diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 1f6bdaf..c83464e 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -21,7 +21,10 @@
 #
 
 # Build compatibility policies 
-POLICYCOMPAT = -c 18
+POLICYCOMPAT = 18
+
+# Build MLS policies
+MLS=n
 
 # set distribution
 override M4PARAM += -D distro_redhat
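Review bot: The new `MLS=n` knob documents neither its accepted values nor that the match is exact; the later `ifeq ($(MLS),y)` enables MLS only for the literal `y`, so `MLS=yes` or `MLS=Y` would quietly build a non-MLS policy. I would extend the comment to `# Build MLS policies: y to enable; any other value builds a non-MLS policy`. Separately, `POLICYCOMPAT` changes from a flag string to a bare version number, so an existing override such as `POLICYCOMPAT="-c 18"` now expands to `-c -c 18`. A line in the comment above it saying that it takes only the version number would help.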
@@ -42,14 +45,24 @@ CHECKPOLICY := $(BINDIR)/checkpolicy
 LOADPOLICY := $(SBINDIR)/load_policy
 SETFILES := $(SBINDIR)/setfiles
 
+# enable MLS if requested.
+ifeq ($(MLS),y)
+	override M4PARAM += -D enable_mls
+	CHECKPOLICY += -M
+endif
+
+ifneq ($(POLICYCOMPAT),)
+	CHECKPOLICY += -c $(POLICYCOMPAT)
+endif
+
 # determine the policy version and current kernel version if possible
-PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
+PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
 KV := $(shell cat /selinux/policyvers)
 
 # dont print version warnings if we are unable to determine
 # the currently running kernel's policy version
 ifeq ($(KV),)
-KV := $(PV)
+	KV := $(PV)
 endif
 
 FC := file_contexts
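Review bot: Appending `-M` and `-c $(POLICYCOMPAT)` to `CHECKPOLICY` ties the policy options to the tool path, and unlike the `override M4PARAM` line next to it these appends are lost if someone runs `make CHECKPOLICY=/other/checkpolicy`. The m4 side would then still define `enable_mls` while the compiler runs without `-M`, and the two recipe hunks further down no longer pass `$(POLICYCOMPAT)` themselves. Keeping the flags in their own variable, e.g. `CHECKPOLICY_FLAGS += -M` and `$(CHECKPOLICY) $(CHECKPOLICY_FLAGS) $^ -o $@`, avoids that. The assignments inside the `ifeq`/`ifneq` blocks (including the re-indented `KV := $(PV)`) are also tab-indented; that presumably parses only because no rule is open at this point, so spaces would be safer.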
@@ -68,21 +81,20 @@ FCPATH = $(CONTEXTPATH)/files/file_contexts
 HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
 
 BASE_MODULE = kernel
-FLASKDIR = $(BASE_MODULE)/flask/
-MISCDIR = $(BASE_MODULE)/misc/
+FLASKDIR = flask
 
 APPDIR := $(CONTEXTPATH)
 APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
 CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
-USER_FILES := $(MISCDIR)/users 
+USER_FILES := users 
 
 DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
-ALL_MODULES := $(filter-out tmp appconfig CVS,$(DETECTED_DIRS))
+ALL_MODULES := $(filter-out tmp CVS $(APPDIR) $(FLASKDIR),$(DETECTED_DIRS))
 
-PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
+PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls
 ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
 ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
-POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use)
+POST_TE_FILES := users constraints initial_sid_contexts fs_use
 
 ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
 
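Review bot: `$(filter-out tmp CVS $(APPDIR) $(FLASKDIR),$(DETECTED_DIRS))` filters on `$(APPDIR)`, which is set to `$(CONTEXTPATH)` a few lines up and looks like an install path (compare `FCPATH`), whereas `DETECTED_DIRS` holds bare directory names from `find $(wildcard *)`. If an `appconfig` directory still sits beside the modules, as the `CONTEXTFILES` wildcard suggests, it is no longer excluded and is treated as a policy module. Unless that is intended, keep the literal: `ALL_MODULES := $(filter-out tmp CVS appconfig $(FLASKDIR),$(DETECTED_DIRS))`. `CONTEXTPATH` is defined outside this hunk, so this should be confirmed against its value.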
@@ -111,7 +123,7 @@ ifneq ($(PV),$(KV))
 	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
 	@echo
 endif
-	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@
+	$(QUIET) $(CHECKPOLICY) $^ -o $@
 
 ########################################
 #
@@ -125,7 +137,7 @@ ifneq ($(PV),$(KV))
 	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
 	@echo
 endif
-	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@
+	$(QUIET) $(CHECKPOLICY) $^ -o $@
 
 ########################################
 #
diff --git a/refpolicy/policy/constraints b/refpolicy/policy/constraints
new file mode 100644
index 0000000..5f537f2
--- /dev/null
+++ b/refpolicy/policy/constraints
@@ -0,0 +1,80 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# Define m4 macros for the constraints
+#
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# expression : ( expression ) 
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_op r2
+#	     | t1 op t2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#
+# op : == | != 
+# role_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name		
+#
+
+#
+# SELinux process identity change constraint:
+#
+constrain process transition
+	( u1 == u2 or ( t1 == can_change_process_identity and t2 == userdomain )
+ifdef(`crond.te', `
+         or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
+')
+ifdef(`TODO',`
+ifdef(`userhelper.te', 
+	`or (t1 == userhelperdomain)')
+	 or (t1 == priv_system_role and u2 == system_u )
+') dnl end TODO
+        );
+
+#
+# SELinux process role change constraint:
+#
+constrain process transition 
+	( r1 == r2 or ( t1 == can_change_process_role and t2 == userdomain )
+ifdef(`crond.te', `
+         or (t1 == crond_t and t2 == user_crond_domain)
+')
+ifdef(`TODO',`
+ifdef(`userhelper.te', 
+	`or (t1 == userhelperdomain)')
+ifdef(`postfix.te', `
+ifdef(`direct_sysadm_daemon',
+	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
+')
+	 or (t1 == priv_system_role and r2 == system_r )
+') dnl end TODO
+        );
+
+#
+# SELinux dynamic transition constraint:
+#
+constrain process dyntransition
+	( u1 == u2 and r1 == r2);
+
+#
+# SElinux object identity change constraint:
+#
+constrain dir_file_class_set { create relabelto relabelfrom } 
+	( u1 == u2 or t1 == can_change_object_identity );
+
+constrain socket_class_set { create relabelto relabelfrom } 
+	( u1 == u2 or t1 == can_change_object_identity );
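Review bot: The exceptions in the two `process transition` constraints are gated on m4 macros named after files (`crond.te`, `userhelper.te`, `postfix.te`) and on `TODO`, and nothing in this commit's visible Makefile changes defines them. If they are never defined, the crond branches drop out and the constraints are stricter than the text suggests, which is the safe direction but may deny cron-driven transitions unexpectedly. A comment above each block would make that explicit, for example `# NOTE: only active if the build defines crond.te; otherwise cron gets no exception`. The "Define m4 macros for the constraints" header is also followed by no macros and could be dropped or filled in.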
diff --git a/refpolicy/policy/flask/Makefile b/refpolicy/policy/flask/Makefile
new file mode 100644
index 0000000..970b9fe
--- /dev/null
+++ b/refpolicy/policy/flask/Makefile
@@ -0,0 +1,41 @@
+# flask needs to know where to export the libselinux headers.
+LIBSEL ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUXDIR ?= ../../../linux-2.6
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+          else if [ -x /bin/bash ]; then echo /bin/bash; \
+          else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = security_classes initial_sids
+AV_H_DEPEND = access_vectors
+
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+all:  $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+tolib: all
+	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
+	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
+
+tokern: all
+	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:  
+	rm -f $(FLASK_H_FILES)
+	rm -f $(AV_H_FILES)
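Review bot: `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` list several targets for one recipe, which make treats as independent rules, so under `make -j` the same generator script can run several times at once and write the same headers concurrently. Since `tolib` and `tokern` install these headers into libselinux and the kernel tree, a torn header is worth ruling out: route each group through a stamp file, or mark the file `.NOTPARALLEL:`. None of the command targets is declared phony either; adding `.PHONY: all tolib tokern install relabel clean` keeps a stray file named `clean` or `install` from disabling them.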
diff --git a/refpolicy/policy/flask/access_vectors b/refpolicy/policy/flask/access_vectors
new file mode 100644
index 0000000..1004d39
--- /dev/null
+++ b/refpolicy/policy/flask/access_vectors
@@ -0,0 +1,608 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+	unlink
+	link
+	rename
+	execute
+	swapon
+	quotaon
+	mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+	ioctl
+	read
+	write
+	create
+	getattr
+	setattr
+	lock
+	relabelfrom
+	relabelto
+	append
+# socket-specific
+	bind
+	connect
+	listen
+	accept
+	getopt
+	setopt
+	shutdown
+	recvfrom
+	sendto
+	recv_msg
+	send_msg
+	name_bind
+}	
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+	create
+	destroy
+	getattr
+	setattr
+	read
+	write
+	associate
+	unix_read
+	unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+	mount
+	remount
+	unmount
+	getattr
+	relabelfrom
+	relabelto
+	transition
+	associate
+	quotamod
+	quotaget
+}
+
+class dir
+inherits file
+{
+	add_name
+	remove_name
+	reparent
+	search
+	rmdir
+}
+
+class file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+	execute_no_trans
+	entrypoint
+	execmod
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+	use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+	node_bind
+	name_connect
+}
+
+class udp_socket
+inherits socket
+{
+	node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+	node_bind
+}
+
+class node 
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+	enforce_dest
+}
+
+class netif
+{
+	tcp_recv
+	tcp_send
+	udp_recv
+	udp_send
+	rawip_recv
+	rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+	connectto
+	newconn
+	acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+	fork
+	transition
+	sigchld # commonly granted from child to parent
+	sigkill # cannot be caught or ignored
+	sigstop # cannot be caught or ignored
+	signull # for kill(pid, 0)
+	signal  # all other signals
+	ptrace
+	getsched
+	setsched
+	getsession
+	getpgid
+	setpgid
+	getcap
+	setcap
+	share
+	getattr
+	setexec
+	setfscreate
+	noatsecure
+	siginh
+	setrlimit
+	rlimitinh
+	dyntransition
+	setcurrent
+	execmem
+	execstack
+	execheap
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+	enqueue
+}
+
+class msg
+{
+	send
+	receive
+}
+
+class shm
+inherits ipc
+{
+	lock
+}
+
+
+#
+# Define the access vector interpretation for the security server. 
+#
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce     # was avc_toggle in system class
+	setbool
+	setsecparam
+	setcheckreqprot
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+	ipc_info
+	syslog_read  
+	syslog_mod
+	syslog_console
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown           
+	dac_override    
+	dac_read_search 
+	fowner          
+	fsetid          
+	kill            
+	setgid           
+	setuid           
+	setpcap          
+	linux_immutable  
+	net_bind_service 
+	net_broadcast    
+	net_admin        
+	net_raw          
+	ipc_lock         
+	ipc_owner        
+	sys_module       
+	sys_rawio        
+	sys_chroot       
+	sys_ptrace       
+	sys_pacct        
+	sys_admin        
+	sys_boot         
+	sys_nice         
+	sys_resource     
+	sys_time         
+	sys_tty_config  
+	mknod
+	lease
+	audit_write
+	audit_control
+}
+
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+	passwd	# change another user passwd
+	chfn	# change another user finger info
+	chsh	# change another user shell
+	rootok  # pam_rootok check (skip auth)
+	crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class drawable
+{
+	create
+	destroy
+	draw
+	copy
+	getattr
+}
+
+class gc
+{
+	create
+	free
+	getattr
+	setattr
+}
+
+class window 
+{
+	addchild
+	create
+	destroy
+	map
+	unmap
+	chstack
+	chproplist
+	chprop	
+	listprop
+	getattr
+	setattr
+	setfocus
+	move
+	chselection
+	chparent
+	ctrllife
+	enumerate
+	transparent
+	mousemotion
+	clientcomevent
+	inputevent
+	drawevent
+	windowchangeevent
+	windowchangerequest
+	serverchangeevent
+	extensionevent
+}
+
+class font
+{
+	load
+	free
+	getattr
+	use
+}
+
+class colormap
+{
+	create
+	free
+	install
+	uninstall
+	list
+	read
+	store
+	getattr
+	setattr
+}
+
+class property
+{
+	create
+	free
+	read
+	write
+}
+
+class cursor
+{
+	create
+	createglyph
+	free
+	assign
+	setattr
+}
+
+class xclient
+{
+	kill
+}
+
+class xinput
+{
+	lookup
+	getattr
+	setattr
+	setfocus
+	warppointer
+	activegrab
+	passivegrab
+	ungrab
+	bell
+	mousemotion
+	relabelinput
+}
+
+class xserver
+{
+	screensaver
+	gethostlist
+	sethostlist
+	getfontpath
+	setfontpath
+	getattr
+	grab
+	ungrab
+}
+
+class xextension
+{
+	query
+	use
+}
+
+#
+# Define the access vector interpretation for controlling
+# PaX flags
+#
+class pax
+{
+	pageexec	# Paging based non-executable pages
+	emutramp	# Emulate trampolines
+	mprotect	# Restrict mprotect()
+	randmmap	# Randomize mmap() base
+	randexec	# Randomize ET_EXEC base
+	segmexec	# Segmentation based non-executable pages
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+	nlmsg_relay
+	nlmsg_readpriv
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+	nlmsg_read
+	nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+	acquire_svc
+	send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+	getpwd
+	getgrp
+	gethost
+	getstat
+	admin
+       shmempwd
+       shmemgrp
+       shmemhost
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+       sendto
+       recvfrom
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
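Review bot: Only the `capability` class carries the "Order matters" warning, but order matters for every `common` and `class` block here: mkaccess_vector.sh in this commit assigns each permission the next power of two in file order, and mkflask.sh numbers the entries of security_classes and initial_sids by position in the same way. Inserting or reordering a line therefore renumbers the generated constants, and headers already installed by `tolib`/`tokern` could then disagree with a newly built policy. I would say so in the header comment of this file (and of security_classes and initial_sids), e.g. `# Permission order defines the bit values in av_permissions.h; append new permissions, never reorder.`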
diff --git a/refpolicy/policy/flask/initial_sids b/refpolicy/policy/flask/initial_sids
new file mode 100644
index 0000000..95894eb
--- /dev/null
+++ b/refpolicy/policy/flask/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers 
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/refpolicy/policy/flask/mkaccess_vector.sh b/refpolicy/policy/flask/mkaccess_vector.sh
new file mode 100755
index 0000000..b5da734
--- /dev/null
+++ b/refpolicy/policy/flask/mkaccess_vector.sh
@@ -0,0 +1,227 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="av_permissions.h"
+av_inherit="av_inherit.h"
+common_perm_to_string="common_perm_to_string.h"
+av_perm_to_string="av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$av_permissions\"
+		inheritfile = \"$av_inherit\"
+		cpermfile = \"$common_perm_to_string\"
+		avpermfile = \"$av_perm_to_string\"
+		"'
+		nextstate = "COMMON_OR_AV";
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
+;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "common"	{ 
+			if (nextstate != "COMMON_OR_AV")
+			{
+				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in common_defined)
+			{
+				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			common_defined[$2] = 1;
+
+			tclass = $2;
+			common_name = $2; 
+			permission = 1;
+
+			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
+
+			nextstate = "COMMON-OPENBRACKET";
+			next;
+		}
+$1 == "class"	{
+			if (nextstate != "COMMON_OR_AV" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			tclass = $2;
+
+			if (tclass in av_defined)
+			{
+				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
+				next;
+			} 
+			av_defined[tclass] = 1;
+
+			inherits = "";
+			permission = 1;
+
+			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "inherits" {			
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
+				next;	
+			}
+
+			if (!($2 in common_defined))
+			{
+				printf("COMMON %s is not defined (line %d).\n", $2, NR);
+				next;
+			}
+
+			inherits = $2;
+			permission = common_base[$2];
+
+			for (combined in common_perms)
+			{
+				split(combined,separate, SUBSEP);
+				if (separate[1] == inherits)
+				{
+					inherited_perms[common_perms[combined]] = separate[2];
+				}
+			}
+
+                        j = 1;
+                        for (i in inherited_perms) {
+                            ind[j] = i + 0;
+                            j++;
+                        }
+                        n = asort(ind);
+			for (i = 1; i <= n; i++) {
+				perm = inherited_perms[ind[i]];
+				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
+				spaces = 40 - (length(perm) + length(tclass));
+				if (spaces < 1)
+				      spaces = 1;
+				for (j = 0; j < spaces; j++) 
+					printf(" ") > outfile; 
+				printf("0x%08xUL\n", ind[i]) > outfile; 
+			}
+			printf("\n") > outfile;
+                        for (i in ind) delete ind[i];
+                        for (i in inherited_perms) delete inherited_perms[i];
+
+			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
+
+			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "{"	{ 
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "COMMON-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected { on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "COMMON-OPENBRACKET")
+				nextstate = "COMMON-CLOSEBRACKET";
+		}
+/[a-z][a-z_]*/	{
+			if (nextstate != "COMMON-CLOSEBRACKET" &&
+			    nextstate != "CLASS-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				if ((common_name,$1) in common_perms)
+				{
+					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
+					next;
+				}
+
+				common_perms[common_name,$1] = permission;
+
+				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
+
+				printf("    S_(\"%s\")\n", $1) > cpermfile;
+			}
+			else
+			{
+				if ((tclass,$1) in av_perms)
+				{
+					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
+					next;
+				}
+
+				av_perms[tclass,$1] = permission;
+		
+				if (inherits != "")
+				{
+					if ((inherits,$1) in common_perms)
+					{
+						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
+						next;
+					}
+				}
+
+				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
+
+				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
+			}
+
+			spaces = 40 - (length($1) + length(tclass));
+			if (spaces < 1)
+			      spaces = 1;
+
+			for (i = 0; i < spaces; i++) 
+				printf(" ") > outfile; 
+			printf("0x%08xUL\n", permission) > outfile; 
+			permission = permission * 2;
+		}
+$1 == "}"	{
+			if (nextstate != "CLASS-CLOSEBRACKET" && 
+			    nextstate != "COMMON-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected } on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				common_base[common_name] = permission;
+				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
+			}
+
+			printf("\n") > outfile;
+
+			nextstate = "COMMON_OR_AV";
+		}
+END	{
+		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			printf("Parse error:  Unexpected end of file\n");
+
+	}'
+
+# FLASK
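Review bot: Every "Parse error" and "Duplicate" branch prints to stdout and continues with `next`, and the `END` block only prints as well, so awk exits 0 and `set -e` never fires; a malformed access_vectors file yields incomplete headers that make treats as up to date. Record the failure and fail the run, e.g. `printf(...) > "/dev/stderr"; errors = 1;` in each branch and `if (errors) exit 1;` at the end of `END`; mkflask.sh in this commit has the same pattern. Two smaller items: the conflict message passes four arguments (`$1, tclass, inherits, NR`) to a format with three conversions, so the line number is never printed, and `asort()` is a gawk extension while flask/Makefile sets `AWK = awk`. Nothing checks that a class stays within the 32 bits that `0x%08xUL` implies, either.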
diff --git a/refpolicy/policy/flask/mkflask.sh b/refpolicy/policy/flask/mkflask.sh
new file mode 100755
index 0000000..9c84754
--- /dev/null
+++ b/refpolicy/policy/flask/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="flask.h"
+debug_file="class_to_string.h"
+debug_file2="initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$output_file\"
+		debugfile = \"$debug_file\"
+		debugfile2 = \"$debug_file2\"
+		"'
+		nextstate = "CLASS";
+
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+
+		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+		printf("#define _SELINUX_FLASK_H_\n") > outfile;
+		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
+		printf("/*\n * Security object class definitions\n */\n") > debugfile;
+		printf("    S_(\"null\")\n") > debugfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
+		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
+		printf("    \"null\",\n") > debugfile2;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "class"	{ 
+			if (nextstate != "CLASS")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in class_found)
+			{
+				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			class_found[$2] = 1;
+
+			class_value++;
+
+			printf("#define SECCLASS_%s", toupper($2)) > outfile;
+			for (i = 0; i < 40 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", class_value) > outfile; 
+
+			printf("    S_(\"%s\")\n", $2) > debugfile;
+		}
+$1 == "sid"	{ 
+			if (nextstate == "CLASS")
+			{
+			    nextstate = "SID";
+			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
+			}
+
+			if ($2 in sid_found)
+			{
+				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			sid_found[$2] = 1;
+			sid_value++;
+
+			printf("#define SECINITSID_%s", toupper($2)) > outfile;
+			for (i = 0; i < 37 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", sid_value) > outfile; 
+			printf("    \"%s\",\n", $2) > debugfile2;
+		}
+END	{
+		if (nextstate != "SID")
+			printf("Parse error:  Unexpected end of file\n");
+
+		printf("\n#define SECINITSID_NUM") > outfile;
+		for (i = 0; i < 34; i++) 
+			printf(" ") > outfile; 
+		printf("%d\n", sid_value) > outfile; 
+		printf("\n#endif\n") > outfile;
+		printf("};\n\n") > debugfile2;
+	}'
+
+# FLASK
diff --git a/refpolicy/policy/flask/security_classes b/refpolicy/policy/flask/security_classes
new file mode 100644
index 0000000..2669c30
--- /dev/null
+++ b/refpolicy/policy/flask/security_classes
@@ -0,0 +1,86 @@
+# FLASK
+
+#
+# Define the security object classes 
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd
+
+# SE-X Windows stuff
+class drawable
+class window
+class gc
+class font
+class colormap
+class property
+class cursor
+class xclient
+class xinput
+class xserver
+class xextension
+
+# pax flags
+class pax
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus
+class nscd
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+# FLASK
diff --git a/refpolicy/policy/mls b/refpolicy/policy/mls
new file mode 100644
index 0000000..21f9f2d
--- /dev/null
+++ b/refpolicy/policy/mls
@@ -0,0 +1,731 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+ifdef(`enable_mls',`
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+sensitivity s3;
+sensitivity s4;
+sensitivity s5;
+sensitivity s6;
+sensitivity s7;
+sensitivity s8;
+sensitivity s9;
+
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MLS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+level s1:c0.c127;
+level s2:c0.c127;
+level s3:c0.c127;
+level s4:c0.c127;
+level s5:c0.c127;
+level s6:c0.c127;
+level s7:c0.c127;
+level s8:c0.c127;
+level s9:c0.c127;
+
+
+#
+# Define the MLS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name#
+#
+
+#
+# MLS policy for the file classes
+#
+
+# make sure these file classes are "single level"
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+	( l2 eq h2 );
+
+# new file labels must be dominated by the relabling subject clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
+	( h1 dom h2 );
+
+# the file "read" ops (note the check is dominance of the low level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ) or
+	 ( t2 == mlstrustedobject ));
+
+mlsconstrain dir search
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ) or
+	 ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# the "ranged" file "write" ops
+mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+mlsconstrain dir { add_name remove_name reparent rmdir }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ) or
+	 ( t2 == mlstrustedobject ));
+
+# these access vectors have no MLS restrictions
+# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
+#
+# file { execute_no_trans entrypoint }
+
+# the file upgrade/downgrade rule
+mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file }
+	((( l1 eq l2 ) or
+	  (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+	 (( h1 eq h2 ) or
+	  (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
+	  (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
+
+# create can also require the upgrade/downgrade checks if the creating process
+# has used setfscreate (note that both the high and low level of the object
+# default to the process sensitivity level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
+	((( l1 eq l2 ) or
+	  (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+	 (( l1 eq h2 ) or
+	  (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
+	  (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
+
+
+#
+# MLS policy for the filesystem class
+#
+
+# new filesystem labels must be dominated by the relabling subject clearance
+mlsconstrain filesystem relabelto
+	( h1 dom h2 );
+
+# the filesystem "read" ops (implicit single level)
+mlsconstrain filesystem { getattr quotaget }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfileread ));
+
+# all the filesystem "write" ops (implicit single level)
+mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsfilewrite ));
+
+# these access vectors have no MLS restrictions
+# filesystem { transition associate }
+
+
+#
+# MLS policy for the socket classes
+#
+
+# new socket labels must be dominated by the relabling subject clearance
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+	( h1 dom h2 );
+
+# the socket "read" ops (note that the we check dominance of the low level)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+mlsconstrain { tcp_socket unix_stream_socket } acceptfrom
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
+	(( l1 dom l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
+# the socket "write" ops
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsnetwrite ));
+
+mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsnetwrite ));
+
+# these access vectors have no MLS restrictions
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind }
+#
+# { tcp_socket udp_socket rawip_socket } node_bind
+#
+# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
+#
+
+
+#
+# MLS policy for the ipc classes
+#
+
+# the ipc "read" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsipcread ));
+
+mlsconstrain msg receive
+	(( l1 dom l2 ) or
+	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsipcread ));
+
+# the ipc "write" ops (implicit single level)
+mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain msgq enqueue
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain shm lock
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+mlsconstrain msg send
+	(( l1 eq l2 ) or
+	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsipcwrite ));
+
+# these access vectors have no MLS restrictions
+# { ipc sem msgq shm } associate
+
+
+#
+# MLS policy for the fd class
+#
+
+# these access vectors have no MLS restrictions
+# fd use
+
+
+#
+# MLS policy for the node class
+#
+
+# these access vectors have no MLS restrictions
+# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
+
+
+#
+# MLS policy for the netif class
+#
+
+# these access vectors have no MLS restrictions
+# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
+
+
+#
+# MLS policy for the process class
+#
+
+# new process labels must be dominated by the relabling subject clearance and
+# sensitivity level changes require privilege
+mlsconstrain process { transition dyntransition }
+	(( h1 dom h2 ) and
+	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
+
+# all the process "read" ops
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsprocread ));
+
+# all the process "write" ops (note the check is equality on the low level)
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsprocwrite ));
+
+# these access vectors have no MLS restrictions
+# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh}
+
+
+#
+# MLS policy for the security class
+#
+
+# these access vectors have no MLS restrictions
+# security *
+
+
+#
+# MLS policy for the system class
+#
+
+# these access vectors have no MLS restrictions
+# system *
+
+
+#
+# MLS policy for the capability class
+#
+
+# these access vectors have no MLS restrictions
+# capability *
+
+
+
+#
+# MLS policy for the passwd class
+#
+
+# these access vectors have no MLS restrictions
+# passwd *
+
+
+#
+# MLS policy for the drawable class
+#
+
+# the drawable "read" ops (implicit single level)
+mlsconstrain drawable { getattr copy }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the drawable "write" ops (implicit single level)
+mlsconstrain drawable { create destroy draw copy }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the gc class
+#
+
+# the gc "read" ops (implicit single level)
+mlsconstrain gc getattr
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the gc "write" ops (implicit single level)
+mlsconstrain gc { create free setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the window class
+#
+
+# the window "read" ops (implicit single level)
+mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the window "write" ops (implicit single level)
+mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+# these access vectors have no MLS restrictions
+# window { map unmap }
+
+
+#
+# MLS policy for the font class
+#
+
+# the font "read" ops (implicit single level)
+mlsconstrain font { load getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the font "write" ops (implicit single level)
+mlsconstrain font free
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+# these access vectors have no MLS restrictions
+# font use
+
+
+#
+# MLS policy for the colormap class
+#
+
+# the colormap "read" ops (implicit single level)
+mlsconstrain colormap { list read getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the colormap "write" ops (implicit single level)
+mlsconstrain colormap { create free install uninstall store setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the property class
+#
+
+# the property "read" ops (implicit single level)
+mlsconstrain property { read }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the property "write" ops (implicit single level)
+mlsconstrain property { create free write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+#
+# MLS policy for the cursor class
+#
+
+# the cursor "write" ops (implicit single level)
+mlsconstrain cursor { create createglyph free assign setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the xclient class
+#
+
+# the xclient "write" ops (implicit single level)
+mlsconstrain xclient kill
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the xinput class
+#
+
+# the xinput "read" ops (implicit single level)
+mlsconstrain xinput { lookup getattr mousemotion }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the xinput "write" ops (implicit single level)
+mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+
+
+#
+# MLS policy for the xserver class
+#
+
+# the xserver "read" ops (implicit single level)
+mlsconstrain xserver { gethostlist getfontpath getattr screensaver }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the xserver "write" ops (implicit single level)
+mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the xextension class
+#
+
+# the xextension "read" ops (implicit single level)
+mlsconstrain xextension query
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinread ));
+
+# the xextension "write" ops (implicit single level)
+mlsconstrain xextension use
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the pax class
+#
+
+# these access vectors have no MLS restrictions
+# pax { pageexec emutramp mprotect randmmap randexec segmexec }
+
+
+#
+# MLS policy for the dbus class
+#
+
+# these access vectors have no MLS restrictions
+# dbus { acquire_svc send_msg }
+
+
+#
+# MLS policy for the nscd class
+#
+
+# these access vectors have no MLS restrictions
+# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
+
+
+#
+# MLS policy for the association class
+#
+
+# these access vectors have no MLS restrictions
+# association { sendto recvfrom }
+
+attribute mlsfileread;
+attribute mlsfilereadtoclr;
+attribute mlsfilewrite;
+attribute mlsfilewritetoclr;
+attribute mlsfileupgrade;
+attribute mlsfiledowngrade;
+
+attribute mlsnetread;
+attribute mlsnetreadtoclr;
+attribute mlsnetwrite;
+attribute mlsnetwritetoclr;
+attribute mlsnetupgrade;
+attribute mlsnetdowngrade;
+attribute mlsnetbindall;
+
+attribute mlsipcread;
+attribute mlsipcreadtoclr;
+attribute mlsipcwrite;
+attribute mlsipcwritetoclr;
+
+attribute mlsprocread;
+attribute mlsprocreadtoclr;
+attribute mlsprocwrite;
+attribute mlsprocwritetoclr;
+attribute mlsprocsetsl;
+
+attribute mlsxwinread;
+attribute mlsxwinreadtoclr;
+attribute mlsxwinwrite;
+attribute mlsxwinwritetoclr;
+attribute mlsxwinupgrade;
+attribute mlsxwindowngrade;
+
+attribute mlstrustedobject;
+
+attribute privrangetrans;
+attribute mlsrangetrans;
+
+') dnl end enable_mls
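Review bot: The `mlsvalidatetrans` rule under "the file upgrade/downgrade rule" lists `{ file lnk_file chr_file blk_file sock_file fifo_file }` and leaves out `dir`, while the `create` constraint right after it and the `relabelto`/`relabelfrom` constraints above it do cover `dir`. As written, relabeling a directory to a different level appears to be gated only by the ranged-write and clearance constraints and does not require `mlsfileupgrade` or `mlsfiledowngrade`. If that is unintended, the class set should read `mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }`; if it is deliberate, a comment such as `# dir is exempt from upgrade/downgrade validation because ...` above the rule would record why. Separately, `mlsnetupgrade`, `mlsnetdowngrade`, `mlsnetbindall`, `mlsxwinupgrade`, `mlsxwindowngrade`, `privrangetrans` and `mlsrangetrans` are declared at the end of the file but referenced by no constraint in it, so a one-line comment on where each is consumed would help when auditing which types can bypass the MLS checks.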
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
new file mode 100644
index 0000000..5027903
--- /dev/null
+++ b/refpolicy/policy/users
@@ -0,0 +1,14 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+##################################
+#
+# Core User configuration.
+#
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+user system_u roles system_r user_mls(s0,s0 - s9:c0.c127);
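Review bot: The `user_mls(s0,s0 - s9:c0.c127)` argument repeats as literals the lowest and highest sensitivity and the full category set declared in policy/mls, and the comment above the `user` line does not mention it. If the sensitivities or categories there are ever changed, this range would go stale without any hint in this file. I would add a line to the comment block, for example `# MLS: default level s0; range spans every sensitivity and category declared in policy/mls (keep in sync).` The macro's definition is not visible in this hunk, so the reading of the first argument as the default level is an assumption to confirm.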