authorKeir Fraser <keir.fraser@citrix.com>2008-09-04 11:26:25 +0100
committerKeir Fraser <keir.fraser@citrix.com>2008-09-04 11:26:25 +0100
commit3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8 (patch)
tree9ad863524d59aff303bf67434c3dec8b45bae7bc /tools/flask/policy
parentaff2988ad524ed3835bd0c402f8ec25264db61ea (diff)
downloadxen-3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8.tar.gz
xen-3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8.tar.bz2
xen-3129d6f2ead5be7c75078b1f7325d5a1e6d5e4d8.zip
xsm, flask: sample flask policy
- The patch includes a policy for xen that can be booted into enforcing mode and supports creation and management of paravirtualized guests. The policy follows the dom0/domU usage model; extension to other models or the addition of management or IO permissions should be much more straightforward now. The option flask_enforcing=1 can be passed on the xen line in grub to boot into enforcing mode. - The policy provides a basic policy for booting the platform and creating a domU with the label system_u:object_r:domU_t. The policy can be easily extended to support new types by modifying the xen.te source file. - The policy includes some basic macros which may be helpful in extending the policy. - The policy is compatible with and requires the most recent XSM patch, xsm-flask-io-sysctl-hooks-090308.diff. - The policy is not built as part of the make all as it requires the SELinux policy compiler which may or may not be installed on all systems. Users must go into the tools/flask/policy directory and explicitly compile the policy. Signed-off-by: George Coker <gscoker@alpha.ncsc.mil>
Diffstat (limited to 'tools/flask/policy')
-rw-r--r--tools/flask/policy/Makefile234
-rw-r--r--tools/flask/policy/Rules.modular166
-rw-r--r--tools/flask/policy/Rules.monolithic196
-rw-r--r--tools/flask/policy/policy/constraints27
-rw-r--r--tools/flask/policy/policy/flask/Makefile41
-rw-r--r--tools/flask/policy/policy/flask/access_vectors166
-rw-r--r--tools/flask/policy/policy/flask/initial_sids17
-rw-r--r--tools/flask/policy/policy/flask/mkaccess_vector.sh227
-rw-r--r--tools/flask/policy/policy/flask/mkflask.sh95
-rw-r--r--tools/flask/policy/policy/flask/security_classes20
-rw-r--r--tools/flask/policy/policy/global_booleans5
-rw-r--r--tools/flask/policy/policy/global_tunables6
-rw-r--r--tools/flask/policy/policy/mcs324
-rw-r--r--tools/flask/policy/policy/mls354
-rw-r--r--tools/flask/policy/policy/modules.conf21
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.if1
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te135
-rw-r--r--tools/flask/policy/policy/support/loadable_module.spt166
-rw-r--r--tools/flask/policy/policy/support/misc_macros.spt32
-rw-r--r--tools/flask/policy/policy/systemuser19
-rw-r--r--tools/flask/policy/policy/users39
21 files changed, 2291 insertions, 0 deletions
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
new file mode 100644
index 0000000000..069b232128
--- /dev/null
+++ b/tools/flask/policy/Makefile
@@ -0,0 +1,234 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+#
+# install - compile and install the policy configuration, and context files.
+# load - compile, install, and load the policy configuration.
+# reload - compile, install, and load/reload the policy configuration.
+# policy - compile the policy configuration locally for testing/development.
+#
+# The default target is 'policy'.
+#
+
+########################################
+#
+# Configurable portions of the Makefile
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version.
+OUTPUT_POLICY = 20
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = strict
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = xenrefpolicy
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, and suse are current options.
+# Fedora users should enable redhat.
+#DISTRO =
+
+# Build monolithic policy. Putting n here
+# will build a loadable module policy.
+MONOLITHIC=y
+
+# Uncomment this to disable command echoing
+#QUIET:=@
+
+########################################
+#
+# NO OPTIONS BELOW HERE
+#
+
+# executable paths
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKPOLICY := $(BINDIR)/checkpolicy
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+LOADPOLICY := $(SBINDIR)/flask-loadpolicy
+
+CFLAGS := -Wall
+
+# policy source layout
+POLDIR := policy
+MODDIR := $(POLDIR)/modules
+FLASKDIR := $(POLDIR)/flask
+SECCLASS := $(FLASKDIR)/security_classes
+ISIDS := $(FLASKDIR)/initial_sids
+AVS := $(FLASKDIR)/access_vectors
+
+#policy building support tools
+SUPPORT := support
+FCSORT := tmp/fc_sort
+
+# config file paths
+GLOBALTUN := $(POLDIR)/global_tunables
+GLOBALBOOL := $(POLDIR)/global_booleans
+MOD_CONF := $(POLDIR)/modules.conf
+TUNABLES := $(POLDIR)/tunables.conf
+BOOLEANS := $(POLDIR)/booleans.conf
+
+# install paths
+TOPDIR = $(DESTDIR)/etc/xen/
+INSTALLDIR = $(TOPDIR)/$(NAME)
+SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
+CONTEXTPATH = $(INSTALLDIR)/contexts
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+ override M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+ override M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+ override M4PARAM += -D targeted_policy
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ override M4PARAM += -D distro_$(DISTRO)
+endif
+
+ifneq ($(OUTPUT_POLICY),)
+ CHECKPOLICY += -c $(OUTPUT_POLICY)
+endif
+
+ifeq ($(NAME),)
+ NAME := $(TYPE)
+endif
+
+# determine the policy version and current kernel version if possible
+PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
+KV := $(shell cat /selinux/policyvers)
+
+# dont print version warnings if we are unable to determine
+# the currently running kernel's policy version
+ifeq ($(KV),)
+ KV := $(PV)
+endif
+
+FC := file_contexts
+POLVER := policy.$(PV)
+
+M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
+
+APPCONF := config/appconfig-$(TYPE)
+APPDIR := $(CONTEXTPATH)
+APPFILES := $(INSTALLDIR)/booleans
+CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
+USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users
+
+ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
+
+GENERATED_TE := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te.in)))
+GENERATED_IF := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if.in)))
+GENERATED_FC := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc.in)))
+
+# sort here since it removes duplicates, which can happen
+# when a generated file is already generated
+DETECTED_MODS := $(sort $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te)) $(GENERATED_TE))
+
+# modules.conf setting for base module
+MODBASE := base
+
+# modules.conf setting for module
+MODMOD := module
+
+# extract settings from modules.conf
+BASE_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODBASE)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
+MOD_MODS := $(foreach mod,$(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null),$(subst ./,,$(shell find -iname $(mod).te)))
+
+HOMEDIR_TEMPLATE = tmp/homedir_template
+
+########################################
+#
+# Load appropriate rules
+#
+
+ifeq ($(MONOLITHIC),y)
+ include Rules.monolithic
+else
+ include Rules.modular
+endif
+
+########################################
+#
+# Create config files
+#
+conf: $(MOD_CONF) $(BOOLEANS) $(GENERATED_TE) $(GENERATED_IF) $(GENERATED_FC)
+
+$(MOD_CONF) $(BOOLEANS): $(POLXML)
+ @echo "Updating $(MOD_CONF) and $(BOOLEANS)"
+ $(QUIET) cd $(DOCS) && ../$(GENDOC) -t ../$(BOOLEANS) -m ../$(MOD_CONF) -x ../$(POLXML)
+
+########################################
+#
+# Appconfig files
+#
+install-appconfig: $(APPFILES)
+
+$(INSTALLDIR)/booleans: $(BOOLEANS)
+ @mkdir -p $(INSTALLDIR)
+ $(QUIET) egrep '^[[:blank:]]*[[:alpha:]]' $(BOOLEANS) \
+ | sed -e 's/false/0/g' -e 's/true/1/g' > tmp/booleans
+ $(QUIET) install -m 644 tmp/booleans $@
+
+########################################
+#
+# Install policy sources
+#
+install-src:
+ rm -rf $(SRCPATH)/policy.old
+ -mv $(SRCPATH)/policy $(SRCPATH)/policy.old
+ mkdir -p $(SRCPATH)/policy
+ cp -R . $(SRCPATH)/policy
+
+########################################
+#
+# Clean everything
+#
+bare: clean
+ rm -f $(POLXML)
+ rm -f $(SUPPORT)/*.pyc
+ rm -f $(FCSORT)
+ rm -f $(MOD_CONF)
+ rm -f $(BOOLEANS)
+ rm -fR $(HTMLDIR)
+ifneq ($(GENERATED_TE),)
+ rm -f $(GENERATED_TE)
+endif
+ifneq ($(GENERATED_IF),)
+ rm -f $(GENERATED_IF)
+endif
+ifneq ($(GENERATED_FC),)
+ rm -f $(GENERATED_FC)
+endif
+
+.PHONY: install-src install-appconfig conf html bare
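Review bot: The `$(MOD_CONF) $(BOOLEANS): $(POLXML)` rule behind `conf` expands `$(DOCS)`, `$(GENDOC)` and `$(POLXML)`, none of which is defined in this Makefile (the `bare` target's `$(HTMLDIR)` and the `html` entry in `.PHONY` are the same leftover), so `make conf` runs `cd  && ../ -t ../policy/booleans.conf ...` and fails; either carry the definitions over or drop the rule and document that the checked-in modules.conf is the one to edit. Separately, `KV := $(shell cat /selinux/policyvers)` reads the host kernel's SELinux policy version, which has no relation to the Xen hypervisor this policy is loaded into, so the PV/KV mismatch warning driven by it is misleading rather than protective; a comment such as `# KV is the host SELinux policy version, not Xen's; only used for the version warning` would flag this until a hypervisor-side query exists. `TOPDIR = $(DESTDIR)/etc/xen/` also carries a trailing slash that `$(TOPDIR)/$(NAME)` doubles, and `CFLAGS := -Wall` is never used in this file.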
diff --git a/tools/flask/policy/Rules.modular b/tools/flask/policy/Rules.modular
new file mode 100644
index 0000000000..798f989689
--- /dev/null
+++ b/tools/flask/policy/Rules.modular
@@ -0,0 +1,166 @@
+########################################
+#
+# Rules and Targets for building modular policies
+#
+
+ALL_MODULES := $(filter $(BASE_MODS) $(MOD_MODS),$(DETECTED_MODS))
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+
+BASE_PKG := base.pp
+BASE_FC := base.fc
+
+BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+
+BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
+BASE_TE_FILES := $(BASE_MODS)
+BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
+BASE_FC_FILES := $(BASE_MODS:.te=.fc)
+
+MOD_MODULES := $(MOD_MODS:.te=.mod)
+MOD_PKGS := $(notdir $(MOD_MODS:.te=.pp))
+
+# search layer dirs for source files
+vpath %.te $(ALL_LAYERS)
+vpath %.if $(ALL_LAYERS)
+vpath %.fc $(ALL_LAYERS)
+
+########################################
+#
+# default action: create all module packages
+#
+default: base
+
+base: $(BASE_PKG)
+
+modules: $(MOD_PKGS)
+
+#policy: $(POLVER)
+#install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+#load: tmp/load
+
+########################################
+#
+# Create a base module package
+#
+$(BASE_PKG): tmp/base.mod $(BASE_FC)
+ @echo "Creating $(NAME) base module package"
+ $(QUIET) $(SEMOD_PKG) $@ $^
+
+########################################
+#
+# Compile a base module
+#
+tmp/base.mod: base.conf
+ @echo "Compiling $(NAME) base module"
+ $(QUIET) $(CHECKMODULE) $^ -o $@
+
+########################################
+#
+# Construct a base module policy.conf
+#
+base.conf: $(BASE_SECTIONS)
+ @echo "Creating $(NAME) base module policy.conf"
+# checkpolicy can use the #line directives provided by -s for error reporting:
+ $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
+ $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
+# the ordering of these ocontexts matters:
+ $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
+ $(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
+ $(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true
+
+tmp/pre_te_files.conf: $(BASE_PRE_TE_FILES)
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ > $@
+
+tmp/generated_definitions.conf: $(ALL_LAYERS) $(BASE_TE_FILES)
+ @test -d tmp || mkdir -p tmp
+# define all available object classes
+ $(QUIET) $(GENPERM) $(AVS) $(SECCLASS) > $@
+# per-userdomain templates
+ $(QUIET) echo "define(\`per_userdomain_templates',\`" >> $@
+ $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
+ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
+ >> $@ ;\
+ done
+ $(QUIET) echo "')" >> $@
+# define foo.te
+ $(QUIET) for i in $(notdir $(BASE_TE_FILES)); do \
+ echo "define(\`$$i')" >> $@ ;\
+ done
+ $(QUIET) $(SETTUN) $(BOOLEANS) >> $@
+
+tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+ifeq ($(ALL_INTERFACES),)
+ $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+tmp/all_te_files.conf: $(BASE_TE_FILES)
+ifeq ($(BASE_TE_FILES),)
+ $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ > $@
+
+tmp/post_te_files.conf: $(BASE_POST_TE_FILES)
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last. portcon, nodecon, and netifcon
+# is delayed since they are generated by m4
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
+ $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
+ $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
+ $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+ $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+ $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
+ $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
+ $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
+ -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
+ < tmp/all_te_files.conf > tmp/only_te_rules.conf
+
+########################################
+#
+# Construct base module file contexts
+#
+$(BASE_FC): $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) $(FCSORT)
+ifeq ($(BASE_FC_FILES),)
+ $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+ @echo "Creating $(NAME) base module file contexts."
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(BASE_FC_FILES) > tmp/$@.tmp
+ $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
+ $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
+ $(QUIET) $(FCSORT) tmp/$@.tmp $@
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
+ @if test -z "$(filter $^,$(MOD_MODS))"; then \
+ echo "The $(notdir $(basename $@)) module is not configured to be compiled as a lodable module." ;\
+ false ;\
+ fi
+ @echo "Compliling $(NAME) $(@F) module"
+ $(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+%.pp: tmp/%.mod %.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ $(QUIET) $(SEMOD_PKG) $@ $^
+
+########################################
+#
+# Clean the sources
+#
+clean:
+ rm -fR tmp
+ rm -f base.conf
+ rm -f *.pp
+ rm -f $(BASE_FC)
+
+.PHONY: default base modules clean
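Review bot: The `tmp/generated_definitions.conf` recipe runs `$(GENPERM) $(AVS) $(SECCLASS) > $@` and `$(SETTUN) $(BOOLEANS) >> $@`, but neither GENPERM nor SETTUN is defined here or in the top-level Makefile, so the first command expands to executing `policy/flask/access_vectors` itself and the modular build cannot get past this target. Rules.monolithic in the same commit already dropped the GENPERM line (its first command is `$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@`) and commented out SETTUN, so the same edit is needed in this file. `$(BASE_FC)` likewise lists `$(FCSORT)` (`tmp/fc_sort`) as a prerequisite, and no rule in either file shown builds it. Two echo strings also carry typos, `lodable` and `Compliling`.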
diff --git a/tools/flask/policy/Rules.monolithic b/tools/flask/policy/Rules.monolithic
new file mode 100644
index 0000000000..03147a1a13
--- /dev/null
+++ b/tools/flask/policy/Rules.monolithic
@@ -0,0 +1,196 @@
+########################################
+#
+# Rules and Targets for building monolithic policies
+#
+
+# install paths
+POLICYPATH = $(INSTALLDIR)/policy
+LOADPATH = $(POLICYPATH)/$(POLVER)
+FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
+
+# for monolithic policy use all base and module to create policy
+ENABLEMOD := $(BASE_MODS) $(MOD_MODS)
+
+ALL_MODULES := $(filter $(ENABLEMOD),$(DETECTED_MODS))
+
+ALL_INTERFACES := $(ALL_MODULES:.te=.if)
+ALL_TE_FILES := $(ALL_MODULES)
+ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
+
+PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
+POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
+
+POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+
+########################################
+#
+# default action: build policy locally
+#
+default: policy
+
+policy: $(POLVER)
+
+install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+
+load: tmp/load
+
+########################################
+#
+# Build a binary policy locally
+#
+$(POLVER): policy.conf
+ @echo "Compiling $(NAME) $(POLVER)"
+ifneq ($(PV),$(KV))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ $(QUIET) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Install a binary policy
+#
+$(LOADPATH): policy.conf
+ @mkdir -p $(POLICYPATH)
+ @echo "Compiling and installing $(NAME) $(LOADPATH)"
+ifneq ($(PV),$(KV))
+ @echo
+ @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
+ @echo
+endif
+ $(QUIET) $(CHECKPOLICY) $^ -o $@
+
+########################################
+#
+# Load the binary policy
+#
+reload tmp/load: $(LOADPATH) $(FCPATH)
+ @echo "Loading $(NAME) $(LOADPATH)"
+ $(QUIET) $(LOADPOLICY) -q $(LOADPATH)
+ @touch tmp/load
+
+########################################
+#
+# Construct a monolithic policy.conf
+#
+policy.conf: $(POLICY_SECTIONS)
+ @echo "Creating $(NAME) policy.conf"
+# checkpolicy can use the #line directives provided by -s for error reporting:
+ $(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > tmp/$@.tmp
+ $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
+
+tmp/pre_te_files.conf: $(PRE_TE_FILES)
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ > $@
+
+tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES)
+# per-userdomain templates:
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
+ $(QUIET) for i in $(patsubst %.te,%,$(notdir $(ALL_MODULES))); do \
+ echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$*'")')" \
+ >> $@ ;\
+ done
+ $(QUIET) echo "')" >> $@
+# define foo.te
+ $(QUIET) for i in $(notdir $(ALL_MODULES)); do \
+ echo "define(\`$$i')" >> $@ ;\
+ done
+# $(QUIET) $(SETTUN) $(BOOLEANS) >> $@
+
+tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
+ifeq ($(ALL_INTERFACES),)
+ $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+tmp/all_te_files.conf: $(ALL_TE_FILES)
+ifeq ($(ALL_TE_FILES),)
+ $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ > $@
+
+tmp/post_te_files.conf: $(POST_TE_FILES)
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) cat $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last. portcon, nodecon, and netifcon
+# is delayed since they are generated by m4
+tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
+ $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
+ $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
+ $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+ $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+ $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
+ $(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
+ $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
+ -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
+ < tmp/all_te_files.conf > tmp/only_te_rules.conf
+
+########################################
+#
+# Remove the dontaudit rules from the policy.conf
+#
+enableaudit: policy.conf
+ @test -d tmp || mkdir -p tmp
+ @echo "Removing dontaudit rules from policy.conf"
+ $(QUIET) grep -v dontaudit policy.conf > tmp/policy.audit
+ $(QUIET) mv tmp/policy.audit policy.conf
+
+########################################
+#
+# Construct file_contexts
+#
+$(FC): $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES)
+ifeq ($(ALL_FC_FILES),)
+ $(error No enabled modules! $(notdir $(MOD_CONF)) may need to be generated by using "make conf")
+endif
+ @echo "Creating $(NAME) file_contexts."
+ @test -d tmp || mkdir -p tmp
+ $(QUIET) m4 $(M4PARAM) $(M4SUPPORT) tmp/generated_definitions.conf $(ALL_FC_FILES) > tmp/$@.tmp
+# $(QUIET) grep -e HOME -e ROLE tmp/$@.tmp > $(HOMEDIR_TEMPLATE)
+# $(QUIET) sed -i -e /HOME/d -e /ROLE/d tmp/$@.tmp
+# $(QUIET) $(FCSORT) tmp/$@.tmp $@
+ $(QUIET) touch $(HOMEDIR_TEMPLATE)
+ $(QUIET) touch $@
+
+########################################
+#
+# Install file_contexts
+#
+$(FCPATH): $(FC) $(LOADPATH) $(USERPATH)/system.users
+ @echo "Validating $(NAME) file_contexts."
+# $(QUIET) $(SETFILES) -q -c $(LOADPATH) $(FC)
+ @echo "Installing file_contexts."
+ @mkdir -p $(CONTEXTPATH)/files
+ $(QUIET) install -m 644 $(FC) $(FCPATH)
+ $(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+# $(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(NAME) $(USEPWD)
+
+########################################
+#
+# Run policy source checks
+#
+check: policy.conf $(FC)
+ $(SECHECK) -s --profile=development --policy=policy.conf --fcfile=$(FC) > $@.res
+
+longcheck: policy.conf $(FC)
+ $(SECHECK) -s --profile=all --policy=policy.conf --fcfile=$(FC) > $@.res
+
+########################################
+#
+# Clean the sources
+#
+clean:
+ rm -fR tmp
+ rm -f policy.conf
+ rm -f policy.$(PV)
+ rm -f $(FC)
+ rm -f *.res
+
+.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
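Review bot: `install` depends on `$(USERPATH)/local.users` and `$(FCPATH)` on `$(USERPATH)/system.users`, but no rule in this file or in the Makefile produces either, so `make install` stops with "No rule to make target"; `USER_FILES` is still defined in the Makefile, so the rule that installed those files into `$(USERPATH)` appears to have been dropped and should be restored, or the two prerequisites removed. In the `$(FCPATH)` recipe the "Validating $(NAME) file_contexts." message is printed while the `$(SETFILES)` command below it is commented out, so nothing is validated; the message should go with the command. `$(FC)` runs m4 and then only `touch`es `$@`, so the installed file_contexts is always empty — if that is intentional for Xen, a comment such as `# Xen has no filesystem objects to label; file_contexts is kept only to satisfy the install layout` would save the next reader a search. The PV/KV mismatch warning in `$(POLVER)` and `$(LOADPATH)` compares checkpolicy against `/selinux/policyvers`, the host kernel's SELinux version, which says nothing about the hypervisor the policy is loaded into.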
diff --git a/tools/flask/policy/policy/constraints b/tools/flask/policy/policy/constraints
new file mode 100644
index 0000000000..beb949c9b6
--- /dev/null
+++ b/tools/flask/policy/policy/constraints
@@ -0,0 +1,27 @@
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_op r2
+# | t1 op t2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+#
+# op : == | !=
+# role_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
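Review bot: The file holds only the grammar comment and no `constrain` statement, so a reader cannot tell whether constraints were deliberately left out of this first policy or the content went missing; a line after the grammar such as `# The sample policy defines no constraints; add constrain statements below.` would make the intent explicit. Rules.monolithic concatenates this file into policy.conf as one of the POST_TE_FILES, so it is parsed even when empty.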
diff --git a/tools/flask/policy/policy/flask/Makefile b/tools/flask/policy/policy/flask/Makefile
new file mode 100644
index 0000000000..970b9fedce
--- /dev/null
+++ b/tools/flask/policy/policy/flask/Makefile
@@ -0,0 +1,41 @@
+# flask needs to know where to export the libselinux headers.
+LIBSEL ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUXDIR ?= ../../../linux-2.6
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+ else if [ -x /bin/bash ]; then echo /bin/bash; \
+ else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = security_classes initial_sids
+AV_H_DEPEND = access_vectors
+
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+all: $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+ $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+ $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+tolib: all
+ install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
+ install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
+
+tokern: all
+ install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:
+ rm -f $(FLASK_H_FILES)
+ rm -f $(AV_H_FILES)
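Review bot: `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` are multi-target rules with one recipe, which Make treats as a separate rule per output; under `make -j` the same mkflask.sh or mkaccess_vector.sh invocation can run three or four times concurrently, each rewriting every header while another copy is still writing it. The usual fix is a stamp target, `flask.stamp: $(FLASK_H_DEPEND)` running the script then `touch $@`, with `$(FLASK_H_FILES): flask.stamp` as an empty-recipe dependency, and the same for the av headers. `LIBSEL`, `LINUXDIR`, `tolib` and `tokern` are inherited from the Linux SELinux tree; `../../libselinux` and `../../../linux-2.6` are not provided by this commit, so these targets should either be documented as out-of-tree conveniences or removed.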
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
new file mode 100644
index 0000000000..0df71d0a46
--- /dev/null
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -0,0 +1,166 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+#
+# Define a common prefix for file access vectors.
+#
+
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class xen
+{
+ scheduler
+ settime
+ tbufcontrol
+ readconsole
+ clearconsole
+ perfcontrol
+ mtrr_add
+ mtrr_del
+ mtrr_read
+ microcode
+ physinfo
+ quirk
+ writeconsole
+ readapic
+ writeapic
+ privprofile
+ nonprivprofile
+ kexec
+ firmware
+ sleep
+ frequency
+ getidle
+ debug
+ getcpuinfo
+ heap
+}
+
+class domain
+{
+ setvcpucontext
+ pause
+ unpause
+ resume
+ create
+ transition
+ max_vcpus
+ destroy
+ setvcpuaffinity
+ getvcpuaffinity
+ scheduler
+ getdomaininfo
+ getvcpuinfo
+ getvcpucontext
+ setdomainmaxmem
+ setdomainhandle
+ setdebugging
+ hypercall
+ settime
+ set_target
+ shutdown
+ setaddrsize
+ getaddrsize
+ trigger
+ getextvcpucontext
+ setextvcpucontext
+}
+
+class hvm
+{
+ sethvmc
+ gethvmc
+ setparam
+ getparam
+ pcilevel
+ irqlevel
+ pciroute
+ bind_irq
+ cacheattr
+}
+
+class event
+{
+ bind
+ send
+ status
+ notify
+ create
+ vector
+ reset
+}
+
+class grant
+{
+ map_read
+ map_write
+ unmap
+ transfer
+ setup
+ copy
+ query
+}
+
+class mmu
+{
+ map_read
+ map_write
+ pageinfo
+ pagelist
+ adjust
+ stat
+ translategp
+ updatemp
+ physmap
+ pinpage
+ mfnlist
+ memorymap
+}
+
+class shadow
+{
+ disable
+ enable
+ logdirty
+}
+
+class resource
+{
+ add
+ remove
+ use
+ add_irq
+ remove_irq
+ add_ioport
+ remove_ioport
+ add_iomem
+ remove_iomem
+ stat_device
+ add_device
+ remove_device
+}
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce
+ setbool
+ setsecparam
+}
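Review bot: The header comments at the top of the hunk still describe "a common prefix for file access vectors" and "the access vector interpretation for file-related objects", inherited from the Linux SELinux file, but no `common` block is defined and every class here is a Xen object (xen, domain, hvm, event, grant, mmu, shadow, resource, security); the stale text should be replaced, e.g. `# Access vectors for Xen objects. No common prefixes are defined.`. A one-line comment per class naming what it guards would also help reviewers of future permission additions. Worth stating in the same header: mkaccess_vector.sh assigns each permission the next power of two in file order (`permission = permission * 2`) and mkflask.sh numbers classes and SIDs in file order, so new permissions and classes here, and new entries in initial_sids, should be appended rather than inserted, or every generated constant after the insertion point silently changes value.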
diff --git a/tools/flask/policy/policy/flask/initial_sids b/tools/flask/policy/policy/flask/initial_sids
new file mode 100644
index 0000000000..9b78fba49c
--- /dev/null
+++ b/tools/flask/policy/policy/flask/initial_sids
@@ -0,0 +1,17 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+sid xen
+sid dom0
+sid domU
+sid domio
+sid domxen
+sid unlabeled
+sid security
+sid ioport
+sid iomem
+sid pirq
+sid device
+# FLASK
diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/tools/flask/policy/policy/flask/mkaccess_vector.sh
new file mode 100644
index 0000000000..b5da734b04
--- /dev/null
+++ b/tools/flask/policy/policy/flask/mkaccess_vector.sh
@@ -0,0 +1,227 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift
+
+# output files
+av_permissions="av_permissions.h"
+av_inherit="av_inherit.h"
+common_perm_to_string="common_perm_to_string.h"
+av_perm_to_string="av_perm_to_string.h"
+
+cat $* | $awk "
+BEGIN {
+ outfile = \"$av_permissions\"
+ inheritfile = \"$av_inherit\"
+ cpermfile = \"$common_perm_to_string\"
+ avpermfile = \"$av_perm_to_string\"
+ "'
+ nextstate = "COMMON_OR_AV";
+ printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
+ printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile;
+ printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile;
+ printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
+;
+ }
+/^[ \t]*#/ {
+ next;
+ }
+$1 == "common" {
+ if (nextstate != "COMMON_OR_AV")
+ {
+ printf("Parse error: Unexpected COMMON definition on line %d\n", NR);
+ next;
+ }
+
+ if ($2 in common_defined)
+ {
+ printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
+ next;
+ }
+ common_defined[$2] = 1;
+
+ tclass = $2;
+ common_name = $2;
+ permission = 1;
+
+ printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
+
+ nextstate = "COMMON-OPENBRACKET";
+ next;
+ }
+$1 == "class" {
+ if (nextstate != "COMMON_OR_AV" &&
+ nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+ {
+ printf("Parse error: Unexpected class definition on line %d\n", NR);
+ next;
+ }
+
+ tclass = $2;
+
+ if (tclass in av_defined)
+ {
+ printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
+ next;
+ }
+ av_defined[tclass] = 1;
+
+ inherits = "";
+ permission = 1;
+
+ nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
+ next;
+ }
+$1 == "inherits" {
+ if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
+ {
+ printf("Parse error: Unexpected INHERITS definition on line %d\n", NR);
+ next;
+ }
+
+ if (!($2 in common_defined))
+ {
+ printf("COMMON %s is not defined (line %d).\n", $2, NR);
+ next;
+ }
+
+ inherits = $2;
+ permission = common_base[$2];
+
+ for (combined in common_perms)
+ {
+ split(combined,separate, SUBSEP);
+ if (separate[1] == inherits)
+ {
+ inherited_perms[common_perms[combined]] = separate[2];
+ }
+ }
+
+ j = 1;
+ for (i in inherited_perms) {
+ ind[j] = i + 0;
+ j++;
+ }
+ n = asort(ind);
+ for (i = 1; i <= n; i++) {
+ perm = inherited_perms[ind[i]];
+ printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile;
+ spaces = 40 - (length(perm) + length(tclass));
+ if (spaces < 1)
+ spaces = 1;
+ for (j = 0; j < spaces; j++)
+ printf(" ") > outfile;
+ printf("0x%08xUL\n", ind[i]) > outfile;
+ }
+ printf("\n") > outfile;
+ for (i in ind) delete ind[i];
+ for (i in inherited_perms) delete inherited_perms[i];
+
+ printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile;
+
+ nextstate = "CLASS_OR_CLASS-OPENBRACKET";
+ next;
+ }
+$1 == "{" {
+ if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
+ nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
+ nextstate != "COMMON-OPENBRACKET")
+ {
+ printf("Parse error: Unexpected { on line %d\n", NR);
+ next;
+ }
+
+ if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
+ nextstate = "CLASS-CLOSEBRACKET";
+
+ if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
+ nextstate = "CLASS-CLOSEBRACKET";
+
+ if (nextstate == "COMMON-OPENBRACKET")
+ nextstate = "COMMON-CLOSEBRACKET";
+ }
+/[a-z][a-z_]*/ {
+ if (nextstate != "COMMON-CLOSEBRACKET" &&
+ nextstate != "CLASS-CLOSEBRACKET")
+ {
+ printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR);
+ next;
+ }
+
+ if (nextstate == "COMMON-CLOSEBRACKET")
+ {
+ if ((common_name,$1) in common_perms)
+ {
+ printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
+ next;
+ }
+
+ common_perms[common_name,$1] = permission;
+
+ printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile;
+
+ printf(" S_(\"%s\")\n", $1) > cpermfile;
+ }
+ else
+ {
+ if ((tclass,$1) in av_perms)
+ {
+ printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
+ next;
+ }
+
+ av_perms[tclass,$1] = permission;
+
+ if (inherits != "")
+ {
+ if ((inherits,$1) in common_perms)
+ {
+ printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
+ next;
+ }
+ }
+
+ printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
+
+ printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
+ }
+
+ spaces = 40 - (length($1) + length(tclass));
+ if (spaces < 1)
+ spaces = 1;
+
+ for (i = 0; i < spaces; i++)
+ printf(" ") > outfile;
+ printf("0x%08xUL\n", permission) > outfile;
+ permission = permission * 2;
+ }
+$1 == "}" {
+ if (nextstate != "CLASS-CLOSEBRACKET" &&
+ nextstate != "COMMON-CLOSEBRACKET")
+ {
+ printf("Parse error: Unexpected } on line %d\n", NR);
+ next;
+ }
+
+ if (nextstate == "COMMON-CLOSEBRACKET")
+ {
+ common_base[common_name] = permission;
+ printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
+ }
+
+ printf("\n") > outfile;
+
+ nextstate = "COMMON_OR_AV";
+ }
+END {
+ if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
+ printf("Parse error: Unexpected end of file\n");
+
+ }'
+
+# FLASK
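Review bot: Every parse-error and duplicate-definition check in the awk program (the `printf("Parse error: ...")` and `printf("Duplicate ...")` sites from the `common` rule through END) prints to stdout and continues with `next`, and awk then exits 0, so `set -e` never fires and a malformed access_vectors file yields headers with missing or misnumbered permissions while the build reports success. Since these headers presumably define the permission bits that are enforced, the script should count failures (`errors++` before each diagnostic's `next`), send the diagnostics to stderr, and finish END with `if (errors) exit 1;`. The conflict message in the `/[a-z][a-z_]*/` rule also has three conversions but four arguments, so `inherits` lands in the `%d` slot and NR is dropped; `printf("Permission %s in %s on line %d conflicts with common %s permission.\n", $1, tclass, NR, inherits);` fixes it. Two smaller points: `asort` is a gawk extension while the Makefile passes plain `awk`, and nothing checks that a class stays within the 32 bits the `0x%08xUL` output format implies.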
diff --git a/tools/flask/policy/policy/flask/mkflask.sh b/tools/flask/policy/policy/flask/mkflask.sh
new file mode 100644
index 0000000000..9c847549e2
--- /dev/null
+++ b/tools/flask/policy/policy/flask/mkflask.sh
@@ -0,0 +1,95 @@
+#!/bin/sh -
+#
+
+# FLASK
+
+set -e
+
+awk=$1
+shift 1
+
+# output file
+output_file="flask.h"
+debug_file="class_to_string.h"
+debug_file2="initial_sid_to_string.h"
+
+cat $* | $awk "
+BEGIN {
+ outfile = \"$output_file\"
+ debugfile = \"$debug_file\"
+ debugfile2 = \"$debug_file2\"
+ "'
+ nextstate = "CLASS";
+
+ printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
+
+ printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+ printf("#define _SELINUX_FLASK_H_\n") > outfile;
+ printf("\n/*\n * Security object class definitions\n */\n") > outfile;
+ printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
+ printf("/*\n * Security object class definitions\n */\n") > debugfile;
+ printf(" S_(\"null\")\n") > debugfile;
+ printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2;
+ printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
+ printf(" \"null\",\n") > debugfile2;
+ }
+/^[ \t]*#/ {
+ next;
+ }
+$1 == "class" {
+ if (nextstate != "CLASS")
+ {
+ printf("Parse error: Unexpected class definition on line %d\n", NR);
+ next;
+ }
+
+ if ($2 in class_found)
+ {
+ printf("Duplicate class definition for %s on line %d.\n", $2, NR);
+ next;
+ }
+ class_found[$2] = 1;
+
+ class_value++;
+
+ printf("#define SECCLASS_%s", toupper($2)) > outfile;
+ for (i = 0; i < 40 - length($2); i++)
+ printf(" ") > outfile;
+ printf("%d\n", class_value) > outfile;
+
+ printf(" S_(\"%s\")\n", $2) > debugfile;
+ }
+$1 == "sid" {
+ if (nextstate == "CLASS")
+ {
+ nextstate = "SID";
+ printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;
+ }
+
+ if ($2 in sid_found)
+ {
+ printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
+ next;
+ }
+ sid_found[$2] = 1;
+ sid_value++;
+
+ printf("#define SECINITSID_%s", toupper($2)) > outfile;
+ for (i = 0; i < 37 - length($2); i++)
+ printf(" ") > outfile;
+ printf("%d\n", sid_value) > outfile;
+ printf(" \"%s\",\n", $2) > debugfile2;
+ }
+END {
+ if (nextstate != "SID")
+ printf("Parse error: Unexpected end of file\n");
+
+ printf("\n#define SECINITSID_NUM") > outfile;
+ for (i = 0; i < 34; i++)
+ printf(" ") > outfile;
+ printf("%d\n", sid_value) > outfile;
+ printf("\n#endif\n") > outfile;
+ printf("};\n\n") > debugfile2;
+ }'
+
+# FLASK
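Review bot: A malformed `class`/`sid` input does not fail the build: every parse-error branch in the awk program (`Parse error: Unexpected class definition`, `Duplicate class definition`, `Duplicate SID definition`, and the `Unexpected end of file` check in END) prints to stdout and falls through with `next`, awk still exits 0, so `set -e` never fires and a truncated or misnumbered `flask.h` is handed to the rest of the build. Suggest adding `errors++;` before each of those `next;` lines and closing the END block with `if (errors) exit 1;` — in a plain sh pipeline awk's status is the pipeline's status, so the script would then fail as intended. The preceding generator hunk in this commit (the one writing `avpermfile`) follows the same print-and-continue pattern and would want the same change. Two smaller points: `cat $* | $awk` breaks on input paths containing spaces (`"$@"` is the portable spelling), and the three headers are written into the current directory rather than a caller-supplied location, which the `# output file` comment could state.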
diff --git a/tools/flask/policy/policy/flask/security_classes b/tools/flask/policy/policy/flask/security_classes
new file mode 100644
index 0000000000..2ca35d277b
--- /dev/null
+++ b/tools/flask/policy/policy/flask/security_classes
@@ -0,0 +1,20 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class xen
+class domain
+class hvm
+class mmu
+class resource
+class shadow
+class event
+class grant
+class security
+
+# FLASK
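Review bot: The comment `Classes marked as userspace are classes for userspace object managers` refers to nothing in this file — none of the nine `class` lines carries such a marker, and `mkflask.sh` in this commit reads only the `class <name>` fields — so it reads as inherited wording and can only confuse. Suggest replacing it with what the file actually controls, e.g. `# Object classes enforced by the hypervisor; the order here fixes the SECCLASS_* numbering that mkflask.sh generates into flask.h`.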
diff --git a/tools/flask/policy/policy/global_booleans b/tools/flask/policy/policy/global_booleans
new file mode 100644
index 0000000000..4c13cfb062
--- /dev/null
+++ b/tools/flask/policy/policy/global_booleans
@@ -0,0 +1,5 @@
+#
+# This file is for the declaration of global booleans.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
diff --git a/tools/flask/policy/policy/global_tunables b/tools/flask/policy/policy/global_tunables
new file mode 100644
index 0000000000..801b27ec2e
--- /dev/null
+++ b/tools/flask/policy/policy/global_tunables
@@ -0,0 +1,6 @@
+#
+# This file is for the declaration of global tunables.
+# To change the default value at build time, the booleans.conf
+# file should be used.
+#
+
diff --git a/tools/flask/policy/policy/mcs b/tools/flask/policy/policy/mcs
new file mode 100644
index 0000000000..a3cef61f91
--- /dev/null
+++ b/tools/flask/policy/policy/mcs
@@ -0,0 +1,324 @@
+ifdef(`enable_mcs',`
+#
+# Define sensitivities
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+
+') dnl end enable_mcs
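Review bot: The `Define the MCS policy` section of this file, and the matching `Define the MLS policy` section of `policy/mls` in this commit, contain only the grammar comment and no `mlsconstrain` or `mlsvalidatetrans` statement, so defining `enable_mcs` or `enable_mls` attaches sensitivities and categories to contexts but never restricts any access on them. That is a reasonable starting point for a sample policy, but a reader skimming 256 `category` declarations will assume the labels are enforced; suggest saying so where the constraints would go, e.g. `# No MCS constraints are defined yet: levels and categories are carried in contexts but do not restrict access until mlsconstrain rules are added here.` The same one-line note belongs in the `mls` file.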
diff --git a/tools/flask/policy/policy/mls b/tools/flask/policy/policy/mls
new file mode 100644
index 0000000000..a598ebe257
--- /dev/null
+++ b/tools/flask/policy/policy/mls
@@ -0,0 +1,354 @@
+
+ifdef(`enable_mls',`
+#
+# Define sensitivities
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+sensitivity s3;
+sensitivity s4;
+sensitivity s5;
+sensitivity s6;
+sensitivity s7;
+sensitivity s8;
+sensitivity s9;
+sensitivity s10;
+sensitivity s11;
+sensitivity s12;
+sensitivity s13;
+sensitivity s14;
+sensitivity s15;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
+
+
+#
+# Each MLS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c255;
+level s1:c0.c255;
+level s2:c0.c255;
+level s3:c0.c255;
+level s4:c0.c255;
+level s5:c0.c255;
+level s6:c0.c255;
+level s7:c0.c255;
+level s8:c0.c255;
+level s9:c0.c255;
+level s10:c0.c255;
+level s11:c0.c255;
+level s12:c0.c255;
+level s13:c0.c255;
+level s14:c0.c255;
+level s15:c0.c255;
+
+
+#
+# Define the MLS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+
+') dnl end enable_mls
diff --git a/tools/flask/policy/policy/modules.conf b/tools/flask/policy/policy/modules.conf
new file mode 100644
index 0000000000..1031c59012
--- /dev/null
+++ b/tools/flask/policy/policy/modules.conf
@@ -0,0 +1,21 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: xen
+# Module: xen
+# Required in base
+#
+# Policy for xen.
+#
+xen = base
+
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
new file mode 100644
index 0000000000..792d600548
--- /dev/null
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -0,0 +1 @@
+#
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
new file mode 100644
index 0000000000..70fbfc0774
--- /dev/null
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -0,0 +1,135 @@
+attribute xen_type;
+attribute domain_type;
+attribute resource_type;
+attribute event_type;
+
+type xen_t, xen_type, domain_type;
+
+type dom0_t, domain_type;
+
+type domio_t, domain_type;
+
+type domxen_t, domain_type;
+
+type unlabeled_t, domain_type;
+
+type security_t, domain_type;
+
+type pirq_t, resource_type;
+type ioport_t, resource_type;
+type iomem_t, resource_type;
+type device_t, resource_type;
+
+################################################################################
+#
+# create_domain(priv_dom, domain, channel)
+#
+################################################################################
+define(`create_domain', `
+ type $2, domain_type;
+ allow $1 $2:domain {create max_vcpus setdomainmaxmem
+ setaddrsize getdomaininfo hypercall
+ setvcpucontext scheduler unpause
+ getvcpuinfo getaddrsize getvcpuaffinity};
+ allow $1 $2:shadow {enable};
+ allow $1 $2:mmu {map_read map_write memorymap adjust pinpage};
+ allow $2 $2:mmu {map_read map_write pinpage};
+ allow $2 domio_t:mmu {map_read};
+ allow $2 $2:grant {query setup};
+ allow $1 $2:grant {map_read unmap};
+ allow $1 $3:event {create};
+')
+
+################################################################################
+#
+# manage_domain(priv_dom, domain)
+#
+################################################################################
+define(`manage_domain', `
+ allow $1 $2:domain {pause destroy};
+')
+
+################################################################################
+#
+# create_channel(caller, peer, channel)
+#
+################################################################################
+define(`create_channel', `
+ type $3, event_type;
+ type_transition $1 $2:event $3;
+ allow $1 $3:event {create};
+ allow $3 $2:event {bind};
+')
+
+################################################################################
+#
+# Boot the hypervisor and dom0
+#
+################################################################################
+allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del
+scheduler physinfo heap quirk readconsole writeconsole settime microcode};
+
+allow dom0_t domio_t:mmu {map_read map_write};
+allow dom0_t iomem_t:mmu {map_read map_write};
+allow dom0_t pirq_t:event {vector};
+allow dom0_t xen_t:mmu {memorymap};
+
+allow dom0_t dom0_t:mmu {pinpage map_read map_write adjust};
+allow dom0_t dom0_t:grant {query setup};
+allow dom0_t dom0_t:domain {scheduler getdomaininfo getvcpuinfo getvcpuaffinity};
+
+allow xen_t dom0_t:domain {create};
+allow xen_t dom0_t:resource {add remove};
+allow xen_t ioport_t:resource {add_ioport remove_ioport};
+allow dom0_t ioport_t:resource {use};
+allow xen_t iomem_t:resource {add_iomem remove_iomem};
+allow dom0_t iomem_t:resource {use};
+allow xen_t pirq_t:resource {add_irq remove_irq};
+allow dom0_t pirq_t:resource {use};
+
+allow dom0_t security_t:security {compute_av compute_create compute_member
+check_context load_policy compute_relabel compute_user setenforce setbool
+setsecparam};
+
+create_channel(dom0_t, dom0_t, evchn0-0_t)
+allow dom0_t evchn0-0_t:event {send};
+
+################################################################################
+#
+# Create and manage a domU w/ dom0 IO
+#
+################################################################################
+create_domain(dom0_t, domU_t, evchnU-0_t)
+
+create_channel(domU_t, domU_t, evchnU-U_t)
+allow domU_t evchnU-U_t:event {send};
+
+create_channel(dom0_t, domU_t, evchn0-U_t)
+allow dom0_t evchn0-U_t:event {send};
+
+create_channel(domU_t, dom0_t, evchnU-0_t)
+allow domU_t evchnU-0_t:event {send};
+
+manage_domain(dom0_t, domU_t)
+
+################################################################################
+#
+#
+#
+################################################################################
+sid xen gen_context(system_u:system_r:xen_t,s0)
+sid dom0 gen_context(system_u:system_r:dom0_t,s0)
+sid domU gen_context(system_u:system_r:domU_t,s0)
+sid domxen gen_context(system_u:system_r:domxen_t,s0)
+sid domio gen_context(system_u:system_r:domio_t,s0)
+sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
+sid security gen_context(system_u:system_r:security_t,s0)
+sid pirq gen_context(system_u:object_r:pirq_t,s0)
+sid iomem gen_context(system_u:object_r:iomem_t,s0)
+sid ioport gen_context(system_u:object_r:ioport_t,s0)
+sid device gen_context(system_u:object_r:device_t,s0)
+
+role system_r types { xen_type domain_type };
+role user_r types { xen_type domain_type };
+role sysadm_r types { xen_type domain_type };
+role staff_r types { xen_type domain_type };
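Review bot: The `allow dom0_t security_t:security {...}` rule at the end of the boot section grants dom0 `load_policy`, `setenforce`, `setbool` and `setsecparam`, which makes dom0 the administrator of the policy itself: it can replace the loaded policy or leave enforcing mode at runtime, so every other rule in this file holds only as long as dom0 is trusted. That is consistent with the dom0/domU model the commit describes, but it is the most consequential rule in the file and carries no comment; suggest `# dom0 administers the policy itself (load_policy/setenforce): all other rules rely on dom0 being trusted. Split these into a separate privileged type for a stricter model.` above it. The banner before the `sid` statements is empty; `# Initial SIDs: the security contexts of the hypervisor, the predefined domains and the resource types` would fill it. The commit message gives the domU label as `system_u:object_r:domU_t` while `sid domU` here uses `system_u:system_r:domU_t`; one of the two should be adjusted so the documented label and the policy agree.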
diff --git a/tools/flask/policy/policy/support/loadable_module.spt b/tools/flask/policy/policy/support/loadable_module.spt
new file mode 100644
index 0000000000..de48b3ba49
--- /dev/null
+++ b/tools/flask/policy/policy/support/loadable_module.spt
@@ -0,0 +1,166 @@
+########################################
+#
+# Macros for switching between source policy
+# and loadable policy module support
+#
+
+##############################
+#
+# For adding the module statement
+#
+define(`policy_module',`
+ ifdef(`self_contained_policy',`',`
+ module $1 $2;
+
+ require {
+ role system_r;
+ all_kernel_class_perms
+ }
+ ')
+')
+
+##############################
+#
+# For use in interfaces, to optionally insert a require block
+#
+define(`gen_require',`
+ ifdef(`self_contained_policy',`',`
+ define(`in_gen_require_block')
+ require {
+ $1
+ }
+ undefine(`in_gen_require_block')
+ ')
+')
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# template(name,rules)
+#
+define(`template',`
+ `define(`$1',`
+##### begin $1(dollarsstar)
+ $2
+##### end $1(dollarsstar)
+ '')
+')
+
+# helper function, since m4 wont expand macros
+# if a line is a comment (#):
+define(`policy_m4_comment',`dnl
+##### $2 depth: $1
+')dnl
+
+##############################
+#
+# In the future interfaces should be in loadable modules
+#
+# interface(name,rules)
+#
+define(`interface',`
+ `define(`$1',`
+
+ define(`policy_temp',incr(policy_call_depth))
+ pushdef(`policy_call_depth',policy_temp)
+ undefine(`policy_temp')
+
+ policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar))
+
+ $2
+
+ define(`policy_temp',decr(policy_call_depth))
+ pushdef(`policy_call_depth',policy_temp)
+ undefine(`policy_temp')
+
+ policy_m4_comment(policy_call_depth,end `$1'(dollarsstar))
+
+ '')
+')
+
+define(`policy_call_depth',0)
+
+##############################
+#
+# Optional policy handling
+#
+define(`optional_policy',`
+ ifdef(`self_contained_policy',`
+ ifdef(`$1',`$2',`$3')
+ ',`
+ optional {
+ $2
+ ifelse(`$3',`',`',`
+ } else {
+ $3
+ ')
+ }
+ ')
+')
+
+##############################
+#
+# Determine if we should use the default
+# tunable value as specified by the policy
+# or if the override value should be used
+#
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
+
+##############################
+#
+# Extract booleans out of an expression.
+# This needs to be reworked so expressions
+# with parentheses can work.
+
+define(`delcare_required_symbols',`
+ifelse(regexp($1, `\w'), -1, `', `dnl
+bool regexp($1, `\(\w+\)', `\1');
+delcare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
+') dnl
+')
+
+##############################
+#
+# Tunable declaration
+#
+define(`gen_tunable',`
+ ifdef(`self_contained_policy',`
+ bool $1 dflt_or_overr(`$1'_conf,$2);
+ ',`
+ # loadable module tunable
+ # declaration will go here
+ # instead of bool when
+ # loadable modules support
+ # tunables
+ bool $1 dflt_or_overr(`$1'_conf,$2);
+ ')
+')
+
+##############################
+#
+# Tunable policy handling
+#
+define(`tunable_policy',`
+ ifdef(`self_contained_policy',`
+ if (`$1') {
+ $2
+ } else {
+ $3
+ }
+ ',`
+ # structure for tunables
+ # will go here instead of a
+ # conditional when loadable
+ # modules support tunables
+ gen_require(`
+ delcare_required_symbols(`$1')
+ ')
+
+ if (`$1') {
+ $2
+ } else {
+ $3
+ }
+ ')
+')
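Review bot: The macro declared at `define(`delcare_required_symbols',...)` is misspelled (`delcare` for `declare`) and the misspelling is repeated in its recursive call and in `tunable_policy`; it works because all three agree, but anyone calling it by the intended name gets the unexpanded text silently emitted into the policy, since m4 does not fail on an unknown macro. This looks like inherited reference-policy wording; if it is renamed, all three occurrences must change together. Its header already says the boolean extraction `needs to be reworked so expressions with parentheses can work`, yet that limitation is invisible at `tunable_policy`, where callers look; a `# TODO: $1 must not contain parentheses (see delcare_required_symbols)` on that definition would surface it.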
diff --git a/tools/flask/policy/policy/support/misc_macros.spt b/tools/flask/policy/policy/support/misc_macros.spt
new file mode 100644
index 0000000000..ce94e03d8b
--- /dev/null
+++ b/tools/flask/policy/policy/support/misc_macros.spt
@@ -0,0 +1,32 @@
+
+########################################
+#
+# Helper macros
+#
+
+#
+# shiftn(num,list...)
+#
+# shift the list num times
+#
+define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
+
+########################################
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
+
+########################################
+#
+# gen_context(context,mls_sensitivity,[mcs_categories])
+#
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
+
+########################################
+#
+# gen_bool(name,default_value)
+#
+define(`gen_bool',`
+ bool $1 dflt_or_overr(`$1'_conf,$2);
+')
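Review bot: `gen_user` emits a `level … range …` clause under `enable_mls` and a second one under `enable_mcs`, so if both symbols happen to be defined the generated `user` statement carries two level clauses; nothing in this file makes the two exclusive. Either nest the MCS branch in the else of the MLS `ifdef` (`ifdef(`enable_mls',`…',`ifdef(`enable_mcs',`…')')`) or state in the header that exactly one of them may be defined. The header also does not say that under MCS the `mls_defaultlevel` and `mls_range` arguments are ignored and the level is fixed to `s0`, which is what the MCS branch does; `# under enable_mcs, $3 and $4 are ignored and the level is always s0` would make that visible to the callers in `systemuser` and `users`.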
diff --git a/tools/flask/policy/policy/systemuser b/tools/flask/policy/policy/systemuser
new file mode 100644
index 0000000000..35499f8515
--- /dev/null
+++ b/tools/flask/policy/policy/systemuser
@@ -0,0 +1,19 @@
+##################################
+#
+# System User configuration.
+#
+
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
+
+# Normal users should not be added to this file,
+# but instead added to the users file.
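Review bot: The clearance for `system_u` is hard-coded as `s0 - s9:c0.c127` with MCS categories `c0.c127`, but the `mls` file in this commit declares sensitivities up to `s15` and both `mls` and `mcs` declare categories up to `c255`, so `system_u` can never be given a context in the upper half of either range; the `users` file repeats the same literal values for `user_u` and `root`. If that is deliberate it should be said; otherwise defining the system-high level once (next to the `level` declarations, or as a macro) and using it from both files keeps the declarations and the user clearances in step. At minimum a comment such as `# NOTE: s9:c0.c127 is below the declared system high (s15:c0.c255 under MLS, s0:c0.c255 under MCS)` would flag the gap.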
diff --git a/tools/flask/policy/policy/users b/tools/flask/policy/policy/users
new file mode 100644
index 0000000000..88a516e39c
--- /dev/null
+++ b/tools/flask/policy/policy/users
@@ -0,0 +1,39 @@
+
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+ifdef(`targeted_policy',`
+gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+',`
+gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
+')
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+ifdef(`targeted_policy',`
+ gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
+',`
+ ifdef(`direct_sysadm_daemon',`
+ gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127)
+ ',`
+ gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
+ ')
+')
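Review bot: The comments in this file describe Linux login semantics (`Linux users who have no SELinux user identity`, `modified daemons`, `login starts the user shell`) that have no counterpart in a hypervisor policy, where the user component of a context presumably comes from whatever labels the domain rather than from a Unix login. The `targeted_policy` and `direct_sysadm_daemon` branches likewise only matter if those symbols are ever defined for the Xen build, and nothing visible in this commit's policy sources defines them. Suggest rewriting the two comment blocks to say what `user_u` and `root` mean for domain labels in this model, and fixing the typo `mcs_catetories` in the `gen_user` usage line (the `systemuser` file spells it correctly).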