Merge -base and -contrib

Contrib was merged to main repo long time ago. Makes the build process simpler. Modules enabled in minimum lives in %{_datadir}/selinux/minimum/modules.lst now. Fixes: RPM build warnings: File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/cil File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/hll File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/lang_ext [skip changelog] Related: RHEL-54303
2024-06-24 21:21:44 +02:00 · 2024-06-24 21:21:44 +02:00 · fc93f2b404
commit fc93f2b404
parent 4b190446b9
7 changed files with 2387 additions and 4942 deletions
--- a/modules-minimum.lst
+++ b/modules-minimum.lst
@ -0,0 +1,50 @@
+apache
+application
+auditadm
+authlogin
+base
+bootloader
+clock
+dbus
+dmesg
+fstools
+getty
+hostname
+inetd
+init
+ipsec
+iptables
+kerberos
+libraries
+locallogin
+logadm
+logging
+lvm
+miscfiles
+modutils
+mount
+mta
+netlabel
+netutils
+nis
+postgresql
+secadm
+selinuxutil
+setrans
+seunshare
+ssh
+staff
+su
+sudo
+sysadm
+sysadm_secadm
+sysnetwork
+systemd
+udev
+unconfined
+unconfineduser
+unlabelednet
+unprivuser
+userdomain
+usermanage
+xserver
--- a/modules-mls-base.conf
+++ b/modules-mls-base.conf
@ -1,380 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-# 
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-# 
-corecommands = base
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-# Layer: kernel
-# Module: unlabelednet
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-# 
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-# 
-secadm = module
-
-# Layer:role
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-# 
-sysadm_secadm = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-# 
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@ -1,3 +1,383 @@
+# Layer: kernel
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+# 
+bootloader = module
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+# 
+corenetwork = base
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+# 
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+# 
+netutils = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+# 
+sudo = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+# 
+su = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+# 
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+# 
+seunshare = module
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+# 
+corecommands = base
+
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+# 
+devices = base
+
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+# 
+domain = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+# 
+userdomain = module
+
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+# 
+files = base
+
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+# 
+filesystem = base
+
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+# 
+kernel = base
+
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+# 
+mcs = base
+
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+# 
+mls = base
+
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+# 
+selinux = base
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+# 
+storage = base
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+# 
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+#
+# 
+# 
+ubac = base
+
+# Layer: kernel
+# Module: unlabelednet
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+# 
+auditadm = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+# 
+logadm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+# 
+secadm = module
+
+# Layer:role
+# Module: staff
+#
+# admin account 
+# 
+staff = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+# 
+sysadm_secadm = module
+
+# Layer:role
+# Module: sysadm
+#
+# System Administrator
+# 
+sysadm = module
+
+# Layer: role
+# Module: unprivuser
+#
+# Minimally privs guest account on tty logins
+# 
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+# 
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+# 
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+# 
+xserver = module
+
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+# 
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+# 
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+# 
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+# 
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+# 
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+# 
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+# 
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+# 
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+# 
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+# 
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+# 
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+# 
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+# 
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+# 
+selinuxutil = module
+
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+# 
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+# 
+sysnetwork = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+# 
+systemd = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+# 
+udev = module
 # Layer: services
 # Module: accountsd
 #
@ -523,6 +903,13 @@ glance = module
 # 
 gnome = module

+# Layer: apps
+# Module: gnome_remote_desktop
+#
+# gnome-remote-desktop
+#
+gnome_remote_desktop = module
+
 # Layer: apps
 # Module: gpg
 #
@ -1004,8 +1391,6 @@ ppp = module
 # 
 prelink = module

-unprivuser = module
-
 # Layer: services
 # Module: privoxy
 #
@ -1034,13 +1419,6 @@ psad = module
 # 
 ptchown = module

-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP
-# 
-publicfile = module
-
 # Layer: apps
 # Module: pulseaudio
 #
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@ -1,393 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-# Layer: kernel
-# Module: unconfined
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-# 
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-# 
-secadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-# 
-sysadm_secadm = module
-
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-# 
-unconfineduser = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-# 
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = module
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,18 +21,16 @@ Version: 40.13.13
 Release: 1%{?dist}
 License: GPL-2.0-or-later
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
-Source1: modules-targeted-base.conf
-Source31: modules-targeted-contrib.conf
+Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
 Source4: setrans-targeted.conf
-Source5: modules-mls-base.conf
-Source32: modules-mls-contrib.conf
+Source5: modules-mls.conf
 Source6: booleans-mls.conf
 Source8: setrans-mls.conf
 Source14: securetty_types-targeted
 Source15: securetty_types-mls
-#Source16: modules-minimum.conf
+Source16: modules-minimum.lst
 Source17: booleans-minimum.conf
 Source18: setrans-minimum.conf
 Source19: securetty_types-minimum
@ -182,12 +180,7 @@ cp -f selinux_config/users-%1 ./policy/users \
 #cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \

 %define makeModulesConf() \
-cp -f selinux_config/modules-%1-%2.conf  ./policy/modules-base.conf \
-cp -f selinux_config/modules-%1-%2.conf  ./policy/modules.conf \
-if [ %3 == "contrib" ];then \
-	cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
-	cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
-fi; \
+cp -f selinux_config/modules-%1.conf  ./policy/modules.conf

 %define installCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
@ -263,8 +256,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
 %dir %{_datadir}/selinux/%1 \
 %{_datadir}/selinux/%1/base.lst \
-%{_datadir}/selinux/%1/modules-base.lst \
-%{_datadir}/selinux/%1/modules-contrib.lst \
+%{_datadir}/selinux/%1/modules.lst \
 %{_datadir}/selinux/%1/nonbasemodules.lst \
 %dir %{_sharedstatedir}/selinux/%1 \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
@ -337,16 +329,12 @@ else \
 fi;

 %define modulesList() \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
-if [ -e ./policy/modules-contrib.conf ];then \
-	awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
-fi;
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \

 %define nonBaseModulesList() \
-contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
-base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
-for i in $contrib_modules $base_modules; do \
+modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
+for i in $modules; do \
    if [ $i != "sandbox" ];then \
        echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
    fi; \
@ -419,7 +407,7 @@ end
 tar -C policy/modules/contrib -xf %{SOURCE35}

 mkdir selinux_config
-for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do
 cp $i selinux_config
 done

@ -452,7 +440,7 @@ make clean
 %if %{with targeted}
 # Build targeted policy
 %makeCmds targeted mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
 %installCmds targeted mcs allow
 # install permissivedomains.cil
 %{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
@ -467,9 +455,10 @@ mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
 %if %{with minimum}
 # Build minimum policy
 %makeCmds minimum mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
 %installCmds minimum mcs allow
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
+install -m 644 %{SOURCE16} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
 %modulesList minimum
 %nonBaseModulesList minimum
 %endif
@ -477,7 +466,7 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %if %{with mls}
 # Build mls policy
 %makeCmds mls mls deny
-%makeModulesConf mls base contrib
+%makeModulesConf mls
 %installCmds mls mls deny
 %modulesList mls
 %nonBaseModulesList mls
@ -697,16 +686,17 @@ fi

 %post minimum
 %checkConfigConsistency minimum
-contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
-basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
+modules=`cat %{_datadir}/selinux/minimum/modules.lst`
+basemodules=`cat %{_datadir}/selinux/minimum/base.lst`
+enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst`
 if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
    mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
 fi
 if [ $1 -eq 1 ]; then
-for p in $contribpackages; do
+for p in $modules; do
    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
-for p in $basepackages apache dbus inetd kerberos mta nis; do
+for p in $basemodules $enabledmodules; do
    rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
 %{_sbindir}/semanage import -S minimum -f - << __eof
@ -717,7 +707,7 @@ __eof
 %{_sbindir}/semodule -B -s minimum 2> /dev/null
 else
 instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
-for p in $contribpackages; do
+for p in $packages; do
    touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
 for p in $instpackages apache dbus inetd kerberos mta nis; do
@ -774,6 +764,7 @@ exit 0
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
 %fileList minimum
+%{_datadir}/selinux/minimum/modules-enabled.lst
 %endif

 %if %{with mls}