longcheck clean
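Review bot: `install` depends on `$(USERPATH)/local.users` and `$(FCPATH)` depends on `$(USERPATH)/system.users`, but no rule in this file or in the Makefile produces either file (USER_FILES is defined in the Makefile but never used), so `make install` and `make load` stop with "No rule to make target". Add a rule that installs `$(USER_FILES)` into `$(USERPATH)`, or drop the prerequisites. Further, `check` and `longcheck` invoke `$(SECHECK)`, which is undefined, and `.PHONY` lists `checklabels`, `restorelabels` and `relabel`, none of which exist in this file.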
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/constraints
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/constraints     Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,27 @@
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# expression : ( expression ) 
+#           | not expression
+#           | expression and expression
+#           | expression or expression
+#           | u1 op u2
+#           | r1 role_op r2
+#           | t1 op t2
+#           | u1 op names
+#           | u2 op names
+#           | r1 op names
+#           | r2 op names
+#           | t1 op names
+#           | t2 op names
+#
+# op : == | != 
+# role_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name            
+#
+
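Review bot: this file is comments only and contains no `constrain` statement, so nothing in the sample policy restricts the user or role fields of a label across domain creation or other transitions. If that is intentional for the dom0/domU model, a one-line comment saying so would stop readers from assuming the content was lost in the patch.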
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/flask/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/flask/Makefile  Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,41 @@
+# flask needs to know where to export the libselinux headers.
+LIBSEL ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUXDIR ?= ../../../linux-2.6
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+          else if [ -x /bin/bash ]; then echo /bin/bash; \
+          else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = security_classes initial_sids
+AV_H_DEPEND = access_vectors
+
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h 
av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+all:  $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+       $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+       $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+tolib: all
+       install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
+       install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h 
av_perm_to_string.h $(LIBSEL)/src
+
+tokern: all
+       install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:  
+       rm -f $(FLASK_H_FILES)
+       rm -f $(AV_H_FILES)
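Review bot: the `tolib` and `tokern` targets install the generated headers into `$(LIBSEL)/include/selinux`, `$(LIBSEL)/src` and `$(LINUXDIR)/security/selinux/include`, defaulting to `../../libselinux` and `../../../linux-2.6`; those are the SELinux kernel build locations and have no counterpart in a Xen tree, and running `tokern` against a real Linux source tree would overwrite the kernel's own flask.h and av_permissions.h with Xen's class and permission numbering. Drop both targets (or retarget them at the hypervisor's XSM flask include directory), and either give `install` a recipe or remove it together with the empty `relabel` target.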
diff -r 44f039c4aee4 -r 294fc8fc4ba0 
tools/flask/policy/policy/flask/access_vectors
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/flask/access_vectors    Thu Sep 04 11:26:25 
2008 +0100
@@ -0,0 +1,166 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+#
+# Define a common prefix for file access vectors.
+#
+
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class xen
+{
+       scheduler
+       settime
+       tbufcontrol
+       readconsole
+       clearconsole
+       perfcontrol
+       mtrr_add
+       mtrr_del
+       mtrr_read
+       microcode
+       physinfo
+       quirk
+    writeconsole
+    readapic
+    writeapic
+    privprofile
+    nonprivprofile
+    kexec
+       firmware
+       sleep
+       frequency
+       getidle
+       debug
+       getcpuinfo
+       heap
+}
+
+class domain
+{
+       setvcpucontext
+       pause
+       unpause
+    resume
+    create
+    transition
+    max_vcpus
+    destroy
+    setvcpuaffinity
+       getvcpuaffinity
+       scheduler
+       getdomaininfo
+       getvcpuinfo
+       getvcpucontext
+       setdomainmaxmem
+       setdomainhandle
+       setdebugging
+       hypercall
+    settime
+    set_target
+    shutdown
+    setaddrsize
+    getaddrsize
+       trigger
+       getextvcpucontext
+       setextvcpucontext
+}
+
+class hvm
+{
+    sethvmc
+    gethvmc
+    setparam
+    getparam
+    pcilevel
+    irqlevel
+    pciroute
+       bind_irq
+       cacheattr
+}
+
+class event
+{
+       bind
+       send
+       status
+       notify
+       create
+    vector
+    reset
+}
+
+class grant
+{
+       map_read
+       map_write
+       unmap
+       transfer
+       setup
+    copy
+    query
+}
+
+class mmu
+{
+       map_read
+       map_write
+       pageinfo
+       pagelist
+    adjust
+    stat
+    translategp
+       updatemp
+    physmap
+    pinpage
+    mfnlist
+    memorymap
+}
+
+class shadow
+{
+       disable
+       enable
+    logdirty
+}
+
+class resource
+{
+       add
+       remove
+       use
+       add_irq
+       remove_irq
+       add_ioport
+       remove_ioport
+       add_iomem
+       remove_iomem
+       stat_device
+       add_device
+       remove_device
+}
+
+class security
+{
+       compute_av
+       compute_create
+       compute_member
+       check_context
+       load_policy
+       compute_relabel
+       compute_user
+       setenforce
+       setbool
+       setsecparam
+}
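Review bot: the header comments ("Define a common prefix for file access vectors", "Define the access vector interpretation for file-related objects") are carried over from the Linux access_vectors file; this file defines no `common` block and no file classes, only xen, domain, hvm, event, grant, mmu, shadow, resource and security, so the comments should describe the hypervisor objects or be dropped. Indentation also alternates between tabs and four spaces inside single class blocks (for example `writeconsole` through `kexec` in `class xen`); mkaccess_vector.sh tolerates it, but it should be made consistent.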
diff -r 44f039c4aee4 -r 294fc8fc4ba0 
tools/flask/policy/policy/flask/initial_sids
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/flask/initial_sids      Thu Sep 04 11:26:25 
2008 +0100
@@ -0,0 +1,17 @@
+# FLASK
+
+#
+# Define initial security identifiers 
+#
+sid xen
+sid dom0
+sid domU
+sid domio
+sid domxen
+sid unlabeled
+sid security
+sid ioport
+sid iomem
+sid pirq
+sid device
+# FLASK
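Review bot: the order of the `sid` lines fixes the numeric initial SID values that mkflask.sh emits into flask.h, so this file must stay in step with the header the hypervisor was built from; a comment above the list stating that entries may only be appended, never reordered, would make that explicit. The trailing `# FLASK` line merely repeats the header marker and can go.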
diff -r 44f039c4aee4 -r 294fc8fc4ba0 
tools/flask/policy/policy/flask/mkaccess_vector.sh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/flask/mkaccess_vector.sh        Thu Sep 04 
11:26:25 2008 +0100
@@ -0,0 +1,227 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="av_permissions.h"
+av_inherit="av_inherit.h"
+common_perm_to_string="common_perm_to_string.h"
+av_perm_to_string="av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN  {
+               outfile = \"$av_permissions\"
+               inheritfile = \"$av_inherit\"
+               cpermfile = \"$common_perm_to_string\"
+               avpermfile = \"$av_perm_to_string\"
+               "'
+               nextstate = "COMMON_OR_AV";
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > outfile;
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > inheritfile;
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > cpermfile;
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > avpermfile;
+;
+       }
+/^[ \t]*#/     { 
+                       next;
+               }
+$1 == "common" { 
+                       if (nextstate != "COMMON_OR_AV")
+                       {
+                               printf("Parse error:  Unexpected COMMON 
definition on line %d\n", NR);
+                               next;   
+                       }
+
+                       if ($2 in common_defined)
+                       {
+                               printf("Duplicate COMMON definition for %s on 
line %d.\n", $2, NR);
+                               next;
+                       }       
+                       common_defined[$2] = 1;
+
+                       tclass = $2;
+                       common_name = $2; 
+                       permission = 1;
+
+                       printf("TB_(common_%s_perm_to_string)\n", $2) > 
cpermfile;
+
+                       nextstate = "COMMON-OPENBRACKET";
+                       next;
+               }
+$1 == "class"  {
+                       if (nextstate != "COMMON_OR_AV" &&
+                           nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+                       {
+                               printf("Parse error:  Unexpected class 
definition on line %d\n", NR);
+                               next;   
+                       }
+
+                       tclass = $2;
+
+                       if (tclass in av_defined)
+                       {
+                               printf("Duplicate access vector definition for 
%s on line %d\n", tclass, NR);
+                               next;
+                       } 
+                       av_defined[tclass] = 1;
+
+                       inherits = "";
+                       permission = 1;
+
+                       nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+                       next;
+               }
+$1 == "inherits" {                     
+                       if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
+                       {
+                               printf("Parse error:  Unexpected INHERITS 
definition on line %d\n", NR);
+                               next;   
+                       }
+
+                       if (!($2 in common_defined))
+                       {
+                               printf("COMMON %s is not defined (line %d).\n", 
$2, NR);
+                               next;
+                       }
+
+                       inherits = $2;
+                       permission = common_base[$2];
+
+                       for (combined in common_perms)
+                       {
+                               split(combined,separate, SUBSEP);
+                               if (separate[1] == inherits)
+                               {
+                                       inherited_perms[common_perms[combined]] 
= separate[2];
+                               }
+                       }
+
+                        j = 1;
+                        for (i in inherited_perms) {
+                            ind[j] = i + 0;
+                            j++;
+                        }
+                        n = asort(ind);
+                       for (i = 1; i <= n; i++) {
+                               perm = inherited_perms[ind[i]];
+                               printf("#define %s__%s", toupper(tclass), 
toupper(perm)) > outfile; 
+                               spaces = 40 - (length(perm) + length(tclass));
+                               if (spaces < 1)
+                                     spaces = 1;
+                               for (j = 0; j < spaces; j++) 
+                                       printf(" ") > outfile; 
+                               printf("0x%08xUL\n", ind[i]) > outfile; 
+                       }
+                       printf("\n") > outfile;
+                        for (i in ind) delete ind[i];
+                        for (i in inherited_perms) delete inherited_perms[i];
+
+                       printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", 
toupper(tclass), inherits, permission) > inheritfile; 
+
+                       nextstate = "CLASS_OR_CLASS-OPENBRACKET";
+                       next;
+               }
+$1 == "{"      { 
+                       if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+                           nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+                           nextstate != "COMMON-OPENBRACKET")
+                       {
+                               printf("Parse error:  Unexpected { on line 
%d\n", NR);
+                               next;
+                       }
+
+                       if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+                               nextstate = "CLASS-CLOSEBRACKET";
+
+                       if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+                               nextstate = "CLASS-CLOSEBRACKET";
+
+                       if (nextstate == "COMMON-OPENBRACKET")
+                               nextstate = "COMMON-CLOSEBRACKET";
+               }
+/[a-z][a-z_]*/ {
+                       if (nextstate != "COMMON-CLOSEBRACKET" &&
+                           nextstate != "CLASS-CLOSEBRACKET")
+                       {
+                               printf("Parse error:  Unexpected symbol %s on 
line %d\n", $1, NR);              
+                               next;
+                       }
+
+                       if (nextstate == "COMMON-CLOSEBRACKET")
+                       {
+                               if ((common_name,$1) in common_perms)
+                               {
+                                       printf("Duplicate permission %s for 
common %s on line %d.\n", $1, common_name, NR);
+                                       next;
+                               }
+
+                               common_perms[common_name,$1] = permission;
+
+                               printf("#define COMMON_%s__%s", 
toupper(common_name), toupper($1)) > outfile; 
+
+                               printf("    S_(\"%s\")\n", $1) > cpermfile;
+                       }
+                       else
+                       {
+                               if ((tclass,$1) in av_perms)
+                               {
+                                       printf("Duplicate permission %s for %s 
on line %d.\n", $1, tclass, NR);
+                                       next;
+                               }
+
+                               av_perms[tclass,$1] = permission;
+               
+                               if (inherits != "")
+                               {
+                                       if ((inherits,$1) in common_perms)
+                                       {
+                                               printf("Permission %s in %s on 
line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
+                                               next;
+                                       }
+                               }
+
+                               printf("#define %s__%s", toupper(tclass), 
toupper($1)) > outfile; 
+
+                               printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", 
toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
+                       }
+
+                       spaces = 40 - (length($1) + length(tclass));
+                       if (spaces < 1)
+                             spaces = 1;
+
+                       for (i = 0; i < spaces; i++) 
+                               printf(" ") > outfile; 
+                       printf("0x%08xUL\n", permission) > outfile; 
+                       permission = permission * 2;
+               }
+$1 == "}"      {
+                       if (nextstate != "CLASS-CLOSEBRACKET" && 
+                           nextstate != "COMMON-CLOSEBRACKET")
+                       {
+                               printf("Parse error:  Unexpected } on line 
%d\n", NR);
+                               next;
+                       }
+
+                       if (nextstate == "COMMON-CLOSEBRACKET")
+                       {
+                               common_base[common_name] = permission;
+                               printf("TE_(common_%s_perm_to_string)\n\n", 
common_name) > cpermfile; 
+                       }
+
+                       printf("\n") > outfile;
+
+                       nextstate = "COMMON_OR_AV";
+               }
+END    {
+               if (nextstate != "COMMON_OR_AV" && nextstate != 
"CLASS_OR_CLASS-OPENBRACKET")
+                       printf("Parse error:  Unexpected end of file\n");
+
+       }'
+
+# FLASK
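Review bot: none of the error branches in this awk script fail the build. "Parse error:  Unexpected COMMON definition", "Duplicate COMMON definition", "COMMON %s is not defined", "Duplicate permission", "Permission %s in %s ... conflicts with common permission" and the END-block "Unexpected end of file" all printf to stdout and then `next`, so awk exits 0, the `set -e` on the sh side never fires, and a malformed access_vectors file yields a partially written av_permissions.h / av_perm_to_string.h / av_inherit.h with missing or shifted permission bits that the hypervisor then compiles. Suggest writing each diagnostic to "/dev/stderr" and following it with `exit 1`. Two smaller points in the same hunk: the conflict message passes four arguments (`$1, tclass, inherits, NR`) to a format with only three conversions (`%s`, `%s`, `%d`), so the "line %d" shown is `inherits` coerced to a number rather than NR; and `permission = permission * 2` has no guard that a common block plus the class's own permissions stay within 32 bits, so a 33rd permission silently wraps past the `0x%08xUL` access vector width. Also `asort()` is a gawk extension, so the `$awk` passed in must be gawk; worth a comment at the top.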
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/flask/mkflask.sh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/flask/mkflask.sh        Thu Sep 04 11:26:25 
2008 +0100
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="flask.h"
+debug_file="class_to_string.h"
+debug_file2="initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN  {
+               outfile = \"$output_file\"
+               debugfile = \"$debug_file\"
+               debugfile2 = \"$debug_file2\"
+               "'
+               nextstate = "CLASS";
+
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > outfile;
+
+               printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+               printf("#define _SELINUX_FLASK_H_\n") > outfile;
+               printf("\n/*\n * Security object class definitions\n */\n") > 
outfile;
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > debugfile;
+               printf("/*\n * Security object class definitions\n */\n") > 
debugfile;
+               printf("    S_(\"null\")\n") > debugfile;
+               printf("/* This file is automatically generated.  Do not edit. 
*/\n") > debugfile2;
+               printf("static char *initial_sid_to_string[] =\n{\n") > 
debugfile2;
+               printf("    \"null\",\n") > debugfile2;
+       }
+/^[ \t]*#/     { 
+                       next;
+               }
+$1 == "class"  { 
+                       if (nextstate != "CLASS")
+                       {
+                               printf("Parse error:  Unexpected class 
definition on line %d\n", NR);
+                               next;   
+                       }
+
+                       if ($2 in class_found)
+                       {
+                               printf("Duplicate class definition for %s on 
line %d.\n", $2, NR);
+                               next;
+                       }       
+                       class_found[$2] = 1;
+
+                       class_value++;
+
+                       printf("#define SECCLASS_%s", toupper($2)) > outfile;
+                       for (i = 0; i < 40 - length($2); i++) 
+                               printf(" ") > outfile; 
+                       printf("%d\n", class_value) > outfile; 
+
+                       printf("    S_(\"%s\")\n", $2) > debugfile;
+               }
+$1 == "sid"    { 
+                       if (nextstate == "CLASS")
+                       {
+                           nextstate = "SID";
+                           printf("\n/*\n * Security identifier indices for 
initial entities\n */\n") > outfile;                           
+                       }
+
+                       if ($2 in sid_found)
+                       {
+                               printf("Duplicate SID definition for %s on line 
%d.\n", $2, NR);
+                               next;
+                       }       
+                       sid_found[$2] = 1;
+                       sid_value++;
+
+                       printf("#define SECINITSID_%s", toupper($2)) > outfile;
+                       for (i = 0; i < 37 - length($2); i++) 
+                               printf(" ") > outfile; 
+                       printf("%d\n", sid_value) > outfile; 
+                       printf("    \"%s\",\n", $2) > debugfile2;
+               }
+END    {
+               if (nextstate != "SID")
+                       printf("Parse error:  Unexpected end of file\n");
+
+               printf("\n#define SECINITSID_NUM") > outfile;
+               for (i = 0; i < 34; i++) 
+                       printf(" ") > outfile; 
+               printf("%d\n", sid_value) > outfile; 
+               printf("\n#endif\n") > outfile;
+               printf("};\n\n") > debugfile2;
+       }'
+
+# FLASK
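Review bot: the "Parse error:  Unexpected class definition", "Duplicate class definition" and "Duplicate SID definition" branches print and `next`, so awk still exits 0 and the `set -e` above never triggers; a bad security_classes or initial_sids file produces a flask.h with an entry silently dropped instead of stopping the build. Suggest sending the messages to "/dev/stderr" and exiting non-zero, as the values here are positional (`class_value++`, `sid_value++`) and a dropped entry renumbers everything after it. Also `static char *initial_sid_to_string[]` in initial_sid_to_string.h should be `static const char *`, since the entries are string literals.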
diff -r 44f039c4aee4 -r 294fc8fc4ba0 
tools/flask/policy/policy/flask/security_classes
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/flask/security_classes  Thu Sep 04 11:26:25 
2008 +0100
@@ -0,0 +1,20 @@
+# FLASK
+
+#
+# Define the security object classes 
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class xen
+class domain
+class hvm
+class mmu
+class resource
+class shadow
+class event
+class grant
+class security
+
+# FLASK
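Review bot: the comment "Classes marked as userspace are classes for userspace object managers" is carried over from the SELinux reference policy; nothing in this file carries such a mark and mkflask.sh has no handling for it, so drop the two lines. More useful in their place would be a note that SECCLASS_ numbers are assigned by position in this file (mkflask.sh simply increments a counter per `class` line) and must agree with what the hypervisor was built with, so new classes are appended, never inserted or reordered.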
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/global_booleans
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/global_booleans Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,5 @@
+#
+# This file is for the declaration of global booleans.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/global_tunables
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/global_tunables Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,6 @@
+#
+# This file is for the declaration of global tunables.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
+
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/mcs
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/mcs     Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,324 @@
+ifdef(`enable_mcs',`
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#           | not expression
+#           | expression and expression
+#           | expression or expression
+#           | u1 op u2
+#           | r1 role_mls_op r2
+#           | t1 op t2
+#           | l1 role_mls_op l2
+#           | l1 role_mls_op h2
+#           | h1 role_mls_op l2
+#           | h1 role_mls_op h2
+#           | l1 role_mls_op h1
+#           | l2 role_mls_op h2
+#           | u1 op names
+#           | u2 op names
+#           | r1 op names
+#           | r2 op names
+#           | t1 op names
+#           | t2 op names
+#           | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#           | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#           | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+
+') dnl end enable_mcs
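Review bot: under enable_mcs this file declares s0, c0 through c255 and the level s0:c0.c255, but after the grammar comment ("mlsconstrain class_set perm_set expression ;") no mlsconstrain or mlsvalidatetrans rule follows, so categories become part of every label without ever constraining an access; two guests given disjoint categories are treated identically by the policy. Either add the constraints using the `h1 dom h2` / `l1 domby l2` forms the comment documents, on at least the domain, mmu, grant and event classes, or state in the file header that the MCS section is label-only scaffolding so nobody relies on it for separation.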
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/mls
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/mls     Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,354 @@
+
+ifdef(`enable_mls',`
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+sensitivity s3;
+sensitivity s4;
+sensitivity s5;
+sensitivity s6;
+sensitivity s7;
+sensitivity s8;
+sensitivity s9;
+sensitivity s10;
+sensitivity s11;
+sensitivity s12;
+sensitivity s13;
+sensitivity s14;
+sensitivity s15;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
+
+
+#
+# Each MLS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+level s1:c0.c255;
+level s2:c0.c255;
+level s3:c0.c255;
+level s4:c0.c255;
+level s5:c0.c255;
+level s6:c0.c255;
+level s7:c0.c255;
+level s8:c0.c255;
+level s9:c0.c255;
+level s10:c0.c255;
+level s11:c0.c255;
+level s12:c0.c255;
+level s13:c0.c255;
+level s14:c0.c255;
+level s15:c0.c255;
+
+
+#
+# Define the MLS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#           | not expression
+#           | expression and expression
+#           | expression or expression
+#           | u1 op u2
+#           | r1 role_mls_op r2
+#           | t1 op t2
+#           | l1 role_mls_op l2
+#           | l1 role_mls_op h2
+#           | h1 role_mls_op l2
+#           | h1 role_mls_op h2
+#           | l1 role_mls_op h1
+#           | l2 role_mls_op h2
+#           | u1 op names
+#           | u2 op names
+#           | r1 op names
+#           | r2 op names
+#           | t1 op names
+#           | t2 op names
+#           | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#           | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#           | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+
+') dnl end enable_mls
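Review bot: sixteen sensitivities with a `dominance { s0 ... s15 }` ordering are declared, but no mlsconstrain rule follows the grammar comment, so nothing enforces no-read-up / no-write-down between, say, an s0 and an s15 domain; the `level` lines also hand every sensitivity the full c0.c255 range. If enable_mls is meant to be selectable, the hunk should carry at least the read and write constraints on mmu, grant and event in the `l1 dom l2` / `l1 domby l2` forms the comment describes, or the `ifdef` should be documented as unused scaffolding.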
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/modules.conf
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/modules.conf    Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,21 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: xen
+# Module: xen
+# Required in base
+#
+# Policy for xen.
+# 
+xen = base
+
diff -r 44f039c4aee4 -r 294fc8fc4ba0 
tools/flask/policy/policy/modules/xen/xen.if
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/modules/xen/xen.if      Thu Sep 04 11:26:25 
2008 +0100
@@ -0,0 +1,1 @@
+#
diff -r 44f039c4aee4 -r 294fc8fc4ba0 
tools/flask/policy/policy/modules/xen/xen.te
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/modules/xen/xen.te      Thu Sep 04 11:26:25 
2008 +0100
@@ -0,0 +1,135 @@
+attribute xen_type;
+attribute domain_type;
+attribute resource_type;
+attribute event_type;
+
+type xen_t, xen_type, domain_type;
+
+type dom0_t, domain_type;
+
+type domio_t, domain_type;
+
+type domxen_t, domain_type;
+
+type unlabeled_t, domain_type;
+
+type security_t, domain_type;
+
+type pirq_t, resource_type;
+type ioport_t, resource_type;
+type iomem_t, resource_type;
+type device_t, resource_type;
+
+################################################################################
+#
+# create_domain(priv_dom, domain, channel)
+#
+################################################################################
+define(`create_domain', `
+       type $2, domain_type;
+       allow $1 $2:domain {create max_vcpus setdomainmaxmem 
+                               setaddrsize getdomaininfo hypercall 
+                               setvcpucontext scheduler unpause 
+                               getvcpuinfo getaddrsize getvcpuaffinity};
+       allow $1 $2:shadow {enable};
+       allow $1 $2:mmu {map_read map_write memorymap adjust pinpage};
+       allow $2 $2:mmu {map_read map_write pinpage};
+       allow $2 domio_t:mmu {map_read};
+       allow $2 $2:grant {query setup};
+       allow $1 $2:grant {map_read unmap};
+       allow $1 $3:event {create};
+')
+
+################################################################################
+#
+# manage_domain(priv_dom, domain)
+#
+################################################################################
+define(`manage_domain', `
+       allow $1 $2:domain {pause destroy};
+')
+
+################################################################################
+#
+# create_channel(caller, peer, channel)
+#
+################################################################################
+define(`create_channel', `
+       type $3, event_type;
+       type_transition $1 $2:event $3;
+       allow $1 $3:event {create};
+       allow $3 $2:event {bind};
+')
+
+################################################################################
+#
+# Boot the hypervisor and dom0
+#
+################################################################################
+allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del 
+scheduler physinfo heap quirk readconsole writeconsole settime microcode};
+
+allow dom0_t domio_t:mmu {map_read map_write};
+allow dom0_t iomem_t:mmu {map_read map_write};
+allow dom0_t pirq_t:event {vector};
+allow dom0_t xen_t:mmu {memorymap};
+
+allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust};
+allow dom0_t dom0_t:grant {query setup};
+allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo 
getvcpuaffinity};
+
+allow xen_t dom0_t:domain {create};
+allow xen_t dom0_t:resource {add remove};
+allow xen_t ioport_t:resource {add_ioport remove_ioport};
+allow dom0_t ioport_t:resource {use};
+allow xen_t iomem_t:resource {add_iomem remove_iomem};
+allow dom0_t iomem_t:resource {use};
+allow xen_t pirq_t:resource {add_irq remove_irq};
+allow dom0_t pirq_t:resource {use};
+
+allow dom0_t security_t:security {compute_av compute_create compute_member 
+check_context load_policy compute_relabel compute_user setenforce setbool
+setsecparam};
+
+create_channel(dom0_t, dom0_t, evchn0-0_t)
+allow dom0_t evchn0-0_t:event {send};
+
+################################################################################
+#
+# Create and manage a domU w/ dom0 IO
+#
+################################################################################
+create_domain(dom0_t, domU_t, evchnU-0_t)
+
+create_channel(domU_t, domU_t, evchnU-U_t)
+allow domU_t evchnU-U_t:event {send};
+
+create_channel(dom0_t, domU_t, evchn0-U_t)
+allow dom0_t evchn0-U_t:event {send};
+
+create_channel(domU_t, dom0_t, evchnU-0_t)
+allow domU_t evchnU-0_t:event {send};
+
+manage_domain(dom0_t, domU_t)
+
+################################################################################
+#
+#
+#
+################################################################################
+sid xen gen_context(system_u:system_r:xen_t,s0)
+sid dom0 gen_context(system_u:system_r:dom0_t,s0)
+sid domU gen_context(system_u:system_r:domU_t,s0)
+sid domxen gen_context(system_u:system_r:domxen_t,s0)
+sid domio gen_context(system_u:system_r:domio_t,s0)
+sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
+sid security gen_context(system_u:system_r:security_t,s0)
+sid pirq gen_context(system_u:object_r:pirq_t,s0)
+sid iomem gen_context(system_u:object_r:iomem_t,s0)
+sid ioport gen_context(system_u:object_r:ioport_t,s0)
+sid device gen_context(system_u:object_r:device_t,s0)
+
+role system_r types { xen_type domain_type };
+role user_r types { xen_type domain_type };
+role sysadm_r types { xen_type domain_type };
+role staff_r types { xen_type domain_type };
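Review bot: every guest is created as the single type domU_t (`create_domain(dom0_t, domU_t, evchnU-0_t)`), so the self rules the macro expands to, `allow $2 $2:mmu {map_read map_write pinpage}` and `allow $2 $2:grant {query setup}`, plus `create_channel(domU_t, domU_t, evchnU-U_t)` and `allow domU_t evchnU-U_t:event {send}`, apply between any two domU_t domains, not between a domain and itself. The policy therefore separates dom0 from guests but adds no inter-guest separation beyond the hypervisor's existing ownership checks; the commit message and a comment above "Create and manage a domU w/ dom0 IO" should say so, and point at per-guest types via create_domain (or MCS categories, once constraints exist) as the way to get it. Two smaller points: the banner before the `sid` lines is empty ("#", "#", "#") and wants a title such as "Initial SIDs"; and domxen_t, unlabeled_t and device_t receive initial SIDs but no allow rules, which is the right deny-by-default outcome in enforcing mode but deserves a one-line comment so it is not mistaken for an omission.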
diff -r 44f039c4aee4 -r 294fc8fc4ba0 
tools/flask/policy/policy/support/loadable_module.spt
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/support/loadable_module.spt     Thu Sep 04 
11:26:25 2008 +0100
@@ -0,0 +1,166 @@
+########################################
+#
+# Macros for switching between source policy
+# and loadable policy module support
+#
+
+##############################
+#
+# For adding the module statement
+#
+define(`policy_module',`
+       ifdef(`self_contained_policy',`',`
+               module $1 $2;
+
+               require {
+                       role system_r;
+                       all_kernel_class_perms
+               }
+       ')
+')
+
+##############################
+#
+# For use in interfaces, to optionally insert a require block
+#
+define(`gen_require',`
+       ifdef(`self_contained_policy',`',`
+               define(`in_gen_require_block')
+               require {
+                       $1
+               }
+               undefine(`in_gen_require_block')
+       ')
+')
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# template(name,rules)
+#
+define(`template',`
+       `define(`$1',`
+##### begin $1(dollarsstar)
+               $2
+##### end $1(dollarsstar)
+       '')
+')
+
+# helper function, since m4 wont expand macros
+# if a line is a comment (#):
+define(`policy_m4_comment',`dnl
+##### $2 depth: $1
+')dnl
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# interface(name,rules)
+#
+define(`interface',`
+       `define(`$1',`
+
+       define(`policy_temp',incr(policy_call_depth))
+       pushdef(`policy_call_depth',policy_temp)
+       undefine(`policy_temp')
+
+       policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar))
+
+       $2
+
+       define(`policy_temp',decr(policy_call_depth))
+       pushdef(`policy_call_depth',policy_temp)
+       undefine(`policy_temp')
+
+       policy_m4_comment(policy_call_depth,end `$1'(dollarsstar))
+
+       '')
+')
+
+define(`policy_call_depth',0)
+
+##############################
+#
+# Optional policy handling
+#
+define(`optional_policy',`
+       ifdef(`self_contained_policy',`
+               ifdef(`$1',`$2',`$3')
+       ',`
+               optional {
+                       $2
+               ifelse(`$3',`',`',`
+               } else {
+                       $3
+               ')
+               }
+       ')
+')
+
+##############################
+#
+# Determine if we should use the default
+# tunable value as specified by the policy
+# or if the override value should be used
+#
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
+
+##############################
+#
+# Extract booleans out of an expression.
+# This needs to be reworked so expressions
+# with parentheses can work.
+
+define(`delcare_required_symbols',`
+ifelse(regexp($1, `\w'), -1, `', `dnl
+bool regexp($1, `\(\w+\)', `\1');
+delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
+') dnl
+')
+
+##############################
+#
+# Tunable declaration
+#
+define(`gen_tunable',`
+       ifdef(`self_contained_policy',`
+               bool $1 dflt_or_overr(`$1'_conf,$2);
+       ',`
+               # loadable module tunable
+               # declaration will go here
+               # instead of bool when
+               # loadable modules support
+               # tunables
+               bool $1 dflt_or_overr(`$1'_conf,$2);
+       ')
+')
+
+##############################
+#
+# Tunable policy handling
+#
+define(`tunable_policy',`
+       ifdef(`self_contained_policy',`
+               if (`$1') {
+                       $2
+               } else {
+                       $3
+               }
+       ',`
+               # structure for tunables
+               # will go here instead of a
+               # conditional when loadable
+               # modules support tunables
+               gen_require(`
+                       delcare_required_symbols(`$1')
+               ')
+
+               if (`$1') {
+                       $2
+               } else {
+                       $3
+               }
+       ')
+')
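Review bot: `delcare_required_symbols` (defined here and called from `tunable_policy`) is misspelled throughout; it is consistent so it expands, but renaming it to `declare_required_symbols` now avoids carrying a confusing macro name into every policy that uses tunables. Separately, the `interface` macro does `pushdef(`policy_call_depth',policy_temp)` on both entry and exit and never `popdef`s, so each interface expansion leaves two extra definitions on the m4 stack; only the top value is read so the output is correct, but a `popdef` on exit (or a plain `define`) would keep the stack bounded. The header comment on `delcare_required_symbols` also admits the regexp cannot handle parenthesised expressions; until that is reworked, the limitation should be repeated in the `tunable_policy` comment so policy authors know not to pass such conditions.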
diff -r 44f039c4aee4 -r 294fc8fc4ba0 
tools/flask/policy/policy/support/misc_macros.spt
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/support/misc_macros.spt Thu Sep 04 11:26:25 
2008 +0100
@@ -0,0 +1,32 @@
+
+########################################
+#
+# Helper macros
+#
+
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+########################################
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range 
$4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
+
+########################################
+#
+# gen_context(context,mls_sensitivity,[mcs_categories])
+#
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')
 dnl
+
+########################################
+#
+# gen_bool(name,default_value)
+#
+define(`gen_bool',`
+       bool $1 dflt_or_overr(`$1'_conf,$2);
+')
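Review bot: `gen_bool` calls `dflt_or_overr`, which is defined in loadable_module.spt rather than here, so misc_macros.spt only expands correctly when loadable_module.spt is processed first; either move `dflt_or_overr` next to these helpers or state the ordering requirement in the header comment. The `gen_user` expansion also emits `level s0 range s0` under enable_mcs unconditionally while the MLS branch uses the caller's `$3`/`$4`, so the mls_defaultlevel and mls_range arguments are ignored for MCS; that is acceptable for this policy but deserves a comment in the usage line.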
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/systemuser
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/systemuser      Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,19 @@
+##################################
+#
+# System User configuration.
+#
+
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
+
+# Normal users should not be added to this file,
+# but instead added to the users file.
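Review bot: The comment above `gen_user(system_u, ...)` is carried over from the SELinux reference policy and talks about Unix user identities and user processes, neither of which exists in the hypervisor; reword it for Xen (system_u is the user identity for the hypervisor itself and for the domains and objects labelled by the initial SIDs). The `s0 - s9:c0.c127` range also assumes ten sensitivities and 128 categories are declared in the MLS/MCS files, which should be stated here so the two stay in sync when either is changed.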
diff -r 44f039c4aee4 -r 294fc8fc4ba0 tools/flask/policy/policy/users
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/policy/policy/users   Thu Sep 04 11:26:25 2008 +0100
@@ -0,0 +1,39 @@
+
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+ifdef(`targeted_policy',`
+gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+',`
+gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
+')
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+ifdef(`targeted_policy',`
+       gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
+',`
+       ifdef(`direct_sysadm_daemon',`
+               gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, 
c0.c127)
+       ',`
+               gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
+       ')
+')
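Review bot: `mcs_catetories` in the gen_user usage comment is a typo for `mcs_categories` (the systemuser file spells it correctly). The explanatory comments for user_u and root are copied from the SELinux reference policy and refer to Linux users, modified daemons and login shells, which have no meaning in a Xen policy; either rewrite them in terms of the management tools and domains that will run with these identities, or drop the entries if nothing in the sample policy uses user_u or root. Note also that user_r, sysadm_r and staff_r are declared earlier in this patch with the same type set as system_r, so the `targeted_policy` and `direct_sysadm_daemon` variants here differ only in the role names they list.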
