rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Move booleans and tunables to modules when it is only used in a single

Browse Source 
module.
- Add support for tunables and booleans local to a module.
This commit is contained in:
Chris PeBenito 2007-03-26 18:41:45 +00:00
parent 8021cb4f63
commit 56e1b3d207
50 changed files with 852 additions and 808 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Changelog
View File

@ -1,3 +1,6 @@
- Move booleans and tunables to modules when it is only used in a single
module.
- Add support for tunables and booleans local to a module.
- Merge sbin_t and ls_exec_t into bin_t.
- Remove disable_trans booleans.
- Output different header sets for kernel and userland from flask headers.

41
Makefile
View File

@ -108,7 +108,7 @@ genhomedircon := $(PYTHON) -E $(support)/genhomedircon
# documentation paths
docs := doc
xmldtd = $(docs)/policy.dtd
layerxml = metadata.xml
metaxml = metadata.xml
doctemplate = $(docs)/templates
docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
@ -254,6 +254,10 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in
# when a generated file is already generated
detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
modxml := $(detected_mods:.te=.xml)
layerxml := $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers))))
all_metaxml := $(addsuffix /$(metaxml), $(all_layers))
# modules.conf setting for base module
configbase := base
@ -408,23 +412,36 @@ $(fcsort) : $(support)/fc_sort.c
# Documentation generation
#
# minimal dependencies here, because we don't want to rebuild
# this and its dependents every time the dependencies
# change. Also use all .if files here, rather then just the
# enabled modules.
xml: $(polxml)
$(polxml): $(detected_mods:.te=.if) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
$(modxml): %.xml: %.if %.te
$(verbose) $(genxml) -w -m $* > $@
$(layerxml): %.xml: $(modxml) $(all_metaxml)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) echo '<layer name="$(*F)">' > $@
$(verbose) cat $(addprefix $(moddir)/, $(notdir $*))/$(metaxml) >> $@
$(verbose) cat $(filter-out $(addprefix $(moddir)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(moddir)/, $(notdir $*))/%, $(modxml))) >> $@
$(verbose) echo '</layer>' >> $@
$(tunxml): $(globaltun)
$(verbose) $(genxml) -w -t $< > $@
$(boolxml): $(globalbool)
$(verbose) $(genxml) -w -b $< > $@
$(polxml): $(layerxml) $(tunxml) $(boolxml)
@echo "Creating $(@F)"
@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
$(verbose) $(genxml) -w -m $(layerxml) -t $(globaltun) -b $(globalbool) -o $(docs) $(all_layers) >> $@
$(verbose) echo '<policy>' >> $@
$(verbose) cat $(layerxml) $(tunxml) $(boolxml) >> $@
$(verbose) echo '</policy>' >> $@
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
fi
$(tunxml) $(boolxml): $(polxml)
xml: $(polxml)
html $(tmpdir)/html: $(polxml)
@echo "Building html interface reference documentation in $(htmldir)"
@ -517,7 +534,7 @@ $(contextpath)/users/%: $(appconf)/%_default_contexts
#
# Install policy headers
#
install-headers: $(tunxml) $(boolxml)
install-headers: $(layerxml) $(tunxml) $(boolxml)
@mkdir -p $(headerdir)
@echo "Installing $(TYPE) policy headers."
$(verbose) $(INSTALL) -m 644 $(tunxml) $(boolxml) $(headerdir)
@ -528,7 +545,7 @@ install-headers: $(tunxml) $(boolxml)
$(verbose) for i in $(notdir $(all_layers)); do \
mkdir -p $(headerdir)/$$i ;\
$(INSTALL) -m 644 $(moddir)/$$i/*.if \
$(moddir)/$$i/metadata.xml \
$(moddir)/$$i/*.xml \
$(headerdir)/$$i ;\
done
$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
@ -620,6 +637,8 @@ resetlabels:
#
bare: clean
rm -f $(polxml)
rm -f $(layerxml)
rm -f $(modxml)
rm -f $(tunxml)
rm -f $(boolxml)
rm -f $(mod_conf)

2
doc/policy.dtd
View File

@ -4,7 +4,7 @@
<!ELEMENT layer (summary,module+)>
<!ATTLIST layer
name CDATA #REQUIRED>
<!ELEMENT module (summary,desc?,required?,(interface|template)*)>
<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
<!ATTLIST module
name CDATA #REQUIRED
filename CDATA #REQUIRED>

23
doc/templates/bool_list.html vendored Normal file
View File

@ -0,0 +1,23 @@
<h3>Master boolean index:</h3>
[[for bool in booleans]]
<div id="interfacesmall">
[[if bool.has_key('mod_layer')]]
Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'>
[[bool['mod_name']]]</a><p/>
Layer: <a href='[[bool['mod_layer']]].html'>
[[bool['mod_layer']]]</a><p/>
[[else]]
Global
[[end]]
<div id="codeblock">
[[bool['bool_name']]]
<small>(Default: [[bool['def_val']]])</small>
</div>
[[if bool['desc']]]
<div id="description">
[[bool['desc']]]
</div>
[[end]]
</div>
[[end]]

13
doc/templates/boolean.html vendored Normal file
View File

@ -0,0 +1,13 @@
[[for bool in booleans]]
<a name="link_[[bool['bool_name']]]"></a>
<div id="interface">
<div id="codeblock">[[bool['bool_name']]]</div>
<div id="description">
<h5>Default value</h5>
<p>[[bool['def_val']]]</p>
[[if bool['desc']]]
<h5>Description</h5>
[[bool['desc']]]
[[end]]
</div></div>
[[end]]

4
doc/templates/menu.html vendored
View File

@ -16,6 +16,10 @@
<p/><br/><p/>
<a href="index.html">*&nbsp;Layer Index</a>
<br/><p/>
<a href="booleans.html">*&nbsp;Boolean&nbsp;Index</a>
<br/><p/>
<a href="tunables.html">*&nbsp;Tunable&nbsp;Index</a>
<br/><p/>
<a href="interfaces.html">*&nbsp;Interface&nbsp;Index</a>
<br/><p/>
<a href="templates.html">*&nbsp;Template&nbsp;Index</a>

27
doc/templates/module.html vendored
View File

@ -1,8 +1,16 @@
<a name="top":></a>
<h1>Layer: [[mod_layer]]</h1><p/>
<h2>Module: [[mod_name]]</h2><p/>
[[if interfaces and templates]]
[[if booleans]]
<a href=#booleans>Booleans</a>
[[end]]
[[if tunables]]
<a href=#tunables>Tunables</a>
[[end]]
[[if interfaces]]
<a href=#interfaces>Interfaces</a>
[[end]]
[[if templates]]
<a href=#templates>Templates</a>
[[end]]
<h3>Description:</h3>
@ -14,6 +22,19 @@
[[if mod_req]]
<p>This module is required to be included in all policies.</p>
[[end]]
<hr>
[[if booleans]]
<a name="booleans"></a>
<h3>Booleans: </h3>
[[booleans]]
<a href=#top>Return</a>
[[end]]
[[if tunables]]
<a name="tunables"></a>
<h3>Tunables: </h3>
[[tunables]]
<a href=#top>Return</a>
[[end]]
[[if interfaces]]
<a name="interfaces"></a>
<h3>Interfaces: </h3>
@ -26,6 +47,6 @@
[[templates]]
<a href=#top>Return</a>
[[end]]
[[if not templates and not interfaces]]
<h3>No interfaces or templates.</h3>
[[if not templates and not interfaces and not tunables]]
<h3>No booleans, tunables, interfaces, or templates.</h3>
[[end]]

23
doc/templates/tun_list.html vendored Normal file
View File

@ -0,0 +1,23 @@
<h3>Master tunable index:</h3>
[[for tun in tunables]]
<div id="interfacesmall">
[[if tun.has_key('mod_layer')]]
Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'>
[[tun['mod_name']]]</a><p/>
Layer: <a href='[[tun['mod_layer']]].html'>
[[tun['mod_layer']]]</a><p/>
[[else]]
Global
[[end]]
<div id="codeblock">
[[tun['tun_name']]]
<small>(Default: [[tun['def_val']]])</small>
</div>
[[if tun['desc']]]
<div id="description">
[[tun['desc']]]
</div>
[[end]]
</div>
[[end]]

13
doc/templates/tunable.html vendored Normal file
View File

@ -0,0 +1,13 @@
[[for tun in tunables]]
<a name="link_[[tun['tun_name']]]"></a>
<div id="interface">
<div id="codeblock">[[tun['tun_name']]]</div>
<div id="description">
<h5>Default value</h5>
<p>[[tun['def_val']]]</p>
[[if tun['desc']]]
<h5>Description</h5>
[[tun['desc']]]
[[end]]
</div></div>
[[end]]

472
policy/global_tunables
View File

@ -9,22 +9,6 @@
# Common tunables
#
## <desc>
## <p>
## Allow cvs daemon to read shadow
## </p>
## </desc>
#
gen_tunable(allow_cvs_read_shadow,false)
## <desc>
## <p>
## Allow zebra daemon to write it configuration files
## </p>
## </desc>
#
gen_tunable(allow_zebra_write_config,false)
## <desc>
## <p>
## Allow making the heap executable.
@ -56,82 +40,6 @@ gen_tunable(allow_execmod,false)
## </desc>
gen_tunable(allow_execstack,false)
## <desc>
## <p>
## Allow ftp servers to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write,false)
## <desc>
## <p>
## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(allow_ftpd_full_access,false)
## <desc>
## <p>
## Allow ftp servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs,false)
## <desc>
## <p>
## Allow ftp servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs,false)
## <desc>
## <p>
## Allow gssd to read temp directory.
## </p>
## </desc>
gen_tunable(allow_gssd_read_tmp,true)
## <desc>
## <p>
## Allow Apache to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_httpd_anon_write,false)
## <desc>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_pam,false)
## <desc>
## <p>
## Allow java executable stack
## </p>
## </desc>
gen_tunable(allow_java_execstack,false)
## <desc>
## <p>
## Allow system to run with kerberos
## </p>
## </desc>
gen_tunable(allow_kerberos,false)
## <desc>
## <p>
## Allow nfs servers to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_nfsd_anon_write,false)
## <desc>
## <p>
## Enable polyinstantiated directory support.
@ -139,30 +47,6 @@ gen_tunable(allow_nfsd_anon_write,false)
## </desc>
gen_tunable(allow_polyinstantiation,false)
## <desc>
## <p>
## Allow rsync to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_rsync_anon_write,false)
## <desc>
## <p>
## Allow sasl to read shadow
## </p>
## </desc>
gen_tunable(allow_saslauthd_read_shadow,false)
## <desc>
## <p>
## Allow samba to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_smbd_anon_write,false)
## <desc>
## <p>
## Allow system to run with NIS
@ -170,28 +54,6 @@ gen_tunable(allow_smbd_anon_write,false)
## </desc>
gen_tunable(allow_ypbind,false)
## <desc>
## <p>
## Enable extra rules in the cron domain
## to support fcron.
## </p>
## </desc>
gen_tunable(fcron_crond,false)
## <desc>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
gen_tunable(ftp_home_dir,false)
## <desc>
## <p>
## Allow ftpd to run directly without inetd
## </p>
## </desc>
gen_tunable(ftpd_is_daemon,false)
## <desc>
## <p>
## Enable reading of urandom for all domains.
@ -205,85 +67,6 @@ gen_tunable(ftpd_is_daemon,false)
## </desc>
gen_tunable(global_ssp,false)
## <desc>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## </desc>
gen_tunable(httpd_builtin_scripting,false)
## <desc>
## <p>
## Allow http daemon to tcp connect
## </p>
## </desc>
gen_tunable(httpd_can_network_connect,false)
## <desc>
## <p>
## Allow httpd to connect to mysql/posgresql
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)
## <desc>
## <p>
## Allow httpd to act as a relay
## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)
## <desc>
## <p>
## Allow httpd cgi support
## </p>
## </desc>
gen_tunable(httpd_enable_cgi,false)
## <desc>
## <p>
## Allow httpd to act as a FTP server by
## listening on the ftp port.
## </p>
## </desc>
gen_tunable(httpd_enable_ftp_server,false)
## <desc>
## <p>
## Allow httpd to read home directories
## </p>
## </desc>
gen_tunable(httpd_enable_homedirs,false)
## <desc>
## <p>
## Run SSI execs in system CGI script domain.
## </p>
## </desc>
gen_tunable(httpd_ssi_exec,false)
## <desc>
## <p>
## Allow http daemon to communicate with the TTY
## </p>
## </desc>
gen_tunable(httpd_tty_comm,false)
## <desc>
## <p>
## Run CGI in the main httpd domain
## </p>
## </desc>
gen_tunable(httpd_unified,false)
## <desc>
## <p>
## Allow BIND to write the master zone files.
## Generally this is used for dynamic DNS.
## </p>
## </desc>
gen_tunable(named_write_master_zones,false)
## <desc>
## <p>
## Allow nfs to be exported read/write.
@ -298,13 +81,6 @@ gen_tunable(nfs_export_all_rw,false)
## </desc>
gen_tunable(nfs_export_all_ro,false)
## <desc>
## <p>
## Allow pppd to load kernel modules for certain modems
## </p>
## </desc>
gen_tunable(pppd_can_insmod,false)
## <desc>
## <p>
## Allow reading of default_t files.
@ -312,43 +88,6 @@ gen_tunable(pppd_can_insmod,false)
## </desc>
gen_tunable(read_default_t,false)
## <desc>
## <p>
## Allow samba to export user home directories.
## </p>
## </desc>
gen_tunable(samba_enable_home_dirs,false)
## <desc>
## <p>
## Allow samba to export NFS volumes.
## </p>
## </desc>
gen_tunable(samba_share_nfs,false)
## <desc>
## <p>
## Allow squid to connect to all ports, not just
## HTTP, FTP, and Gopher ports.
## </p>
## </desc>
gen_tunable(squid_connect_any,false)
## <desc>
## <p>
## Allow ssh logins as sysadm_r:sysadm_t
## </p>
## </desc>
gen_tunable(ssh_sysadm_login,false)
## <desc>
## <p>
## Configure stunnel to be a standalone daemon or
## inetd service.
## </p>
## </desc>
gen_tunable(stunnel_is_daemon,false)
## <desc>
## <p>
## Support NFS home directories
@ -363,115 +102,12 @@ gen_tunable(use_nfs_home_dirs,false)
## </desc>
gen_tunable(use_samba_home_dirs,false)
## <desc>
## <p>
## Allow xdm logins as sysadm
## </p>
## </desc>
gen_tunable(xdm_sysadm_login,false)
########################################
#
# Strict policy specific
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Control users use of ping and traceroute
## </p>
## </desc>
gen_tunable(user_ping,false)
## <desc>
## <p>
## Allow gpg executable stack
## </p>
## </desc>
gen_tunable(allow_gpg_execstack,false)
## <desc>
## <p>
## Allow mplayer executable stack
## </p>
## </desc>
gen_tunable(allow_mplayer_execstack,false)
## <desc>
## <p>
## Allow sysadm to ptrace all processes
## </p>
## </desc>
gen_tunable(allow_ptrace,false)
## <desc>
## <p>
## allow host key based authentication
## </p>
## </desc>
gen_tunable(allow_ssh_keysign,false)
## <desc>
## <p>
## Allow users to connect to mysql
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect,false)
## <desc>
## <p>
## Allows clients to write to the X server shared
## memory segments.
## </p>
## </desc>
gen_tunable(allow_write_xshm,false)
## <desc>
## <p>
## Allow cdrecord to read various content.
## nfs, samba, removable devices, user temp
## and untrusted content files
## </p>
## </desc>
gen_tunable(cdrecord_read_content,false)
## <desc>
## <p>
## Allow system cron jobs to relabel filesystem
## for restoring file contexts.
## </p>
## </desc>
gen_tunable(cron_can_relabel,false)
## <desc>
## <p>
## force to games to run in user_t
## mapping executable (text relocation).
## </p>
## </desc>
gen_tunable(disable_games_trans,false)
## <desc>
## <p>
## Disable transitions to evolution domains.
## </p>
## </desc>
gen_tunable(disable_evolution_trans,false)
## <desc>
## <p>
## Disable transitions to user mozilla domains
## </p>
## </desc>
gen_tunable(disable_mozilla_trans,false)
## <desc>
## <p>
## Disable transitions to user thunderbird domains
## </p>
## </desc>
gen_tunable(disable_thunderbird_trans,false)
## <desc>
## <p>
## Allow email client to various content.
@ -481,20 +117,6 @@ gen_tunable(disable_thunderbird_trans,false)
## </desc>
gen_tunable(mail_read_content,false)
## <desc>
## <p>
## Control mozilla content access
## </p>
## </desc>
gen_tunable(mozilla_read_content,false)
## <desc>
## <p>
## Allow pppd to be run for a regular user
## </p>
## </desc>
gen_tunable(pppd_for_user,false)
## <desc>
## <p>
## Allow applications to read untrusted content
@ -504,65 +126,6 @@ gen_tunable(pppd_for_user,false)
## </desc>
gen_tunable(read_untrusted_content,false)
## <desc>
## <p>
## Allow ssh to run from inetd instead of as a daemon.
## </p>
## </desc>
gen_tunable(run_ssh_inetd,false)
## <desc>
## <p>
## Allow user spamassassin clients to use the network.
## </p>
## </desc>
gen_tunable(spamassassin_can_network,false)
## <desc>
## <p>
## Allow staff_r users to search the sysadm home
## dir and read files (such as ~/.bashrc)
## </p>
## </desc>
gen_tunable(staff_read_sysadm_file,false)
## <desc>
## <p>
## Use lpd server instead of cups
## </p>
## </desc>
gen_tunable(use_lpd_server,false)
## <desc>
## <p>
## Allow regular users direct mouse access
## </p>
## </desc>
gen_tunable(user_direct_mouse,false)
## <desc>
## <p>
## Allow users to read system messages.
## </p>
## </desc>
gen_tunable(user_dmesg,false)
## <desc>
## <p>
## Allow users to control network interfaces
## (also needs USERCTL=true)
## </p>
## </desc>
gen_tunable(user_net_control,false)
## <desc>
## <p>
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
gen_tunable(user_rw_noexattrfile,false)
## <desc>
## <p>
## Allow users to run TCP servers (bind to ports and accept connection from
@ -572,13 +135,6 @@ gen_tunable(user_rw_noexattrfile,false)
## </desc>
gen_tunable(user_tcp_server,false)
## <desc>
## <p>
## Allow w to display everyone
## </p>
## </desc>
gen_tunable(user_ttyfile_stat,false)
## <desc>
## <p>
## Allow applications to write untrusted content
@ -588,31 +144,3 @@ gen_tunable(user_ttyfile_stat,false)
## </desc>
gen_tunable(write_untrusted_content,false)
')
########################################
#
# Targeted policy specific
#
ifdef(`targeted_policy',`
## <desc>
## <p>
## Allow all daemons the ability to use unallocated ttys
## </p>
## </desc>
gen_tunable(allow_daemons_use_tty,false)
## <desc>
## <p>
## Allow mount to mount any file
## </p>
## </desc>
gen_tunable(allow_mount_anyfile,false)
## <desc>
## <p>
## Allow spamd to read/write user home directories.
## </p>
## </desc>
gen_tunable(spamd_enable_home_dirs,true)
')

11
policy/modules/admin/netutils.te
View File

@ -1,11 +1,20 @@
policy_module(netutils,1.3.0)
policy_module(netutils,1.3.1)
########################################
#
# Declarations
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Control users use of ping and traceroute
## </p>
## </desc>
gen_tunable(user_ping,false)
')
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t,netutils_exec_t)

13
policy/modules/apps/cdrecord.te
View File

@ -1,10 +1,21 @@
policy_module(cdrecord,1.1.0)
policy_module(cdrecord,1.1.1)
########################################
#
# Declarations
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Allow cdrecord to read various content.
## nfs, samba, removable devices, user temp
## and untrusted content files
## </p>
## </desc>
gen_tunable(cdrecord_read_content,false)
')
type cdrecord_exec_t;
corecmd_executable_file(cdrecord_exec_t)

9
policy/modules/apps/evolution.if
View File

@ -187,7 +187,6 @@ template(`evolution_per_role_template',`
corecmd_exec_shell($1_evolution_t)
# Run various programs
corecmd_exec_bin($1_evolution_t)
corecmd_exec_bin($1_evolution_t)
corenet_non_ipsec_sendrecv($1_evolution_t)
corenet_tcp_sendrecv_generic_if($1_evolution_t)
@ -674,7 +673,8 @@ template(`evolution_per_role_template',`
allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
allow $1_evolution_server_t $2:fd use;
# Transition from user type
domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
kernel_read_system_state($1_evolution_server_t)
@ -718,11 +718,6 @@ template(`evolution_per_role_template',`
# until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
# Transition from user type
tunable_policy(`!disable_evolution_trans',`
domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
')
# Access evolution home
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_evolution_server_t)

2
policy/modules/apps/evolution.te
View File

@ -1,5 +1,5 @@
policy_module(evolution,1.1.1)
policy_module(evolution,1.1.2)
########################################
#

6
policy/modules/apps/games.if
View File

@ -84,6 +84,7 @@ template(`games_per_role_template',`
can_exec($1_games_t, games_exec_t)
domain_auto_trans($2, games_exec_t, $1_games_t)
allow $2 $1_games_t:unix_stream_socket connectto;
allow $1_games_t $2:unix_stream_socket connectto;
@ -136,11 +137,6 @@ template(`games_per_role_template',`
# Suppress .icons denial until properly implemented
userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
# Type transition
tunable_policy(`!disable_games_trans',`
domain_auto_trans($2, games_exec_t, $1_games_t)
')
tunable_policy(`allow_execmem',`
allow $1_games_t self:process execmem;
')

2
policy/modules/apps/games.te
View File

@ -1,5 +1,5 @@
policy_module(games,1.1.2)
policy_module(games,1.1.3)
########################################
#

9
policy/modules/apps/java.te
View File

@ -1,11 +1,18 @@
policy_module(java,1.3.3)
policy_module(java,1.3.4)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow java executable stack
## </p>
## </desc>
gen_tunable(allow_java_execstack,false)
type java_t;
type java_exec_t;
init_system_domain(java_t,java_exec_t)

11
policy/modules/apps/mozilla.if
View File

@ -105,6 +105,10 @@ template(`mozilla_per_role_template',`
allow $1_mozilla_t $2:process signull;
domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
# Allow the user domain to signal/ps.
ps_process_pattern($2,$1_mozilla_t)
allow $2 $1_mozilla_t:process signal_perms;
@ -207,13 +211,6 @@ template(`mozilla_per_role_template',`
fs_manage_cifs_symlinks($1_mozilla_t)
')
# Type transition
tunable_policy(`! disable_mozilla_trans',`
domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
')
# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints($1_mozilla_t)

11
policy/modules/apps/mozilla.te
View File

@ -1,11 +1,20 @@
policy_module(mozilla,1.1.1)
policy_module(mozilla,1.1.2)
########################################
#
# Declarations
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Control mozilla content access
## </p>
## </desc>
gen_tunable(mozilla_read_content,false)
')
type mozilla_conf_t;
files_config_file(mozilla_conf_t)

11
policy/modules/apps/mplayer.te
View File

@ -1,11 +1,20 @@
policy_module(mplayer,1.1.1)
policy_module(mplayer,1.1.2)
########################################
#
# Declarations
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Allow mplayer executable stack
## </p>
## </desc>
gen_tunable(allow_mplayer_execstack,false)
')
type mplayer_etc_t;
files_config_file(mplayer_etc_t)

6
policy/modules/apps/thunderbird.if
View File

@ -77,6 +77,7 @@ template(`thunderbird_per_role_template',`
manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
allow $2 $1_thunderbird_t:fd use;
allow $2 $1_thunderbird_t:shm { associate getattr };
allow $2 $1_thunderbird_t:unix_stream_socket connectto;
@ -166,11 +167,6 @@ template(`thunderbird_per_role_template',`
xserver_read_xdm_tmp_files($1_thunderbird_t)
xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)
# Transition from user type
tunable_policy(`! disable_thunderbird_trans',`
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
')
# Access ~/.thunderbird
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_thunderbird_t)

2
policy/modules/apps/thunderbird.te
View File

@ -1,5 +1,5 @@
policy_module(thunderbird,1.1.1)
policy_module(thunderbird,1.1.2)
########################################
#

12
policy/modules/apps/usernetctl.te
View File

@ -1,11 +1,21 @@
policy_module(usernetctl,1.0.0)
policy_module(usernetctl,1.0.1)
########################################
#
# Declarations
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Allow users to control network interfaces
## (also needs USERCTL=true)
## </p>
## </desc>
gen_tunable(user_net_control,false)
')
type usernetctl_t;
type usernetctl_exec_t;
domain_type(usernetctl_t)

96
policy/modules/services/apache.te
View File

@ -1,5 +1,5 @@
policy_module(apache,1.5.4)
policy_module(apache,1.5.5)
#
# NOTES:
@ -20,6 +20,92 @@ policy_module(apache,1.5.4)
# Declarations
#
## <desc>
## <p>
## Allow Apache to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_httpd_anon_write,false)
## <desc>
## <p>
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
gen_tunable(allow_httpd_mod_auth_pam,false)
## <desc>
## <p>
## Allow httpd to use built in scripting (usually php)
## </p>
## </desc>
gen_tunable(httpd_builtin_scripting,false)
## <desc>
## <p>
## Allow http daemon to tcp connect
## </p>
## </desc>
gen_tunable(httpd_can_network_connect,false)
## <desc>
## <p>
## Allow httpd to connect to mysql/posgresql
## </p>
## </desc>
gen_tunable(httpd_can_network_connect_db, false)
## <desc>
## <p>
## Allow httpd to act as a relay
## </p>
## </desc>
gen_tunable(httpd_can_network_relay, false)
## <desc>
## <p>
## Allow httpd cgi support
## </p>
## </desc>
gen_tunable(httpd_enable_cgi,false)
## <desc>
## <p>
## Allow httpd to act as a FTP server by
## listening on the ftp port.
## </p>
## </desc>
gen_tunable(httpd_enable_ftp_server,false)
## <desc>
## <p>
## Allow httpd to read home directories
## </p>
## </desc>
gen_tunable(httpd_enable_homedirs,false)
## <desc>
## <p>
## Run SSI execs in system CGI script domain.
## </p>
## </desc>
gen_tunable(httpd_ssi_exec,false)
## <desc>
## <p>
## Allow http daemon to communicate with the TTY
## </p>
## </desc>
gen_tunable(httpd_tty_comm,false)
## <desc>
## <p>
## Run CGI in the main httpd domain
## </p>
## </desc>
gen_tunable(httpd_unified,false)
attribute httpdcontent;
# domains that can exec all users scripts
@ -507,13 +593,7 @@ allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`targeted_policy',`
gen_tunable(httpd_suexec_disable_trans,false)
tunable_policy(`httpd_suexec_disable_trans',`',`
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
')
')
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)

10
policy/modules/services/bind.te
View File

@ -1,11 +1,19 @@
policy_module(bind,1.3.1)
policy_module(bind,1.3.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow BIND to write the master zone files.
## Generally this is used for dynamic DNS.
## </p>
## </desc>
gen_tunable(named_write_master_zones,false)
# for DNSSEC key files
type dnssec_t;
files_security_file(dnssec_t)

19
policy/modules/services/cron.te
View File

@ -1,5 +1,5 @@
policy_module(cron,1.5.1)
policy_module(cron,1.5.2)
gen_require(`
class passwd rootok;
@ -9,6 +9,23 @@ gen_require(`
#
# Declarations
#
## <desc>
## <p>
## Allow system cron jobs to relabel filesystem
## for restoring file contexts.
## </p>
## </desc>
gen_tunable(cron_can_relabel,false)
## <desc>
## <p>
## Enable extra rules in the cron domain
## to support fcron.
## </p>
## </desc>
gen_tunable(fcron_crond,false)
attribute cron_spool_type;
type anacron_exec_t;

9
policy/modules/services/cvs.te
View File

@ -1,11 +1,18 @@
policy_module(cvs,1.3.0)
policy_module(cvs,1.3.1)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow cvs daemon to read shadow
## </p>
## </desc>
gen_tunable(allow_cvs_read_shadow,false)
type cvs_t;
type cvs_exec_t;
inetd_tcp_service_domain(cvs_t,cvs_exec_t)

12
policy/modules/services/ftp.if
View File

@ -28,13 +28,11 @@ template(`ftp_per_role_template',`
type ftpd_t;
')
tunable_policy(`ftpd_is_daemon',`
userdom_manage_user_home_content_files($1,ftpd_t)
userdom_manage_user_home_content_symlinks($1,ftpd_t)
userdom_manage_user_home_content_sockets($1,ftpd_t)
userdom_manage_user_home_content_pipes($1,ftpd_t)
userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
userdom_manage_user_home_content_files($1,ftpd_t)
userdom_manage_user_home_content_symlinks($1,ftpd_t)
userdom_manage_user_home_content_sockets($1,ftpd_t)
userdom_manage_user_home_content_pipes($1,ftpd_t)
userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
########################################

61
policy/modules/services/ftp.te
View File

@ -1,11 +1,50 @@
policy_module(ftp,1.4.3)
policy_module(ftp,1.4.4)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow ftp servers to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_anon_write,false)
## <desc>
## <p>
## Allow ftp servers to login to local users and
## read/write all files on the system, governed by DAC.
## </p>
## </desc>
gen_tunable(allow_ftpd_full_access,false)
## <desc>
## <p>
## Allow ftp servers to use cifs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs,false)
## <desc>
## <p>
## Allow ftp servers to use nfs
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs,false)
## <desc>
## <p>
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
gen_tunable(ftp_home_dir,false)
type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t,ftpd_exec_t)
@ -13,7 +52,6 @@ init_daemon_domain(ftpd_t,ftpd_exec_t)
type ftpd_etc_t;
files_config_file(ftpd_etc_t)
# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
@ -53,6 +91,9 @@ allow ftpd_t self:udp_socket create_socket_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
@ -198,13 +239,6 @@ tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
fs_read_cifs_symlinks(ftpd_t)
')
tunable_policy(`ftpd_is_daemon',`
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
corenet_tcp_bind_ftp_port(ftpd_t)
')
optional_policy(`
tunable_policy(`ftp_home_dir',`
apache_search_sys_content(ftpd_t)
@ -232,17 +266,10 @@ optional_policy(`
')
optional_policy(`
#reh: typeattributes not allowed in conditionals yet.
#tunable_policy(`! ftpd_is_daemon',`
# inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
#')
inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
optional_policy(`
tunable_policy(`! ftpd_is_daemon',`
tcpd_domtrans(tcpd_t)
')
tcpd_domtrans(tcpd_t)
')
')

9
policy/modules/services/inetd.te
View File

@ -1,5 +1,5 @@
policy_module(inetd,1.2.3)
policy_module(inetd,1.2.4)
########################################
#
@ -227,13 +227,6 @@ ifdef(`targeted_policy',`
unconfined_domain(inetd_child_t)
')
optional_policy(`
tunable_policy(`ftpd_is_daemon',`
# Allows it to check exec privs on daemon
ftp_check_exec(inetd_t)
')
')
optional_policy(`
kerberos_use(inetd_child_t)
')

9
policy/modules/services/kerberos.te
View File

@ -1,11 +1,18 @@
policy_module(kerberos,1.3.3)
policy_module(kerberos,1.3.4)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow system to run with kerberos
## </p>
## </desc>
gen_tunable(allow_kerberos,false)
type kadmind_t;
type kadmind_exec_t;
init_daemon_domain(kadmind_t,kadmind_exec_t)

9
policy/modules/services/lpd.te
View File

@ -1,11 +1,18 @@
policy_module(lpd,1.4.2)
policy_module(lpd,1.4.3)
########################################
#
# Declarations
#
## <desc>
## <p>
## Use lpd server instead of cups
## </p>
## </desc>
gen_tunable(use_lpd_server,false)
type checkpc_t;
type checkpc_exec_t;
init_system_domain(checkpc_t,checkpc_exec_t)

36
policy/modules/services/ppp.te
View File

@ -1,11 +1,27 @@
policy_module(ppp,1.3.1)
policy_module(ppp,1.3.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow pppd to load kernel modules for certain modems
## </p>
## </desc>
gen_tunable(pppd_can_insmod,false)
ifdef(`strict_policy',`
## <desc>
## <p>
## Allow pppd to be run for a regular user
## </p>
## </desc>
gen_tunable(pppd_for_user,false)
')
# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
@ -172,20 +188,6 @@ ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(pppd_t)
term_dontaudit_use_generic_ptys(pppd_t)
files_dontaudit_read_root_files(pppd_t)
optional_policy(`
gen_require(`
bool postfix_disable_trans;
')
if(!postfix_disable_trans) {
postfix_domtrans_master(pppd_t)
}
')
',`
optional_policy(`
postfix_domtrans_master(pppd_t)
')
')
optional_policy(`
@ -210,6 +212,10 @@ optional_policy(`
nscd_socket_use(pppd_t)
')
optional_policy(`
postfix_domtrans_master(pppd_t)
')
optional_policy(`
seutil_sigchld_newrole(pppd_t)
')

17
policy/modules/services/rpc.te
View File

@ -1,11 +1,26 @@
policy_module(rpc,1.4.3)
policy_module(rpc,1.4.4)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow gssd to read temp directory.
## </p>
## </desc>
gen_tunable(allow_gssd_read_tmp,true)
## <desc>
## <p>
## Allow nfs servers to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_nfsd_anon_write,false)
type exports_t;
files_type(exports_t)

10
policy/modules/services/rsync.te
View File

@ -1,11 +1,19 @@
policy_module(rsync,1.3.1)
policy_module(rsync,1.3.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow rsync to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_rsync_anon_write,false)
type rsync_t;
type rsync_exec_t;
init_daemon_domain(rsync_t,rsync_exec_t)

24
policy/modules/services/samba.te
View File

@ -1,11 +1,33 @@
policy_module(samba,1.4.2)
policy_module(samba,1.4.3)
#################################
#
# Declarations
#
## <desc>
## <p>
## Allow samba to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_smbd_anon_write,false)
## <desc>
## <p>
## Allow samba to export user home directories.
## </p>
## </desc>
gen_tunable(samba_enable_home_dirs,false)
## <desc>
## <p>
## Allow samba to export NFS volumes.
## </p>
## </desc>
gen_tunable(samba_share_nfs,false)
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t,nmbd_exec_t)

9
policy/modules/services/sasl.te
View File

@ -1,11 +1,18 @@
policy_module(sasl,1.4.1)
policy_module(sasl,1.4.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow sasl to read shadow
## </p>
## </desc>
gen_tunable(allow_saslauthd_read_shadow,false)
type saslauthd_t;
type saslauthd_exec_t;
init_daemon_domain(saslauthd_t,saslauthd_exec_t)

20
policy/modules/services/spamassassin.te
View File

@ -1,11 +1,29 @@
policy_module(spamassassin,1.5.5)
policy_module(spamassassin,1.5.6)
########################################
#
# Declarations
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Allow user spamassassin clients to use the network.
## </p>
## </desc>
gen_tunable(spamassassin_can_network,false)
')
ifdef(`targeted_policy',`
## <desc>
## <p>
## Allow spamd to read/write user home directories.
## </p>
## </desc>
gen_tunable(spamd_enable_home_dirs,true)
')
# spamassassin client executable
type spamc_exec_t;
corecmd_executable_file(spamc_exec_t)

10
policy/modules/services/squid.te
View File

@ -1,11 +1,19 @@
policy_module(squid,1.2.1)
policy_module(squid,1.2.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow squid to connect to all ports, not just
## HTTP, FTP, and Gopher ports.
## </p>
## </desc>
gen_tunable(squid_connect_any,false)
type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t,squid_exec_t)

20
policy/modules/services/ssh.if
View File

@ -476,6 +476,7 @@ template(`ssh_server_template', `
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
@ -517,25 +518,6 @@ template(`ssh_server_template', `
fs_read_cifs_files($1_t)
')
# cjp: commenting out until typeattribute works in conditional
# and require block in optional else is resolved
#optional_policy(`
# tunable_policy(`run_ssh_inetd',`
# allow $1_t self:process signal;
# files_list_pids($1_t)
# ',`
# corenet_tcp_bind_ssh_port($1_t)
# init_use_fds($1_t)
# init_use_script_ptys($1_t)
# ')
#',`
# These rules should match the else block
# of the run_ssh_inetd tunable directly above
corenet_tcp_bind_ssh_port($1_t)
init_use_fds($1_t)
init_use_script_ptys($1_t)
#')
optional_policy(`
kerberos_use($1_t)
')

28
policy/modules/services/ssh.te
View File

@ -1,11 +1,25 @@
policy_module(ssh,1.5.1)
policy_module(ssh,1.5.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## allow host key based authentication
## </p>
## </desc>
gen_tunable(allow_ssh_keysign,false)
## <desc>
## <p>
## Allow ssh logins as sysadm_r:sysadm_t
## </p>
## </desc>
gen_tunable(ssh_sysadm_login,false)
attribute ssh_server;
# Type for the ssh-agent executable.
@ -140,6 +154,8 @@ tunable_policy(`ssh_sysadm_login',`
ifdef(`strict_policy',`
ifdef(`TODO',`
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
# Signal the user domains.
allow sshd_extern_t user_mini_domain:process signal;
@ -159,15 +175,7 @@ ifdef(`strict_policy',`
allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
optional_policy(`
tunable_policy(`run_ssh_inetd',`
domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
',`
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
')
',`
# These rules should match the else block
# of the run_ssh_inetd tunable directly above
domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
')
ifdef(`direct_sysadm_daemon', `

16
policy/modules/services/stunnel.te
View File

@ -1,5 +1,5 @@
policy_module(stunnel,1.2.1)
policy_module(stunnel,1.2.2)
########################################
#
@ -127,13 +127,9 @@ ifdef(`distro_gentoo', `
')
')
tunable_policy(`stunnel_is_daemon',`
allow stunnel_t self:tcp_socket create_stream_socket_perms;
# hack since this port has no interfaces since it doesnt
# have net_contexts
gen_require(`
type stunnel_port_t;
')
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
# hack since this port has no interfaces since it doesnt
# have net_contexts
gen_require(`
type stunnel_port_t;
')
allow stunnel_t stunnel_port_t:tcp_socket name_bind;

19
policy/modules/services/xserver.te
View File

@ -1,11 +1,28 @@
policy_module(xserver,1.3.3)
policy_module(xserver,1.3.4)
########################################
#
# Declarations
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Allows clients to write to the X server shared
## memory segments.
## </p>
## </desc>
gen_tunable(allow_write_xshm,false)
')
## <desc>
## <p>
## Allow xdm logins as sysadm
## </p>
## </desc>
gen_tunable(xdm_sysadm_login,false)
attribute fonts_type;
attribute fonts_cache_type;
attribute fonts_config_type;

10
policy/modules/services/zebra.te
View File

@ -1,11 +1,19 @@
policy_module(zebra,1.3.1)
policy_module(zebra,1.3.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow zebra daemon to write it configuration files
## </p>
## </desc>
#
gen_tunable(allow_zebra_write_config,false)
type zebra_t;
type zebra_exec_t;
init_daemon_domain(zebra_t,zebra_exec_t)

11
policy/modules/system/init.te
View File

@ -1,5 +1,5 @@
policy_module(init,1.5.4)
policy_module(init,1.5.5)
gen_require(`
class passwd rootok;
@ -10,6 +10,15 @@ gen_require(`
# Declarations
#
ifdef(`targeted_policy',`
## <desc>
## <p>
## Allow all daemons the ability to use unallocated ttys
## </p>
## </desc>
gen_tunable(allow_daemons_use_tty,false)
')
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;

11
policy/modules/system/mount.te
View File

@ -1,11 +1,20 @@
policy_module(mount,1.5.0)
policy_module(mount,1.5.1)
########################################
#
# Declarations
#
ifdef(`targeted_policy',`
## <desc>
## <p>
## Allow mount to mount any file
## </p>
## </desc>
gen_tunable(allow_mount_anyfile,false)
')
type mount_t;
type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)

47
policy/modules/system/userdomain.te
View File

@ -1,5 +1,5 @@
policy_module(userdomain,2.1.2)
policy_module(userdomain,2.1.3)
gen_require(`
role sysadm_r, staff_r, user_r;
@ -15,6 +15,51 @@ gen_require(`
# Declarations
#
ifdef(`strict_policy',`
## <desc>
## <p>
## Allow sysadm to ptrace all processes
## </p>
## </desc>
gen_tunable(allow_ptrace,false)
## <desc>
## <p>
## Allow users to connect to mysql
## </p>
## </desc>
gen_tunable(allow_user_mysql_connect,false)
## <desc>
## <p>
## Allow regular users direct mouse access
## </p>
## </desc>
gen_tunable(user_direct_mouse,false)
## <desc>
## <p>
## Allow users to read system messages.
## </p>
## </desc>
gen_tunable(user_dmesg,false)
## <desc>
## <p>
## Allow user to r/w files on filesystems
## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
gen_tunable(user_rw_noexattrfile,false)
## <desc>
## <p>
## Allow w to display everyone
## </p>
## </desc>
gen_tunable(user_ttyfile_stat,false)
')
# admin users terminals (tty and pty)
attribute admin_terminal;

74
support/Makefile.devel
View File

@ -33,7 +33,7 @@ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
docs = doc
polxml = $(docs)/policy.xml
xmldtd = $(HEADERDIR)/support/policy.dtd
layerxml = metadata.xml
metaxml = metadata.xml
globaltun = $(HEADERDIR)/global_tunables.xml
globalbool = $(HEADERDIR)/global_booleans.xml
@ -84,26 +84,41 @@ M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$
# policy headers
m4support = $(wildcard $(HEADERDIR)/support/*.spt)
all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
rolemap = $(HEADERDIR)/rolemap
detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers))))
all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers))))
detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers))))
3rd_party_mods = $(wildcard *.te)
detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te))
detected_ifs = $(detected_mods:.te=.if)
detected_fcs = $(detected_mods:.te=.fc)
all_packages = $(notdir $(detected_mods:.te=.pp))
modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml))
layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR))))
hmodxml = $(all_interfaces:.if=.xml)
hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset))))
hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml))
cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te))
cmodxml = $(cmods:.te=.xml)
clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers))))
cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml))
vpath %.te $(detected_layers)
vpath %.if $(detected_layers)
vpath %.fc $(detected_layers)
# if there are modules in the current directory, add them into the third party layer
ifneq "$(3rd_party_mods)" ""
genxml += -3 .
endif
########################################
#
# Functions
@ -197,18 +212,45 @@ $(detected_ifs) $(detected_fcs):
# Documentation generation
#
# minimal dependencies here, because we don't want to rebuild
# this and its dependents every time the dependencies
# change. Also use all .if files here, rather then just the
# enabled modules.
$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
@echo "Creating $@"
@mkdir -p doc
$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml)
@test -d tmp || mkdir -p tmp
$(verbose) echo '<layer name="$(*F)">' > $@
$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
$(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@
$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
$(verbose) echo '</layer>' >> $@
$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml)
@test -d tmp || mkdir -p tmp
$(verbose) echo '<layer name="$(*F)">' > $@
$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
$(verbose) echo '</layer>' >> $@
$(cmodxml) $(modxml): %.xml: %.if %.te
$(verbose) $(genxml) -w -m $* > $@
$(layerxml): %.xml: $(modxml)
@test -d tmp || mkdir -p tmp
$(verbose) echo '<layer name="$(*F)">' > $@
$(verbose) if test -f '$(metaxml)'; then \
cat $(metaxml) >> $@; \
else \
echo '<summary>This is all third-party generated modules.</summary>' >> $@; \
fi
$(verbose) cat $(filter-out %/$(metaxml), $^) >> $@
$(verbose) echo '</layer>' >> $@
$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool)
@echo "Creating $(@F)"
@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(xmldtd)">' >> $@
$(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
$(verbose) echo '<policy>' >> $@
$(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@
$(verbose) echo '</policy>' >> $@
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
$(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
fi
########################################

128
support/sedoctool.py
View File

@ -1,6 +1,7 @@
#!/usr/bin/python
# Author: Joshua Brindle <jbrindle@tresys.com>
# Caleb Case <ccase@tresys.com>
#
# Copyright (C) 2005 - 2006 Tresys Technology, LLC
# This program is free software; you can redistribute it and/or modify
@ -317,6 +318,12 @@ def gen_docs(doc, working_dir, templatedir):
templatefile = open(templatedir + "/template.html", "r")
templatedata = templatefile.read()
templatefile.close()
tunfile = open(templatedir + "/tunable.html", "r")
tundata = tunfile.read()
tunfile.close()
boolfile = open(templatedir + "/boolean.html", "r")
booldata = boolfile.read()
boolfile.close()
menufile = open(templatedir + "/menu.html", "r")
menudata = menufile.read()
menufile.close()
@ -332,12 +339,18 @@ def gen_docs(doc, working_dir, templatedir):
templistfile = open(templatedir + "/temp_list.html", "r")
templistdata = templistfile.read()
templistfile.close()
boollistfile = open(templatedir + "/global_bool_list.html", "r")
boollistdata = boollistfile.read()
boollistfile.close()
tunlistfile = open(templatedir + "/global_tun_list.html", "r")
tunlistfile = open(templatedir + "/tun_list.html", "r")
tunlistdata = tunlistfile.read()
tunlistfile.close()
boollistfile = open(templatedir + "/bool_list.html", "r")
boollistdata = boollistfile.read()
boollistfile.close()
gboollistfile = open(templatedir + "/global_bool_list.html", "r")
gboollistdata = gboollistfile.read()
gboollistfile.close()
gtunlistfile = open(templatedir + "/global_tun_list.html", "r")
gtunlistdata = gtunlistfile.read()
gtunlistfile.close()
except:
error("Could not open templates")
@ -412,6 +425,8 @@ def gen_docs(doc, working_dir, templatedir):
all_interfaces = []
all_templates = []
all_tunables = []
all_booleans = []
for node in doc.getElementsByTagName("module"):
mod_name = mod_layer = mod_desc = interface_buf = ''
@ -511,6 +526,54 @@ def gen_docs(doc, working_dir, templatedir):
template_tpl = pyplate.Template(templatedata)
template_buf = template_tpl.execute_string({"templates" : templates})
#generate 'boolean' pages
booleans = []
for boolean in node.getElementsByTagName("bool"):
boolean_parameters = []
boolean_desc = None
boolean_name = boolean.getAttribute("name")
boolean_dftval = boolean.getAttribute("dftval")
for desc in boolean.childNodes:
if desc.nodeName == "desc":
boolean_desc = format_html_desc(desc)
booleans.append({ "bool_name" : boolean_name,
"desc" : boolean_desc,
"def_val" : boolean_dftval })
#all_booleans is for the main boolean index with all booleans
all_booleans.append({ "bool_name" : boolean_name,
"desc" : boolean_desc,
"def_val" : boolean_dftval,
"mod_name": mod_name,
"mod_layer" : mod_layer })
booleans.sort(bool_cmp)
boolean_tpl = pyplate.Template(booldata)
boolean_buf = boolean_tpl.execute_string({"booleans" : booleans})
#generate 'tunable' pages
tunables = []
for tunable in node.getElementsByTagName("tunable"):
tunable_parameters = []
tunable_desc = None
tunable_name = tunable.getAttribute("name")
tunable_dftval = tunable.getAttribute("dftval")
for desc in tunable.childNodes:
if desc.nodeName == "desc":
tunable_desc = format_html_desc(desc)
tunables.append({ "tun_name" : tunable_name,
"desc" : tunable_desc,
"def_val" : tunable_dftval })
#all_tunables is for the main tunable index with all tunables
all_tunables.append({ "tun_name" : tunable_name,
"desc" : tunable_desc,
"def_val" : tunable_dftval,
"mod_name": mod_name,
"mod_layer" : mod_layer })
tunables.sort(tun_cmp)
tunable_tpl = pyplate.Template(tundata)
tunable_buf = tunable_tpl.execute_string({"tunables" : tunables})
menu = gen_doc_menu(mod_layer, module_list)
@ -531,6 +594,10 @@ def gen_docs(doc, working_dir, templatedir):
interface_buf = None
if not template_buf.strip():
template_buf = None
if not tunable_buf.strip():
tunable_buf = None
if not boolean_buf.strip():
boolean_buf = None
module_args = { "mod_layer" : mod_layer,
"mod_name" : mod_name,
@ -538,7 +605,9 @@ def gen_docs(doc, working_dir, templatedir):
"mod_desc" : mod_desc,
"mod_req" : mod_req,
"interfaces" : interface_buf,
"templates": template_buf }
"templates" : template_buf,
"tunables" : tunable_buf,
"booleans" : boolean_buf }
module_tpl = pyplate.Template(moduledata)
module_buf = module_tpl.execute_string(module_args)
@ -590,19 +659,19 @@ def gen_docs(doc, working_dir, templatedir):
#build the global tunable index
global_tun_buf = []
global_tun = []
for tunable in doc.getElementsByTagName("tunable"):
if tunable.parentNode.nodeName == "policy":
tunable_name = tunable.getAttribute("name")
default_value = tunable.getAttribute("dftval")
for desc in tunable.getElementsByTagName("desc"):
description = format_html_desc(desc)
global_tun_buf.append( { "tun_name" : tunable_name,
global_tun.append( { "tun_name" : tunable_name,
"def_val" : default_value,
"desc" : description } )
global_tun_buf.sort(tun_cmp)
global_tun_tpl = pyplate.Template(tunlistdata)
global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun_buf})
global_tun.sort(tun_cmp)
global_tun_tpl = pyplate.Template(gtunlistdata)
global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun})
global_tun_file = "global_tunables.html"
global_tun_fh = open(global_tun_file, "w")
body_tpl = pyplate.Template(bodydata)
@ -613,21 +682,35 @@ def gen_docs(doc, working_dir, templatedir):
body_tpl.execute(global_tun_fh, body_args)
global_tun_fh.close()
#build the tunable index
all_tunables = all_tunables + global_tun
all_tunables.sort(tun_cmp)
tunable_tpl = pyplate.Template(tunlistdata)
tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables})
temp_file = "tunables.html"
temp_fh = open(temp_file, "w")
body_tpl = pyplate.Template(bodydata)
body_args = { "menu" : menu_buf,
"content" : tunable_buf }
body_tpl.execute(temp_fh, body_args)
temp_fh.close()
#build the global boolean index
global_bool_buf = []
global_bool = []
for boolean in doc.getElementsByTagName("bool"):
if boolean.parentNode.nodeName == "policy":
bool_name = boolean.getAttribute("name")
default_value = boolean.getAttribute("dftval")
for desc in boolean.getElementsByTagName("desc"):
description = format_html_desc(desc)
global_bool_buf.append( { "bool_name" : bool_name,
global_bool.append( { "bool_name" : bool_name,
"def_val" : default_value,
"desc" : description } )
global_bool_buf.sort(bool_cmp)
global_bool_tpl = pyplate.Template(boollistdata)
global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool_buf})
global_bool.sort(bool_cmp)
global_bool_tpl = pyplate.Template(gboollistdata)
global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool})
global_bool_file = "global_booleans.html"
global_bool_fh = open(global_bool_file, "w")
body_tpl = pyplate.Template(bodydata)
@ -637,6 +720,21 @@ def gen_docs(doc, working_dir, templatedir):
body_tpl.execute(global_bool_fh, body_args)
global_bool_fh.close()
#build the boolean index
all_booleans = all_booleans + global_bool
all_booleans.sort(bool_cmp)
boolean_tpl = pyplate.Template(boollistdata)
boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans})
temp_file = "booleans.html"
temp_fh = open(temp_file, "w")
body_tpl = pyplate.Template(bodydata)
body_args = { "menu" : menu_buf,
"content" : boolean_buf }
body_tpl.execute(temp_fh, body_args)
temp_fh.close()

210
support/segenxml.py
View File

@ -3,6 +3,7 @@
# Author(s): Donald Miner <dminer@tresys.com>
# Dave Sugar <dsugar@tresys.com>
# Brian Williams <bwilliams@tresys.com>
# Caleb Case <ccase@tresys.com>
#
# Copyright (C) 2005 - 2006 Tresys Technology, LLC
# This program is free software; you can redistribute it and/or modify
@ -18,6 +19,7 @@ import sys
import os
import glob
import re
import getopt
# GLOBALS
@ -70,9 +72,15 @@ def getModuleXML(file_name):
Returns the XML data for a module in a list, one line per list item.
'''
# Gather information.
module_dir = os.path.dirname(file_name)
module_name = os.path.basename(file_name)
module_te = "%s/%s.te" % (module_dir, module_name)
module_if = "%s/%s.if" % (module_dir, module_name)
# Try to open the file, if it cant, just ignore it.
try:
module_file = open(file_name, "r")
module_file = open(module_if, "r")
module_code = module_file.readlines()
module_file.close()
except:
@ -83,7 +91,7 @@ def getModuleXML(file_name):
# Infer the module name, which is the base of the file name.
module_buf.append("<module name=\"%s\" filename=\"%s\">\n"
% (os.path.splitext(os.path.split(file_name)[-1])[0], file_name))
% (os.path.splitext(os.path.split(file_name)[-1])[0], module_if))
temp_buf = []
interface = None
@ -175,54 +183,13 @@ def getModuleXML(file_name):
elif temp_buf:
warning("orphan XML comments at bottom of file %s" % file_name)
# Process the TE file if it exists.
module_buf = module_buf + getTunableXML(module_te, "both")
module_buf.append("</module>\n")
return module_buf
def getLayerXML (layerName, directories):
'''
Returns the XML documentation for a layer.
'''
layer_buf = []
# Infer the layer name from the directory name.
layer_buf.append("<layer name=\"%s\">\n" % layerName)
# Try to file the metadata file for this layer and if it exists,
# append the contents to the buffer.
bFoundMeta = False
for directory in directories:
metafile = directory + "/" + meta
if not bFoundMeta and os.path.isfile (metafile):
layer_meta = open (metafile, "r")
layer_buf += layer_meta.readlines ()
layer_meta.close()
bFoundMeta = True
# force the metadata for the third party layer
if not bFoundMeta:
if layerName == third_party:
layer_buf.append ("<summary>This is all third-party generated modules.</summary>\n")
bFoundMeta = True
# didn't find meta data for this layer - oh well
if not bFoundMeta:
layer_buf.append ("<summary>Summary is missing!.</summary>\n")
warning ("unable to find %s for layer %s" % (meta, layerName))
# For each module file in the layer, add its XML.
for directory in directories:
modules = glob.glob("%s/*.if" % directory)
modules.sort()
for module in modules:
layer_buf += getModuleXML(module)
layer_buf.append("</layer>\n")
return layer_buf
def getTunableXML(file_name, kind):
'''
Return all the XML for the tunables/bools in the file specified.
@ -257,8 +224,10 @@ def getTunableXML(file_name, kind):
if boolean:
# If there is a gen_bool in a tunable file or a
# gen_tunable in a boolean file, error and exit.
if boolean.group(1) != kind:
error("%s in a %s file." % (boolean.group(1), kind))
# Skip if both kinds are valid.
if kind != "both":
if boolean.group(1) != kind:
error("%s in a %s file." % (boolean.group(1), kind))
tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
tunable_buf += temp_buf
@ -341,39 +310,15 @@ def usage():
Displays a message describing the proper usage of this script.
"""
sys.stdout.write("usage: %s [-w] [-m file] "\
% sys.argv[0])
sys.stdout.write("usage: %s [-w] [-mtb] <file>\n\n" % sys.argv[0])
sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\
"-m --module <file>\t\tname of module to process\n"+\
"-t --tunable <file>\t\tname of global tunable file to process\n"+\
"-b --boolean <file>\t\tname of global boolean file to process\n\n")
sys.stdout.write("layerdirectory [layerdirectory...]\n\n")
sys.stdout.write("Options:\n")
sys.stdout.write ("-h --help -- "+\
"show command line options\n")
sys.stdout.write("-w --warn -- "+\
"show warnings\n")
sys.stdout.write("-m --meta <file> -- "+\
"the filename of the metadata in each layer\n")
sys.stdout.write("-t --tunable <file> -- "+\
"A file containing tunable declarations\n")
sys.stdout.write("-b --bool <file> -- "+\
"A file containing bool declarations\n")
sys.stdout.write("-o --output-dir <directory> -- "+\
"A directory to output global_tunables.xml and global_booleans.xml\n")
sys.stdout.write("--tunables-xml <file> -- "+\
"A file containing tunable declarations already in XML format\n")
sys.stdout.write("--booleans-xml <file> -- "+\
"A file containing bool declarations already in XML format\n")
sys.stdout.write ("-3 --third-party <directory> -- "+\
"Look for 3rd Party modules in directory.\n")
sys.stdout.write("examples:\n")
sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0])
sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0])
def warning(description):
'''
@ -397,79 +342,50 @@ def error(description):
# MAIN PROGRAM
# Defaults
warn = False
module = False
tunable = False
boolean = False
# Check that there are command line arguments.
if len(sys.argv) <= 1:
usage()
sys.exit(1)
# Parse the command line arguments
for i in range(1, len(sys.argv)):
if sys.argv[i-1] in ("-m", "--meta",\
"-t", "--tunable", "-b", "--bool",\
"-o", "--output-dir", "-3", "--third-party", \
"--tunables-xml", "--booleans-xml"):
continue
elif sys.argv[i] in ("-w", "--warn"):
# Parse command line args
try:
opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean='])
except getopt.GetoptError:
usage()
sys.exit(2)
for o, a in opts:
if o in ('-w', '--warn'):
warn = True
elif sys.argv[i] in ("-m", "--meta"):
if i < len(sys.argv)-1:
meta = sys.argv[i+1]
else:
usage()
elif sys.argv[i] in ("-t", "--tunable"):
if i < len(sys.argv)-1:
tunable_files.append(sys.argv[i+1])
else:
usage()
elif sys.argv[i] in ("-b", "--bool"):
if i < len(sys.argv)-1:
bool_files.append(sys.argv[i+1])
else:
usage()
elif sys.argv[i] == "--tunables-xml":
if i < len(sys.argv)-1:
xml_bool_files.append (sys.argv[i+1])
else:
usage ()
elif sys.argv[i] == "--booleans-xml":
if i < len(sys.argv)-1:
xml_tunable_files.append (sys.argv[i+1])
else:
usage ()
elif sys.argv[i] in ("-o", "--output-dir"):
if i < len(sys.argv)-1:
output_dir = sys.argv[i+1]
else:
usage ()
elif sys.argv[i] in ("-3", "--third-party"):
if i < len(sys.argv) -1:
if layers.has_key (third_party):
layers[third_party].append (sys.argv[i+1])
else:
layers[third_party] = [sys.argv[i+1]]
else:
usage ()
elif sys.argv[i] in ("-h", "--help"):
usage ()
sys.exit (1)
elif o in ('-h', '--help'):
usage()
sys.exit(0)
elif o in ('-m', '--module'):
module = a
break
elif o in ('-t', '--tunable'):
tunable = a
break
elif o in ('-b', '--boolean'):
boolean = a
break
else:
# store directories in hash stored by layer name
splitlayer = os.path.split(sys.argv[i])
if layers.has_key (splitlayer[1]):
layers[splitlayer[1]].append (sys.argv[i])
else:
layers[splitlayer[1]] = [sys.argv[i]]
usage()
sys.exit(2)
# Generate the XML and output it to a file
lines = getPolicyXML()
for s in lines:
sys.stdout.write(s)
if module:
sys.stdout.writelines(getModuleXML(module))
elif tunable:
sys.stdout.writelines(getTunableXML(tunable, "tunable"))
elif boolean:
sys.stdout.writelines(getTunableXML(boolean, "bool"))
else:
usage()
sys.exit(2)