- Move booleans and tunables to modules when it is only used in a single

module. - Add support for tunables and booleans local to a module.
2007-03-26 18:41:45 +00:00 · 2007-03-26 18:41:45 +00:00 · 56e1b3d207
parent 8021cb4f63
commit 56e1b3d207
50 changed files with 852 additions and 808 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+- Move booleans and tunables to modules when it is only used in a single
+  module.
+- Add support for tunables and booleans local to a module.
 - Merge sbin_t and ls_exec_t into bin_t.
 - Remove disable_trans booleans.
 - Output different header sets for kernel and userland from flask headers.
--- a/41
+++ b/41
@ -108,7 +108,7 @@ genhomedircon := $(PYTHON) -E $(support)/genhomedircon
 # documentation paths
 docs := doc
 xmldtd = $(docs)/policy.dtd
-layerxml = metadata.xml
+metaxml = metadata.xml
 doctemplate = $(docs)/templates
 docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)

@ -254,6 +254,10 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in
 # when a generated file is already generated
 detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))

+modxml := $(detected_mods:.te=.xml)
+layerxml := $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers))))
+all_metaxml := $(addsuffix /$(metaxml), $(all_layers))
+
 # modules.conf setting for base module
 configbase := base

@ -408,23 +412,36 @@ $(fcsort) : $(support)/fc_sort.c
 # Documentation generation
 #

-# minimal dependencies here, because we don't want to rebuild 
-# this and its dependents every time the dependencies
-# change.  Also use all .if files here, rather then just the
-# enabled modules.
-xml: $(polxml)
-$(polxml): $(detected_mods:.te=.if) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
+$(modxml): %.xml: %.if %.te
+	$(verbose) $(genxml) -w -m $* > $@
+
+$(layerxml): %.xml: $(modxml) $(all_metaxml)
+	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+	$(verbose) echo '<layer name="$(*F)">' > $@
+	$(verbose) cat $(addprefix $(moddir)/, $(notdir $*))/$(metaxml) >> $@
+	$(verbose) cat $(filter-out $(addprefix $(moddir)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(moddir)/, $(notdir $*))/%, $(modxml))) >> $@
+	$(verbose) echo '</layer>' >> $@
+
+$(tunxml): $(globaltun)
+	$(verbose) $(genxml) -w -t $< > $@
+
+$(boolxml): $(globalbool)
+	$(verbose) $(genxml) -w -b $< > $@
+
+$(polxml): $(layerxml) $(tunxml) $(boolxml)
 	@echo "Creating $(@F)"
 	@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
 	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
-	$(verbose) $(genxml) -w -m $(layerxml) -t $(globaltun) -b $(globalbool) -o $(docs) $(all_layers) >> $@
+	$(verbose) echo '<policy>' >> $@
+	$(verbose) cat $(layerxml) $(tunxml) $(boolxml) >> $@
+	$(verbose) echo '</policy>' >> $@
 	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
 		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
 	fi

-$(tunxml) $(boolxml): $(polxml)
+xml: $(polxml)

 html $(tmpdir)/html: $(polxml)
 	@echo "Building html interface reference documentation in $(htmldir)"
@ -517,7 +534,7 @@ $(contextpath)/users/%: $(appconf)/%_default_contexts
 #
 # Install policy headers
 #
-install-headers: $(tunxml) $(boolxml)
+install-headers: $(layerxml) $(tunxml) $(boolxml)
 	@mkdir -p $(headerdir)
 	@echo "Installing $(TYPE) policy headers."
 	$(verbose) $(INSTALL) -m 644 $(tunxml) $(boolxml) $(headerdir)
@ -528,7 +545,7 @@ install-headers: $(tunxml) $(boolxml)
 	$(verbose) for i in $(notdir $(all_layers)); do \
 		mkdir -p $(headerdir)/$$i ;\
 		$(INSTALL) -m 644 $(moddir)/$$i/*.if \
-			$(moddir)/$$i/metadata.xml \
+			$(moddir)/$$i/*.xml \
 			$(headerdir)/$$i ;\
 	done
 	$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
@ -620,6 +637,8 @@ resetlabels:
 #
 bare: clean
 	rm -f $(polxml)
+	rm -f $(layerxml)
+	rm -f $(modxml)
 	rm -f $(tunxml)
 	rm -f $(boolxml)
 	rm -f $(mod_conf)
--- a/doc/policy.dtd
+++ b/doc/policy.dtd
@ -4,7 +4,7 @@
 <!ELEMENT layer (summary,module+)>
 <!ATTLIST layer
      name CDATA #REQUIRED>
-<!ELEMENT module (summary,desc?,required?,(interface|template)*)>
+<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
 <!ATTLIST module 
      name CDATA #REQUIRED
      filename CDATA #REQUIRED>
--- a/doc/templates/bool_list.html
+++ b/doc/templates/bool_list.html
@ -0,0 +1,23 @@
+<h3>Master boolean index:</h3>
+
+[[for bool in booleans]]
+<div id="interfacesmall">
+[[if bool.has_key('mod_layer')]]
+Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'>
+[[bool['mod_name']]]</a><p/>
+Layer: <a href='[[bool['mod_layer']]].html'>
+[[bool['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[bool['bool_name']]]
+<small>(Default: [[bool['def_val']]])</small>
+</div>
+[[if bool['desc']]]
+<div id="description">
+[[bool['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]
--- a/doc/templates/boolean.html
+++ b/doc/templates/boolean.html
@ -0,0 +1,13 @@
+[[for bool in booleans]]
+<a name="link_[[bool['bool_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[bool['bool_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[bool['def_val']]]</p>
+[[if bool['desc']]]
+<h5>Description</h5>
+[[bool['desc']]]
+[[end]]
+</div></div>
+[[end]]
--- a/doc/templates/menu.html
+++ b/doc/templates/menu.html
@ -16,6 +16,10 @@
 	<p/><br/><p/>
 	<a href="index.html">*&nbsp;Layer Index</a>
 	<br/><p/>
+	<a href="booleans.html">*&nbsp;Boolean&nbsp;Index</a>
+	<br/><p/>
+	<a href="tunables.html">*&nbsp;Tunable&nbsp;Index</a>
+	<br/><p/>
 	<a href="interfaces.html">*&nbsp;Interface&nbsp;Index</a>
 	<br/><p/>
 	<a href="templates.html">*&nbsp;Template&nbsp;Index</a>
--- a/doc/templates/module.html
+++ b/doc/templates/module.html
@ -1,8 +1,16 @@
 <a name="top":></a>
 <h1>Layer: [[mod_layer]]</h1><p/>
 <h2>Module: [[mod_name]]</h2><p/>
-[[if interfaces and templates]]
+[[if booleans]]
+<a href=#booleans>Booleans</a>
+[[end]]
+[[if tunables]]
+<a href=#tunables>Tunables</a>
+[[end]]
+[[if interfaces]]
 <a href=#interfaces>Interfaces</a>
+[[end]]
+[[if templates]]
 <a href=#templates>Templates</a>
 [[end]]
 <h3>Description:</h3>
@ -14,6 +22,19 @@
 [[if mod_req]]
 <p>This module is required to be included in all policies.</p>
 [[end]]
+<hr>
+[[if booleans]]
+<a name="booleans"></a>
+<h3>Booleans: </h3>
+[[booleans]]
+<a href=#top>Return</a>
+[[end]]
+[[if tunables]]
+<a name="tunables"></a>
+<h3>Tunables: </h3>
+[[tunables]]
+<a href=#top>Return</a>
+[[end]]
 [[if interfaces]]
 <a name="interfaces"></a>
 <h3>Interfaces: </h3>
@ -26,6 +47,6 @@
 [[templates]]
 <a href=#top>Return</a>
 [[end]]
-[[if not templates and not interfaces]]
-<h3>No interfaces or templates.</h3>
+[[if not templates and not interfaces and not tunables]]
+<h3>No booleans, tunables, interfaces, or templates.</h3>
 [[end]]
--- a/doc/templates/tun_list.html
+++ b/doc/templates/tun_list.html
@ -0,0 +1,23 @@
+<h3>Master tunable index:</h3>
+
+[[for tun in tunables]]
+<div id="interfacesmall">
+[[if tun.has_key('mod_layer')]]
+Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'>
+[[tun['mod_name']]]</a><p/>
+Layer: <a href='[[tun['mod_layer']]].html'>
+[[tun['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[tun['tun_name']]]
+<small>(Default: [[tun['def_val']]])</small>
+</div>
+[[if tun['desc']]]
+<div id="description">
+[[tun['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]
--- a/doc/templates/tunable.html
+++ b/doc/templates/tunable.html
@ -0,0 +1,13 @@
+[[for tun in tunables]]
+<a name="link_[[tun['tun_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[tun['tun_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[tun['def_val']]]</p>
+[[if tun['desc']]]
+<h5>Description</h5>
+[[tun['desc']]]
+[[end]]
+</div></div>
+[[end]]
--- a/policy/global_tunables
+++ b/policy/global_tunables
@ -9,22 +9,6 @@
 # Common tunables
 #

-## <desc>
-## <p>
-## Allow cvs daemon to read shadow
-## </p>
-## </desc>
-#
-gen_tunable(allow_cvs_read_shadow,false)
-
-## <desc>
-## <p>
-## Allow zebra daemon to write it configuration files
-## </p>
-## </desc>
-#
-gen_tunable(allow_zebra_write_config,false)
-
 ## <desc>
 ## <p>
 ## Allow making the heap executable.
@ -56,82 +40,6 @@ gen_tunable(allow_execmod,false)
 ## </desc>
 gen_tunable(allow_execstack,false)

-## <desc>
-## <p>
-## Allow ftp servers to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_anon_write,false)
-
-## <desc>
-## <p>
-## Allow ftp servers to login to local users and 
-## read/write all files on the system, governed by DAC.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_full_access,false)
-
-## <desc>
-## <p>
-## Allow ftp servers to use cifs
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_use_cifs,false)
-
-## <desc>
-## <p>
-## Allow ftp servers to use nfs
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_use_nfs,false)
-
-## <desc>
-## <p>
-## Allow gssd to read temp directory.
-## </p>
-## </desc>
-gen_tunable(allow_gssd_read_tmp,true)
-
-## <desc>
-## <p>
-## Allow Apache to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_httpd_anon_write,false)
-
-## <desc>
-## <p>
-## Allow Apache to use mod_auth_pam
-## </p>
-## </desc>
-gen_tunable(allow_httpd_mod_auth_pam,false)
-
-## <desc>
-## <p>
-## Allow java executable stack
-## </p>
-## </desc>
-gen_tunable(allow_java_execstack,false)
-
-## <desc>
-## <p>
-## Allow system to run with kerberos
-## </p>
-## </desc>
-gen_tunable(allow_kerberos,false)
-
-## <desc>
-## <p>
-## Allow nfs servers to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_nfsd_anon_write,false)
-
 ## <desc>
 ## <p>
 ## Enable polyinstantiated directory support.
@ -139,30 +47,6 @@ gen_tunable(allow_nfsd_anon_write,false)
 ## </desc>
 gen_tunable(allow_polyinstantiation,false)

-## <desc>
-## <p>
-## Allow rsync to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_rsync_anon_write,false)
-
-## <desc>
-## <p>
-## Allow sasl to read shadow
-## </p>
-## </desc>
-gen_tunable(allow_saslauthd_read_shadow,false)
-
-## <desc>
-## <p>
-## Allow samba to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_smbd_anon_write,false)
-
-
 ## <desc>
 ## <p>
 ## Allow system to run with NIS
@ -170,28 +54,6 @@ gen_tunable(allow_smbd_anon_write,false)
 ## </desc>
 gen_tunable(allow_ypbind,false)

-## <desc>
-## <p>
-## Enable extra rules in the cron domain
-## to support fcron.
-## </p>
-## </desc>
-gen_tunable(fcron_crond,false)
-
-## <desc>
-## <p>
-## Allow ftp to read and write files in the user home directories
-## </p>
-## </desc>
-gen_tunable(ftp_home_dir,false)
-
-## <desc>
-## <p>
-## Allow ftpd to run directly without inetd
-## </p>
-## </desc>
-gen_tunable(ftpd_is_daemon,false)
-
 ## <desc>
 ## <p>
 ## Enable reading of urandom for all domains.
@ -205,85 +67,6 @@ gen_tunable(ftpd_is_daemon,false)
 ## </desc>
 gen_tunable(global_ssp,false)

-## <desc>
-## <p>
-## Allow httpd to use built in scripting (usually php)
-## </p>
-## </desc>
-gen_tunable(httpd_builtin_scripting,false)
-
-## <desc>
-## <p>
-## Allow http daemon to tcp connect 
-## </p>
-## </desc>
-gen_tunable(httpd_can_network_connect,false)
-
-## <desc>
-## <p>
-## Allow httpd to connect to mysql/posgresql 
-## </p>
-## </desc>
-gen_tunable(httpd_can_network_connect_db, false)
-
-## <desc>
-## <p>
-## Allow httpd to act as a relay 
-## </p>
-## </desc>
-gen_tunable(httpd_can_network_relay, false)
-
-## <desc>
-## <p>
-## Allow httpd cgi support
-## </p>
-## </desc>
-gen_tunable(httpd_enable_cgi,false)
-
-## <desc>
-## <p>
-## Allow httpd to act as a FTP server by
-## listening on the ftp port.
-## </p>
-## </desc>
-gen_tunable(httpd_enable_ftp_server,false)
-
-## <desc>
-## <p>
-## Allow httpd to read home directories
-## </p>
-## </desc>
-gen_tunable(httpd_enable_homedirs,false)
-
-## <desc>
-## <p>
-## Run SSI execs in system CGI script domain.
-## </p>
-## </desc>
-gen_tunable(httpd_ssi_exec,false)
-
-## <desc>
-## <p>
-## Allow http daemon to communicate with the TTY
-## </p>
-## </desc>
-gen_tunable(httpd_tty_comm,false)
-
-## <desc>
-## <p>
-## Run CGI in the main httpd domain
-## </p>
-## </desc>
-gen_tunable(httpd_unified,false)
-
-## <desc>
-## <p>
-## Allow BIND to write the master zone files.
-## Generally this is used for dynamic DNS.
-## </p>
-## </desc>
-gen_tunable(named_write_master_zones,false)
-
 ## <desc>
 ## <p>
 ## Allow nfs to be exported read/write.
@ -298,13 +81,6 @@ gen_tunable(nfs_export_all_rw,false)
 ## </desc>
 gen_tunable(nfs_export_all_ro,false)

-## <desc>
-## <p>
-## Allow pppd to load kernel modules for certain modems
-## </p>
-## </desc>
-gen_tunable(pppd_can_insmod,false)
-
 ## <desc>
 ## <p>
 ## Allow reading of default_t files.
@ -312,43 +88,6 @@ gen_tunable(pppd_can_insmod,false)
 ## </desc>
 gen_tunable(read_default_t,false)

-## <desc>
-## <p>
-## Allow samba to export user home directories.
-## </p>
-## </desc>
-gen_tunable(samba_enable_home_dirs,false)
-
-## <desc>
-## <p>
-## Allow samba to export NFS volumes.
-## </p>
-## </desc>
-gen_tunable(samba_share_nfs,false)
-
-## <desc>
-## <p>
-## Allow squid to connect to all ports, not just
-## HTTP, FTP, and Gopher ports.
-## </p>
-## </desc>
-gen_tunable(squid_connect_any,false)
-
-## <desc>
-## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
-## </p>
-## </desc>
-gen_tunable(ssh_sysadm_login,false)
-
-## <desc>
-## <p>
-## Configure stunnel to be a standalone daemon or
-## inetd service.
-## </p>
-## </desc>
-gen_tunable(stunnel_is_daemon,false)
-
 ## <desc>
 ## <p>
 ## Support NFS home directories
@ -363,115 +102,12 @@ gen_tunable(use_nfs_home_dirs,false)
 ## </desc>
 gen_tunable(use_samba_home_dirs,false)

-## <desc>
-## <p>
-## Allow xdm logins as sysadm
-## </p>
-## </desc>
-gen_tunable(xdm_sysadm_login,false)
-
 ########################################
 #
 # Strict policy specific
 #

 ifdef(`strict_policy',`
-## <desc>
-## <p>
-## Control users use of ping and traceroute
-## </p>
-## </desc>
-gen_tunable(user_ping,false)
-
-## <desc>
-## <p>
-## Allow gpg executable stack
-## </p>
-## </desc>
-gen_tunable(allow_gpg_execstack,false)
-
-## <desc>
-## <p>
-## Allow mplayer executable stack
-## </p>
-## </desc>
-gen_tunable(allow_mplayer_execstack,false)
-
-## <desc>
-## <p>
-## Allow sysadm to ptrace all processes
-## </p>
-## </desc>
-gen_tunable(allow_ptrace,false)
-
-## <desc>
-## <p>
-## allow host key based authentication
-## </p>
-## </desc>
-gen_tunable(allow_ssh_keysign,false)
-
-## <desc>
-## <p>
-## Allow users to connect to mysql
-## </p>
-## </desc>
-gen_tunable(allow_user_mysql_connect,false)
-
-## <desc>
-## <p>
-## Allows clients to write to the X server shared
-## memory segments.
-## </p>
-## </desc>
-gen_tunable(allow_write_xshm,false)
-
-## <desc>
-## <p>
-## Allow cdrecord to read various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
-## </p>
-## </desc>
-gen_tunable(cdrecord_read_content,false)
-
-## <desc>
-## <p>
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-## </p>
-## </desc>
-gen_tunable(cron_can_relabel,false)
-
-## <desc>
-## <p>
-## force to games to run in user_t
-## mapping executable (text relocation).
-## </p>
-## </desc>
-gen_tunable(disable_games_trans,false)
-
-## <desc>
-## <p>
-## Disable transitions to evolution domains.
-## </p>
-## </desc>
-gen_tunable(disable_evolution_trans,false)
-
-## <desc>
-## <p>
-## Disable transitions to user mozilla domains
-## </p>
-## </desc>
-gen_tunable(disable_mozilla_trans,false)
-
-## <desc>
-## <p>
-## Disable transitions to user thunderbird domains
-## </p>
-## </desc>
-gen_tunable(disable_thunderbird_trans,false)
-
 ## <desc>
 ## <p>
 ## Allow email client to various content.
@ -481,20 +117,6 @@ gen_tunable(disable_thunderbird_trans,false)
 ## </desc>
 gen_tunable(mail_read_content,false)

-## <desc>
-## <p>
-## Control mozilla content access
-## </p>
-## </desc>
-gen_tunable(mozilla_read_content,false)
-
-## <desc>
-## <p>
-## Allow pppd to be run for a regular user
-## </p>
-## </desc>
-gen_tunable(pppd_for_user,false)
-
 ## <desc>
 ## <p>
 ## Allow applications to read untrusted content
@ -504,65 +126,6 @@ gen_tunable(pppd_for_user,false)
 ## </desc>
 gen_tunable(read_untrusted_content,false)

-## <desc>
-## <p>
-## Allow ssh to run from inetd instead of as a daemon.
-## </p>
-## </desc>
-gen_tunable(run_ssh_inetd,false)
-
-## <desc>
-## <p>
-## Allow user spamassassin clients to use the network.
-## </p>
-## </desc>
-gen_tunable(spamassassin_can_network,false)
-
-## <desc>
-## <p>
-## Allow staff_r users to search the sysadm home 
-## dir and read files (such as ~/.bashrc)
-## </p>
-## </desc>
-gen_tunable(staff_read_sysadm_file,false)
-
-## <desc>
-## <p>
-## Use lpd server instead of cups
-## </p>
-## </desc>
-gen_tunable(use_lpd_server,false)
-
-## <desc>
-## <p>
-## Allow regular users direct mouse access 
-## </p>
-## </desc>
-gen_tunable(user_direct_mouse,false)
-
-## <desc>
-## <p>
-## Allow users to read system messages.
-## </p>
-## </desc>
-gen_tunable(user_dmesg,false)
-
-## <desc>
-## <p>
-## Allow users to control network interfaces
-## (also needs USERCTL=true)
-## </p>
-## </desc>
-gen_tunable(user_net_control,false)
-
-## <desc>
-## <p>
-## Allow user to r/w files on filesystems
-## that do not have extended attributes (FAT, CDROM, FLOPPY)
-## </p>
-## </desc>
-gen_tunable(user_rw_noexattrfile,false)
-
 ## <desc>
 ## <p>
 ## Allow users to run TCP servers (bind to ports and accept connection from
@ -572,13 +135,6 @@ gen_tunable(user_rw_noexattrfile,false)
 ## </desc>
 gen_tunable(user_tcp_server,false)

-## <desc>
-## <p>
-## Allow w to display everyone
-## </p>
-## </desc>
-gen_tunable(user_ttyfile_stat,false)
-
 ## <desc>
 ## <p>
 ## Allow applications to write untrusted content
@ -588,31 +144,3 @@ gen_tunable(user_ttyfile_stat,false)
 ## </desc>
 gen_tunable(write_untrusted_content,false)
 ')
-
-########################################
-#
-# Targeted policy specific
-#
-
-ifdef(`targeted_policy',`
-## <desc>
-## <p>
-## Allow all daemons the ability to use unallocated ttys
-## </p>
-## </desc>
-gen_tunable(allow_daemons_use_tty,false)
-
-## <desc>
-## <p>
-## Allow mount to mount any file
-## </p>
-## </desc>
-gen_tunable(allow_mount_anyfile,false)
-
-## <desc>
-## <p>
-## Allow spamd to read/write user home directories.
-## </p>
-## </desc>
-gen_tunable(spamd_enable_home_dirs,true)
-')
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@ -1,11 +1,20 @@

-policy_module(netutils,1.3.0)
+policy_module(netutils,1.3.1)

 ########################################
 #
 # Declarations
 #

+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Control users use of ping and traceroute
+## </p>
+## </desc>
+gen_tunable(user_ping,false)
+')
+
 type netutils_t;
 type netutils_exec_t;
 init_system_domain(netutils_t,netutils_exec_t)
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@ -1,10 +1,21 @@

-policy_module(cdrecord,1.1.0)
+policy_module(cdrecord,1.1.1)

 ########################################
 #
 # Declarations
 #

+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow cdrecord to read various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+## </p>
+## </desc>
+gen_tunable(cdrecord_read_content,false)
+')
+
 type cdrecord_exec_t;
 corecmd_executable_file(cdrecord_exec_t)
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@ -187,7 +187,6 @@ template(`evolution_per_role_template',`
 	corecmd_exec_shell($1_evolution_t)
 	# Run various programs
 	corecmd_exec_bin($1_evolution_t)
-	corecmd_exec_bin($1_evolution_t)

 	corenet_non_ipsec_sendrecv($1_evolution_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_t)
@ -674,7 +673,8 @@ template(`evolution_per_role_template',`
 	allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
 	allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;

-	allow $1_evolution_server_t $2:fd use;
+	# Transition from user type
+	domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)

 	kernel_read_system_state($1_evolution_server_t)

@ -718,11 +718,6 @@ template(`evolution_per_role_template',`
 	# until properly implemented
 	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)

-	# Transition from user type
-	tunable_policy(`!disable_evolution_trans',`
-		domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
-	')
-
 	# Access evolution home
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_evolution_server_t)
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@ -1,5 +1,5 @@

-policy_module(evolution,1.1.1)
+policy_module(evolution,1.1.2)

 ########################################
 #
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@ -84,6 +84,7 @@ template(`games_per_role_template',`

 	can_exec($1_games_t, games_exec_t)

+	domain_auto_trans($2, games_exec_t, $1_games_t)
 	allow $2 $1_games_t:unix_stream_socket connectto;
 	allow $1_games_t $2:unix_stream_socket connectto;

@ -136,11 +137,6 @@ template(`games_per_role_template',`
 	# Suppress .icons denial until properly implemented
 	userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
 	
-	# Type transition
-	tunable_policy(`!disable_games_trans',`
-		domain_auto_trans($2, games_exec_t, $1_games_t)
-	')
-
 	tunable_policy(`allow_execmem',`
 		allow $1_games_t self:process execmem;
 	')
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@ -1,5 +1,5 @@

-policy_module(games,1.1.2)
+policy_module(games,1.1.3)

 ########################################
 #
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@ -1,11 +1,18 @@

-policy_module(java,1.3.3)
+policy_module(java,1.3.4)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow java executable stack
+## </p>
+## </desc>
+gen_tunable(allow_java_execstack,false)
+
 type java_t;
 type java_exec_t;
 init_system_domain(java_t,java_exec_t)
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@ -105,6 +105,10 @@ template(`mozilla_per_role_template',`

 	allow $1_mozilla_t $2:process signull;

+	domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+	# Unrestricted inheritance from the caller.
+	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
+
 	# Allow the user domain to signal/ps.
 	ps_process_pattern($2,$1_mozilla_t)
 	allow $2 $1_mozilla_t:process signal_perms;
@ -207,13 +211,6 @@ template(`mozilla_per_role_template',`
 		fs_manage_cifs_symlinks($1_mozilla_t)
 	')

-	# Type transition
-	tunable_policy(`! disable_mozilla_trans',`
-		domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
-		# Unrestricted inheritance from the caller.
-		allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
-	')
-
 	# Uploads, local html
 	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
 		fs_list_auto_mountpoints($1_mozilla_t)
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@ -1,11 +1,20 @@

-policy_module(mozilla,1.1.1)
+policy_module(mozilla,1.1.2)

 ########################################
 #
 # Declarations
 #

+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Control mozilla content access
+## </p>
+## </desc>
+gen_tunable(mozilla_read_content,false)
+')
+
 type mozilla_conf_t;
 files_config_file(mozilla_conf_t)

--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@ -1,11 +1,20 @@

-policy_module(mplayer,1.1.1)
+policy_module(mplayer,1.1.2)

 ########################################
 #
 # Declarations
 #

+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow mplayer executable stack
+## </p>
+## </desc>
+gen_tunable(allow_mplayer_execstack,false)
+')
+
 type mplayer_etc_t;
 files_config_file(mplayer_etc_t)

--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@ -77,6 +77,7 @@ template(`thunderbird_per_role_template',`
 	manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
 	fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

+	domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
 	allow $2 $1_thunderbird_t:fd use;
 	allow $2 $1_thunderbird_t:shm { associate getattr };
 	allow $2 $1_thunderbird_t:unix_stream_socket connectto;
@ -166,11 +167,6 @@ template(`thunderbird_per_role_template',`
 	xserver_read_xdm_tmp_files($1_thunderbird_t)
 	xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)

-	# Transition from user type
-	tunable_policy(`! disable_thunderbird_trans',`
-		domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
-	')
-
 	# Access ~/.thunderbird
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_thunderbird_t)
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@ -1,5 +1,5 @@

-policy_module(thunderbird,1.1.1)
+policy_module(thunderbird,1.1.2)

 ########################################
 #
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@ -1,11 +1,21 @@

-policy_module(usernetctl,1.0.0)
+policy_module(usernetctl,1.0.1)

 ########################################
 #
 # Declarations
 #

+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow users to control network interfaces
+## (also needs USERCTL=true)
+## </p>
+## </desc>
+gen_tunable(user_net_control,false)
+')
+
 type usernetctl_t;
 type usernetctl_exec_t;
 domain_type(usernetctl_t)
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -1,5 +1,5 @@

-policy_module(apache,1.5.4)
+policy_module(apache,1.5.5)

 #
 # NOTES: 
@ -20,6 +20,92 @@ policy_module(apache,1.5.4)
 # Declarations
 #

+## <desc>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting,false)
+
+## <desc>
+## <p>
+## Allow http daemon to tcp connect
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect,false)
+
+## <desc>
+## <p>
+## Allow httpd to connect to mysql/posgresql
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a relay
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_relay, false)
+
+## <desc>
+## <p>
+## Allow httpd cgi support
+## </p>
+## </desc>
+gen_tunable(httpd_enable_cgi,false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
+## </desc>
+gen_tunable(httpd_enable_ftp_server,false)
+
+## <desc>
+## <p>
+## Allow httpd to read home directories
+## </p>
+## </desc>
+gen_tunable(httpd_enable_homedirs,false)
+
+## <desc>
+## <p>
+## Run SSI execs in system CGI script domain.
+## </p>
+## </desc>
+gen_tunable(httpd_ssi_exec,false)
+
+## <desc>
+## <p>
+## Allow http daemon to communicate with the TTY
+## </p>
+## </desc>
+gen_tunable(httpd_tty_comm,false)
+
+## <desc>
+## <p>
+## Run CGI in the main httpd domain
+## </p>
+## </desc>
+gen_tunable(httpd_unified,false)
+
 attribute httpdcontent;

 # domains that can exec all users scripts
@ -507,13 +593,7 @@ allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
 allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;

-ifdef(`targeted_policy',`
-	gen_tunable(httpd_suexec_disable_trans,false)
-
-	tunable_policy(`httpd_suexec_disable_trans',`',`
-		domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-	')
-')
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

 create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
 append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@ -1,11 +1,19 @@

-policy_module(bind,1.3.1)
+policy_module(bind,1.3.2)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow BIND to write the master zone files.
+## Generally this is used for dynamic DNS.
+## </p>
+## </desc>
+gen_tunable(named_write_master_zones,false)
+
 # for DNSSEC key files
 type dnssec_t;
 files_security_file(dnssec_t)
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@ -1,5 +1,5 @@

-policy_module(cron,1.5.1)
+policy_module(cron,1.5.2)

 gen_require(`
 	class passwd rootok;
@ -9,6 +9,23 @@ gen_require(`
 #
 # Declarations
 #
+
+## <desc>
+## <p>
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+## </p>
+## </desc>
+gen_tunable(cron_can_relabel,false)
+
+## <desc>
+## <p>
+## Enable extra rules in the cron domain
+## to support fcron.
+## </p>
+## </desc>
+gen_tunable(fcron_crond,false)
+
 attribute cron_spool_type;

 type anacron_exec_t;
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@ -1,11 +1,18 @@

-policy_module(cvs,1.3.0)
+policy_module(cvs,1.3.1)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow cvs daemon to read shadow
+## </p>
+## </desc>
+gen_tunable(allow_cvs_read_shadow,false)
+
 type cvs_t;
 type cvs_exec_t;
 inetd_tcp_service_domain(cvs_t,cvs_exec_t)
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@ -28,13 +28,11 @@ template(`ftp_per_role_template',`
 		type ftpd_t;
 	')

-	tunable_policy(`ftpd_is_daemon',`
-		userdom_manage_user_home_content_files($1,ftpd_t)
-		userdom_manage_user_home_content_symlinks($1,ftpd_t)
-		userdom_manage_user_home_content_sockets($1,ftpd_t)
-		userdom_manage_user_home_content_pipes($1,ftpd_t)
-		userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
-	')
+	userdom_manage_user_home_content_files($1,ftpd_t)
+	userdom_manage_user_home_content_symlinks($1,ftpd_t)
+	userdom_manage_user_home_content_sockets($1,ftpd_t)
+	userdom_manage_user_home_content_pipes($1,ftpd_t)
+	userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
 ')

 ########################################
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@ -1,11 +1,50 @@

-policy_module(ftp,1.4.3)
+policy_module(ftp,1.4.4)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow ftp servers to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow ftp servers to login to local users and 
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_full_access,false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_cifs,false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_nfs,false)
+
+## <desc>
+## <p>
+## Allow ftp to read and write files in the user home directories
+## </p>
+## </desc>
+gen_tunable(ftp_home_dir,false)
+
 type ftpd_t;
 type ftpd_exec_t;
 init_daemon_domain(ftpd_t,ftpd_exec_t)
@ -13,7 +52,6 @@ init_daemon_domain(ftpd_t,ftpd_exec_t)
 type ftpd_etc_t;
 files_config_file(ftpd_etc_t)

-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
 type ftpd_lock_t;
 files_lock_file(ftpd_lock_t)

@ -53,6 +91,9 @@ allow ftpd_t self:udp_socket create_socket_perms;

 allow ftpd_t ftpd_etc_t:file read_file_perms;

+allow ftpd_t ftpd_lock_t:file manage_file_perms;
+files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
+
 manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
 manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
 files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
@ -198,13 +239,6 @@ tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
 	fs_read_cifs_symlinks(ftpd_t)
 ')

-tunable_policy(`ftpd_is_daemon',`
-	allow ftpd_t ftpd_lock_t:file manage_file_perms;
-	files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
-
-	corenet_tcp_bind_ftp_port(ftpd_t)
-')
-
 optional_policy(`
 	tunable_policy(`ftp_home_dir',`
 		apache_search_sys_content(ftpd_t)
@ -232,17 +266,10 @@ optional_policy(`
 ')

 optional_policy(`
-	#reh: typeattributes not allowed in conditionals yet.
-	#tunable_policy(`! ftpd_is_daemon',`
-	#	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
-	#')
-
 	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)

 	optional_policy(`
-		tunable_policy(`! ftpd_is_daemon',`
-			tcpd_domtrans(tcpd_t)
-		')
+		tcpd_domtrans(tcpd_t)
 	')
 ')

--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@ -1,5 +1,5 @@

-policy_module(inetd,1.2.3)
+policy_module(inetd,1.2.4)

 ########################################
 #
@ -227,13 +227,6 @@ ifdef(`targeted_policy',`
 	unconfined_domain(inetd_child_t)
 ')

-optional_policy(`
-	tunable_policy(`ftpd_is_daemon',`
-		# Allows it to check exec privs on daemon
-		ftp_check_exec(inetd_t)
-	')
-')
-
 optional_policy(`
 	kerberos_use(inetd_child_t)
 ')
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@ -1,11 +1,18 @@

-policy_module(kerberos,1.3.3)
+policy_module(kerberos,1.3.4)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow system to run with kerberos
+## </p>
+## </desc>
+gen_tunable(allow_kerberos,false)
+
 type kadmind_t;
 type kadmind_exec_t;
 init_daemon_domain(kadmind_t,kadmind_exec_t)
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@ -1,11 +1,18 @@

-policy_module(lpd,1.4.2)
+policy_module(lpd,1.4.3)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Use lpd server instead of cups
+## </p>
+## </desc>
+gen_tunable(use_lpd_server,false)
+
 type checkpc_t;
 type checkpc_exec_t;
 init_system_domain(checkpc_t,checkpc_exec_t)
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@ -1,11 +1,27 @@

-policy_module(ppp,1.3.1)
+policy_module(ppp,1.3.2)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow pppd to load kernel modules for certain modems
+## </p>
+## </desc>
+gen_tunable(pppd_can_insmod,false)
+
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow pppd to be run for a regular user
+## </p>
+## </desc>
+gen_tunable(pppd_for_user,false)
+')
+
 # pppd_t is the domain for the pppd program.
 # pppd_exec_t is the type of the pppd executable.
 type pppd_t;
@ -172,20 +188,6 @@ ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_ttys(pppd_t)
 	term_dontaudit_use_generic_ptys(pppd_t)
 	files_dontaudit_read_root_files(pppd_t)
-
-	optional_policy(`
-		gen_require(`
-			bool postfix_disable_trans;
-		')
-
-		if(!postfix_disable_trans) {
-			postfix_domtrans_master(pppd_t)
-		}
-	')
-',`
-	optional_policy(`
-		postfix_domtrans_master(pppd_t)
-	')
 ')

 optional_policy(`
@ -210,6 +212,10 @@ optional_policy(`
 	nscd_socket_use(pppd_t)
 ')

+optional_policy(`
+	postfix_domtrans_master(pppd_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(pppd_t)
 ')
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@ -1,11 +1,26 @@

-policy_module(rpc,1.4.3)
+policy_module(rpc,1.4.4)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow gssd to read temp directory.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_read_tmp,true)
+
+## <desc>
+## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_nfsd_anon_write,false)
+
 type exports_t;
 files_type(exports_t)

--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@ -1,11 +1,19 @@

-policy_module(rsync,1.3.1)
+policy_module(rsync,1.3.2)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow rsync to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_rsync_anon_write,false)
+
 type rsync_t;
 type rsync_exec_t;
 init_daemon_domain(rsync_t,rsync_exec_t)
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@ -1,11 +1,33 @@

-policy_module(samba,1.4.2)
+policy_module(samba,1.4.3)

 #################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow samba to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_smbd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow samba to export user home directories.
+## </p>
+## </desc>
+gen_tunable(samba_enable_home_dirs,false)
+
+## <desc>
+## <p>
+## Allow samba to export NFS volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_nfs,false)
+
 type nmbd_t;
 type nmbd_exec_t;
 init_daemon_domain(nmbd_t,nmbd_exec_t)
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@ -1,11 +1,18 @@

-policy_module(sasl,1.4.1)
+policy_module(sasl,1.4.2)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow sasl to read shadow
+## </p>
+## </desc>
+gen_tunable(allow_saslauthd_read_shadow,false)
+
 type saslauthd_t;
 type saslauthd_exec_t;
 init_daemon_domain(saslauthd_t,saslauthd_exec_t)
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@ -1,11 +1,29 @@

-policy_module(spamassassin,1.5.5)
+policy_module(spamassassin,1.5.6)

 ########################################
 #
 # Declarations
 #

+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow user spamassassin clients to use the network.
+## </p>
+## </desc>
+gen_tunable(spamassassin_can_network,false)
+')
+
+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow spamd to read/write user home directories.
+## </p>
+## </desc>
+gen_tunable(spamd_enable_home_dirs,true)
+')
+
 # spamassassin client executable
 type spamc_exec_t;
 corecmd_executable_file(spamc_exec_t)
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@ -1,11 +1,19 @@

-policy_module(squid,1.2.1)
+policy_module(squid,1.2.2)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
+## </desc>
+gen_tunable(squid_connect_any,false)
+
 type squid_t;
 type squid_exec_t;
 init_daemon_domain(squid_t,squid_exec_t)
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@ -476,6 +476,7 @@ template(`ssh_server_template', `
 	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_bind_all_nodes($1_t)
 	corenet_udp_bind_all_nodes($1_t)
+	corenet_tcp_bind_ssh_port($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_ssh_server_packets($1_t)

@ -517,25 +518,6 @@ template(`ssh_server_template', `
 		fs_read_cifs_files($1_t)
 	')

-	# cjp: commenting out until typeattribute works in conditional
-	# and require block in optional else is resolved
-	#optional_policy(`
-	#	tunable_policy(`run_ssh_inetd',`
-	#		allow $1_t self:process signal;
-	#		files_list_pids($1_t)
-	#	',`
-	#		corenet_tcp_bind_ssh_port($1_t)
-	#		init_use_fds($1_t)
-	#		init_use_script_ptys($1_t)
-	#	')
-	#',`
-		# These rules should match the else block
-		# of the run_ssh_inetd tunable directly above
-		corenet_tcp_bind_ssh_port($1_t)
-		init_use_fds($1_t)
-		init_use_script_ptys($1_t)
-	#')
-
 	optional_policy(`
 		kerberos_use($1_t)
 	')
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@ -1,11 +1,25 @@

-policy_module(ssh,1.5.1)
+policy_module(ssh,1.5.2)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## allow host key based authentication
+## </p>
+## </desc>
+gen_tunable(allow_ssh_keysign,false)
+
+## <desc>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login,false)
+
 attribute ssh_server;

 # Type for the ssh-agent executable.
@ -140,6 +154,8 @@ tunable_policy(`ssh_sysadm_login',`

 ifdef(`strict_policy',`
 	ifdef(`TODO',`
+	domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+
 	domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
 	# Signal the user domains.
 	allow sshd_extern_t user_mini_domain:process signal;
@ -159,15 +175,7 @@ ifdef(`strict_policy',`
 	allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;

 	optional_policy(`
-		tunable_policy(`run_ssh_inetd',`
-			domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
-		',`
-			domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
-		')
-	',`
-		# These rules should match the else block
-		# of the run_ssh_inetd tunable directly above
-		domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+		domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
 	')

 	ifdef(`direct_sysadm_daemon', `
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@ -1,5 +1,5 @@

-policy_module(stunnel,1.2.1)
+policy_module(stunnel,1.2.2)

 ########################################
 #
@ -127,13 +127,9 @@ ifdef(`distro_gentoo', `
 	')
 ')

-tunable_policy(`stunnel_is_daemon',`
-	allow stunnel_t self:tcp_socket create_stream_socket_perms;
-
-	# hack since this port has no interfaces since it doesnt
-	# have net_contexts
-	gen_require(`
-		type stunnel_port_t;
-	')
-	allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+# hack since this port has no interfaces since it doesnt
+# have net_contexts
+gen_require(`
+	type stunnel_port_t;
 ')
+allow stunnel_t stunnel_port_t:tcp_socket name_bind;
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@ -1,11 +1,28 @@

-policy_module(xserver,1.3.3)
+policy_module(xserver,1.3.4)

 ########################################
 #
 # Declarations
 #

+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allows clients to write to the X server shared
+## memory segments.
+## </p>
+## </desc>
+gen_tunable(allow_write_xshm,false)
+')
+
+## <desc>
+## <p>
+## Allow xdm logins as sysadm
+## </p>
+## </desc>
+gen_tunable(xdm_sysadm_login,false)
+
 attribute fonts_type;
 attribute fonts_cache_type;
 attribute fonts_config_type;
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@ -1,11 +1,19 @@

-policy_module(zebra,1.3.1)
+policy_module(zebra,1.3.2)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
+## </desc>
+#
+gen_tunable(allow_zebra_write_config,false)
+
 type zebra_t;
 type zebra_exec_t;
 init_daemon_domain(zebra_t,zebra_exec_t)
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -1,5 +1,5 @@

-policy_module(init,1.5.4)
+policy_module(init,1.5.5)

 gen_require(`
 	class passwd rootok;
@ -10,6 +10,15 @@ gen_require(`
 # Declarations
 #

+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow all daemons the ability to use unallocated ttys
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty,false)
+')
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@ -1,11 +1,20 @@

-policy_module(mount,1.5.0)
+policy_module(mount,1.5.1)

 ########################################
 #
 # Declarations
 #

+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow mount to mount any file
+## </p>
+## </desc>
+gen_tunable(allow_mount_anyfile,false)
+')
+
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@ -1,5 +1,5 @@

-policy_module(userdomain,2.1.2)
+policy_module(userdomain,2.1.3)

 gen_require(`
 	role sysadm_r, staff_r, user_r;
@ -15,6 +15,51 @@ gen_require(`
 # Declarations
 #

+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow sysadm to ptrace all processes
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
+## <desc>
+## <p>
+## Allow users to connect to mysql
+## </p>
+## </desc>
+gen_tunable(allow_user_mysql_connect,false)
+
+## <desc>
+## <p>
+## Allow regular users direct mouse access
+## </p>
+## </desc>
+gen_tunable(user_direct_mouse,false)
+
+## <desc>
+## <p>
+## Allow users to read system messages.
+## </p>
+## </desc>
+gen_tunable(user_dmesg,false)
+
+## <desc>
+## <p>
+## Allow user to r/w files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## </p>
+## </desc>
+gen_tunable(user_rw_noexattrfile,false)
+
+## <desc>
+## <p>
+## Allow w to display everyone
+## </p>
+## </desc>
+gen_tunable(user_ttyfile_stat,false)
+')
+
 # admin users terminals (tty and pty)
 attribute admin_terminal;

--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@ -33,7 +33,7 @@ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
 docs = doc
 polxml = $(docs)/policy.xml
 xmldtd = $(HEADERDIR)/support/policy.dtd
-layerxml = metadata.xml
+metaxml = metadata.xml

 globaltun = $(HEADERDIR)/global_tunables.xml
 globalbool = $(HEADERDIR)/global_booleans.xml
@ -84,26 +84,41 @@ M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$

 # policy headers
 m4support = $(wildcard $(HEADERDIR)/support/*.spt)
+
 all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
 all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
 rolemap = $(HEADERDIR)/rolemap

 detected_layers =  $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+
+clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers))))
+all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers))))
+detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers))))
+
 3rd_party_mods = $(wildcard *.te)
 detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
+detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te))
+
 detected_ifs = $(detected_mods:.te=.if)
 detected_fcs = $(detected_mods:.te=.fc)
 all_packages = $(notdir $(detected_mods:.te=.pp))

+modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml))
+layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR))))
+
+hmodxml = $(all_interfaces:.if=.xml)
+hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset))))
+hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml))
+
+cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te))
+cmodxml = $(cmods:.te=.xml)
+clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers))))
+cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml))
+
 vpath %.te $(detected_layers)
 vpath %.if $(detected_layers)
 vpath %.fc $(detected_layers)

-# if there are modules in the current directory, add them into the third party layer
-ifneq "$(3rd_party_mods)" ""
-        genxml += -3 .
-endif
-
 ########################################
 #
 # Functions
@ -197,18 +212,45 @@ $(detected_ifs) $(detected_fcs):
 # Documentation generation
 #

-# minimal dependencies here, because we don't want to rebuild
-# this and its dependents every time the dependencies
-# change.  Also use all .if files here, rather then just the
-# enabled modules.
-$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
-	@echo "Creating $@"
-	@mkdir -p doc
+$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml)
+	@test -d tmp || mkdir -p tmp
+	$(verbose) echo '<layer name="$(*F)">' > $@
+	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
+	$(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@
+	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
+	$(verbose) echo '</layer>' >> $@
+
+$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml)
+	@test -d tmp || mkdir -p tmp
+	$(verbose) echo '<layer name="$(*F)">' > $@
+	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
+	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
+	$(verbose) echo '</layer>' >> $@
+
+$(cmodxml) $(modxml): %.xml: %.if %.te
+	$(verbose) $(genxml) -w -m $* > $@
+
+$(layerxml): %.xml: $(modxml)
+	@test -d tmp || mkdir -p tmp
+	$(verbose) echo '<layer name="$(*F)">' > $@
+	$(verbose) if test -f '$(metaxml)'; then \
+		cat $(metaxml) >> $@; \
+	else \
+		echo '<summary>This is all third-party generated modules.</summary>' >> $@; \
+	fi
+	$(verbose) cat $(filter-out %/$(metaxml), $^) >> $@
+	$(verbose) echo '</layer>' >> $@
+
+$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool)
+	@echo "Creating $(@F)"
+	@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
-	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(xmldtd)">' >> $@
-	$(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
+	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
+	$(verbose) echo '<policy>' >> $@
+	$(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@
+	$(verbose) echo '</policy>' >> $@
 	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
-		$(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
+		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
 	fi

 ########################################
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@ -1,6 +1,7 @@
 #!/usr/bin/python

 #  Author: Joshua Brindle <jbrindle@tresys.com>
+#          Caleb Case <ccase@tresys.com>
 #
 # Copyright (C) 2005 - 2006 Tresys Technology, LLC
 #      This program is free software; you can redistribute it and/or modify
@ -317,6 +318,12 @@ def gen_docs(doc, working_dir, templatedir):
 		templatefile = open(templatedir + "/template.html", "r")
 		templatedata = templatefile.read()
 		templatefile.close()
+		tunfile = open(templatedir + "/tunable.html", "r")
+		tundata = tunfile.read()
+		tunfile.close()
+		boolfile = open(templatedir + "/boolean.html", "r")
+		booldata = boolfile.read()
+		boolfile.close()
 		menufile = open(templatedir + "/menu.html", "r")
 		menudata = menufile.read()
 		menufile.close()
@ -332,12 +339,18 @@ def gen_docs(doc, working_dir, templatedir):
 		templistfile = open(templatedir + "/temp_list.html", "r")
 		templistdata = templistfile.read()
 		templistfile.close()
-		boollistfile = open(templatedir + "/global_bool_list.html", "r")
-		boollistdata = boollistfile.read()
-		boollistfile.close()
-		tunlistfile = open(templatedir + "/global_tun_list.html", "r")
+		tunlistfile = open(templatedir + "/tun_list.html", "r")
 		tunlistdata = tunlistfile.read()
 		tunlistfile.close()
+		boollistfile = open(templatedir + "/bool_list.html", "r")
+		boollistdata = boollistfile.read()
+		boollistfile.close()
+		gboollistfile = open(templatedir + "/global_bool_list.html", "r")
+		gboollistdata = gboollistfile.read()
+		gboollistfile.close()
+		gtunlistfile = open(templatedir + "/global_tun_list.html", "r")
+		gtunlistdata = gtunlistfile.read()
+		gtunlistfile.close()
 	except:
 		error("Could not open templates")

@ -412,6 +425,8 @@ def gen_docs(doc, working_dir, templatedir):

 	all_interfaces = []
 	all_templates = []
+	all_tunables = []
+	all_booleans = []
 	for node in doc.getElementsByTagName("module"):
                mod_name = mod_layer = mod_desc = interface_buf = ''

@ -511,6 +526,54 @@ def gen_docs(doc, working_dir, templatedir):
 		template_tpl = pyplate.Template(templatedata)
 		template_buf = template_tpl.execute_string({"templates" : templates})

+		#generate 'boolean' pages
+		booleans = []
+		for boolean in node.getElementsByTagName("bool"):
+			boolean_parameters = []
+			boolean_desc = None
+			boolean_name = boolean.getAttribute("name")
+			boolean_dftval = boolean.getAttribute("dftval")
+			for desc in boolean.childNodes:
+				if desc.nodeName == "desc":
+					boolean_desc = format_html_desc(desc)
+
+			booleans.append({ "bool_name" : boolean_name,
+					  "desc" : boolean_desc,
+					  "def_val" : boolean_dftval })
+			#all_booleans is for the main boolean index with all booleans
+			all_booleans.append({ "bool_name" : boolean_name,
+					   "desc" : boolean_desc,
+					   "def_val" : boolean_dftval,
+					   "mod_name": mod_name,
+					   "mod_layer" : mod_layer })
+		booleans.sort(bool_cmp)
+		boolean_tpl = pyplate.Template(booldata)
+		boolean_buf = boolean_tpl.execute_string({"booleans" : booleans})
+
+		#generate 'tunable' pages
+		tunables = []
+		for tunable in node.getElementsByTagName("tunable"):
+			tunable_parameters = []
+			tunable_desc = None
+			tunable_name = tunable.getAttribute("name")
+			tunable_dftval = tunable.getAttribute("dftval")
+			for desc in tunable.childNodes:
+				if desc.nodeName == "desc":
+					tunable_desc = format_html_desc(desc)
+
+			tunables.append({ "tun_name" : tunable_name,
+					  "desc" : tunable_desc,
+					  "def_val" : tunable_dftval })
+			#all_tunables is for the main tunable index with all tunables
+			all_tunables.append({ "tun_name" : tunable_name,
+					   "desc" : tunable_desc,
+					   "def_val" : tunable_dftval,
+					   "mod_name": mod_name,
+					   "mod_layer" : mod_layer })
+		tunables.sort(tun_cmp)
+		tunable_tpl = pyplate.Template(tundata)
+		tunable_buf = tunable_tpl.execute_string({"tunables" : tunables})
+	

 		menu = gen_doc_menu(mod_layer, module_list)

@ -531,6 +594,10 @@ def gen_docs(doc, working_dir, templatedir):
 			interface_buf = None
 		if not template_buf.strip():
 			template_buf = None
+		if not tunable_buf.strip():
+			tunable_buf = None
+		if not boolean_buf.strip():
+			boolean_buf = None

 		module_args = { "mod_layer" : mod_layer,
 			      "mod_name" : mod_name,	
@ -538,7 +605,9 @@ def gen_docs(doc, working_dir, templatedir):
 			      "mod_desc" : mod_desc,
 			      "mod_req" : mod_req,
 			      "interfaces" : interface_buf,
-			      "templates": template_buf }
+			      "templates" : template_buf,
+			      "tunables" : tunable_buf,
+			      "booleans" : boolean_buf }

 		module_tpl = pyplate.Template(moduledata)
 		module_buf = module_tpl.execute_string(module_args)
@ -590,19 +659,19 @@ def gen_docs(doc, working_dir, templatedir):


 	#build the global tunable index
-	global_tun_buf = []
+	global_tun = []
 	for tunable in doc.getElementsByTagName("tunable"):
 		if tunable.parentNode.nodeName == "policy":
 			tunable_name = tunable.getAttribute("name")
 			default_value = tunable.getAttribute("dftval")
 			for desc in tunable.getElementsByTagName("desc"):
 				description = format_html_desc(desc)
-			global_tun_buf.append( { "tun_name" : tunable_name,
+			global_tun.append( { "tun_name" : tunable_name,
 						"def_val" : default_value,
 						"desc" : description } )
-	global_tun_buf.sort(tun_cmp)
-	global_tun_tpl = pyplate.Template(tunlistdata)
-	global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun_buf})
+	global_tun.sort(tun_cmp)
+	global_tun_tpl = pyplate.Template(gtunlistdata)
+	global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun})
 	global_tun_file = "global_tunables.html"
 	global_tun_fh = open(global_tun_file, "w")
 	body_tpl = pyplate.Template(bodydata)
@ -613,21 +682,35 @@ def gen_docs(doc, working_dir, templatedir):
 	body_tpl.execute(global_tun_fh, body_args)
 	global_tun_fh.close()

+	#build the tunable index
+	all_tunables = all_tunables + global_tun
+	all_tunables.sort(tun_cmp)
+	tunable_tpl = pyplate.Template(tunlistdata)
+	tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables})
+	temp_file = "tunables.html"
+	temp_fh = open(temp_file, "w")
+	body_tpl = pyplate.Template(bodydata)
+
+	body_args = { "menu" : menu_buf, 
+		      "content" : tunable_buf }
+
+	body_tpl.execute(temp_fh, body_args)
+	temp_fh.close()

 	#build the global boolean index
-	global_bool_buf = []
+	global_bool = []
 	for boolean in doc.getElementsByTagName("bool"):
 		if boolean.parentNode.nodeName == "policy":
 			bool_name = boolean.getAttribute("name")
 			default_value = boolean.getAttribute("dftval")
 			for desc in boolean.getElementsByTagName("desc"):
 				description = format_html_desc(desc)
-			global_bool_buf.append( { "bool_name" : bool_name,
+			global_bool.append( { "bool_name" : bool_name,
 						"def_val" : default_value,
 						"desc" : description } )
-	global_bool_buf.sort(bool_cmp)
-	global_bool_tpl = pyplate.Template(boollistdata)
-	global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool_buf})
+	global_bool.sort(bool_cmp)
+	global_bool_tpl = pyplate.Template(gboollistdata)
+	global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool})
 	global_bool_file = "global_booleans.html"
 	global_bool_fh = open(global_bool_file, "w")
 	body_tpl = pyplate.Template(bodydata)
@ -637,6 +720,21 @@ def gen_docs(doc, working_dir, templatedir):

 	body_tpl.execute(global_bool_fh, body_args)
 	global_bool_fh.close()
+	
+	#build the boolean index
+	all_booleans = all_booleans + global_bool
+	all_booleans.sort(bool_cmp)
+	boolean_tpl = pyplate.Template(boollistdata)
+	boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans})
+	temp_file = "booleans.html"
+	temp_fh = open(temp_file, "w")
+	body_tpl = pyplate.Template(bodydata)
+
+	body_args = { "menu" : menu_buf, 
+		      "content" : boolean_buf }
+
+	body_tpl.execute(temp_fh, body_args)
+	temp_fh.close()



--- a/support/segenxml.py
+++ b/support/segenxml.py
@ -3,6 +3,7 @@
 #  Author(s): Donald Miner <dminer@tresys.com>
 #             Dave Sugar <dsugar@tresys.com>
 #             Brian Williams <bwilliams@tresys.com>
+#             Caleb Case <ccase@tresys.com>
 #
 # Copyright (C) 2005 - 2006 Tresys Technology, LLC
 #      This program is free software; you can redistribute it and/or modify
@ -18,6 +19,7 @@ import sys
 import os
 import glob
 import re
+import getopt

 # GLOBALS

@ -70,9 +72,15 @@ def getModuleXML(file_name):
 	Returns the XML data for a module in a list, one line per list item.
 	'''

+	# Gather information.
+	module_dir = os.path.dirname(file_name)
+	module_name = os.path.basename(file_name)
+	module_te = "%s/%s.te" % (module_dir, module_name)
+	module_if = "%s/%s.if" % (module_dir, module_name)
+
 	# Try to open the file, if it cant, just ignore it.
 	try:
-		module_file = open(file_name, "r")
+		module_file = open(module_if, "r")
 		module_code = module_file.readlines()
 		module_file.close()
 	except:
@ -83,7 +91,7 @@ def getModuleXML(file_name):

 	# Infer the module name, which is the base of the file name.
 	module_buf.append("<module name=\"%s\" filename=\"%s\">\n" 
-		% (os.path.splitext(os.path.split(file_name)[-1])[0], file_name))
+		% (os.path.splitext(os.path.split(file_name)[-1])[0], module_if))

 	temp_buf = []
 	interface = None
@ -175,54 +183,13 @@ def getModuleXML(file_name):
 	elif temp_buf:
 		warning("orphan XML comments at bottom of file %s" % file_name)

+	# Process the TE file if it exists.
+	module_buf = module_buf + getTunableXML(module_te, "both")
+
 	module_buf.append("</module>\n")

 	return module_buf

-def getLayerXML (layerName, directories):
-	'''
-	Returns the XML documentation for a layer.
-	'''
-
-	layer_buf = []
-
-	# Infer the layer name from the directory name.
-	layer_buf.append("<layer name=\"%s\">\n" % layerName)
-
-	# Try to file the metadata file for this layer and if it exists,
-	# append the contents to the buffer.
-	bFoundMeta = False
-	for directory in directories:
-		metafile = directory + "/" + meta
-
-		if not bFoundMeta and os.path.isfile (metafile):
-			layer_meta = open (metafile, "r")
-			layer_buf += layer_meta.readlines ()
-			layer_meta.close()
-			bFoundMeta = True
-
-	# force the metadata for the third party layer
-	if not bFoundMeta:
-		if layerName == third_party:
-			layer_buf.append ("<summary>This is all third-party generated modules.</summary>\n")
-			bFoundMeta = True
-
-	# didn't find meta data for this layer - oh well	
-	if not bFoundMeta:
-		layer_buf.append ("<summary>Summary is missing!.</summary>\n")
-		warning ("unable to find %s for layer %s" % (meta, layerName))	
-	
-	# For each module file in the layer, add its XML.
-	for directory in directories:
-		modules = glob.glob("%s/*.if" % directory)
-		modules.sort()
-		for module in modules:
-			layer_buf += getModuleXML(module)
-
-	layer_buf.append("</layer>\n")
-
-	return layer_buf
-
 def getTunableXML(file_name, kind):
 	'''
 	Return all the XML for the tunables/bools in the file specified.
@ -257,8 +224,10 @@ def getTunableXML(file_name, kind):
 		if boolean:
 			# If there is a gen_bool in a tunable file or a
 			# gen_tunable in a boolean file, error and exit.
-			if boolean.group(1) != kind:
-				error("%s in a %s file." % (boolean.group(1), kind))
+			# Skip if both kinds are valid.
+			if kind != "both":
+				if boolean.group(1) != kind:
+					error("%s in a %s file." % (boolean.group(1), kind))

 			tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
 			tunable_buf += temp_buf
@ -341,39 +310,15 @@ def usage():
 	Displays a message describing the proper usage of this script.
 	"""

-	sys.stdout.write("usage: %s [-w] [-m file] "\
-		% sys.argv[0])
+	sys.stdout.write("usage: %s [-w] [-mtb] <file>\n\n" % sys.argv[0])
+	sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\
+	"-m --module <file>\t\tname of module to process\n"+\
+	"-t --tunable <file>\t\tname of global tunable file to process\n"+\
+	"-b --boolean <file>\t\tname of global boolean file to process\n\n")

-	sys.stdout.write("layerdirectory [layerdirectory...]\n\n")
-
-	sys.stdout.write("Options:\n")
-
-	sys.stdout.write ("-h --help                      -- "+\
-				"show command line options\n")
-
-	sys.stdout.write("-w --warn                      -- "+\
-				"show warnings\n")
-
-	sys.stdout.write("-m --meta <file>               -- "+\
-				"the filename of the metadata in each layer\n")
-
-	sys.stdout.write("-t --tunable <file>            -- "+\
-				"A file containing tunable declarations\n")
-
-	sys.stdout.write("-b --bool <file>               -- "+\
-				"A file containing bool declarations\n")
-												   
-	sys.stdout.write("-o --output-dir <directory>    -- "+\
-				"A directory to output global_tunables.xml and global_booleans.xml\n")
-
-	sys.stdout.write("--tunables-xml <file>          -- "+\
-				"A file containing tunable declarations already in XML format\n")
-
-	sys.stdout.write("--booleans-xml <file>          -- "+\
-				"A file containing bool declarations already in XML format\n")
-				
-	sys.stdout.write ("-3 --third-party <directory>   -- "+\
-				"Look for 3rd Party modules in directory.\n")
+	sys.stdout.write("examples:\n")
+	sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0])
+	sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0])

 def warning(description):
 	'''
@ -397,79 +342,50 @@ def error(description):


 # MAIN PROGRAM
+
+# Defaults
+warn = False
+module = False
+tunable = False
+boolean = False
+
 # Check that there are command line arguments.
 if len(sys.argv) <= 1:
 	usage()
 	sys.exit(1)

-
-# Parse the command line arguments
-for i in range(1, len(sys.argv)):
-	if sys.argv[i-1] in ("-m", "--meta",\
-					"-t", "--tunable", "-b", "--bool",\
-					"-o", "--output-dir", "-3", "--third-party", \
-					"--tunables-xml", "--booleans-xml"):
-		continue
-	elif sys.argv[i] in ("-w", "--warn"):
+# Parse command line args
+try:
+	opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean='])
+except getopt.GetoptError:
+	usage()
+	sys.exit(2)
+for o, a in opts:
+	if o in ('-w', '--warn'):
 		warn = True
-	elif sys.argv[i] in ("-m", "--meta"):
-		if i < len(sys.argv)-1:
-			meta = sys.argv[i+1]
-		else:
-			usage()
-	elif sys.argv[i] in ("-t", "--tunable"):
-		if i < len(sys.argv)-1:
-			tunable_files.append(sys.argv[i+1])
-		else:
-			usage()
-	elif sys.argv[i] in ("-b", "--bool"):
-		if i < len(sys.argv)-1:
-			bool_files.append(sys.argv[i+1])
-		else:
-			usage()
-	
-	elif sys.argv[i] == "--tunables-xml":
-		if i < len(sys.argv)-1:
-			xml_bool_files.append (sys.argv[i+1])
-		else:
-			usage ()
-			
-	elif sys.argv[i] == "--booleans-xml":
-		if i < len(sys.argv)-1:
-			xml_tunable_files.append (sys.argv[i+1])
-		else:
-			usage ()
-			
-	elif sys.argv[i] in ("-o", "--output-dir"):
-		if i < len(sys.argv)-1:
-			output_dir = sys.argv[i+1]
-		else:
-			usage ()
-			
-	elif sys.argv[i] in ("-3", "--third-party"):
-		if i < len(sys.argv) -1:
-			if layers.has_key (third_party):
-				layers[third_party].append (sys.argv[i+1])
-			else:
-				layers[third_party] = [sys.argv[i+1]]
-		else:
-			usage ()
-
-	elif sys.argv[i] in ("-h", "--help"):
-		usage ()
-		sys.exit (1)
-
+	elif o in ('-h', '--help'):
+		usage()
+		sys.exit(0)
+	elif o in ('-m', '--module'):
+		module = a
+		break
+	elif o in ('-t', '--tunable'):
+		tunable = a
+		break
+	elif o in ('-b', '--boolean'):
+		boolean = a
+		break
 	else:
-		# store directories in hash stored by layer name
-		splitlayer = os.path.split(sys.argv[i])
-		if layers.has_key (splitlayer[1]):
-			layers[splitlayer[1]].append (sys.argv[i])
-		else:
-			layers[splitlayer[1]] = [sys.argv[i]]
+		usage()
+		sys.exit(2)

-
-# Generate the XML and output it to a file
-lines = getPolicyXML()
-for s in lines:
-	sys.stdout.write(s)
+if module:
+	sys.stdout.writelines(getModuleXML(module))
+elif tunable:
+	sys.stdout.writelines(getTunableXML(tunable, "tunable"))
+elif boolean:
+	sys.stdout.writelines(getTunableXML(boolean, "bool"))
+else:
+	usage()
+	sys.exit(2)