From 05c3d969d7497de92055b89ccb475fc182ac5af5 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Tue, 17 Apr 2012 13:07:16 -0400
Subject: [PATCH] Add lxc context definitions

---
 booleans-mls.conf      |   5 +-
 booleans-targeted.conf |   4 -
 config.tgz             | Bin 2987 -> 71680 bytes
 genman.py              | 408 +++++++++++++++++++++++++++++++++++++++++
 modules-mls.conf       |   7 -
 modules-targeted.conf  |   7 -
 nsadiff                |   3 -
 7 files changed, 409 insertions(+), 25 deletions(-)
 create mode 100755 genman.py
 delete mode 100755 nsadiff

diff --git a/booleans-mls.conf b/booleans-mls.conf
index fb86f905..2a24df10 100644
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@@ -1,6 +1,3 @@
-# Turn off the ability for one process to read/modify another processes memory
-deny_ptrace = true
-
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
 allow_execmem = false
@@ -43,7 +40,7 @@ allow_smbd_anon_write = false
 
 # Deny all processes the ability to ptrace other processes
 # 
-deny_ptrace = false
+deny_ptrace = true
 
 # Allow system to run with NIS
 # 
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 071bc80a..877a8ea0 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -213,10 +213,6 @@ allow_daemons_use_tty = false
 # 
 allow_polyinstantiation = false
 
-# Deny all processes the ability to ptrace other processes
-# 
-deny_ptrace = false
-
 # Allow all domains to dump core
 # 
 allow_daemons_dump_core = true
diff --git a/config.tgz b/config.tgz
index 261918710c1f7eeb2c19a3dc40b614a9e6193c8c..2e7e5b54dd54452a2aea4a0920f94f4b6b784070 100644
GIT binary patch
literal 71680
zcmeHQTW{kw7S3z@E3`AulSuLnNC$mrrw<Esw*@+VSS%KX#+GBXww0CSNz!8f`yO6I
zks>9^G0j|hGQilD4lg?7N1hvxmid02-Ckdu^Dl(I`E+^#AG2{dmOsfY@^=wM@njap
zlkt3V5k}E$8eas{b9Sn(`%qR%5d;^j`(#^g>Z|&v?Y>^(Ra{xJ@lWpV*tZY6W$Ai0
zkO8)j|9mnY$I*Bi!T7^8nBw^Rm_WwyKkVt{eY#p47OQlf9JbX0E>-D6RUY3fGXAp(
z;M$D;C<@~m|I>ILUxaZyi2?uN@l73H;xCT>^0BPa-J-Zz7Wsa)sBX&e@=_ZA;zs&G
z?v6x>Y@b!d@~9%)e3@()+x#}$vvN}9JuMaKF0axjlq)yKJyLmefyXjg?H1+XC^kq>
zO&Koz?%@LG_prA5svJ1J5Aa|E=EL!j!xArt1LpO=ObaI~KYLEg`X5dwQEUB=;^_?6
ze;>0%tmgXCOeO&=N903Y_zlZ(C#}4qb`mLjPbZbM9<^y`CwX6+^|7C7mDj6Vn@;dV
zTXEZza=Uz~Y?JsH#1q;u;{W!LmX*5&z=nS!>?`_T3<?0^|AbK;UX%@Wal<~@9M-Qj
zLZ1xPKDst^`e?PKr;k`)eEO)R<;OraoK0_*(un_B<*Od=QU_0N!#}8dfPc{b!^vzq
z0sSwUhhQc`{m%jKZB-<PRaOxdrnnJbt5KOQ*){$Jt}sQXxZz)_Q43F_hx!8l0%fXX
zy@ra}XEo~7Nk+;(I<oZ{@4MrG5&vw!T$p}nM=kh|Le2gY5i>C2-`y~G)+A(IZ4+*x
z7fe5awg@QpAbn@nt7rrXX=m2SEG@}Gh+ep9qtO^lRLbfkw1xqcLUS<D*7mfv0A!+7
zdcb5a6IpBNZMxdJL23xJmAX9C{WT6BuC|@n_$%BnuK#2^-lW?*(EQ;(vHG9H3d{N*
zhLdrv|8e_2I08dl|4(B2z`}g}KM=W&IRYdpjV?*JKn!H%t0Xhxf1PC8GFhii(0@Vv
zetrHw(DjJ@XA+NR(KwnB|Nndjmr(xmFry^2>#ipc?PC+q%K;<)w-3w3D&HmGrS-G_
z6a2IIkC@;;hJR@P@iH;={lEO071e@Ffqhyr&ySa$U?b1L0VDpo?&<>j<eBXI|E!k(
zdHmmejQ(Fgvq8r{AABPFqv-Ev5T3CWBmT+azs|Pa<o^l5za0NLpFtQX%Kskbg}{IQ
z<+pTM5pRvy|LGLKb-=?YJYN$={MY_pE&x0s<X3qh+x|bEi~XP3|DyRETtbL{g^TC;
zA<TY?Po=g6^1I~TZ~2#27?|cUQoOhp*HAaD<QVE9I!Hmpm(We_u4Z58nkAmB@d9b}
zorkBdsa7NY%am~HRM-nP*zh0CTK4~F7DkAF!M}5U;V2RIfA|uTGe8S=W0T!(Mn#@i
z@-YAt%|e_LS=dO=`8ZhjksL7MpLp`WCSP1B05<%GP5d|0|6_0oVEpHiBl$FPfqx<Y
zH-nF&|I>K-no61R4-39n&reqZZ1|srBL2Jf|Ig9??`IYXDOr~P`<#Nt(5yfYTM9H`
zTQsFB4$XN}%?bJR_D1hV?}J~V>fJ8gS3$N89`i$RpTPGj50XO#9<C~b1Bu(mfNB##
zQi|4~u;{O>k({NceumoEiV^?B0(5|bnvQ&cHvBXHKRy4?@efCWG5*ImUal{S{lA&*
z)c%KiziUpv%=&uqpY4)c2TlMR{-bbS`~SrLAEE!>%Y+g57xF)||FfZ&4QYoPK|)su
zDi`iCLcq%~ovjfg{&(prOWZYS!#`wwsqxSK|5M@;K>NSDA?U1WxhnD<k$Oq+uLSYN
z3b0DQX3Lb>{@2_5?(T6g`6?@aHxRG02goc#Zi158RNmP~ym3Ab81cXQawzM_KL=g_
z8~#a7Fy;JrG{^YA^9{LD^T)q^`sw@6|N8ld0LGk6hT!L4zx(m;-v{qLTwkw?G+m|T
z?^S+xef{b4r{L3v?|%Iy`0h{!-_y)thXQoyd>=$t;q~<o|9m$J-fgPt?&kXX{{H?-
zDt?t0x7T1M*sqdeRbG=Rc1;S2X0KM&>fN`akK)3&qagTLrrT_Pc%a{}#gC6ov2QU*
zNg2>1e;D!4Pw=`r0BXbkr1Af8`+qcpBjLFJA32s!As1@DZ2!}aax2dK_Q}S6YR%Z!
zPp%&#?WdP)bNz%(6o8S=bn)`iboFhmH%9!!ssBTfR@LKzWPmtX0<hsfnv4Cvj{ljG
z{EwLb?<t5ru1u5k0Y<x)#_RkKWCk?X=xJs35)ZeL$t2%_LQCBN%9Z0fiqvP}0LMRF
zrLUYu{WRUR;6EBevQJh1pM){uzhU4RzrDBqF*h2-g9U7^aEbqlUjMww%7DZP2M{xw
z?b9+yR*+BzG=gMHJ%D9Uq|5wvpZ$@pf-jFjwMn@}AfUTURy_uH`8HcVLWRLkd+@~(
z5;7BmYz2Nhs0?alwXcF~54Y<kL6?x~W3!ib25Q<RkHHsO&x*M9M4d@h71@_Vm6EEG
zrVsFJ<eWQusvnZ&hIL^BWeHUk<m;fwx6qYplT>x}(7&``4|Z4N%d{-h5*okHs*Px}
zte@lYDhNK)$KO}U1F0}!jjYn;HsN|yR^Cv?UQ!N_|Mtl)<xP_gEJ$bm9c<ID>6WmC
z=H_L;ie!JA2H?-k@4>#pe*NbgK2B-yj~{=j3-IEEft);G<mDzmY*#@}#sSz@-lfZI
zoxu}=_Y@wCRB;b1N%tf=h!0091`sI9WOoO%VVxH+6LugfmKAxjuWU$xfIio6^d5hz
zKWpzXnHV&VGx*;(Bekv~y*&VrXz9^=R>vx@`SK^dz9^tv@V3OWGa{c=t;v72itaE8
zI9dPg`M+8Iuko1V|DI03C4~9k&p!GW7v1A8334YI0xbJ~I1fqwH!1&rJf7hB9}j~M
zO|<p@p5)(wG$WKS9dSIM37M%65%yHq5Gy8vK_yfx!LTAUwfE&9T4q!jNXzytl9Xvs
z-4YXr6`+QT-oBhNQ+n_ZvWJ@-ur~aUXD#_Zj^jD3|ET|;GP1+U3jDW0NJgJ$RHoS<
zS#lr^cxJK&K<4}0*a(1O_YEtEnD$ByoSuGg$o1SOiO)nEv`jTZ`B0e{-S}teJWt&E
zX<JtOL$JTP|HruhE2DJ2A9d1J_6caYY+Y%#X#v_!3du9jQ%`H9>8!22)^rkz)uv5>
zShr4`Zv5A_h0~Kj+wc$Gz83x=BP`ngtYhbbK-m9}&i~vB`N!<eE{4N<9o_h6<LhJp
zpTax8+WUWu^1qk4&?W!3&@D`}P5yULvb|5YiZ%j-*r!_*eU%HLqb}2<D%2$Gvz>pQ
zsS7q5rZQ+$+%R1~J+G^EwdzW~e5q$Bcqw{FH~xvf<R%HQZT}C)!v9~#|HM<ozfb(r
z^Z#lN4HTZe48Sut(v5$2Nr0{RZ~On_5c7X|nisH(BkVo#`Xx5gjel;;0fJLs0AR(x
zw*QCYIp+WKGF`Y7FY^BsH?`{y_kS+~@XU>L<G;55@de<7C}0czqv^CQ|A%k@2>pLP
zriResYek!T*o2y02WQb2gwrH|jk+!o88QaKtGAB{8BpB<yc^7EC;GrO`=$q6eCcke
z+jrUDg5;)GVjZOVYI8<^MVf%s$rHKiI=!L6a3DsEdq~|i-+EymHF6wTyH*9Yr|3Lr
z8(4^uNRdOI*0@%Qx%rXu!oepsCG&;7VM`w>9+k*nq5LxU)9&@(T@pyk`X7d1>{0B$
z@cz#+p8xW({9o|ZM96;!mhF+Gd>kn`9Z8tQ;bqQYFN}JljdbImnDyNxfwbaZi~oqi
z8OncNW}LvkNbb^%dxdcKG6v7tNDuy<C4scyKZ<7U_%HGTIMn}q%nOeHf~t3*v0Zj5
zK8?~PseSwnw#^kT7mEvx_gB&Hf^IFSX@~0sm8Sm5!Z$>8s>%ct=ezPW9$h={gn03}
z<Lc!{aa=V!xcBt@m+!^g;F|7$sWEWKe9UZYV+aSj*ME0Oz%1)OdEH-2|C>!P|NoHD
zJDp~D{;$yy$-hR!Gk>9sdHNupP(wHV-6a9D;a|)D1q(uq{=XAOb$C(C|23RfZ;`Sa
z|2+4Rg8*O~{wHBu|BGj1jQ{g8-Gq!!G&Z9DX(_K74NgAZ(?g~xdVTe^0*8C5tX*wA
zB-|UOQ)pKVUGl=}7uiTR{@o=3v*BOM{{``XnE%_)bP?x&l+;`>_QV^jUc>xfeul(r
zD;oZH+tOj`7y2v&|MvVZ?ESw)76_vW=6~@t3ykA08TuTEf7bWE&u1<Fe+=ip@%*Qk
z8PJyhAk%A48WXtNX}A|Ae^atp@*;`;dK)oQksnDpX*#O0SV~K(G<ifhni%GY{xM<n
zm;x*;iJ13~C?!2LEhhc$;Q|$d?X8HpWyU`Z_HgzFIGg-88HcL<H;!U(31a>iF-qtA
zBJi)HPEM=>GpYfo0coAIGFUo^xbDfOEu%88CerL~SJrl<$(7N2^j$V86^RZs)BR<v
z(nkEVJQ^;xemZe&_#cC@SBd|NqY1wM^?aC@Yi^}Xp=i*rHQ1M-+DE4?Cw;{Fg3?DV
zEhz>v`Qh-pl><in*GE52PyIsMx8YyQ{{r#9c>cpWbWR9_{Ri{EIN|4OtHg+Z7EtAF
z|DVnD{U80mer8g){I5pU5jk0por8;wXrS-ndKC?|w2SLxmX>58q%Lez7-~B9NtFTh
zl2Fgp%SK9}IGAX)Lr7f709GqUoG42PLzJuRFcFc%+IMJATq`C<{1Yw7P3jjqiEaCT
zsKx(7`Zu)yd07BB{tfwG2)4a+0ULQn4jA$8F7*q2GAsTe*`uQWL-_v$<3GI23gaf@
zrDbg7C2+uq|LwzavC4Nzwy)m;ds0`e_@5B`Gym@x0>4Q>IJkk){(lnJhZUChf0p8%
zz5ks|fqjZ^cOS;Z*Gpx@zq`~=lrdKPgRtM)|HpGY|LbK^>G-enKY{%J0fK=RjAE1B
zZcrWYG9+FbG2)*r{^X^8PImtbYy3|*A@SdG{MUSj=YRc71A%{W{=eD(=@g(=CqI3`
zR{V3oi2vIE2RBLX#}iV&(Fd~a|KquM|6Be3=Xr$Zzr0Kaj(>6fpBSEr<(caO>`P;B
zZ|wJ)gI^A<VMg=17Tqz>O)I$tdWh=uXmxKD3%c5PPsorL2EXt|jQDq#`fCvWA=<Ac
z|Ifl0^M84nIb#2BzGz}UNd|U9|I<|hJx3V&4ZIATqehJQCkwWl)L(<}A5Pl-|1d=R
zzoP-RR3l(7<o{;yQS`Sk?+x5G<KJ28FUldC{6A~n|HS0~m>w5H`@e_zB}Dy3#y7mJ
z2=?@L5-zgMi^7^R0CzN*+*E@hcUPxOZz|tzrwQU2*a2C|IJ&Uw3|mJ%x|_*i#Q)c<
zs1C{2l@HK{f0FE%+y6QKqbNfAzncNJ)WRVw^8Xe$|4n!7pc<O{ExdaRw|nuQ?UGvu
zP5>MJA=_^Y|M30?%>U_SdI|gs`JXKQ3pVnyCGBvdQozKi(me(Ucp0VhHDbiSyVQ@g
z<2L-qknBbE|4(WDhwyxl-PC-55bh!fE>`!+w%jz=+uv;W+w`yG_wf9WMBqOn1tcLK
zo&}OnzY>nUt!^6e?=JNtWtI*9TK>mq4kv&y{?Eru!~BmvxcqY4Fyf!5%yV@B(1!mB
z1p6rae;m!mc>c%Bq~Y?v>i^eLCX(%0P)cba;rgYXPEn!OOoRQE>#+j;^isS)KVcIG
zV5Bo$?07UU<Kn9kBmUi`ex#3K!#`wuR`Cz#e?pA^@iGOd{aeZN=%ra~1UY~lKn@@W
zkORm8<N$I2Ie;8M4j>1R1IPj70CE61fE+*$AP0~G$N}U4asWAi96$~r2ap5E0ptL3
M06BmhaKM580}Wn$0ssI2

literal 2987
zcmXX{c{tSj7aq&l!<A&skf;!qEKy@^vz3Zu87W(~(4a+MH$u2bMY4@0%O!(k$~M-f
zBIA<1E*k5I!3<``%=hz~=RUvl=li_RdEV!o_q<0nMFbHq=V*rzSn+TRrF_`aAIQ-j
z8((;e-J7BEyUTr_SWvV0?>?(bvI*Y*)cN{+8TOGOEJAvRzBG2H96TVVLRwJr3c7r@
zRD)`2))M1d_T_L>A*NMBf`1CTRPLt~xf7ADJ=CB~u2r6ls*xCCxG#%+)VqIm*Vh)2
zWAQbeiKzb3aMR)S<305?z}Q1*-9Cq+Q`jbPy`zBgnL5>=n^FmpYJX_ovV#tp9ch6f
zC+{<GQRwV9^UY=_UyDE9e6fECV^!w-_w>j=iQaR-_^gHe8Ah~p2^DLp;90hPo}sE-
z+^lkVM1HQhrCsR-#V5z6M>2TG`1<O(ghhfzjs0TfL9sBWjJ|U<*j2S;neb@Lt&I4$
z94diu(lUHP(Dbg$-0or&dR{@+M(*cJWSJ|H6o}e(o+cHyRq1tvd*tH3eEj~m`I4AV
zKx%-qMIE`oUA3R8H0iq}vtZKyg(Y>V?zC(Ujdn9C?lZkOJ6E=2|2O>#anbc-lGO6#
zVoqaI{4!O9t0!vs;m~WCh}%ndl%=Q|m!%&#Nb$Y|zCNBUFnek2pnB&+1;kxmC@aus
zPvW89j{XkiQng1z9r{ND6cP`<*)(6(oBHL`kh~a&QOn%*?bn}XGI@eg>uo33iuj+}
z><elvz3qJH-uD^J3&kzCsI8Jma^1KlJZ-pcz6MSaLAq4goYBryMq%LX<Ii0ZXto=v
zukEO2owBOoxI@GD{3CCl$=|C8RD%ecgza3P(^v!jYAzwT_m0_UT?HV-?45vAq({KN
zZ)KZx3vd!PJE7OIy1o-bGr9)gK=X^4^G)GRghYH#szD0&I{ithK@F>s<<z%oo3~e^
z2-fjU--##1T%e4EE|a~THHS^J20kq{ZpJBB{@4!Qyc8=uDxwB*6?OJLI6Gi{*73Je
z1(OyXX#^AO(mx1J6NSFl9iRF4nC))Mp2;5{+U6_locx4sWxnqj4}X>&S6x*wr|v*2
zDQ%<~k=HbJ*Y50?VWgU=XQ>Udk;T?emny4*oEVLOT*Bo$3{SQZ7KnkYt2;C$xiyS%
zJO^E01zV=aIMS~4tv37;bM6gxOI<yB*zKN2M90&3miwdfN9^*%4Dfa=C|Tb81nj5i
zoDE8?y!gO-^UqKK?ntu0r@YSQREu)aAEa9P^_p7)qO8T;w-Y0ho+RY=D9dlRB)%Mu
zy5n_EmpJYRQH|u+l#?jL=3|A2nazsQK*0`>8M^Y|pExOq#hEO}1148o9qUQtU)&B=
z<(Wc@vC4he_Eldp4EB2#vOp(e&?RIV`q7R+j7|ij@|041pVH0KU}HP#I3vVEc5;%%
znVFd>!?NvP|0I8T=g^4~Uv>#{a6BpdV7J^%Gsag{Qk2*y&CZ}0U-(L*?r_#9T`fLX
z>e=WK=?!RNrjU<|&Q<|oK~hY-K;OZT;UDyX<2PQ7`H_UQV;bGBjQRDE9><Kljdk#f
zq$UC})GTyDJ1xcA<s0IZDgVXwDMoN4hqQTvn<%HO6>}~)k$JYEo5U&%xqd2T==|*j
zw~2t2RST_F#k&FJdF&BB7a15N)fa0VF_{qDj-FzpTO|&FU4;tZ=)>K=AYK3KUpEX}
zcha&OV)_DBjIK_F*tu!GwAs9_F_2kcbf2YKmK$sBO2#4%!%B_4Yf}ch1bDiI!&R;3
zlYh2Tdt)<z{ld!lE=b@6I2FkuM-~A*(hRr_ot#GeYt~ICHsB4%*9tR1&CU81B9b#2
z=Ti5&<oLGEd#Wqx9|z<9^ewk1mG#ykpWf?{=<eR?3Ly8c)~k9ztD`^#H#*r;x?Ype
zMh}kGUJSRUt&YCau}|4*Ab$1@^VgL-Jal>L7!G+9R26x8(4kU1xdt2yFhVf#d>dPZ
z<E<8%k~{S7WgS*+EZI_CKJ`fDJLmW1sW-b(^;8X&2_|1w;^!iKkYVJ-`N?db1y|*F
zvSu0@`coMETG3<EHh&Q=+Gj(msVnNW8fuP7t^=dhpdul@9RwoKA0w(c5sO4bf$$QO
ztVnVjOw8}(t6+t`qZ6|P=;-V1>7YKPr$eB{M}$S}xFKujl8_8an@N4(!(Cg{8b%=N
zMpnp0jBG6iZxi?D)w~cwbI1IR7vPY-r%ihI$ALJN<;&>gl=uu#g-WJ-ow&qA-{B_S
z94`pS^*jNV$7|us;$DHHK2|?~<B)g#IEJ@?I1k{%lm^Qki(F!7k*kJ$=S#<`v<W1K
zv2lCGGIP>5?)l@xV=IF)rvzsoJS)cO4BB6`o^|@A^7oMhG32W4ey#MMdpHd3Q#ZJD
zPP*gYz;{w}7>bY>fQI>Ra05r6<ENa#u$Dc738_Rk!Acd)tw<3T5MxZ?K)Emu2(d#4
zw=lVIZr2hqN0S!-Ld(R;H+kmV6$!Ojq9@m=Yx`jtm!QlGJY9J-yx;Vo+*844#;xjM
zH*F@nSHRLH(e4_kLgD~+TzUgTfU|pQfFM`TBl-|mZ-8-9N`!@X1-;WSoJ&&}0HgdF
zb4@`!%megNMxbjr@CGRprk4Slq!}AL8QEP+P>w#&kQ_K2qS%X8x5@IzZlD)y!qrn{
z;*qUv48sR8mu9qUom1$^)gu{>t)qM6*3r7rd+02FuHJf3v7u;fN*FeC9nB-lRe|$F
zK7ci^27Bmi%rL~MOIvjr4l*at<e}z?&Ro4NI+KMK{{-Goe_Mnq`GxYuy!<pq56lAX
z0Vw?8G*L1Z9`do80Hc+ln+n_#kju~}P6g24eyhYwt_@0W00!GJjc<i0_aE^y^pou<
zX9N~3IC$ZK-x$MgF7%D<c)AK;zVsl#3G+q}m6UObd>a&*oFh#qU^<dI3@wB@1G+j~
zfZdbI!uXOR0rA2z*aW5#{Ou3&+nAho0F`OL0xZp`;lYwM?ggD#4L`s7Bz_v4KrjlA
zD22n0TKsR^fln=knB`{$9L2|&>Dgv7V(85r?BkBpU90h7g+40#L>aGM<#;|rW~<kl
zV0H5(sav3D2P#{xXNM+8vD5FjuNQhi_ZIIrIBnILYn?BZe<PRj?Bib!eeIDDb53pW
z@$70DF`kdLl0PW!PPLd$rtJ#f7uxg-nZI85QQYP0no)<Z!S2Xe(%vKPw)>+K+zHU#
zOB_q@4vzwhY3*$=^fb2e7kcWBJP0*CQVoXq`+18k`D9GzY8Ds#zEuEyR!G%Wy?cT3
zHgRnJW{?|vJ1NE#J0SX3F70TH19!U{dd};>Brid(rNSbdQT_qY6!e*e&KG%=34XBA
z;uDa)muy3giM?*fa7?<*gV=K+JqFuOrj5_C75BXk9N~A5llgC0WqDxzBN0$@aG(T9
zI$zi*H1=qs{JHb?6VvndX9@WuX?CVdD1$9UwFPij9Yx&)?wrsa-f#cY9SAV*i7xU&
z&rZ-<0YogLb$Sz77~KrXPHaNWoIt4eI||}8lNna~EGJk-;sG{%`qRpTbeFD;ROE;E
zlI&lg(%SsR3UN6C0%Resl<qVGopxK5KUfMycC(TKTD$o!txs)!+?uMxaYy-GchLUz
z9?H9GBX%BM(O0KimA30z%~&C8ydIgv4VFnN2ol=y4$^kaUT0KN7Ami4KJdSRBsBqY
z8pur$UM4o+Tma=|OG#|D6$Bu~KQh)SP}!X24jviKl|q37=KVZVnP1@$B(`WEIxT>A
zEnXjBlKgu5A753ceI3M1KsirTBltZ9>LsK`z#^Z)PWE2~Fu0|T5`%NgNSh#r2mA98
zfo&59)3A~<siavruq>gk&N9^K$T|=b;T(0wu^~91{zs3}bIsm@sU(A+5jofLZ*|(5
WZn{Y!{$K8zu#|#+Rv%&wf%qSSvsjb>

diff --git a/genman.py b/genman.py
new file mode 100755
index 00000000..1366c7a7
--- /dev/null
+++ b/genman.py
@@ -0,0 +1,408 @@
+#! /usr/bin/python -Es
+# Copyright (C) 2012 Red Hat 
+# AUTHOR: Dan Walsh <dwalsh@redhat.com>
+# see file 'COPYING' for use and warranty information
+#
+# semanage is a tool for managing SELinux configuration files
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of the GNU General Public License as
+#    published by the Free Software Foundation; either version 2 of
+#    the License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA     
+#                                        02111-1307  USA
+#
+#  
+import seobject
+import selinux
+import datetime
+import setools
+import sys
+
+entrypoints =  setools.seinfo(setools.ATTRIBUTE,"entry_type")[0]["types"]
+alldomains =  setools.seinfo(setools.ATTRIBUTE,"domain")[0]["types"]
+domains = []
+for d in alldomains:
+    found = False
+    if d[:-2] + "_exec_t" not in entrypoints:
+        continue
+    name = d.split("_")[0]
+    if name in domains or name == "pam":
+        continue
+    domains.append(name)
+
+domains.sort()
+
+file_types =  setools.seinfo(setools.ATTRIBUTE,"file_type")[0]["types"]
+file_types.sort()
+
+port_types =  setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
+port_types.sort()
+
+portrecs = seobject.portRecords().get_all_by_type()
+filerecs = seobject.fcontextRecords()
+files_dict = {}
+fdict = filerecs.get_all()
+for i in fdict:
+    if fdict[i]:
+        if fdict[i][2] in files_dict:
+            files_dict[fdict[i][2]].append(i)
+        else:
+            files_dict[fdict[i][2]] = [i]
+boolrecs = seobject.booleanRecords()
+bools = seobject.booleans_dict.keys()
+
+man = {}
+date = datetime.datetime.now().strftime("%d %b %Y")
+def prettyprint(f,trim):
+    return " ".join(f[:-len(trim)].split("_"))
+
+class ManPage:
+    def __init__(self, domainname, path="/tmp"):
+        self.domainname = domainname
+        if self.domainname[-1]=='d':
+            self.short_name = self.domainname[:-1]
+        else:
+            self.short_name = domainname
+
+        self.anon_list = []
+        self.fd = open("%s/%s_selinux.8" % (path, domainname), 'w')
+
+        self.header()
+        self.booleans()
+        self.public_content()
+        self.file_context()
+        self.port_types()
+        self.process_types()
+        self.footer()
+        self.fd.close()
+
+    def header(self):
+        self.fd.write('.TH  "%(domainname)s_selinux"  "8"  "%(domainname)s" "dwalsh@redhat.com" "%(domainname)s SELinux Policy documentation"'
+                 % {'domainname':self.domainname})
+        self.fd.write(r"""
+.SH "NAME"
+%(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
+.SH "DESCRIPTION"
+
+Security-Enhanced Linux secures the %(domainname)s processes via flexible mandatory access
+control.  
+""" % {'domainname':self.domainname})
+
+
+    def explain(self, f):
+        if f.endswith("_var_run_t"):
+            return "store the %s files under the /run directory." % prettyprint(f, "_var_run_t")
+        if f.endswith("_pid_t"):
+            return "store the %s files under the /run directory." % prettyprint(f, "_pid_t")
+        if f.endswith("_var_lib_t"):
+            return "store the %s files under the /var/lib directory."  % prettyprint(f, "_var_lib_t")
+        if f.endswith("_var_t"):
+            return "store the %s files under the /var directory."  % prettyprint(f, "_var_lib_t")
+        if f.endswith("_var_spool_t"):
+            return "store the %s files under the /var/spool directory." % prettyprint(f, "_spool_t")
+        if f.endswith("_spool_t"):
+            return "store the %s files under the /var/spool directory." % prettyprint(f, "_spool_t")
+        if f.endswith("_cache_t") or f.endswith("_var_cache_t"):
+            return "store the files under the /var/cache directory."
+        if f.endswith("_keytab_t"):
+            return "treat the files as kerberos keytab files."
+        if f.endswith("_lock_t"):
+            return "treat the files as %s lock data, stored under the /var/lock directory" % prettyprint(f,"_lock_t")
+        if f.endswith("_log_t"):
+            return "treat the data as %s log data, usually stored under the /var/log directory." % prettyprint(f,"_log_t")
+        if f.endswith("_config_t"):
+            return "treat the files as %s configuration data, usually stored under the /etc directory." % prettyprint(f,"_config_t")
+        if f.endswith("_conf_t"):
+            return "treat the files as %s configuration data, usually stored under the /etc directory." % prettyprint(f,"_conf_t")
+        if f.endswith("_exec_t"):
+            return "transition an executable to the %s_t domain." % f[:-len("_exec_t")]
+        if f.endswith("_cgi_content_t"):
+            return "treat the files as %s cgi content." % prettyprint(f, "_cgi_content_t")
+        if f.endswith("_rw_content_t"):
+            return "treat the files as %s read/write content." % prettyprint(f,"_rw_content_t")
+        if f.endswith("_rw_t"):
+            return "treat the files as %s read/write content." % prettyprint(f,"_rw_t")
+        if f.endswith("_write_t"):
+            return "treat the files as %s read/write content." % prettyprint(f,"_write_t")
+        if f.endswith("_db_t"):
+            return "treat the files as %s database content." % prettyprint(f,"_db_t")
+        if f.endswith("_ra_content_t"):
+            return "treat the files as %s read/append content." % prettyprint(f,"_ra_conten_t")
+        if f.endswith("_cert_t"):
+            return "treat the files as %s certificate data." % prettyprint(f,"_cert_t")
+        if f.endswith("_key_t"):
+            return "treat the files as %s key data." % prettyprint(f,"_key_t")
+
+        if f.endswith("_secret_t"):
+            return "treat the files as %s secret data." % prettyprint(f,"_key_t")
+
+        if f.endswith("_ra_t"):
+            return "treat the files as %s read/append content." % prettyprint(f,"_ra_t")
+
+        if f.endswith("_ro_t"):
+            return "treat the files as %s read/only content." % prettyprint(f,"_ro_t")
+
+        if f.endswith("_modules_t"):
+            return "treat the files as %s modules." % prettyprint(f, "_modules_t")
+
+        if f.endswith("_content_t"):
+            return "treat the files as %s content." % prettyprint(f, "_content_t")
+
+        if f.endswith("_state_t"):
+            return "treat the files as %s state data." % prettyprint(f, "_state_t")
+
+        if f.endswith("_files_t"):
+            return "treat the files as %s content." % prettyprint(f, "_files_t")
+
+        if f.endswith("_file_t"):
+            return "treat the files as %s content." % prettyprint(f, "_file_t")
+
+        if f.endswith("_data_t"):
+            return "treat the files as %s content." % prettyprint(f, "_data_t")
+
+        if f.endswith("_file_t"):
+            return "treat the data as %s content." % prettyprint(f, "_file_t")
+
+        if f.endswith("_tmp_t"):
+            return "store %s temporary files in the /tmp directories." % prettyprint(f, "_tmp_t")
+        if f.endswith("_etc_t"):
+            return "store %s files in the /etc directories." % prettyprint(f, "_tmp_t")
+        if f.endswith("_home_t"):
+            return "store %s files in the users home directory." % prettyprint(f, "_home_t")
+        if f.endswith("_tmpfs_t"):
+            return "store %s files on a tmpfs file system." % prettyprint(f, "_tmpfs_t")
+        if f.endswith("_unit_file_t"):
+            return "treat files as a systemd unit file." 
+        if f.endswith("_htaccess_t"):
+            return "treat the file as a %s access file." % prettyprint(f, "_htaccess_t")
+
+        return "treat the files as %s data." % prettyprint(f,"_t")
+
+    def booleans(self):
+        self.booltext = ""
+        for b in bools:
+            if b.find(self.short_name) >= 0:
+                if b.endswith("anon_write"):
+                    self.anon_list.append(b)
+                else:
+                    desc = seobject.booleans_dict[b][2][0].lower() + seobject.booleans_dict[b][2][1:-1]
+                    self.booltext += """
+.PP
+If you want to %s, you must turn on the %s boolean.
+
+.EX
+.B setsebool -P %s 1
+.EE
+""" % (desc, b, b)
+    
+        if self.booltext != "":        
+            self.fd.write("""
+.SH BOOLEANS
+SELinux policy is customizable based on least access required.  %s policy is extremely flexible and has several booleans that allow you to manipulate the policy and run %s with the tightest access possible.
+
+""" % (self.domainname, self.domainname))
+
+            self.fd.write(self.booltext)
+
+    def process_types(self):
+        ptypes = []
+        for f in alldomains:
+            if f.startswith(self.short_name):
+                ptypes.append(f)
+        if len(ptypes) == 0:
+            return
+        self.fd.write(r"""
+.SH PROCESS TYPES
+SELinux defines process types (domains) for each process running on the system
+.PP
+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
+.PP
+Policy governs the access confined processes have to files. 
+SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible.
+.PP 
+The following process types are defined for %(domainname)s:
+""" % {'domainname':self.domainname})
+        self.fd.write("""
+.EX
+.B %s 
+.EE""" % ", ".join(ptypes))
+        self.fd.write("""
+.PP
+Note: 
+.B semanage permississive -a PROCESS_TYPE 
+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
+""")
+
+    def port_types(self):
+        self.ports = []
+        for f in port_types:
+            if f.startswith(self.short_name):
+                self.ports.append(f)
+
+        if len(self.ports) == 0:
+            return
+        self.fd.write("""
+.SH PORT TYPES
+SELinux defines port types to represent TCP and UDP ports. 
+.PP
+You can see the types associated with a port by using the following command: 
+
+.B semanage port -l
+
+.PP
+Policy governs the access confined processes have to these ports. 
+SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible.
+.PP 
+The following port types are defined for %(domainname)s:""" % {'domainname':self.domainname})
+
+        for p in self.ports:
+            self.fd.write("""
+
+.EX
+.TP 5
+.B %s 
+.TP 10
+.EE
+""" % p)
+            once = True
+            for p in ( "tcp", "udp" ):
+                if (f,p) in portrecs:
+                    if once:
+                        self.fd.write("""
+
+Default Defined Ports:""")
+                    once = False
+                    self.fd.write(r"""
+%s %s
+.EE""" % (p, ",".join(portrecs[(f,p)])))
+
+    def file_context(self):
+        self.fd.write(r"""
+.SH FILE CONTEXTS
+SELinux requires files to have an extended attribute to define the file type. 
+.PP
+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
+.PP
+Policy governs the access confined processes have to these files. 
+SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible.
+.PP 
+The following file types are defined for %(domainname)s:
+""" % {'domainname':self.domainname})
+        for f in file_types:
+            if f.startswith(self.domainname):
+                self.fd.write("""
+
+.EX
+.PP
+.B %s 
+.EE
+
+- Set files with the %s type, if you want to %s
+""" % (f, f, self.explain(f)))
+
+                if f in files_dict:
+                    plural = ""
+                    if len(files_dict[f]) > 1:
+                        plural = "s"
+                        self.fd.write("""
+.br
+.TP 5
+Path%s: 
+%s""" % (plural, files_dict[f][0][0]))
+                        for x in files_dict[f][1:]:
+                            self.fd.write(", %s" % x[0])
+
+        self.fd.write("""
+
+.PP
+Note: File context can be temporarily modified with the chcon command.  If you want to permanantly change the file context you need to use the 
+.B semanage fcontext 
+command.  This will modify the SELinux labeling database.  You will need to use
+.B restorecon
+to apply the labels.
+""")
+
+    def public_content(self):
+        if len(self.anon_list) > 0:
+            self.fd.write("""
+.SH SHARING FILES
+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
+.TP
+Allow %(domainname)s servers to read the /var/%(domainname)s directory by adding the public_content_t file type to the directory and by restoring the file type.
+.PP
+.B
+semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
+.br
+.B restorecon -F -R -v /var/%(domainname)s
+.pp
+.TP
+Allow %(domainname)s servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_%(domainname)sd_anon_write boolean to be set.
+.PP
+.B
+semanage fcontext -a -t public_content_rw_t "/var/%(domainname)s/incoming(/.*)?"
+.br
+.B restorecon -F -R -v /var/%(domainname)s/incoming
+
+"""  % {'domainname':self.domainname})
+            for b in self.anon_list:
+                desc = seobject.booleans_dict[b][2][0].lower() + seobject.booleans_dict[b][2][1:]
+                self.fd.write("""
+.PP
+If you want to %s, you must turn on the %s boolean.
+
+.EX
+.B setsebool -P %s 1
+.EE
+""" % (desc, b, b))
+
+    def footer(self):
+        self.fd.write("""
+.SH "COMMANDS"
+.B semanage fcontext
+can also be used to manipulate default file context mappings.
+.PP
+.B semanage permissive
+can also be used to manipulate whether or not a process type is permissive.
+.PP
+.B semanage module
+can also be used to enable/disable/install/remove policy modules.
+""")
+
+        if len(self.ports) > 0:
+            self.fd.write("""
+.B semanage port
+can also be used to manipulate the port definitions
+""")
+
+        if self.booltext != "":        
+            self.fd.write("""
+.B semanage boolean
+can also be used to manipulate the booleans
+""")
+
+        self.fd.write("""
+.PP
+.B system-config-selinux 
+is a GUI tool available to customize SELinux policy settings.
+
+.SH AUTHOR	
+This manual page was autogenerated by genman.py.
+
+.SH "SEE ALSO"
+selinux(8), %s(8), semanage(8), restorecon(8), chcon(1)
+""" % self.domainname)
+
+        if self.booltext != "":        
+            self.fd.write(", setsebool(8)")
+
+for domainname in domains:
+    ManPage(domainname, sys.argv[1])
diff --git a/modules-mls.conf b/modules-mls.conf
index 83c0af9f..60fb3040 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1662,13 +1662,6 @@ vbetool = module
 # 
 webalizer = module
 
-# Layer: services
-# Module: xfs
-#
-# X Windows Font Server
-# 
-xfs = module
-
 # Layer: services
 # Module: xserver
 #
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 0e334d7f..fdc539d5 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2006,13 +2006,6 @@ vbetool = module
 # 
 webalizer = module
 
-# Layer: services
-# Module: xfs
-#
-# X Windows Font Server
-# 
-xfs = module
-
 # Layer: services
 # Module: xserver
 #
diff --git a/nsadiff b/nsadiff
deleted file mode 100755
index 3865f5c3..00000000
--- a/nsadiff
+++ /dev/null
@@ -1,3 +0,0 @@
-cd nsaserefpolicy
-git diff origin > /tmp/diff
-