Eliminate olpc stuff and other no longer needed files. Update to new system to build policy.* file within payload.

2011-06-09 22:36:45 -04:00 · 2011-06-09 22:36:45 -04:00 · 857c813190
commit 857c813190
parent d0597c1c15
10 changed files with 53 additions and 640 deletions
--- a/booleans-olpc.conf
+++ b/booleans-olpc.conf
@ -1,51 +0,0 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
 allow_execmem = false
 # Allow making a modified private filemapping executable (text relocation).
 # 
 allow_execmod = false
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
 allow_execstack = false
 # Allow ftp servers to modify public filesused for public file transfer services.
 # 
 allow_ftpd_anon_write = false
 # Allow gssd to read temp directory.
 # 
 allow_gssd_read_tmp = false
 # Allow sysadm to ptrace all processes
 # 
 allow_ptrace = false
 # Allow reading of default_t files.
 # 
 read_default_t = false
 # Allow system cron jobs to relabel filesystemfor restoring file contexts.
 # 
 cron_can_relabel = false
 # Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
 # 
 staff_read_sysadm_file = false
 # Allow users to read system messages.
 # 
 user_dmesg = false
 # Allow sysadm to ptrace all processes
 # 
 allow_ptrace = false
 ## Control users use of ping and traceroute
 user_ping = true
 # Allow unlabeled packets to flow
 # 
 allow_unlabeled_packets = true
--- a/build.conf
+++ b/build.conf
@ -1,71 +0,0 @@
 ########################################
 #
 # Policy build options
 #
 # Policy version
 # By default, checkpolicy will create the highest
 # version policy it supports.  Setting this will
 # override the version.  This only has an
 # effect for monolithic policies.
 #OUTPUT_POLICY = 18
 # Policy Type
 # standard, mls, mcs
 TYPE = standard
 # Policy Name
 # If set, this will be used as the policy
 # name.  Otherwise the policy type will be
 # used for the name.
 NAME = refpolicy
 # Distribution
 # Some distributions have portions of policy
 # for programs or configurations specific to the
 # distribution.  Setting this will enable options
 # for the distribution.
 # redhat, gentoo, debian, suse, and rhel4 are current options.
 # Fedora users should enable redhat.
 #DISTRO = redhat
 # Unknown Permissions Handling
 # The behavior for handling permissions defined in the
 # kernel but missing from the policy.  The permissions
 # can either be allowed, denied, or the policy loading
 # can be rejected.
 # allow, deny, and reject are current options.
 #UNK_PERMS = deny
 # Direct admin init
 # Setting this will allow sysadm to directly
 # run init scripts, instead of requring run_init.
 # This is a build option, as role transitions do
 # not work in conditional policy.
 DIRECT_INITRC = n
 # Build monolithic policy.  Putting n here
 # will build a loadable module policy.
 MONOLITHIC = y
 # User-based access control (UBAC)
 # Enable UBAC for role separations.
 UBAC = y
 # Number of MLS Sensitivities
 # The sensitivities will be s0 to s(MLS_SENS-1).
 # Dominance will be in increasing numerical order
 # with s0 being lowest.
 MLS_SENS = 16
 # Number of MLS Categories
 # The categories will be c0 to c(MLS_CATS-1).
 MLS_CATS = 1024
 # Number of MCS Categories
 # The categories will be c0 to c(MLS_CATS-1).
 MCS_CATS = 1024
 # Set this to y to only display status messages
 # during build.
 QUIET = n
--- a/file_contexts.subs_dist
+++ b/file_contexts.subs_dist
@ -4,5 +4,3 @@
 /lib64 /lib
 /usr/lib64 /usr/lib
 /usr/lib/debug /
--- a/modules-olpc.conf
+++ b/modules-olpc.conf
@ -1,397 +0,0 @@
 #
 # This file contains a listing of available modules.
 # To prevent a module from  being used in policy
 # creation, set the module name to "off".
 #
 # For monolithic policies, modules set to "base" and "module"
 # will be built into the policy.
 #
 # For modular policies, modules set to "base" will be
 # included in the base module.  "module" will be compiled
 # as individual loadable modules.
 #
 # Layer: admin
 # Module: acct
 #
 # Berkeley process accounting
 # 
 acct = base
 # Layer: admin
 # Module: alsa
 #
 # Ainit ALSA configuration tool
 # 
 alsa = base
 # Layer: apps
 # Module: ada
 #
 # ada executable
 # 
 ada = base
 # Layer: admin
 # Module: anaconda
 #
 # Policy for the Anaconda installer.
 # 
 anaconda = base
 # Layer: system
 # Module: application
 # Required in base
 #
 # Defines attributs and interfaces for all user applications
 # 
 application = base
 # Layer: system
 # Module: authlogin
 #
 # Common policy for authentication and user login.
 # 
 authlogin = base
 # Layer: services
 # Module: canna
 #
 # Canna - kana-kanji conversion server
 # 
 canna = base
 # Layer: system
 # Module: clock
 #
 # Policy for reading and setting the hardware clock.
 # 
 clock = base
 # Layer: admin
 # Module: consoletype
 #
 # Determine of the console connected to the controlling terminal.
 # 
 consoletype = base
 # Layer: kernel
 # Module: corecommands
 # Required in base
 #
 # Core policy for shells, and generic programs
 # in /bin, /sbin, /usr/bin, and /usr/sbin.
 # 
 corecommands = base
 # Layer: kernel
 # Module: corenetwork
 # Required in base
 #
 # Policy controlling access to network objects
 # 
 corenetwork = base
 # Layer: services
 # Module: cpucontrol
 #
 # Services for loading CPU microcode and CPU frequency scaling.
 # 
 cpucontrol = base
 # Layer: services
 # Module: dbus
 #
 # Desktop messaging bus
 # 
 dbus = base
 # Layer: kernel
 # Module: devices
 # Required in base
 #
 # Device nodes and interfaces for many basic system devices.
 # 
 devices = base
 # Layer: services
 # Module: dhcp
 #
 # Dynamic host configuration protocol (DHCP) server
 # 
 dhcp = base
 # Layer: system
 # Module: domain
 # Required in base
 #
 # Core policy for domains.
 # 
 domain = base
 # Layer: kernel
 # Module: files
 # Required in base
 #
 # Basic filesystem types and interfaces.
 # 
 files = base
 # Layer: kernel
 # Module: filesystem
 # Required in base
 #
 # Policy for filesystems.
 # 
 filesystem = base
 # Layer: system
 # Module: fstools
 #
 # Tools for filesystem management, such as mkfs and fsck.
 # 
 fstools = base
 # Layer: system
 # Module: getty
 #
 # Policy for getty.
 # 
 getty = base
 # Layer: services
 # Module: hal
 #
 # Hardware abstraction layer
 # 
 hal = base
 # Layer: system
 # Module: hotplug
 #
 # Policy for hotplug system, for supporting the
 # connection and disconnection of devices at runtime.
 # 
 hotplug = base
 # Layer: system
 # Module: init
 #
 # System initialization programs (init and init scripts).
 # 
 init = base
 # Layer: system
 # Module: iptables
 #
 # Policy for iptables.
 # 
 iptables = base
 # Layer: apps
 # Module: java
 #
 # java executable
 # 
 java = base
 # Layer: kernel
 # Module: kernel
 # Required in base
 #
 # Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
 # 
 kernel = base
 # Layer: admin
 # Module: kudzu
 #
 # Hardware detection and configuration tools
 # 
 kudzu = base
 # Layer: system
 # Module: libraries
 #
 # Policy for system libraries.
 # 
 libraries = base
 # Layer: system
 # Module: locallogin
 #
 # Policy for local logins.
 # 
 locallogin = base
 # Layer: system
 # Module: logging
 #
 # Policy for the kernel message logger and system logging daemon.
 # 
 logging = base
 # Layer: kernel
 # Module: mcs
 # Required in base
 #
 # MultiCategory security policy
 # 
 mcs = base
 # Layer: system
 # Module: miscfiles
 #
 # Miscelaneous files.
 # 
 miscfiles = base
 # Layer: system
 # Module: modutils
 #
 # Policy for kernel module utilities
 # 
 modutils = base
 # Layer: apps
 # Module: mono
 #
 # mono executable
 # 
 mono = base
 # Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
 # 
 netutils = base
 # Layer: services
 # Module: networkmanager
 #
 # Manager for dynamically switching between networks.
 # 
 networkmanager = base
 # Layer: services
 # Module: nscd
 #
 # Name service cache daemon
 # 
 nscd = base
 # Layer: services
 # Module: ntp
 #
 # Network time protocol daemon
 # 
 ntp = base
 # Layer: admin
 # Module: prelink
 #
 # Manage temporary directory sizes and file ages
 # 
 prelink = base
 # Layer: admin
 # Module: readahead
 #
 # Readahead, read files into page cache for improved performance
 # 
 readahead = base
 # Layer: admin
 # Module: rpm
 #
 # Policy for the RPM package manager.
 # 
 rpm = base
 # Layer: kernel
 # Module: selinux
 # Required in base
 #
 # Policy for kernel security interface, in particular, selinuxfs.
 # 
 selinux = base
 # Layer: system
 # Module: selinuxutil
 #
 # Policy for SELinux policy and userland applications.
 # 
 selinuxutil = base
 # Layer: kernel
 # Module: storage
 #
 # Policy controlling access to storage devices
 # 
 storage = base
 # Layer: system
 # Module: sysnetwork
 #
 # Policy for network configuration: ifconfig and dhcp client.
 # 
 sysnetwork = base
 # Layer: system
 # Module: udev
 #
 # Policy for udev.
 # 
 udev = base
 # Layer: system
 # Module: userdomain
 #
 # Policy for user domains
 # 
 userdomain = base
 # Layer: system
 # Module: unconfined
 #
 # The unconfined domain.
 # 
 unconfined = base 
 # Layer: admin
 # Module: usbmodules
 #
 # List kernel modules of USB devices
 # 
 usbmodules = base
 # Layer: services
 # Module: xfs
 #
 # X Windows Font Server
 # 
 xfs = base
 # Layer: services
 # Module: xserver
 #
 # X windows login display manager
 # 
 xserver = base
 # Module: terminal
 # Required in base
 #
 # Policy for terminals.
 # 
 terminal = base
 # Layer: kernel
 # Module: mls
 # Required in base
 #
 # Multilevel security policy
 # 
 mls = base
--- a/3
+++ b/3
@ -1,3 +0,0 @@
 #!/bin/sh
 echo "$0 is no longer supported, better tools exist for creating policy"
 echo "Please use /usr/bin/sepolgen, slide or polgengui to generate policy"
--- a/0
+++ b/0
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -30,7 +30,6 @@ Source4: setrans-targeted.conf
 Source5: modules-mls.conf
 Source6: booleans-mls.conf
 Source8: setrans-mls.conf
 Source13: policygentool
 Source14: securetty_types-targeted
 Source15: securetty_types-mls
 Source16: modules-minimum.conf
@ -71,7 +70,6 @@ SELinux Base package
 %ghost %{_sysconfdir}/sysconfig/selinux
 %{_usr}/share/selinux/devel/include/*
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/policygentool
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
@ -116,12 +114,13 @@ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/seli
 install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
 install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
 install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \
-bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp.bz2  > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \
+bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp  > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \
-for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/$i; done \
+rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp  \
 for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
 rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp*  \
-semodule -n -B -p %{buildroot}; \
+semodule -s %1 -n -B -p %{buildroot}; \
-/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} > %{buildroot}%{_sysconfdir}/selinux/%1/policy/.policymd5 \
+/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policymd5 \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts 
 %nil
@ -136,12 +135,12 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
 %verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
 %verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
 %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
-%config(noreplace) %dir %{_sysconfdir}/selinux/%1/modules/active/* \
+%dir %{_sysconfdir}/selinux/%1/modules/active/* \
-%config %dir %{_sysconfdir}/selinux/%1/modules/active/modules/* \
+%{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \
 #%verify(not md5 size mtime) %attr(600,root,root) %config(noreplace) %{_sysconfdir}/selinux/%1/modules/active/seusers \
 %dir %{_sysconfdir}/selinux/%1/policy/ \
 %config(noreplace) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
-%{_sysconfdir}/selinux/%1/policy/.policymd5 \
+%{_sysconfdir}/selinux/%1/.policymd5 \
 %dir %{_sysconfdir}/selinux/%1/contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
@ -176,7 +175,7 @@ if [ -s /etc/selinux/config ]; then \
     if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
        [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
     fi \
-fi
+fi;
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
@ -188,6 +187,24 @@ if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
     rm -f ${FILE_CONTEXT}.pre; \
 fi; 
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
 md5=`md5sum /etc/selinux/%2/policy/policy.%{POLICYVER} | cut -d ' ' -f 1`; \
 checkmd5=`cat /etc/selinux/%2/.policymd5`; \
 if [ "$md5" != "$checkmd5" ] ; then \
   if [ %1 -ne 1 ]; then \
      	 semodule -n -s %2 -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger 2>/dev/null; \
   fi \
   semodule -B -s %2; \
 else \
   [ "${SELINUXTYPE}" == "%2" ] && [ selinuxenabled ] && load_policy; \
 fi; \
 if [ %1 -eq 1 ]; then \
   restorecon -R /root /var/log /var/run 2> /dev/null; \
 else \
 %relabel %2 \
 fi;
 %description
 SELinux Reference Policy - modular.
 Based off of reference policy: Checked out revision  2.20091117
@ -200,7 +217,7 @@ Based off of reference policy: Checked out revision  2.20091117
 %install
 mkdir selinux_config
-for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do
 cp $i selinux_config
 done
 tar zxvf selinux_config/config.tgz
@ -242,7 +259,6 @@ make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITR
 mkdir %{buildroot}%{_usr}/share/selinux/devel/
 mkdir %{buildroot}%{_usr}/share/selinux/packages/
 mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
 install -m 755 selinux_config/policygentool %{buildroot}%{_usr}/share/selinux/devel/
 install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
@ -315,22 +331,7 @@ SELinux Reference policy targeted base module.
 %saveFileContext targeted
 %post targeted
-md5=`md5sum /etc/selinux/targeted/policy/policy.%{POLICYVER}`
+%postInstall $1 targeted
 checkmd5=`cat /etc/selinux/targeted/policy/policy.%{POLICYVER}.md5sum`
 if [ "$md5" != "$checkmd5" ] ; then
   if [ $1 -ne 1 ]; then
      	 semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
   fi
   semodule -B -s targeted
 else
   [ "${SELINUXTYPE}" == "targeted" ] && [ selinuxenabled ] && load_policy
 fi
 if [ $1 -eq 1 ]; then
      restorecon -R /root /var/log /var/run 2> /dev/null
 else
      %relabel targeted
 fi
 exit 0
 %triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9
@ -373,17 +374,35 @@ SELinux Reference policy minimum base module.
 %pre minimum
 %saveFileContext minimum
 if [ $1 -ne 1 ]; then
   semodule -s minimum -l 2>/dev/null | awk '{ print $1 }' > /usr/share/selinux/minimum/instmodules.lst
 fi
 %post minimum
-packages="execmem.pp.bz2 unconfined.pp.bz2 unconfineduser.pp.bz2 application.pp.bz2 userdomain.pp.bz2 authlogin.pp.bz2 logging.pp.bz2 selinuxutil.pp.bz2 init.pp.bz2 systemd.pp.bz2 sysnetwork.pp.bz2 miscfiles.pp.bz2 libraries.pp.bz2 modutils.pp.bz2 sysadm.pp.bz2 locallogin.pp.bz2 dbus.pp.bz2 rpm.pp.bz2 mount.pp.bz2 fstools.pp.bz2 usermanage.pp.bz2 mta.pp.bz2"
+allpackages=`cat /usr/share/selinux/minimum/modules.lst`
 semodule -B -s minimum
 if [ $1 -eq 1 ]; then
 packages="clock.pp execmem.pp unconfined.pp unconfineduser.pp application.pp userdomain.pp authlogin.pp logging.pp selinuxutil.pp init.pp systemd.pp sysnetwork.pp miscfiles.pp libraries.pp modutils.pp sysadm.pp locallogin.pp dbus.pp rpm.pp mount.pp fstools.pp usermanage.pp mta.pp"
 for p in $allpackages; do 
    touch /etc/selinux/minimum/modules/active/modules/$p.disabled
 done
 for p in $packages; do 
    rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled
 done
 semanage -S minimum -i - << __eof
 login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
 __eof
 restorecon -R /root /var/log /var/run 2> /dev/null
 semodule -B -s minimum
 else
 instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
 for p in $allpackages; do 
    touch /etc/selinux/minimum/modules/active/modules/$p.disabled
 done
 for p in $instpackages; do 
    rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled
 done
 semodule -B -s minimum
 %relabel minimum
 fi
 exit 0
@ -414,15 +433,7 @@ SELinux Reference policy mls base module.
 %saveFileContext mls
 %post mls 
-semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
+%postInstall $1 mls
 semodule -B -s mls
 if [ $1 -eq 1 ]; then
   restorecon -R /root /var/log /var/run 2> /dev/null
 else
   %relabel mls
 fi
 exit 0
 %files mls
 %defattr(-,root,root,-)
@ -434,6 +445,8 @@ exit 0
 %changelog
 * Wed Jun 8 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-28.1
 - Add policy.26 to the payload
 - Remove olpc stuff
 - Remove policygentool
 * Wed Jun 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-27
 - Fixes for zabbix
--- a/setrans-olpc.conf
+++ b/setrans-olpc.conf
@ -1,19 +0,0 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Categories are stored in the system as c0-c1023.  Users can use this
 # table to translate the categories into a more meaningful output.
 # Examples:
 # s0:c0=CompanyConfidential
 # s0:c1=PatientRecord
 # s0:c2=Unclassified
 # s0:c3=TopSecret
 # s0:c1,c3=CompanyConfidentialRedHat
 s0=SystemLow
 s0-s0:c0.c1023=SystemLow-SystemHigh
 s0:c0.c1023=SystemHigh
--- a/setrans.conf
+++ b/setrans.conf
@ -1,19 +0,0 @@
 #
 # Multi-Category Security translation table for SELinux
 # 
 # Uncomment the following to disable translation libary
 # disable=1
 #
 # Objects can be categorized with 0-1023 categories defined by the admin.
 # Objects can be in more than one category at a time.
 # Categories are stored in the system as c0-c1023.  Users can use this
 # table to translate the categories into a more meaningful output.
 # Examples:
 # s0:c0=CompanyConfidential
 # s0:c1=PatientRecord
 # s0:c2=Unclassified
 # s0:c3=TopSecret
 # s0:c1,c3=CompanyConfidentialRedHat
 s0=SystemLow
 s0-s0:c0.c1023=SystemLow-SystemHigh
 s0:c0.c1023=SystemHigh
--- a/38
+++ b/38
@ -1,38 +0,0 @@
 ##################################
 #
 # Core User configuration.
 #
 #
 # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
 # Note: Identities without a prefix wil not be listed
 # in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
 gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)