xsm, flask: sample flask policy

- The patch includes a policy for xen that can be booted into
  enforcing mode and supports creation and management of
  paravirtualized guests.  The policy follows the dom0/domU usage
  model, extension to other models or the addition of management or IO
  permissions should be much more straightforward now. The option
  flask_enforcing=1 can be passed on the xen line in grub to boot
  into enforcing mode.

- The policy provides a basic policy for booting the platform and
  creating a domU with the label system_u:object_r:domU_t.  The policy
  can be easily extended to support new types by modifying the xen.te
  source file.

- The policy includes some basic macros which may be helpful in
  extending the policy.

- The policy is compatible with and requires the most recent XSM
  patch, xsm-flask-io-sysctl-hooks-090308.diff.

- The policy is not built as part of the make all as it requires the
  SELinux policy compiler which may/may not be installed on all
  systems.  Users must go into the tools/flask/policy directory and
  explicitly compile the policy.

Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>

21 files changed, 2291 insertions, 0 deletions

diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
new file mode 100644
index 0000000000..069b232128
--- /dev/null
+++ b/tools/flask/policy/Makefile
@@ -0,0 +1,234 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+# 
+# install       - compile and install the policy configuration, and context files.
+# load          - compile, install, and load the policy configuration.
+# reload        - compile, install, and load/reload the policy configuration.
+# policy        - compile the policy configuration locally for testing/development.
+#
+# The default target is 'policy'.
+#
+
+########################################
+#
+# Configurable portions of the Makefile
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports.  Setting this will
+# override the version.
+OUTPUT_POLICY = 20
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = strict
+
+# Policy Name
+# If set, this will be used as the policy
+# name.  Otherwise the policy type will be
+# used for the name.
+NAME = xenrefpolicy
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution.  Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, and suse are current options.
+# Fedora users should enable redhat.
+#DISTRO = 
+
+# Build monolithic policy.  Putting n here
+# will build a loadable module policy.
+MONOLITHIC=y
+
+# Uncomment this to disable command echoing
+#QUIET:=@
+
+########################################
+#
+# NO OPTIONS BELOW HERE
+#
+
+# executable paths
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKPOLICY := $(BINDIR)/checkpolicy
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+LOADPOLICY := $(SBINDIR)/flask-loadpolicy
+
+CFLAGS := -Wall
+
+# policy source layout
+POLDIR := policy
+MODDIR := $(POLDIR)/modules
+FLASKDIR := $(POLDIR)/flask
+SECCLASS := $(FLASKDIR)/security_classes
+ISIDS := $(FLASKDIR)/initial_sids
+AVS := $(FLASKDIR)/access_vectors
+
+#policy building support tools
+SUPPORT := support
+FCSORT := tmp/fc_sort
+
+# config file paths
+GLOBALTUN := $(POLDIR)/global_tunables
+GLOBALBOOL := $(POLDIR)/global_booleans
+MOD_CONF := $(POLDIR)/modules.conf
+TUNABLES := $(POLDIR)/tunables.conf
+BOOLEANS := $(POLDIR)/booleans.conf
+
+# install paths
+TOPDIR = $(DESTDIR)/etc/xen/
+INSTALLDIR = $(TOPDIR)/$(NAME)
+SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
+CONTEXTPATH = $(INSTALLDIR)/contexts
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+	override M4PARAM += -D enable_mls
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+	override M4PARAM += -D enable_mcs
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+	override M4PARAM += -D targeted_policy
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+	override M4PARAM += -D distro_$(DISTRO)
+endif
+
+ifneq ($(OUTPUT_POLICY),)
+	CHECKPOLICY += -c $(OUTPUT_POLICY)
+endif
+
+ifeq ($(NAME),)
+	NAME := $(TYPE)
+endif
+
+# determine the policy version and current kernel version if possible
+PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+KV := $(shell cat /selinux/policyvers)
+
+# dont print version warnings if we are unable to determine
+# the currently running kernel's policy version
+ifeq ($(KV),)
+	KV := $(PV)
+endif
+
+FC := file_contexts
+POLVER := policy.$(PV)
+
+M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
+
+APPCONF := config/appconfig-$(TYPE)
+APPDIR := $(CONTEXTPATH)
+APPFILES := $(INSTALLDIR)/booleans
+CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
+USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
+
+ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
+
+GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
+GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
+GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in)))
+
+# sort here since it removes duplicates, which can happen
+# when a generated file is already generated
+DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE))
+
+# modules.conf setting for base module
+MODBASE := base
+
+# modules.conf setting for module
+MODMOD := module
+
+# extract settings from modules.conf
+BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
+MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
+
+HOMEDIR_TEMPLATE = tmp/homedir_template
+
+########################################
+#
+# Load appropriate rules
+#
+
+ifeq ($(MONOLITHIC),y)
+	include Rules.monolithic
+else
+	include Rules.modular
+endif
+
+########################################
+#
+# Create config files
+#
+conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
+
+$(MOD_CONF) $(BOOLEANS): $(POLXML)
+	@echo "Updating $(MOD_CONF) and $(BOOLEANS)"
+	$(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML)
+
+########################################
+#
+# Appconfig files
+#
+install-appconfig: $(APPFILES)
+
+$(INSTALLDIR)/booleans: $(BOOLEANS)
+	@mkdir -p $(INSTALLDIR)
+	$(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $(BOOLEANS) \
+		| sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans
+	$(QUIET) install -m 644 tmp/booleans $@
+
+########################################
+#
+# Install policy sources
+#
+install-src:
+	rm -rf $(SRCPATH)/policy.old
+	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
+	mkdir -p $(SRCPATH)/policy
+	cp -R . $(SRCPATH)/policy
+
+########################################
+#
+# Clean everything
+#
+bare: clean
+	rm -f $(POLXML)
+	rm -f $(SUPPORT)/*.pyc
+	rm -f $(FCSORT)
+	rm -f $(MOD_CONF)
+	rm -f $(BOOLEANS)
+	rm -fR $(HTMLDIR)
+ifneq ($(GENERATED_TE),)
+	rm -f $(GENERATED_TE)
+endif
+ifneq ($(GENERATED_IF),)
+	rm -f $(GENERATED_IF)
+endif
+ifneq ($(GENERATED_FC),)
+	rm -f $(GENERATED_FC)
+endif
+
+.PHONY: install-src install-appconfig conf html bare
diff --git a/tools/flask/policy/Rules.modular b/tools/flask/policy/Rules.modular
new file mode 100644
index 0000000000..798f989689
--- /dev/null
+++ b/tools/flask/policy/Rules.modular
@@ -0,0 +1,166 @@
+########################################
+#
+# Rules and Targets for building modular policies
+#
+
+ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+
+BASE_PKG := base.pp
+BASE_FC := base.fc
+
+BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+
+BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
+BASE_TE_FILES := $(BASE_MODS)
+BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
+BASE_FC_FILES := $(BASE_MODS:.te=.fc)
+
+MOD_MODULES := $(MOD_MODS:.te=.mod)
+MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp))
+
+# search layer dirs for source files
+vpath %.te $(ALL_LAYERS)
+vpath %.if $(ALL_LAYERS)
+vpath %.fc $(ALL_LAYERS)
+
+########################################
+#
+# default action: create all module packages
+#
+default: base
+
+base: $(BASE_PKG)
+
+modules: $(MOD_PKGS)
+
+#policy: $(POLVER)
+#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+#load: tmp/load
+
+########################################
+#
+# Create a base module package
+#
+$(BASE_PKG): tmp/base.mod $(BASE_FC)
+	@echo "Creating $(NAME) base module package"
+	$(QUIET) $(SEMOD_PKG) $@ $^
+
+########################################
+#
+# Compile a base module
+#
+tmp/base.mod: base.conf
+	@echo "Compiling $(NAME) base module"
+	$(QUIET) $(CHECKMODULE) $^ -o $@
+
+########################################
+#
+# Construct a base module policy.conf
+#
+base.conf: $(BASE_SECTIONS)
+	@echo "Creating $(NAME) base module policy.conf"
+# checkpolicy can use the #line directives provided by -s for error reporting:
+	$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
+	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
+# the ordering of these ocontexts matters:
+	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
+	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
+	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true
+
+tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES)
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES)
+	@test -d tmp || mkdir -p tmp
+# define all available object classes
+	$(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
+# per-userdomain templates
+	$(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
+	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
+		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
+			>> $@ ;\
+	done
+	$(QUIET) echo "')" >> $@
+# define foo.te
+	$(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \
+		echo "define(\`$$i')" >> $@ ;\
+	done
+	$(QUIET) $(SETTUN) $(BOOLEANS) >> $@
+
+tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+ifeq ($(ALL_INTERFACES),)
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+tmp/all_te_files.conf: $(BASE_TE_FILES)
+ifeq ($(BASE_TE_FILES),)
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.  portcon, nodecon, and netifcon
+# is delayed since they are generated by m4
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
+	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
+	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
+	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+	$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
+	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
+	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
+			-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
+			< tmp/all_te_files.conf > tmp/only_te_rules.conf
+
+########################################
+#
+# Construct base module file contexts
+#
+$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
+ifeq ($(BASE_FC_FILES),)
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@echo "Creating $(NAME) base module file contexts."
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) > tmp/$@.tmp
+	$(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
+	$(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
+	$(QUIET) $(FCSORT) tmp/$@.tmp $@
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
+	@if test -z "$(filter $^,$(MOD_MODS))"; then \
+		echo "The $(notdir $(basename $@)) module is not configured to be compiled as a lodable module." ;\
+		false ;\
+	fi
+	@echo "Compliling $(NAME) $(@F) module"
+	$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+	$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+%.pp: tmp/%.mod %.fc
+	@echo "Creating $(NAME) $(@F) policy package"
+	$(QUIET) $(SEMOD_PKG) $@ $^
+
+########################################
+#
+# Clean the sources
+#
+clean:
+	rm -fR tmp
+	rm -f base.conf
+	rm -f *.pp
+	rm -f $(BASE_FC)
+
+.PHONY: default base modules clean
diff --git a/tools/flask/policy/Rules.monolithic b/tools/flask/policy/Rules.monolithic
new file mode 100644
index 0000000000..03147a1a13
--- /dev/null
+++ b/tools/flask/policy/Rules.monolithic
@@ -0,0 +1,196 @@
+########################################
+#
+# Rules and Targets for building monolithic policies
+#
+
+# install paths
+POLICYPATH = $(INSTALLDIR)/policy
+LOADPATH = $(POLICYPATH)/$(POLVER)
+FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
+
+# for monolithic policy use all base and module to create policy
+ENABLEMOD := $(BASE_MODS) $(MOD_MODS)
+
+ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS))
+
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+ALL_TE_FILES := $(ALL_MODULES)
+ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
+
+PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
+POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
+
+POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+
+########################################
+#
+# default action: build policy locally
+#
+default: policy
+
+policy: $(POLVER)
+
+install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+
+load: tmp/load
+
+########################################
+#
+# Build a binary policy locally
+#
+$(POLVER): policy.conf
+	@echo "Compiling $(NAME) $(POLVER)"
+ifneq ($(PV),$(KV))
+	@echo
+	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
+	@echo
+endif
+	$(QUIET) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Install a binary policy
+#
+$(LOADPATH): policy.conf
+	@mkdir -p $(POLICYPATH)
+	@echo "Compiling and installing $(NAME) $(LOADPATH)"
+ifneq ($(PV),$(KV))
+	@echo
+	@echo "WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?"
+	@echo
+endif
+	$(QUIET) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Load the binary policy
+#
+reload tmp/load: $(LOADPATH) $(FCPATH)
+	@echo "Loading $(NAME) $(LOADPATH)"
+	$(QUIET) $(LOADPOLICY) -q $(LOADPATH)
+	@touch tmp/load
+
+########################################
+#
+# Construct a monolithic policy.conf
+#
+policy.conf: $(POLICY_SECTIONS)
+	@echo "Creating $(NAME) policy.conf"
+# checkpolicy can use the #line directives provided by -s for error reporting:
+	$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
+	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
+
+tmp/pre_te_files.conf: $(PRE_TE_FILES)
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
+# per-userdomain templates:
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
+	$(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
+		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
+			>> $@ ;\
+	done
+	$(QUIET) echo "')" >> $@
+# define foo.te
+	$(QUIET) for i in $(notdir $(ALL_MODULES)); do \
+		echo "define(\`$$i')" >> $@ ;\
+	done
+#	$(QUIET) $(SETTUN) $(BOOLEANS) >> $@
+
+tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+ifeq ($(ALL_INTERFACES),)
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+tmp/all_te_files.conf: $(ALL_TE_FILES)
+ifeq ($(ALL_TE_FILES),)
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+tmp/post_te_files.conf: $(POST_TE_FILES)
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.  portcon, nodecon, and netifcon
+# is delayed since they are generated by m4
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
+	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
+	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
+	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+	$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
+	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
+	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
+			-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
+			< tmp/all_te_files.conf > tmp/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: policy.conf
+	@test -d tmp || mkdir -p tmp
+	@echo "Removing dontaudit rules from policy.conf"
+	$(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
+	$(QUIET) mv tmp/policy.audit policy.conf
+
+########################################
+#
+# Construct file_contexts
+#
+$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
+ifeq ($(ALL_FC_FILES),)
+	$(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+	@echo "Creating $(NAME) file_contexts."
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) > tmp/$@.tmp
+#	$(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
+#	$(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
+#	$(QUIET) $(FCSORT) tmp/$@.tmp $@
+	$(QUIET) touch $(HOMEDIR_TEMPLATE)
+	$(QUIET) touch $@
+
+########################################
+#
+# Install file_contexts
+#
+$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
+	@echo "Validating $(NAME) file_contexts."
+#	$(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC)
+	@echo "Installing file_contexts."
+	@mkdir -p $(CONTEXTPATH)/files
+	$(QUIET) install -m 644 $(FC) $(FCPATH)
+	$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+#	$(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD)
+
+########################################
+#
+# Run policy source checks
+#
+check: policy.conf $(FC)
+	$(SECHECK) -s --profile=development --policy=policy.conf --fcfile=$(FC) > $@.res
+
+longcheck: policy.conf $(FC)
+	$(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res
+
+########################################
+#
+# Clean the sources
+#
+clean:
+	rm -fR tmp
+	rm -f policy.conf
+	rm -f policy.$(PV)
+	rm -f $(FC)
+	rm -f *.res
+
+.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
diff --git a/tools/flask/policy/policy/constraints b/tools/flask/policy/policy/constraints
new file mode 100644
index 0000000000..beb949c9b6
--- /dev/null
+++ b/tools/flask/policy/policy/constraints
@@ -0,0 +1,27 @@
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# expression : ( expression ) 
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_op r2
+#	     | t1 op t2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#
+# op : == | != 
+# role_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name		
+#
+
diff --git a/tools/flask/policy/policy/flask/Makefile b/tools/flask/policy/policy/flask/Makefile
new file mode 100644
index 0000000000..970b9fedce
--- /dev/null
+++ b/tools/flask/policy/policy/flask/Makefile
@@ -0,0 +1,41 @@
+# flask needs to know where to export the libselinux headers.
+LIBSEL ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUXDIR ?= ../../../linux-2.6
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+          else if [ -x /bin/bash ]; then echo /bin/bash; \
+          else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = security_classes initial_sids
+AV_H_DEPEND = access_vectors
+
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+all:  $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+tolib: all
+	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
+	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
+
+tokern: all
+	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:  
+	rm -f $(FLASK_H_FILES)
+	rm -f $(AV_H_FILES)
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
new file mode 100644
index 0000000000..0df71d0a46
--- /dev/null
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -0,0 +1,166 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+#
+# Define a common prefix for file access vectors.
+#
+
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class xen
+{
+	scheduler
+	settime
+	tbufcontrol
+	readconsole
+	clearconsole
+	perfcontrol
+	mtrr_add
+	mtrr_del
+	mtrr_read
+	microcode
+	physinfo
+	quirk
+    writeconsole
+    readapic
+    writeapic
+    privprofile
+    nonprivprofile
+    kexec
+	firmware
+	sleep
+	frequency
+	getidle
+	debug
+	getcpuinfo
+	heap
+}
+
+class domain
+{
+	setvcpucontext
+	pause
+	unpause
+    resume
+    create
+    transition
+    max_vcpus
+    destroy
+    setvcpuaffinity
+	getvcpuaffinity
+	scheduler
+	getdomaininfo
+	getvcpuinfo
+	getvcpucontext
+	setdomainmaxmem
+	setdomainhandle
+	setdebugging
+	hypercall
+    settime
+    set_target
+    shutdown
+    setaddrsize
+    getaddrsize
+	trigger
+	getextvcpucontext
+	setextvcpucontext
+}
+
+class hvm
+{
+    sethvmc
+    gethvmc
+    setparam
+    getparam
+    pcilevel
+    irqlevel
+    pciroute
+	bind_irq
+	cacheattr
+}
+
+class event
+{
+	bind
+	send
+	status
+	notify
+	create
+    vector
+    reset
+}
+
+class grant
+{
+	map_read
+	map_write
+	unmap
+	transfer
+	setup
+    copy
+    query
+}
+
+class mmu
+{
+	map_read
+	map_write
+	pageinfo
+	pagelist
+    adjust
+    stat
+    translategp
+	updatemp
+    physmap
+    pinpage
+    mfnlist
+    memorymap
+}
+
+class shadow
+{
+	disable
+	enable
+    logdirty
+}
+
+class resource
+{
+	add
+	remove
+	use
+	add_irq
+	remove_irq
+	add_ioport
+	remove_ioport
+	add_iomem
+	remove_iomem
+	stat_device
+	add_device
+	remove_device
+}
+
+class security
+{
+	compute_av
+	compute_create
+	compute_member
+	check_context
+	load_policy
+	compute_relabel
+	compute_user
+	setenforce
+	setbool
+	setsecparam
+}
diff --git a/tools/flask/policy/policy/flask/initial_sids b/tools/flask/policy/policy/flask/initial_sids
new file mode 100644
index 0000000000..9b78fba49c
--- /dev/null
+++ b/tools/flask/policy/policy/flask/initial_sids
@@ -0,0 +1,17 @@
+# FLASK
+
+#
+# Define initial security identifiers 
+#
+sid xen
+sid dom0
+sid domU
+sid domio
+sid domxen
+sid unlabeled
+sid security
+sid ioport
+sid iomem
+sid pirq
+sid device
+# FLASK
diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/tools/flask/policy/policy/flask/mkaccess_vector.sh
new file mode 100644
index 0000000000..b5da734b04
--- /dev/null
+++ b/tools/flask/policy/policy/flask/mkaccess_vector.sh
@@ -0,0 +1,227 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="av_permissions.h"
+av_inherit="av_inherit.h"
+common_perm_to_string="common_perm_to_string.h"
+av_perm_to_string="av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$av_permissions\"
+		inheritfile = \"$av_inherit\"
+		cpermfile = \"$common_perm_to_string\"
+		avpermfile = \"$av_perm_to_string\"
+		"'
+		nextstate = "COMMON_OR_AV";
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
+;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "common"	{ 
+			if (nextstate != "COMMON_OR_AV")
+			{
+				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in common_defined)
+			{
+				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			common_defined[$2] = 1;
+
+			tclass = $2;
+			common_name = $2; 
+			permission = 1;
+
+			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
+
+			nextstate = "COMMON-OPENBRACKET";
+			next;
+		}
+$1 == "class"	{
+			if (nextstate != "COMMON_OR_AV" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			tclass = $2;
+
+			if (tclass in av_defined)
+			{
+				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
+				next;
+			} 
+			av_defined[tclass] = 1;
+
+			inherits = "";
+			permission = 1;
+
+			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "inherits" {			
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
+				next;	
+			}
+
+			if (!($2 in common_defined))
+			{
+				printf("COMMON %s is not defined (line %d).\n", $2, NR);
+				next;
+			}
+
+			inherits = $2;
+			permission = common_base[$2];
+
+			for (combined in common_perms)
+			{
+				split(combined,separate, SUBSEP);
+				if (separate[1] == inherits)
+				{
+					inherited_perms[common_perms[combined]] = separate[2];
+				}
+			}
+
+                        j = 1;
+                        for (i in inherited_perms) {
+                            ind[j] = i + 0;
+                            j++;
+                        }
+                        n = asort(ind);
+			for (i = 1; i <= n; i++) {
+				perm = inherited_perms[ind[i]];
+				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
+				spaces = 40 - (length(perm) + length(tclass));
+				if (spaces < 1)
+				      spaces = 1;
+				for (j = 0; j < spaces; j++) 
+					printf(" ") > outfile; 
+				printf("0x%08xUL\n", ind[i]) > outfile; 
+			}
+			printf("\n") > outfile;
+                        for (i in ind) delete ind[i];
+                        for (i in inherited_perms) delete inherited_perms[i];
+
+			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
+
+			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
+			next;
+		}
+$1 == "{"	{ 
+			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+			    nextstate != "COMMON-OPENBRACKET")
+			{
+				printf("Parse error:  Unexpected { on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+				nextstate = "CLASS-CLOSEBRACKET";
+
+			if (nextstate == "COMMON-OPENBRACKET")
+				nextstate = "COMMON-CLOSEBRACKET";
+		}
+/[a-z][a-z_]*/	{
+			if (nextstate != "COMMON-CLOSEBRACKET" &&
+			    nextstate != "CLASS-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				if ((common_name,$1) in common_perms)
+				{
+					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
+					next;
+				}
+
+				common_perms[common_name,$1] = permission;
+
+				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
+
+				printf("    S_(\"%s\")\n", $1) > cpermfile;
+			}
+			else
+			{
+				if ((tclass,$1) in av_perms)
+				{
+					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
+					next;
+				}
+
+				av_perms[tclass,$1] = permission;
+		
+				if (inherits != "")
+				{
+					if ((inherits,$1) in common_perms)
+					{
+						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
+						next;
+					}
+				}
+
+				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
+
+				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
+			}
+
+			spaces = 40 - (length($1) + length(tclass));
+			if (spaces < 1)
+			      spaces = 1;
+
+			for (i = 0; i < spaces; i++) 
+				printf(" ") > outfile; 
+			printf("0x%08xUL\n", permission) > outfile; 
+			permission = permission * 2;
+		}
+$1 == "}"	{
+			if (nextstate != "CLASS-CLOSEBRACKET" && 
+			    nextstate != "COMMON-CLOSEBRACKET")
+			{
+				printf("Parse error:  Unexpected } on line %d\n", NR);
+				next;
+			}
+
+			if (nextstate == "COMMON-CLOSEBRACKET")
+			{
+				common_base[common_name] = permission;
+				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
+			}
+
+			printf("\n") > outfile;
+
+			nextstate = "COMMON_OR_AV";
+		}
+END	{
+		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+			printf("Parse error:  Unexpected end of file\n");
+
+	}'
+
+# FLASK
diff --git a/tools/flask/policy/policy/flask/mkflask.sh b/tools/flask/policy/policy/flask/mkflask.sh
new file mode 100644
index 0000000000..9c847549e2
--- /dev/null
+++ b/tools/flask/policy/policy/flask/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="flask.h"
+debug_file="class_to_string.h"
+debug_file2="initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN	{
+		outfile = \"$output_file\"
+		debugfile = \"$debug_file\"
+		debugfile2 = \"$debug_file2\"
+		"'
+		nextstate = "CLASS";
+
+		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
+
+		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+		printf("#define _SELINUX_FLASK_H_\n") > outfile;
+		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
+		printf("/*\n * Security object class definitions\n */\n") > debugfile;
+		printf("    S_(\"null\")\n") > debugfile;
+		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
+		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
+		printf("    \"null\",\n") > debugfile2;
+	}
+/^[ \t]*#/	{ 
+			next;
+		}
+$1 == "class"	{ 
+			if (nextstate != "CLASS")
+			{
+				printf("Parse error:  Unexpected class definition on line %d\n", NR);
+				next;	
+			}
+
+			if ($2 in class_found)
+			{
+				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			class_found[$2] = 1;
+
+			class_value++;
+
+			printf("#define SECCLASS_%s", toupper($2)) > outfile;
+			for (i = 0; i < 40 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", class_value) > outfile; 
+
+			printf("    S_(\"%s\")\n", $2) > debugfile;
+		}
+$1 == "sid"	{ 
+			if (nextstate == "CLASS")
+			{
+			    nextstate = "SID";
+			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
+			}
+
+			if ($2 in sid_found)
+			{
+				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
+				next;
+			}	
+			sid_found[$2] = 1;
+			sid_value++;
+
+			printf("#define SECINITSID_%s", toupper($2)) > outfile;
+			for (i = 0; i < 37 - length($2); i++) 
+				printf(" ") > outfile; 
+			printf("%d\n", sid_value) > outfile; 
+			printf("    \"%s\",\n", $2) > debugfile2;
+		}
+END	{
+		if (nextstate != "SID")
+			printf("Parse error:  Unexpected end of file\n");
+
+		printf("\n#define SECINITSID_NUM") > outfile;
+		for (i = 0; i < 34; i++) 
+			printf(" ") > outfile; 
+		printf("%d\n", sid_value) > outfile; 
+		printf("\n#endif\n") > outfile;
+		printf("};\n\n") > debugfile2;
+	}'
+
+# FLASK
diff --git a/tools/flask/policy/policy/flask/security_classes b/tools/flask/policy/policy/flask/security_classes
new file mode 100644
index 0000000000..2ca35d277b
--- /dev/null
+++ b/tools/flask/policy/policy/flask/security_classes
@@ -0,0 +1,20 @@
+# FLASK
+
+#
+# Define the security object classes 
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class xen
+class domain
+class hvm
+class mmu
+class resource
+class shadow
+class event
+class grant
+class security
+
+# FLASK
diff --git a/tools/flask/policy/policy/global_booleans b/tools/flask/policy/policy/global_booleans
new file mode 100644
index 0000000000..4c13cfb062
--- /dev/null
+++ b/tools/flask/policy/policy/global_booleans
@@ -0,0 +1,5 @@
+#
+# This file is for the declaration of global booleans.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
diff --git a/tools/flask/policy/policy/global_tunables b/tools/flask/policy/policy/global_tunables
new file mode 100644
index 0000000000..801b27ec2e
--- /dev/null
+++ b/tools/flask/policy/policy/global_tunables
@@ -0,0 +1,6 @@
+#
+# This file is for the declaration of global tunables.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
+
diff --git a/tools/flask/policy/policy/mcs b/tools/flask/policy/policy/mcs
new file mode 100644
index 0000000000..a3cef61f91
--- /dev/null
+++ b/tools/flask/policy/policy/mcs
@@ -0,0 +1,324 @@
+ifdef(`enable_mcs',`
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+
+') dnl end enable_mcs
diff --git a/tools/flask/policy/policy/mls b/tools/flask/policy/policy/mls
new file mode 100644
index 0000000000..a598ebe257
--- /dev/null
+++ b/tools/flask/policy/policy/mls
@@ -0,0 +1,354 @@
+
+ifdef(`enable_mls',`
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+sensitivity s3;
+sensitivity s4;
+sensitivity s5;
+sensitivity s6;
+sensitivity s7;
+sensitivity s8;
+sensitivity s9;
+sensitivity s10;
+sensitivity s11;
+sensitivity s12;
+sensitivity s13;
+sensitivity s14;
+sensitivity s15;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
+
+
+#
+# Each MLS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+level s1:c0.c255;
+level s2:c0.c255;
+level s3:c0.c255;
+level s4:c0.c255;
+level s5:c0.c255;
+level s6:c0.c255;
+level s7:c0.c255;
+level s8:c0.c255;
+level s9:c0.c255;
+level s10:c0.c255;
+level s11:c0.c255;
+level s12:c0.c255;
+level s13:c0.c255;
+level s14:c0.c255;
+level s15:c0.c255;
+
+
+#
+# Define the MLS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+
+') dnl end enable_mls
diff --git a/tools/flask/policy/policy/modules.conf b/tools/flask/policy/policy/modules.conf
new file mode 100644
index 0000000000..1031c59012
--- /dev/null
+++ b/tools/flask/policy/policy/modules.conf
@@ -0,0 +1,21 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: xen
+# Module: xen
+# Required in base
+#
+# Policy for xen.
+# 
+xen = base
+
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
new file mode 100644
index 0000000000..792d600548
--- /dev/null
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -0,0 +1 @@
+#
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
new file mode 100644
index 0000000000..70fbfc0774
--- /dev/null
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -0,0 +1,135 @@
+attribute xen_type;
+attribute domain_type;
+attribute resource_type;
+attribute event_type;
+
+type xen_t, xen_type, domain_type;
+
+type dom0_t, domain_type;
+
+type domio_t, domain_type;
+
+type domxen_t, domain_type;
+
+type unlabeled_t, domain_type;
+
+type security_t, domain_type;
+
+type pirq_t, resource_type;
+type ioport_t, resource_type;
+type iomem_t, resource_type;
+type device_t, resource_type;
+
+################################################################################
+#
+# create_domain(priv_dom, domain, channel)
+#
+################################################################################
+define(`create_domain', `
+	type $2, domain_type;
+	allow $1 $2:domain {create max_vcpus setdomainmaxmem 
+				setaddrsize getdomaininfo hypercall 
+				setvcpucontext scheduler unpause 
+				getvcpuinfo getaddrsize getvcpuaffinity};
+	allow $1 $2:shadow {enable};
+	allow $1 $2:mmu {map_read map_write memorymap adjust pinpage};
+	allow $2 $2:mmu {map_read map_write pinpage};
+	allow $2 domio_t:mmu {map_read};
+	allow $2 $2:grant {query setup};
+	allow $1 $2:grant {map_read unmap};
+	allow $1 $3:event {create};
+')
+
+################################################################################
+#
+# manage_domain(priv_dom, domain)
+#
+################################################################################
+define(`manage_domain', `
+	allow $1 $2:domain {pause destroy};
+')
+
+################################################################################
+#
+# create_channel(caller, peer, channel)
+#
+################################################################################
+define(`create_channel', `
+	type $3, event_type;
+	type_transition $1 $2:event $3;
+	allow $1 $3:event {create};
+	allow $3 $2:event {bind};
+')
+
+################################################################################
+#
+# Boot the hypervisor and dom0
+#
+################################################################################
+allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del 
+scheduler physinfo heap quirk readconsole writeconsole settime microcode};
+
+allow dom0_t domio_t:mmu {map_read map_write};
+allow dom0_t iomem_t:mmu {map_read map_write};
+allow dom0_t pirq_t:event {vector};
+allow dom0_t xen_t:mmu {memorymap};
+
+allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust};
+allow dom0_t dom0_t:grant {query setup};
+allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo getvcpuaffinity};
+
+allow xen_t dom0_t:domain {create};
+allow xen_t dom0_t:resource {add remove};
+allow xen_t ioport_t:resource {add_ioport remove_ioport};
+allow dom0_t ioport_t:resource {use};
+allow xen_t iomem_t:resource {add_iomem remove_iomem};
+allow dom0_t iomem_t:resource {use};
+allow xen_t pirq_t:resource {add_irq remove_irq};
+allow dom0_t pirq_t:resource {use};
+
+allow dom0_t security_t:security {compute_av compute_create compute_member 
+check_context load_policy compute_relabel compute_user setenforce setbool
+setsecparam};
+
+create_channel(dom0_t, dom0_t, evchn0-0_t)
+allow dom0_t evchn0-0_t:event {send};
+
+################################################################################
+#
+# Create and manage a domU w/ dom0 IO
+#
+################################################################################
+create_domain(dom0_t, domU_t, evchnU-0_t)
+
+create_channel(domU_t, domU_t, evchnU-U_t)
+allow domU_t evchnU-U_t:event {send};
+
+create_channel(dom0_t, domU_t, evchn0-U_t)
+allow dom0_t evchn0-U_t:event {send};
+
+create_channel(domU_t, dom0_t, evchnU-0_t)
+allow domU_t evchnU-0_t:event {send};
+
+manage_domain(dom0_t, domU_t)
+
+################################################################################
+#
+#
+#
+################################################################################
+sid xen gen_context(system_u:system_r:xen_t,s0)
+sid dom0 gen_context(system_u:system_r:dom0_t,s0)
+sid domU gen_context(system_u:system_r:domU_t,s0)
+sid domxen gen_context(system_u:system_r:domxen_t,s0)
+sid domio gen_context(system_u:system_r:domio_t,s0)
+sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
+sid security gen_context(system_u:system_r:security_t,s0)
+sid pirq gen_context(system_u:object_r:pirq_t,s0)
+sid iomem gen_context(system_u:object_r:iomem_t,s0)
+sid ioport gen_context(system_u:object_r:ioport_t,s0)
+sid device gen_context(system_u:object_r:device_t,s0)
+
+role system_r types { xen_type domain_type };
+role user_r types { xen_type domain_type };
+role sysadm_r types { xen_type domain_type };
+role staff_r types { xen_type domain_type };
diff --git a/tools/flask/policy/policy/support/loadable_module.spt b/tools/flask/policy/policy/support/loadable_module.spt
new file mode 100644
index 0000000000..de48b3ba49
--- /dev/null
+++ b/tools/flask/policy/policy/support/loadable_module.spt
@@ -0,0 +1,166 @@
+########################################
+#
+# Macros for switching between source policy
+# and loadable policy module support
+#
+
+##############################
+#
+# For adding the module statement
+#
+define(`policy_module',`
+	ifdef(`self_contained_policy',`',`
+		module $1 $2;
+
+		require {
+			role system_r;
+			all_kernel_class_perms
+		}
+	')
+')
+
+##############################
+#
+# For use in interfaces, to optionally insert a require block
+#
+define(`gen_require',`
+	ifdef(`self_contained_policy',`',`
+		define(`in_gen_require_block')
+		require {
+			$1
+		}
+		undefine(`in_gen_require_block')
+	')
+')
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# template(name,rules)
+#
+define(`template',`
+	`define(`$1',`
+##### begin $1(dollarsstar)
+		$2
+##### end $1(dollarsstar)
+	'')
+')
+
+# helper function, since m4 wont expand macros
+# if a line is a comment (#):
+define(`policy_m4_comment',`dnl
+##### $2 depth: $1
+')dnl
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# interface(name,rules)
+#
+define(`interface',`
+	`define(`$1',`
+
+	define(`policy_temp',incr(policy_call_depth))
+	pushdef(`policy_call_depth',policy_temp)
+	undefine(`policy_temp')
+
+	policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar))
+
+	$2
+
+	define(`policy_temp',decr(policy_call_depth))
+	pushdef(`policy_call_depth',policy_temp)
+	undefine(`policy_temp')
+
+	policy_m4_comment(policy_call_depth,end `$1'(dollarsstar))
+
+	'')
+')
+
+define(`policy_call_depth',0)
+
+##############################
+#
+# Optional policy handling
+#
+define(`optional_policy',`
+	ifdef(`self_contained_policy',`
+		ifdef(`$1',`$2',`$3')
+	',`
+		optional {
+			$2
+		ifelse(`$3',`',`',`
+		} else {
+			$3
+		')
+		}
+	')
+')
+
+##############################
+#
+# Determine if we should use the default
+# tunable value as specified by the policy
+# or if the override value should be used
+#
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
+
+##############################
+#
+# Extract booleans out of an expression.
+# This needs to be reworked so expressions
+# with parentheses can work.
+
+define(`delcare_required_symbols',`
+ifelse(regexp($1, `\w'), -1, `', `dnl
+bool regexp($1, `\(\w+\)', `\1');
+delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
+') dnl
+')
+
+##############################
+#
+# Tunable declaration
+#
+define(`gen_tunable',`
+	ifdef(`self_contained_policy',`
+		bool $1 dflt_or_overr(`$1'_conf,$2);
+	',`
+		# loadable module tunable
+		# declaration will go here
+		# instead of bool when
+		# loadable modules support
+		# tunables
+		bool $1 dflt_or_overr(`$1'_conf,$2);
+	')
+')
+
+##############################
+#
+# Tunable policy handling
+#
+define(`tunable_policy',`
+	ifdef(`self_contained_policy',`
+		if (`$1') {
+			$2
+		} else {
+			$3
+		}
+	',`
+		# structure for tunables
+		# will go here instead of a
+		# conditional when loadable
+		# modules support tunables
+		gen_require(`
+			delcare_required_symbols(`$1')
+		')
+
+		if (`$1') {
+			$2
+		} else {
+			$3
+		}
+	')
+')
diff --git a/tools/flask/policy/policy/support/misc_macros.spt b/tools/flask/policy/policy/support/misc_macros.spt
new file mode 100644
index 0000000000..ce94e03d8b
--- /dev/null
+++ b/tools/flask/policy/policy/support/misc_macros.spt
@@ -0,0 +1,32 @@
+
+########################################
+#
+# Helper macros
+#
+
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+########################################
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
+
+########################################
+#
+# gen_context(context,mls_sensitivity,[mcs_categories])
+#
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
+
+########################################
+#
+# gen_bool(name,default_value)
+#
+define(`gen_bool',`
+	bool $1 dflt_or_overr(`$1'_conf,$2);
+')
diff --git a/tools/flask/policy/policy/systemuser b/tools/flask/policy/policy/systemuser
new file mode 100644
index 0000000000..35499f8515
--- /dev/null
+++ b/tools/flask/policy/policy/systemuser
@@ -0,0 +1,19 @@
+##################################
+#
+# System User configuration.
+#
+
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
+
+# Normal users should not be added to this file,
+# but instead added to the users file.
diff --git a/tools/flask/policy/policy/users b/tools/flask/policy/policy/users
new file mode 100644
index 0000000000..88a516e39c
--- /dev/null
+++ b/tools/flask/policy/policy/users
@@ -0,0 +1,39 @@
+
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined.  The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user.  If you do not want to
+# permit any access to such users, then remove this entry.
+#
+ifdef(`targeted_policy',`
+gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+',`
+gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
+')
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell.  Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+ifdef(`targeted_policy',`
+	gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
+',`
+	ifdef(`direct_sysadm_daemon',`
+		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127)
+	',`
+		gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
+	')
+')