XML: encapsulate modules in layers, rather then layer being an attribute of

module tag

refpolicy/Makefile

@@ -129,7 +129,7 @@ CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
 USER_FILES := $(POLDIR)/users 
 
 DISABLEMOD := $(foreach mod,$(shell egrep -v '^[[:blank:]]*\#' $(MOD_DISABLE)),$(subst ./,,$(shell find -iname $(mod).te)))
-ALL_LAYERS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d)
+ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
 
 GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
 GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
@@ -153,6 +153,7 @@ POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_
 DOCS = doc
 POLXML = $(DOCS)/policy.xml
 XMLDTD = $(DOCS)/policy.dtd
+LAYERXML = metadata.xml
 HTMLDIR = $(DOCS)/html
 DOCTEMPLATE = $(DOCS)/templates
 
@@ -364,9 +365,13 @@ $(POLXML): $(ALL_INTERFACES)
 	$(QUIET) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
 	$(QUIET) echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> $@
 	$(QUIET) echo "<policy>" >> $@
-# process this through m4 to eliminate the generated definitions templates.
-# currently these are only in corenetwork.if
-	$(QUIET) m4 $(ALL_INTERFACES) $(GLOBALTUN) | egrep -h "^##[[:blank:]]" | sed -e 's/^##[[:blank:]]//g' >> $@
+# do all modules, even disabled ones:
+	$(QUIET) for i in $(ALL_LAYERS); do \
+		cat $$i/$(LAYERXML) >> $@ ;\
+		egrep -h "^##[[:blank:]]" $$i/*.if | sed -e 's/^##[[:blank:]]//g' >> $@ ;\
+		echo "</layer>" >> $@;\
+	done
+	$(QUIET) egrep -h "^##[[:blank:]]" $(GLOBALTUN) | sed -e 's/^##[[:blank:]]//g' >> $@
 	$(QUIET) echo "</policy>" >> $@
 	$(QUIET) if test -x $(XMLLINT) && test -f $(XMLDTD); then \
 		$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\

refpolicy/doc/policy.dtd

@@ -1,10 +1,12 @@
 <!ENTITY  % inline.class  "pre|p|ul|li">
 
-<!ELEMENT policy (module+,tunable*)>
-<!ELEMENT module (summary,description?,interface+)>
+<!ELEMENT policy (layer+,tunable*)>
+<!ELEMENT layer (module+)>
+<!ATTLIST layer
+      name CDATA #REQUIRED>
+<!ELEMENT module (summary,description?,(interface|template)*)>
 <!ATTLIST module 
-      name CDATA #REQUIRED
-      layer CDATA #REQUIRED>
+      name CDATA #REQUIRED>
 <!ELEMENT tunable (#PCDATA)>
 <!ATTLIST tunable
       name CDATA #REQUIRED
@@ -12,6 +14,8 @@
 <!ELEMENT summary (#PCDATA)>
 <!ELEMENT interface (summary?,description?,securitydesc?,parameter+,infoflow?)>
 <!ATTLIST interface name CDATA #REQUIRED>
+<!ELEMENT template (summary,description?,securitydesc?,parameter+)>
+<!ATTLIST template name CDATA #REQUIRED>
 <!ELEMENT description (#PCDATA|%inline.class;)*>
 <!ELEMENT securitydesc (#PCDATA|%inline.class;)*>
 <!ELEMENT parameter (#PCDATA)>

refpolicy/policy/modules/admin/dmesg.if

@@ -1,4 +1,4 @@
-## <module name="dmesg" layer="admin">
+## <module name="dmesg">
 ## <summary>Policy for dmesg.</summary>
 
 ########################################

refpolicy/policy/modules/admin/rpm.if

@@ -1,4 +1,4 @@
-## <module name="rpm" layer="admin">
+## <module name="rpm">
 ## <summary>Policy for the RPM package manager.</summary>
 
 ########################################

refpolicy/policy/modules/admin/usermanage.if

@@ -1,4 +1,4 @@
-## <module name="usermanage" layer="admin">
+## <module name="usermanage">
 ## <summary>Policy for managing user accounts.</summary>
 
 ########################################

refpolicy/policy/modules/apps/gpg.if

@@ -1,9 +1,28 @@
+## <module name="gpg">
+## <summary>Policy for GNU Privacy Guard and related programs.</summary>
 
 #######################################
-#
-# Per user domain template for this module
-#
-# gpg_per_userdomain_template(userdomain_prefix)
+## <template name="gpg_per_userdomain_template">
+##	<summary>
+##		The per-userdomain template for the gpg module.
+##	</summary>
+##	<description>
+##		<p>
+##		This template creates the types and rules for GPG,
+##		GPG-agent, and GPG helper programs.  This protects
+##		the user keys and secrets, and runs the programs
+##		in domains specific to the user type.
+##		</p>
+##		<p>
+##		This is invoked	automatically for each user, and
+##		generally does not need to be statically invoked 
+##		directly by policy writers.
+##		</p>
+##	</description>
+##	<parameter name="userdomain_prefix">
+##		The prefix of the user domain (e.g., user
+##		is the prefix for user_t).
+##	</parameter>
 #
 define(`gpg_per_userdomain_template',`
 	gen_require(`$0'_depend)
@@ -349,3 +368,6 @@ define(`gpg_per_userdomain_template',`
 	') dnl end TODO
 ')
 
+## </template>
+
+## </module>

refpolicy/policy/modules/kernel/bootloader.if

@@ -1,4 +1,4 @@
-## <module name="bootloader" layer="kernel">
+## <module name="bootloader">
 ## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
 
 ########################################

refpolicy/policy/modules/kernel/corenetwork.if.in

@@ -1,4 +1,4 @@
-## <module name="corenetwork" layer="kernel">
+## <module name="corenetwork">
 ## <summary>Policy controlling access to network objects</summary>
 
 ########################################

refpolicy/policy/modules/kernel/devices.if

@@ -1,4 +1,4 @@
-## <module name="devices" layer="kernel">
+## <module name="devices">
 ## <summary>
 ##	Device nodes and interfaces for many basic system devices.
 ## </summary>

refpolicy/policy/modules/kernel/filesystem.if

@@ -1,4 +1,4 @@
-## <module name="filesystem" layer="kernel">
+## <module name="filesystem">
 ## <summary>Policy for filesystems.</summary>
 
 ########################################

refpolicy/policy/modules/kernel/kernel.if

@@ -1,4 +1,4 @@
-## <module name="kernel" layer="kernel">
+## <module name="kernel">
 ## <summary>
 ##	Policy for kernel threads, proc filesystem, 
 ##	and unlabeled processes and objects.

refpolicy/policy/modules/kernel/selinux.if

@@ -1,4 +1,4 @@
-## <module name="selinux" layer="kernel">
+## <module name="selinux">
 ## <summary>
 ##	Policy for kernel security interface, in particular, selinuxfs.
 ## </summary>

refpolicy/policy/modules/kernel/storage.if

@@ -1,4 +1,4 @@
-## <module name="storage" layer="kernel">
+## <module name="storage">
 ## <summary>Policy controlling access to storage devices</summary>
 
 ########################################

refpolicy/policy/modules/kernel/terminal.if

@@ -1,4 +1,4 @@
-## <module name="terminal" layer="kernel">
+## <module name="terminal">
 ## <summary>Policy for terminals.</summary>
 
 ########################################

refpolicy/policy/modules/services/mta.if

@@ -1,4 +1,4 @@
-## <module name="mta" layer="services">
+## <module name="mta">
 ## <summary>Policy common to all email tranfer agents.</summary>
 
 #######################################

refpolicy/policy/modules/services/remotelogin.if

@@ -1,4 +1,4 @@
-## <module name="remotelogin" layer="services">
+## <module name="remotelogin">
 ## <summary>Policy for rshd, rlogind, and telnetd.</summary>
 
 ########################################

refpolicy/policy/modules/services/sendmail.if

@@ -1,4 +1,4 @@
-## <module name="sendmail" layer="services">
+## <module name="sendmail">
 ## <summary>Policy for sendmail.</summary>
 
 ########################################

refpolicy/policy/modules/system/authlogin.if

@@ -1,4 +1,4 @@
-## <module name="authlogin" layer="system">
+## <module name="authlogin">
 ## <summary>Common policy for authentication and user login.</summary>
 
 #######################################

refpolicy/policy/modules/system/clock.if

@@ -1,4 +1,4 @@
-## <module name="clock" layer="system">
+## <module name="clock">
 ## <summary>Policy for reading and setting the hardware clock.</summary>
 
 ########################################

refpolicy/policy/modules/system/corecommands.if

@@ -1,4 +1,4 @@
-## <module name="corecommands" layer="system">
+## <module name="corecommands">
 ## <summary>
 ##	Core policy for shells, and generic programs
 ##	in /bin, /sbin, /usr/bin, and /usr/sbin.

refpolicy/policy/modules/system/domain.if

@@ -1,4 +1,4 @@
-## <module name="domain" layer="system">
+## <module name="domain">
 ## <summary>Core policy for domains.</summary>
 
 ########################################

refpolicy/policy/modules/system/files.if

@@ -1,4 +1,4 @@
-## <module name="files" layer="system">
+## <module name="files">
 ## <summary>
 ##	Basic filesystem types and interfaces.
 ## </summary>

refpolicy/policy/modules/system/getty.if

@@ -1,4 +1,4 @@
-## <module name="getty" layer="system">
+## <module name="getty">
 ## <summary>Policy for getty.</summary>
 
 ########################################

refpolicy/policy/modules/system/hostname.if

@@ -1,4 +1,4 @@
-## <module name="hostname" layer="system">
+## <module name="hostname">
 ## <summary>Policy for changing the system host name.</summary>
 
 ########################################

refpolicy/policy/modules/system/hotplug.if

@@ -1,4 +1,4 @@
-## <module name="hotplug" layer="system">
+## <module name="hotplug">
 ## <summary>
 ##	Policy for hotplug system, for supporting the
 ##	connection and disconnection of devices at runtime.

refpolicy/policy/modules/system/init.if

@@ -1,4 +1,4 @@
-## <module name="init" layer="system">
+## <module name="init">
 ## <summary>System initialization programs (init and init scripts).</summary>
 
 ########################################

refpolicy/policy/modules/system/iptables.if

@@ -1,4 +1,4 @@
-## <module name="iptables" layer="system">
+## <module name="iptables">
 ## <summary>Policy for iptables.</summary>
 
 ########################################

refpolicy/policy/modules/system/libraries.if

@@ -1,4 +1,4 @@
-## <module name="libraries" layer="system">
+## <module name="libraries">
 ## <summary>Policy for system libraries.</summary>
 
 ########################################

refpolicy/policy/modules/system/locallogin.if

@@ -1,4 +1,4 @@
-## <module name="locallogin" layer="system">
+## <module name="locallogin">
 ## <summary>Policy for local logins.</summary>
 
 ########################################

refpolicy/policy/modules/system/logging.if

@@ -1,4 +1,4 @@
-## <module name="logging" layer="system">
+## <module name="logging">
 ## <summary>Policy for the kernel message logger and system logging daemon.</summary>
 
 #######################################

refpolicy/policy/modules/system/lvm.if

@@ -1,4 +1,4 @@
-## <module name="lvm" layer="system">
+## <module name="lvm">
 ## <summary>Policy for logical volume management programs.</summary>
 
 ########################################

refpolicy/policy/modules/system/miscfiles.if

@@ -1,4 +1,4 @@
-## <module name="miscfiles" layer="system">
+## <module name="miscfiles">
 ## <summary>Miscelaneous files.</summary>
 
 ########################################

refpolicy/policy/modules/system/modutils.if

@@ -1,4 +1,4 @@
-## <module name="modutils" layer="system">
+## <module name="modutils">
 ## <summary>Policy for kernel module utilities</summary>
 
 ########################################

refpolicy/policy/modules/system/mount.if

@@ -1,4 +1,4 @@
-## <module name="mount" layer="system">
+## <module name="mount">
 ## <summary>Policy for mount.</summary>
 
 ########################################

refpolicy/policy/modules/system/selinuxutil.if

@@ -1,4 +1,4 @@
-## <module name="selinuxutil" layer="system">
+## <module name="selinuxutil">
 ## <summary>Policy for SELinux policy and userland applications.</summary>
 
 #######################################

refpolicy/policy/modules/system/sysnetwork.if

@@ -1,4 +1,4 @@
-## <module name="sysnetwork" layer="system">
+## <module name="sysnetwork">
 ## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
 
 #######################################

refpolicy/policy/modules/system/udev.if

@@ -1,4 +1,4 @@
-## <module name="udev" layer="system">
+## <module name="udev">
 ## <summary>Policy for udev.</summary>
 
 ########################################

refpolicy/policy/modules/system/userdomain.if

@@ -1,4 +1,4 @@
-## <module name="userdomain" layer="system">
+## <module name="userdomain">
 ## <summary>Policy for user domains</summary>
 
 ########################################