get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/303734/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 303734,
    "url": "http://patchwork.ozlabs.org/api/patches/303734/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/1387485489-4186-15-git-send-email-clshotwe@rockwellcollins.com/",
    "project": {
        "id": 27,
        "url": "http://patchwork.ozlabs.org/api/projects/27/?format=api",
        "name": "Buildroot development",
        "link_name": "buildroot",
        "list_id": "buildroot.buildroot.org",
        "list_email": "buildroot@buildroot.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<1387485489-4186-15-git-send-email-clshotwe@rockwellcollins.com>",
    "list_archive_url": null,
    "date": "2013-12-19T20:38:03",
    "name": "[v5,14/20] refpolicy: new package",
    "commit_ref": null,
    "pull_url": null,
    "state": "changes-requested",
    "archived": false,
    "hash": "f09bacd3b1f9bac489fbf10428e9ef3a384ae514",
    "submitter": {
        "id": 38285,
        "url": "http://patchwork.ozlabs.org/api/people/38285/?format=api",
        "name": "Clayton Shotwell",
        "email": "clshotwe@rockwellcollins.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/1387485489-4186-15-git-send-email-clshotwe@rockwellcollins.com/mbox/",
    "series": [],
    "comments": "http://patchwork.ozlabs.org/api/patches/303734/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/303734/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<buildroot-bounces@busybox.net>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "buildroot@lists.busybox.net"
        ],
        "Delivered-To": [
            "patchwork-incoming@bilbo.ozlabs.org",
            "buildroot@osuosl.org"
        ],
        "Received": [
            "from whitealder.osuosl.org (whitealder.osuosl.org\n\t[140.211.166.138])\n\tby ozlabs.org (Postfix) with ESMTP id 7BEFB2C04A0\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri, 20 Dec 2013 07:41:11 +1100 (EST)",
            "from localhost (localhost [127.0.0.1])\n\tby whitealder.osuosl.org (Postfix) with ESMTP id A76F38C98D;\n\tThu, 19 Dec 2013 20:41:10 +0000 (UTC)",
            "from whitealder.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id NBg20EUya+pk; Thu, 19 Dec 2013 20:40:51 +0000 (UTC)",
            "from ash.osuosl.org (ash.osuosl.org [140.211.166.34])\n\tby whitealder.osuosl.org (Postfix) with ESMTP id CE46F8C696;\n\tThu, 19 Dec 2013 20:39:20 +0000 (UTC)",
            "from whitealder.osuosl.org (whitealder.osuosl.org\n\t[140.211.166.138])\n\tby ash.osuosl.org (Postfix) with ESMTP id 93EB31BF99B\n\tfor <buildroot@lists.busybox.net>;\n\tThu, 19 Dec 2013 20:39:19 +0000 (UTC)",
            "from localhost (localhost [127.0.0.1])\n\tby whitealder.osuosl.org (Postfix) with ESMTP id 92FA38C94C\n\tfor <buildroot@lists.busybox.net>;\n\tThu, 19 Dec 2013 20:39:19 +0000 (UTC)",
            "from whitealder.osuosl.org ([127.0.0.1])\n\tby localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id mjlb+zLvwjIl for <buildroot@lists.busybox.net>;\n\tThu, 19 Dec 2013 20:38:50 +0000 (UTC)",
            "from secvs01.rockwellcollins.com (secvs01.rockwellcollins.com\n\t[205.175.225.240])\n\tby whitealder.osuosl.org (Postfix) with ESMTPS id 24FE68C603\n\tfor <buildroot@busybox.net>; Thu, 19 Dec 2013 20:38:41 +0000 (UTC)",
            "from nosuchhost.198.131.in-addr.arpa (HELO\n\tcollinscrsmtp01.rockwellcollins.com) ([131.198.63.132])\n\tby mail-virt.rockwellcollins.com with ESMTP;\n\t19 Dec 2013 14:38:27 -0600",
            "from nyx ([131.198.63.11])\n\tby collinscrsmtp01.rockwellcollins.com (Lotus Domino Release 8.5.2FP2\n\tHF162) with ESMTP id 2013121914382632-2990157 ;\n\tThu, 19 Dec 2013 14:38:26 -0600 "
        ],
        "X-Virus-Scanned": [
            "amavisd-new at osuosl.org",
            "amavisd-new at osuosl.org"
        ],
        "X-Greylist": "domain auto-whitelisted by SQLgrey-1.7.6",
        "From": "Clayton Shotwell <clshotwe@rockwellcollins.com>",
        "To": "buildroot@busybox.net",
        "Date": "Thu, 19 Dec 2013 14:38:03 -0600",
        "Message-Id": "<1387485489-4186-15-git-send-email-clshotwe@rockwellcollins.com>",
        "X-Mailer": "git-send-email 1.7.1",
        "In-Reply-To": "<1387485489-4186-1-git-send-email-clshotwe@rockwellcollins.com>",
        "References": "<1387485489-4186-1-git-send-email-clshotwe@rockwellcollins.com>",
        "X-MIMETrack": "Itemize by SMTP Server on\n\tCollinsCRSMTP01/CedarRapids/Collins/Rockwell(Release\n\t8.5.2FP2 HF162|May 16, 2011) at 12/19/2013 02:38:26 PM,\n\tSerialize by Router on\n\tCollinsCRSMTP01/CedarRapids/Collins/Rockwell(Release\n\t8.5.2FP2 HF162|May 16, 2011) at 12/19/2013 02:38:27 PM,\n\tSerialize complete at 12/19/2013 02:38:27 PM",
        "Cc": "Clayton Shotwell <clshotwe@rockwellcollins.com>",
        "Subject": "[Buildroot] [PATCH v5 14/20] refpolicy: new package",
        "X-BeenThere": "buildroot@busybox.net",
        "X-Mailman-Version": "2.1.14",
        "Precedence": "list",
        "List-Id": "Discussion and development of buildroot <buildroot.busybox.net>",
        "List-Unsubscribe": "<http://lists.busybox.net/mailman/options/buildroot>,\n\t<mailto:buildroot-request@busybox.net?subject=unsubscribe>",
        "List-Archive": "<http://lists.busybox.net/pipermail/buildroot>",
        "List-Post": "<mailto:buildroot@busybox.net>",
        "List-Help": "<mailto:buildroot-request@busybox.net?subject=help>",
        "List-Subscribe": "<http://lists.busybox.net/mailman/listinfo/buildroot>,\n\t<mailto:buildroot-request@busybox.net?subject=subscribe>",
        "MIME-Version": "1.0",
        "Content-Type": "text/plain; charset=\"us-ascii\"",
        "Content-Transfer-Encoding": "7bit",
        "Errors-To": "buildroot-bounces@busybox.net",
        "Sender": "buildroot-bounces@busybox.net"
    },
    "content": "Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>\n---\nChanges v4 -> v5:\n  - No changes.\nChanges v3 -> v4:\n  - Added a dependency on host-gawk and correct the awk calls\n    in the makefile to use $(AWK)\n  - Changed the default policy name to br_policy to differentiate\n    the policy generated from refpolicy.\n  - Added a install step to create a /.autorelabel file to cause\n    the file system to be relabeled by S12SELinux init script.\n  - Adding a default modules.conf file with an option to specify\n    a different one. This will decrease the build time for\n    refpolicy by removing unused policies. (implemented by\n    Thomas).\n  - Cleaned up the configure comments (implemented by Thomas).\n  - Added a check to only install the documentation if the\n    Buildroot option is enabled.\n  - Removed the build because the install step completes the\n    same process. Also removed the clean step because it is\n    being removed globally from buildroot (implemented by\n    Thomas).\n  - Added more error handling to the startup script to print\n    a warning if SELinux fails to install the policy if it\n    exists. This can be caused by the kernel not being configured\n    with SELinux enabled.\nChanges v2 -> v3:\n  - Changes patch naming convention (suggested by Thomas).\n  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and\n    BR2_LARGEFILE (suggested by Thomas).\n  - Removed configure option for a specific patch folder\n    (suggested by Thomas).\n  - Removed distribution configuration option (suggested by Thomas).\n  - Changed the monolithic configuration option to a modular\n    configuration option (suggested by Thomas).\n  - Removed the refpolicy name option (suggested by Thomas).\n  - Corrected gramatical and comment errors (suggested by Thomas).\n  - Multiple style corrections to the mk file (suggested by Thomas).\n  - Added a comment to clairfy the usage of the the host build\n    options for a target build.\nChanges v1 -> v2:\n  - General cleanup to the mk file to conform to the standard format.\n  - Fixed the patch naming to match the standard 4 digit numbering.\n  - Changed package dependencies into selects in the config.\n---\n package/Config.in                                  |    1 +\n package/refpolicy/Config.in                        |   72 ++\n package/refpolicy/S12selinux                       |  137 +++\n package/refpolicy/config                           |    8 +\n package/refpolicy/modules.conf                     |  406 +++++++\n .../refpolicy-0001-gentoo-hardened-fixes.patch     | 1250 ++++++++++++++++++++\n package/refpolicy/refpolicy-0002-awk-fix.patch     |   37 +\n package/refpolicy/refpolicy.mk                     |   82 ++\n 8 files changed, 1993 insertions(+), 0 deletions(-)\n create mode 100644 package/refpolicy/Config.in\n create mode 100644 package/refpolicy/S12selinux\n create mode 100755 package/refpolicy/config\n create mode 100644 package/refpolicy/modules.conf\n create mode 100644 package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch\n create mode 100644 package/refpolicy/refpolicy-0002-awk-fix.patch\n create mode 100644 package/refpolicy/refpolicy.mk",
    "diff": "diff --git a/package/Config.in b/package/Config.in\nindex 3d9fb19..3c691dc 100644\n--- a/package/Config.in\n+++ b/package/Config.in\n@@ -953,6 +953,7 @@ endmenu\n \n menu \"Security\"\n source \"package/policycoreutils/Config.in\"\n+source \"package/refpolicy/Config.in\"\n source \"package/sepolgen/Config.in\"\n source \"package/setools/Config.in\"\n endmenu\ndiff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in\nnew file mode 100644\nindex 0000000..64e5831\n--- /dev/null\n+++ b/package/refpolicy/Config.in\n@@ -0,0 +1,72 @@\n+config BR2_PACKAGE_REFPOLICY\n+\tbool \"refpolicy\"\n+\tselect BR2_PACKAGE_POLICYCOREUTILS\n+\tdepends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils\n+\tdepends on BR2_LARGEFILE # policycoreutils\n+\tdepends on BR2_ENABLE_LOCALE # policycoreutils\n+\tdepends on BR2_USE_WCHAR # policycoreutils\n+\tdepends on BR2_TOOLCHAIN_USES_GLIBC # policycoreutils\n+\thelp\n+\t  The SELinux Reference Policy project (refpolicy) is a\n+\t  complete SELinux policy that can be used as the system\n+\t  policy for a variety of systems and used as the basis\n+\t  for creating other policies. Reference Policy was originally\n+\t  based on the NSA example policy, but aims to accomplish\n+\t  many additional goals.\n+\n+\t  The current refpolicy does not fully support Buildroot\n+\t  and needs modifications to work with the default system\n+\t  file layout.  
These changes should be added as patches to\n+\t  the refpolicy that modify a single SELinux policy.\n+\n+comment \"refpolicy needs a toolchain w/ wchar, locale, threads, largefile, glibc\"\n+\tdepends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE \\\n+\t\t|| !BR2_ENABLE_LOCALE || !BR2_USE_WCHAR \\\n+\t\t|| !BR2_TOOLCHAIN_USES_GLIBC\n+\n+if BR2_PACKAGE_REFPOLICY\n+\n+choice\n+\tprompt \"SELinux policy type\"\n+\tdefault BR2_PACKAGE_REFPOLICY_TYPE_STANDARD\n+\n+\tconfig BR2_PACKAGE_REFPOLICY_TYPE_STANDARD\n+\t\tbool \"Standard\"\n+\t\thelp\n+\t\t  Standard SELinux policy\n+\n+\tconfig BR2_PACKAGE_REFPOLICY_TYPE_MCS\n+\t\tbool \"MCS\"\n+\t\thelp\n+\t\t  SELinux policy with multi-catagory support\n+\n+\tconfig BR2_PACKAGE_REFPOLICY_TYPE_MLS\n+\t\tbool \"MLS\"\n+\t\thelp\n+\t\t  SELinux policy with multi-catagory and multi-level support\n+endchoice\n+\n+config BR2_PACKAGE_REFPOLICY_TYPE\n+\tstring\n+\tdefault \"standard\" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD\n+\tdefault \"mcs\" if BR2_PACKAGE_REFPOLICY_TYPE_MCS\n+\tdefault \"mls\" if BR2_PACKAGE_REFPOLICY_TYPE_MLS\n+\n+config BR2_PACKAGE_REFPOLICY_MODULES_FILE\n+\tstring\n+\tdefault \"package/refpolicy/modules.conf\"\n+\thelp\n+\t  Location of a custom modules.conf file that lists the\n+\t  SELinux policy modules to be included in the compiled\n+\t  policy. See policy/modules.conf in the refpolicy sources for\n+\t  the complete list of available modules.\n+\n+config BR2_PACKAGE_REFPOLICY_MODULAR\n+\tbool \"Build a modular SELinux policy\"\n+\thelp\n+\t  Select Y to build a modular SELinux policy. By default,\n+\t  a monolithing policy will be built to save space on the\n+\t  target. 
A modular policy can also be built if policies\n+\t  need to be modified without reloading the target.\n+\n+endif\ndiff --git a/package/refpolicy/S12selinux b/package/refpolicy/S12selinux\nnew file mode 100644\nindex 0000000..f570bd3\n--- /dev/null\n+++ b/package/refpolicy/S12selinux\n@@ -0,0 +1,137 @@\n+#!/bin/sh\n+################################################################################\n+#\n+# This file labels the security contexts of memory based filesystems such as\n+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.\n+# The 'stop' argument drops the security mode to 'permissive'.\n+#\n+# This script is a heavily stripped down and modified version of the one used\n+# in CentOS 6.2\n+#\n+################################################################################\n+\n+# Get SELinux config env vars\n+. /etc/selinux/config || failed \"Failed to source the SELinux config\"\n+\n+failed()\n+{\n+   echo $1\n+   exit 1\n+}\n+\n+setup_selinux() {\n+   # Create required directories\n+   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ || \n+         failed \"Failed to create the policy folder\"\n+   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \\\n+         failed \"Failed to create the modules folder\"\n+   if [ ! 
-f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]\n+   then\n+      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \\\n+            failed \"Failed to create the file_contexts.local file\"\n+   fi\n+   \n+   # Install modules\n+   semodule -v -s ${SELINUXTYPE} -b /usr/share/selinux/${SELINUXTYPE}/base.pp \\\n+         -i $(ls /usr/share/selinux/${SELINUXTYPE}/*.pp | grep -v base) || \\\n+         failed \"Failed to install the base policy\"\n+   \n+   # Load the policy to activate it\n+   load_policy -i || failed \"Failed to load the SELinux policy\"\n+}\n+\n+relabel_selinux() {\n+   # if /sbin/init is not labeled correctly this process is running in the\n+   # wrong context, so a reboot will be required after relabel\n+   AUTORELABEL=\n+\n+   # Switch to Permissive mode\n+   echo \"0\" > /selinux/enforce || failed \"Failed to disable enforcing mode\"\n+\n+   echo\n+   echo \"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required.\"\n+   echo \"*** Relabeling could take a very long time, depending on file\"\n+   echo \"*** system size and speed of hard drives.\"\n+\n+   # Relabel mount points\n+   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\\// { print $2 }' /etc/fstab) \\\n+         >/dev/null 2>&1 || failed \"Failed to relabel the mount points\"\n+   \n+   # Relabel file system\n+   echo \"Relabeling file systems\"\n+   restorecon -R -F / || failed \"Failed to relabel the file system\"\n+\n+   # Remove label\n+   rm -f  /.autorelabel || failed \"Failed to remove the autorelabel flag\"\n+   \n+   # Reboot to activate relabeled file system\n+   echo \"Automatic reboot in progress.\"\n+   reboot -f\n+}\n+\n+start() {\n+   echo -n \"Initializing SELinux: \"\n+\n+   # Check to see if the default policy has been installed\n+   if [ \"`sestatus | grep \"SELinux status\" | grep enabled`\" == \"\" ]; then\n+      if [ ! 
-f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]\n+      then\n+         setup_selinux\n+      else\n+         echo \"SELinux policy install failed. Check kernel and init config\"\n+         exit 1\n+      fi\n+   fi\n+\n+   # Check SELinux status\n+   SELINUX_STATE=\n+   if [ -e \"/selinux/enforce\" ] && [ \"$(cat /proc/self/attr/current)\" != \"kernel\" ]; then\n+      if [ -r \"/selinux/enforce\" ] ; then\n+         SELINUX_STATE=$(cat \"/selinux/enforce\")\n+      else\n+         # assume enforcing if you can't read it\n+         SELINUX_STATE=1\n+      fi\n+   fi\n+\n+   # Context Label /dev/\n+   if [ -n \"$SELINUX_STATE\" -a -x /sbin/restorecon ] && fgrep \" /dev \" /proc/mounts >/dev/null 2>&1 ; then\n+      /sbin/restorecon -R -F /dev 2>/dev/null\n+   fi\n+\n+   # Context Label tmpfs mounts\n+   if [ -n \"$SELINUX_STATE\" -a -x /sbin/restorecon ]; then\n+      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\\// && $3 ==\"tmpfs\" { print $2 }' /etc/fstab) >/dev/null 2>&1\n+   fi\n+\n+   # Clean up SELinux labels\n+   if [ -n \"$SELINUX_STATE\" -a -x /sbin/restorecon ]; then\n+      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1\n+   fi\n+\n+   # Check for filesystem relabel request\n+   if [ -f /.autorelabel ] ; then\n+      relabel_selinux\n+   fi\n+\n+   echo \"OK\"\n+}  \n+stop() {\n+   # There is nothing to do\n+   echo \"OK\" \n+}\n+\n+case \"$1\" in\n+   start)\n+      start\n+      ;;\n+   stop)\n+      stop\n+      ;;\n+   *)\n+      echo \"Usage: $0 {start|stop}\"\n+      exit 1\n+      ;;\n+esac\n+\n+exit $?\ndiff --git a/package/refpolicy/config b/package/refpolicy/config\nnew file mode 100755\nindex 0000000..5eee807\n--- /dev/null\n+++ b/package/refpolicy/config\n@@ -0,0 +1,8 @@\n+# This file controls the state of SELinux on the system.\n+# SELINUX= can take one of these three values:\n+#     enforcing - SELinux security policy is enforced.\n+#     permissive - SELinux prints warnings instead of 
enforcing.\n+#     disabled - No SELinux policy is loaded.\n+SELINUX=permissive\n+# SELINUXTYPE= name of the selinux policy to use\n+SELINUXTYPE=refpolicy\ndiff --git a/package/refpolicy/modules.conf b/package/refpolicy/modules.conf\nnew file mode 100644\nindex 0000000..58282d8\n--- /dev/null\n+++ b/package/refpolicy/modules.conf\n@@ -0,0 +1,406 @@\n+#\n+# This file contains a listing of available modules.\n+# To prevent a module from  being used in policy\n+# creation, set the module name to \"off\".\n+#\n+# For monolithic policies, modules set to \"base\" and \"module\"\n+# will be built into the policy.\n+#\n+# For modular policies, modules set to \"base\" will be\n+# included in the base module.  \"module\" will be compiled\n+# as individual loadable modules.\n+#\n+\n+# Layer: kernel\n+# Module: corecommands\n+# Required in base\n+#\n+# Core policy for shells, and generic programs\n+# in /bin, /sbin, /usr/bin, and /usr/sbin.\n+#\n+corecommands = base\n+\n+# Layer: kernel\n+# Module: corenetwork\n+# Required in base\n+#\n+# Policy controlling access to network objects\n+#\n+corenetwork = base\n+\n+# Layer: kernel\n+# Module: devices\n+# Required in base\n+#\n+# Device nodes and interfaces for many basic system devices.\n+#\n+devices = base\n+\n+# Layer: kernel\n+# Module: domain\n+# Required in base\n+#\n+# Core policy for domains.\n+#\n+domain = base\n+\n+# Layer: kernel\n+# Module: files\n+# Required in base\n+#\n+# Basic filesystem types and interfaces.\n+#\n+files = base\n+\n+# Layer: kernel\n+# Module: filesystem\n+# Required in base\n+#\n+# Policy for filesystems.\n+#\n+filesystem = base\n+\n+# Layer: kernel\n+# Module: kernel\n+# Required in base\n+#\n+# Policy for kernel threads, proc filesystem,\n+# and unlabeled processes and objects.\n+#\n+kernel = base\n+\n+# Layer: kernel\n+# Module: mcs\n+# Required in base\n+#\n+# Multicategory security policy\n+#\n+mcs = base\n+\n+# Layer: kernel\n+# Module: mls\n+# Required in base\n+#\n+# Multilevel security 
policy\n+#\n+mls = base\n+\n+# Layer: kernel\n+# Module: selinux\n+# Required in base\n+#\n+# Policy for kernel security interface, in particular, selinuxfs.\n+#\n+selinux = base\n+\n+# Layer: kernel\n+# Module: terminal\n+# Required in base\n+#\n+# Policy for terminals.\n+#\n+terminal = base\n+\n+# Layer: kernel\n+# Module: ubac\n+# Required in base\n+#\n+# User-based access control policy\n+#\n+ubac = base\n+\n+# Layer: admin\n+# Module: bootloader\n+#\n+# Policy for the kernel modules, kernel image, and bootloader.\n+#\n+bootloader = module\n+\n+# Layer: admin\n+# Module: consoletype\n+#\n+# Determine of the console connected to the controlling terminal.\n+#\n+consoletype = module\n+\n+# Layer: admin\n+# Module: dmesg\n+#\n+# Policy for dmesg.\n+#\n+dmesg = module\n+\n+# Layer: admin\n+# Module: netutils\n+#\n+# Network analysis utilities\n+#\n+netutils = module\n+\n+# Layer: admin\n+# Module: su\n+#\n+# Run shells with substitute user and group\n+#\n+su = module\n+\n+# Layer: admin\n+# Module: sudo\n+#\n+# Execute a command with a substitute user\n+#\n+sudo = module\n+\n+# Layer: admin\n+# Module: usermanage\n+#\n+# Policy for managing user accounts.\n+#\n+usermanage = module\n+\n+# Layer: apps\n+# Module: seunshare\n+#\n+# Filesystem namespacing/polyinstantiation application.\n+#\n+seunshare = module\n+\n+# Layer: kernel\n+# Module: storage\n+#\n+# Policy controlling access to storage devices\n+#\n+storage = module\n+\n+# Layer: roles\n+# Module: auditadm\n+#\n+# Audit administrator role\n+#\n+auditadm = module\n+\n+# Layer: roles\n+# Module: logadm\n+#\n+# Log administrator role\n+#\n+logadm = module\n+\n+# Layer: roles\n+# Module: secadm\n+#\n+# Security administrator role\n+#\n+secadm = module\n+\n+# Layer: roles\n+# Module: staff\n+#\n+# Administrator's unprivileged user role\n+#\n+staff = module\n+\n+# Layer: roles\n+# Module: sysadm\n+#\n+# General system administration role\n+#\n+sysadm = module\n+\n+# Layer: roles\n+# Module: unprivuser\n+#\n+# Generic 
unprivileged user role\n+#\n+unprivuser = module\n+\n+# Layer: services\n+# Module: postgresql\n+#\n+# PostgreSQL relational database\n+#\n+postgresql = module\n+\n+# Layer: services\n+# Module: ssh\n+#\n+# Secure shell client and server policy.\n+#\n+ssh = module\n+\n+# Layer: services\n+# Module: xserver\n+#\n+# X Windows Server\n+#\n+xserver = module\n+\n+# Layer: system\n+# Module: application\n+#\n+# Policy for user executable applications.\n+#\n+application = module\n+\n+# Layer: system\n+# Module: authlogin\n+#\n+# Common policy for authentication and user login.\n+#\n+authlogin = module\n+\n+# Layer: system\n+# Module: clock\n+#\n+# Policy for reading and setting the hardware clock.\n+#\n+clock = module\n+\n+# Layer: system\n+# Module: fstools\n+#\n+# Tools for filesystem management, such as mkfs and fsck.\n+#\n+fstools = module\n+\n+# Layer: system\n+# Module: getty\n+#\n+# Policy for getty.\n+#\n+getty = module\n+\n+# Layer: system\n+# Module: hostname\n+#\n+# Policy for changing the system host name.\n+#\n+hostname = module\n+\n+# Layer: system\n+# Module: hotplug\n+#\n+# Policy for hotplug system, for supporting the\n+# connection and disconnection of devices at runtime.\n+#\n+hotplug = module\n+\n+# Layer: system\n+# Module: init\n+#\n+# System initialization programs (init and init scripts).\n+#\n+init = module\n+\n+# Layer: system\n+# Module: ipsec\n+#\n+# TCP/IP encryption\n+#\n+ipsec = module\n+\n+# Layer: system\n+# Module: iptables\n+#\n+# Policy for iptables.\n+#\n+iptables = module\n+\n+# Layer: system\n+# Module: libraries\n+#\n+# Policy for system libraries.\n+#\n+libraries = module\n+\n+# Layer: system\n+# Module: locallogin\n+#\n+# Policy for local logins.\n+#\n+locallogin = module\n+\n+# Layer: system\n+# Module: logging\n+#\n+# Policy for the kernel message logger and system logging daemon.\n+#\n+logging = module\n+\n+# Layer: system\n+# Module: lvm\n+#\n+# Policy for logical volume management programs.\n+#\n+lvm = module\n+\n+# Layer: 
system\n+# Module: miscfiles\n+#\n+# Miscelaneous files.\n+#\n+miscfiles = module\n+\n+# Layer: system\n+# Module: modutils\n+#\n+# Policy for kernel module utilities\n+#\n+modutils = module\n+\n+# Layer: system\n+# Module: mount\n+#\n+# Policy for mount.\n+#\n+mount = module\n+\n+# Layer: system\n+# Module: netlabel\n+#\n+# NetLabel/CIPSO labeled networking management\n+#\n+netlabel = module\n+\n+# Layer: system\n+# Module: selinuxutil\n+#\n+# Policy for SELinux policy and userland applications.\n+#\n+selinuxutil = module\n+\n+# Layer: system\n+# Module: setrans\n+#\n+# SELinux MLS/MCS label translation service.\n+#\n+setrans = module\n+\n+# Layer: system\n+# Module: sysnetwork\n+#\n+# Policy for network configuration: ifconfig and dhcp client.\n+#\n+sysnetwork = module\n+\n+# Layer: system\n+# Module: udev\n+#\n+# Policy for udev.\n+#\n+udev = module\n+\n+# Layer: system\n+# Module: unconfined\n+#\n+# The unconfined domain.\n+#\n+unconfined = module\n+\n+# Layer: system\n+# Module: userdomain\n+#\n+# Policy for user domains\n+#\n+userdomain = module\n+\ndiff --git a/package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch b/package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch\nnew file mode 100644\nindex 0000000..c1c398f\n--- /dev/null\n+++ b/package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch\n@@ -0,0 +1,1250 @@\n+From: Dominick Grift <dominick.grift@gmail.com>\n+Date: Fri, 16 Aug 2013 07:07:37 +0000 (+0200)\n+Subject: Fix monolithic built\n+X-Git-Url: http://git.overlays.gentoo.org/gitweb/?p=proj%2Fhardened-refpolicy.git;a=commitdiff_plain;h=86500de7\n+\n+Fix monolithic built\n+\n+Make unconfined_cronjob_t declaration mandatory, because else monolithic\n+built fails due to duplicate declaration\n+\n+Deprecate kerberos_keytab_template:\n+\n+Keytab type declarations have to be mandatory, because else monolithic\n+built fails due to out-of-scope\n+\n+This keytab solution does not make sense in its current implementation,\n+as many 
corresponding file context specs are missing, and there are no\n+type transtion rules\n+\n+Replaced two deprecated interface calls\n+\n+Signed-off-by: Dominick Grift <dominick.grift@gmail.com>\n+---\n+\n+diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if\n+index a1d1131..655cbe1 100644\n+--- a/policy/modules/contrib/apache.if\n++++ b/policy/modules/contrib/apache.if\n+@@ -1203,9 +1203,9 @@ interface(`apache_admin',`\n+ \t\tattribute httpd_script_domains, httpd_htaccess_type;\n+ \t\ttype httpd_t, httpd_config_t, httpd_log_t;\n+ \t\ttype httpd_modules_t, httpd_lock_t, httpd_helper_t;\n+-\t\ttype httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;\n++\t\ttype httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;\n+ \t\ttype httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;\n+-\t\ttype httpd_initrc_exec_t, httpd_suexec_t;\n++\t\ttype httpd_initrc_exec_t, httpd_keytab_t;\n+ \t')\n+ \n+ \tallow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };\n+@@ -1222,7 +1222,7 @@ interface(`apache_admin',`\n+ \tmiscfiles_manage_public_files($1)\n+ \n+ \tfiles_search_etc($1)\n+-\tadmin_pattern($1, { httpd_config_t httpd_keytab_t })\n++\tadmin_pattern($1, { httpd_keytab_t httpd_config_t })\n+ \n+ \tlogging_search_logs($1)\n+ \tadmin_pattern($1, httpd_log_t)\n+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te\n+index 0da7cc3..99bb9b5 100644\n+--- a/policy/modules/contrib/apache.te\n++++ b/policy/modules/contrib/apache.te\n+@@ -1,4 +1,4 @@\n+-policy_module(apache, 2.7.0)\n++policy_module(apache, 2.7.1)\n+ \n+ ########################################\n+ #\n+@@ -283,6 +283,9 @@ role httpd_helper_roles types httpd_helper_t;\n+ type httpd_initrc_exec_t;\n+ init_script_file(httpd_initrc_exec_t)\n+ \n++type httpd_keytab_t;\n++files_type(httpd_keytab_t)\n++\n+ type httpd_lock_t;\n+ files_lock_file(httpd_lock_t)\n+ \n+@@ -391,6 +394,8 @@ allow httpd_t httpd_config_t:dir list_dir_perms;\n+ 
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)\n+ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)\n+ \n++allow httpd_t httpd_keytab_t:file read_file_perms;\n++\n+ allow httpd_t httpd_lock_t:file manage_file_perms;\n+ files_lock_filetrans(httpd_t, httpd_lock_t, file)\n+ \n+@@ -781,10 +786,11 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(httpd, httpd_t)\n+ \tkerberos_manage_host_rcache(httpd_t)\n++\tkerberos_read_keytab(httpd_t)\n+ \tkerberos_tmp_filetrans_host_rcache(httpd_t, file, \"HTTP_23\")\n+ \tkerberos_tmp_filetrans_host_rcache(httpd_t, file, \"HTTP_48\")\n++\tkerberos_use(httpd_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if\n+index 089430a..f24e369 100644\n+--- a/policy/modules/contrib/automount.if\n++++ b/policy/modules/contrib/automount.if\n+@@ -153,6 +153,7 @@ interface(`automount_admin',`\n+ \tgen_require(`\n+ \t\ttype automount_t, automount_lock_t, automount_tmp_t;\n+ \t\ttype automount_var_run_t, automount_initrc_exec_t;\n++\t\ttype automount_keytab_t;\n+ \t')\n+ \n+ \tallow $1 automount_t:process { ptrace signal_perms };\n+@@ -163,6 +164,9 @@ interface(`automount_admin',`\n+ \trole_transition $2 automount_initrc_exec_t system_r;\n+ \tallow $2 system_r;\n+ \n++\tfiles_list_etc($1)\n++\tadmin_pattern($1, automount_keytab_t)\n++\n+ \tfiles_list_var($1)\n+ \tadmin_pattern($1, automount_lock_t)\n+ \n+diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te\n+index d4e58ea..27d2f40 100644\n+--- a/policy/modules/contrib/automount.te\n++++ b/policy/modules/contrib/automount.te\n+@@ -1,4 +1,4 @@\n+-policy_module(automount, 1.14.0)\n++policy_module(automount, 1.14.1)\n+ \n+ ########################################\n+ #\n+@@ -12,8 +12,8 @@ init_daemon_domain(automount_t, automount_exec_t)\n+ type automount_initrc_exec_t;\n+ init_script_file(automount_initrc_exec_t)\n+ \n+-type 
automount_var_run_t;\n+-files_pid_file(automount_var_run_t)\n++type automount_keytab_t;\n++files_type(automount_keytab_t)\n+ \n+ type automount_lock_t;\n+ files_lock_file(automount_lock_t)\n+@@ -22,6 +22,9 @@ type automount_tmp_t;\n+ files_tmp_file(automount_tmp_t)\n+ files_mountpoint(automount_tmp_t)\n+ \n++type automount_var_run_t;\n++files_pid_file(automount_var_run_t)\n++\n+ ########################################\n+ #\n+ # Local policy\n+@@ -36,6 +39,8 @@ allow automount_t self:rawip_socket create_socket_perms;\n+ \n+ can_exec(automount_t, automount_exec_t)\n+ \n++allow automount_t automount_keytab_t:file read_file_perms;\n++\n+ allow automount_t automount_lock_t:file manage_file_perms;\n+ files_lock_filetrans(automount_t, automount_lock_t, file)\n+ \n+@@ -143,8 +148,9 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(automount, automount_t)\n+ \tkerberos_read_config(automount_t)\n++\tkerberos_read_keytab(automount_t)\n++\tkerberos_use(automount_t)\n+ \tkerberos_dontaudit_write_config(automount_t)\n+ ')\n+ \n+diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if\n+index 866a1e2..531a8f2 100644\n+--- a/policy/modules/contrib/bind.if\n++++ b/policy/modules/contrib/bind.if\n+@@ -364,6 +364,7 @@ interface(`bind_admin',`\n+ \t\ttype named_t, named_tmp_t, named_log_t;\n+ \t\ttype named_cache_t, named_zone_t, named_initrc_exec_t;\n+ \t\ttype dnssec_t, ndc_t, named_conf_t, named_var_run_t;\n++\t\ttype named_keytab_t;\n+ \t')\n+ \n+ \tallow $1 { named_t ndc_t }:process { ptrace signal_perms };\n+@@ -381,7 +382,7 @@ interface(`bind_admin',`\n+ \tadmin_pattern($1, named_log_t)\n+ \n+ \tfiles_list_etc($1)\n+-\tadmin_pattern($1, named_conf_t)\n++\tadmin_pattern($1, { named_keytab_t named_conf_t })\n+ \n+ \tfiles_list_var($1)\n+ \tadmin_pattern($1, { dnssec_t named_cache_t named_zone_t })\n+diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te\n+index b01e493..1241123 100644\n+--- 
a/policy/modules/contrib/bind.te\n++++ b/policy/modules/contrib/bind.te\n+@@ -1,4 +1,4 @@\n+-policy_module(bind, 1.13.0)\n++policy_module(bind, 1.13.1)\n+ \n+ ########################################\n+ #\n+@@ -44,6 +44,9 @@ files_type(named_cache_t)\n+ type named_initrc_exec_t;\n+ init_script_file(named_initrc_exec_t)\n+ \n++type named_keytab_t;\n++files_type(named_keytab_t)\n++\n+ type named_log_t;\n+ logging_log_file(named_log_t)\n+ \n+@@ -84,7 +87,7 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)\n+ manage_files_pattern(named_t, named_cache_t, named_cache_t)\n+ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)\n+ \n+-can_exec(named_t, named_exec_t)\n++allow named_t named_keytab_t:file read_file_perms;\n+ \n+ append_files_pattern(named_t, named_log_t, named_log_t)\n+ create_files_pattern(named_t, named_log_t, named_log_t)\n+@@ -100,6 +103,8 @@ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)\n+ manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)\n+ files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })\n+ \n++can_exec(named_t, named_exec_t)\n++\n+ allow named_t named_zone_t:dir list_dir_perms;\n+ read_files_pattern(named_t, named_zone_t, named_zone_t)\n+ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)\n+@@ -182,7 +187,8 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(named, named_t)\n++\tkerberos_read_keytab(named_t)\n++\tkerberos_use(named_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te\n+index d865049..41bb279 100644\n+--- a/policy/modules/contrib/cron.te\n++++ b/policy/modules/contrib/cron.te\n+@@ -1,4 +1,4 @@\n+-policy_module(cron, 2.6.0)\n++policy_module(cron, 2.6.1)\n+ \n+ gen_require(`\n+ \tclass passwd rootok;\n+@@ -701,22 +701,22 @@ optional_policy(`\n+ # Unconfined local policy\n+ #\n+ \n+-optional_policy(`\n+-\ttype 
unconfined_cronjob_t;\n+-\tdomain_type(unconfined_cronjob_t)\n+-\tdomain_cron_exemption_target(unconfined_cronjob_t)\n++type unconfined_cronjob_t;\n++domain_type(unconfined_cronjob_t)\n++domain_cron_exemption_target(unconfined_cronjob_t)\n+ \n+-\tdontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };\n++dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };\n+ \n+-\tunconfined_domain(unconfined_cronjob_t)\n++tunable_policy(`cron_userdomain_transition',`\n++\tdontaudit crond_t unconfined_cronjob_t:process transition;\n++\tdontaudit crond_t unconfined_cronjob_t:fd use;\n++\tdontaudit crond_t unconfined_cronjob_t:key manage_key_perms;\n++',`\n++\tallow crond_t unconfined_cronjob_t:process transition;\n++\tallow crond_t unconfined_cronjob_t:fd use;\n++\tallow crond_t unconfined_cronjob_t:key manage_key_perms;\n++')\n+ \n+-\ttunable_policy(`cron_userdomain_transition',`\n+-\t\tdontaudit crond_t unconfined_cronjob_t:process transition;\n+-\t\tdontaudit crond_t unconfined_cronjob_t:fd use;\n+-\t\tdontaudit crond_t unconfined_cronjob_t:key manage_key_perms;\n+-\t',`\n+-\t\tallow crond_t unconfined_cronjob_t:process transition;\n+-\t\tallow crond_t unconfined_cronjob_t:fd use;\n+-\t\tallow crond_t unconfined_cronjob_t:key manage_key_perms;\n+-\t')\n++optional_policy(`\n++\tunconfined_domain(unconfined_cronjob_t)\n+ ')\n+diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if\n+index 9fa7ffb..64775fd 100644\n+--- a/policy/modules/contrib/cvs.if\n++++ b/policy/modules/contrib/cvs.if\n+@@ -59,7 +59,7 @@ interface(`cvs_exec',`\n+ interface(`cvs_admin',`\n+ \tgen_require(`\n+ \t\ttype cvs_t, cvs_tmp_t, cvs_initrc_exec_t;\n+-\t\ttype cvs_data_t, cvs_var_run_t;\n++\t\ttype cvs_data_t, cvs_var_run_t, cvs_keytab_t;\n+ \t')\n+ \n+ \tallow $1 cvs_t:process { ptrace signal_perms };\n+@@ -70,6 +70,9 @@ interface(`cvs_admin',`\n+ \trole_transition $2 cvs_initrc_exec_t system_r;\n+ \tallow $2 system_r;\n+ 
\n++\tfiles_search_etc($1)\n++\tadmin_pattern($1, cvs_keytab_t)\n++\n+ \tfiles_list_tmp($1)\n+ \tadmin_pattern($1, cvs_tmp_t)\n+ \n+diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te\n+index 6c544e5..17df324 100644\n+--- a/policy/modules/contrib/cvs.te\n++++ b/policy/modules/contrib/cvs.te\n+@@ -1,4 +1,4 @@\n+-policy_module(cvs, 1.10.0)\n++policy_module(cvs, 1.10.1)\n+ \n+ ########################################\n+ #\n+@@ -24,6 +24,9 @@ files_type(cvs_data_t)\n+ type cvs_initrc_exec_t;\n+ init_script_file(cvs_initrc_exec_t)\n+ \n++type cvs_keytab_t;\n++files_type(cvs_keytab_t)\n++\n+ type cvs_tmp_t;\n+ files_tmp_file(cvs_tmp_t)\n+ \n+@@ -44,6 +47,8 @@ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)\n+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)\n+ manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)\n+ \n++allow cvs_t cvs_keytab_t:file read_file_perms;\n++\n+ manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)\n+ manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)\n+ files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })\n+@@ -87,8 +92,9 @@ tunable_policy(`allow_cvs_read_shadow',`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(cvs, cvs_t)\n+ \tkerberos_read_config(cvs_t)\n++\tkerberos_read_keytab(cvs_t)\n++\tkerberos_use(cvs_t)\n+ \tkerberos_dontaudit_write_config(cvs_t)\n+ ')\n+ \n+diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if\n+index 6508280..83bfda6 100644\n+--- a/policy/modules/contrib/cyrus.if\n++++ b/policy/modules/contrib/cyrus.if\n+@@ -61,6 +61,7 @@ interface(`cyrus_admin',`\n+ \tgen_require(`\n+ \t\ttype cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;\n+ \t\ttype cyrus_var_run_t, cyrus_initrc_exec_t;\n++\t\ttype cyrus_keytab_t;\n+ \t')\n+ \n+ \tallow $1 cyrus_t:process { ptrace signal_perms };\n+@@ -71,6 +72,9 @@ interface(`cyrus_admin',`\n+ \trole_transition $2 cyrus_initrc_exec_t system_r;\n+ \tallow $2 system_r;\n+ \n++\tfiles_list_etc($1)\n++\tadmin_pattern($1, cyrus_keytab_t)\n++\n+ 
\tfiles_list_tmp($1)\n+ \tadmin_pattern($1, cyrus_tmp_t)\n+ \n+diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te\n+index 0cef3ef..4283f2d 100644\n+--- a/policy/modules/contrib/cyrus.te\n++++ b/policy/modules/contrib/cyrus.te\n+@@ -1,4 +1,4 @@\n+-policy_module(cyrus, 1.13.0)\n++policy_module(cyrus, 1.13.1)\n+ \n+ ########################################\n+ #\n+@@ -12,6 +12,9 @@ init_daemon_domain(cyrus_t, cyrus_exec_t)\n+ type cyrus_initrc_exec_t;\n+ init_script_file(cyrus_initrc_exec_t)\n+ \n++type cyrus_keytab_t;\n++files_type(cyrus_keytab_t)\n++\n+ type cyrus_tmp_t;\n+ files_tmp_file(cyrus_tmp_t)\n+ \n+@@ -41,6 +44,8 @@ allow cyrus_t self:unix_dgram_socket sendto;\n+ allow cyrus_t self:unix_stream_socket { accept connectto listen };\n+ allow cyrus_t self:tcp_socket { accept listen };\n+ \n++allow cyrus_t cyrus_keytab_t:file read_file_perms;\n++\n+ manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)\n+ manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)\n+ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })\n+@@ -116,7 +121,8 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(cyrus, cyrus_t)\n++\tkerberos_read_keytab(cyrus_t)\n++\tkerberos_use(cyrus_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if\n+index dbcac59..d5badb7 100644\n+--- a/policy/modules/contrib/dovecot.if\n++++ b/policy/modules/contrib/dovecot.if\n+@@ -143,6 +143,7 @@ interface(`dovecot_admin',`\n+ \t\ttype dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;\n+ \t\ttype dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;\n+ \t\ttype dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;\n++\t\ttype dovecot_keytab_t;\n+ \t')\n+ \n+ \tallow $1 dovecot_t:process { ptrace signal_perms };\n+@@ -154,7 +155,7 @@ interface(`dovecot_admin',`\n+ \tallow $2 system_r;\n+ \n+ \tfiles_list_etc($1)\n+-\tadmin_pattern($1, dovecot_etc_t)\n++\tadmin_pattern($1, { 
dovecot_keytab_t dovecot_etc_t })\n+ \n+ \tlogging_list_logs($1)\n+ \tadmin_pattern($1, dovecot_var_log_t)\n+diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te\n+index 3a6e733..0aabc7e 100644\n+--- a/policy/modules/contrib/dovecot.te\n++++ b/policy/modules/contrib/dovecot.te\n+@@ -1,4 +1,4 @@\n+-policy_module(dovecot, 1.16.0)\n++policy_module(dovecot, 1.16.1)\n+ \n+ ########################################\n+ #\n+@@ -38,6 +38,9 @@ files_config_file(dovecot_etc_t)\n+ type dovecot_initrc_exec_t;\n+ init_script_file(dovecot_initrc_exec_t)\n+ \n++type dovecot_keytab_t;\n++files_type(dovecot_keytab_t)\n++\n+ type dovecot_passwd_t;\n+ files_type(dovecot_passwd_t)\n+ \n+@@ -99,6 +102,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;\n+ allow dovecot_t dovecot_cert_t:file read_file_perms;\n+ allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;\n+ \n++allow dovecot_t dovecot_keytab_t:file read_file_perms;\n++\n+ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)\n+ manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)\n+ files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })\n+@@ -182,9 +187,10 @@ tunable_policy(`use_samba_home_dirs',`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(dovecot, dovecot_t)\n+ \tkerberos_manage_host_rcache(dovecot_t)\n++\tkerberos_read_keytab(dovecot_t)\n+ \tkerberos_tmp_filetrans_host_rcache(dovecot_t, file, \"imap_0\")\n++\tkerberos_use(dovecot_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if\n+index 6041113..94a8269 100644\n+--- a/policy/modules/contrib/exim.if\n++++ b/policy/modules/contrib/exim.if\n+@@ -244,6 +244,7 @@ interface(`exim_admin',`\n+ \tgen_require(`\n+ \t\ttype exim_t, exim_spool_t, exim_log_t;\n+ \t\ttype exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;\n++\t\ttype exim_keytab_t;\n+ \t')\n+ \n+ \tallow $1 exim_t:process { ptrace signal_perms };\n+@@ -254,6 +255,9 @@ 
interface(`exim_admin',`\n+ \trole_transition $2 exim_initrc_exec_t system_r;\n+ \tallow $2 system_r;\n+ \n++\tfiles_search_etc($1)\n++\tadmin_pattern($1, exim_keytab_t)\n++\n+ \tfiles_search_spool($1)\n+ \tadmin_pattern($1, exim_spool_t)\n+ \n+diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te\n+index c9c04ee..7e8cf42 100644\n+--- a/policy/modules/contrib/exim.te\n++++ b/policy/modules/contrib/exim.te\n+@@ -1,4 +1,4 @@\n+-policy_module(exim, 1.6.0)\n++policy_module(exim, 1.6.1)\n+ \n+ ########################################\n+ #\n+@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)\n+ type exim_initrc_exec_t;\n+ init_script_file(exim_initrc_exec_t)\n+ \n++type exim_keytab_t;\n++files_type(exim_keytab_t)\n++\n+ type exim_log_t;\n+ logging_log_file(exim_log_t)\n+ \n+@@ -68,6 +71,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;\n+ allow exim_t self:unix_stream_socket { accept listen };\n+ allow exim_t self:tcp_socket { accept listen };\n+ \n++allow exim_t exim_keytab_t:file read_file_perms;\n++\n+ append_files_pattern(exim_t, exim_log_t, exim_log_t)\n+ create_files_pattern(exim_t, exim_log_t, exim_log_t)\n+ setattr_files_pattern(exim_t, exim_log_t, exim_log_t)\n+@@ -188,7 +193,8 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(exim, exim_t)\n++\tkerberos_read_keytab(exim_t)\n++\tkerberos_use(exim_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if\n+index d062080..4498143 100644\n+--- a/policy/modules/contrib/ftp.if\n++++ b/policy/modules/contrib/ftp.if\n+@@ -176,6 +176,7 @@ interface(`ftp_admin',`\n+ \t\ttype ftpd_etc_t, ftpd_lock_t, sftpd_t;\n+ \t\ttype ftpd_var_run_t, xferlog_t, anon_sftpd_t;\n+ \t\ttype ftpd_initrc_exec_t, ftpdctl_tmp_t;\n++\t\ttype ftpd_keytab_t;\n+ \t')\n+ \n+ \tallow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };\n+@@ -192,7 +193,7 @@ interface(`ftp_admin',`\n+ \tadmin_pattern($1, { ftpd_tmp_t 
ftpdctl_tmp_t })\n+ \n+ \tfiles_list_etc($1)\n+-\tadmin_pattern($1, ftpd_etc_t)\n++\tadmin_pattern($1, { ftpd_etc_t ftpd_keytab_t })\n+ \n+ \tfiles_list_var($1)\n+ \tadmin_pattern($1, ftpd_lock_t)\n+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te\n+index 544c512..36838c2 100644\n+--- a/policy/modules/contrib/ftp.te\n++++ b/policy/modules/contrib/ftp.te\n+@@ -1,4 +1,4 @@\n+-policy_module(ftp, 1.15.0)\n++policy_module(ftp, 1.15.1)\n+ \n+ ########################################\n+ #\n+@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)\n+ type ftpd_initrc_exec_t;\n+ init_script_file(ftpd_initrc_exec_t)\n+ \n++type ftpd_keytab_t;\n++files_type(ftpd_keytab_t)\n++\n+ type ftpd_lock_t;\n+ files_lock_file(ftpd_lock_t)\n+ \n+@@ -176,6 +179,8 @@ allow ftpd_t self:key manage_key_perms;\n+ \n+ allow ftpd_t ftpd_etc_t:file read_file_perms;\n+ \n++allow ftpd_t ftpd_keytab_t:file read_file_perms;\n++\n+ allow ftpd_t ftpd_lock_t:file manage_file_perms;\n+ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)\n+ \n+@@ -359,8 +364,9 @@ optional_policy(`\n+ optional_policy(`\n+ \tselinux_validate_context(ftpd_t)\n+ \n+-\tkerberos_keytab_template(ftpd, ftpd_t)\n++\tkerberos_read_keytab(ftpd_t)\n+ \tkerberos_tmp_filetrans_host_rcache(ftpd_t, file, \"host_0\")\n++\tkerberos_use(ftpd_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if\n+index f9de9fc..f6c00d8 100644\n+--- a/policy/modules/contrib/kerberos.if\n++++ b/policy/modules/contrib/kerberos.if\n+@@ -354,22 +354,7 @@ interface(`kerberos_etc_filetrans_keytab',`\n+ ## </param>\n+ #\n+ template(`kerberos_keytab_template',`\n+-\n+-\t########################################\n+-\t#\n+-\t# Declarations\n+-\t#\n+-\n+-\ttype $1_keytab_t;\n+-\tfiles_type($1_keytab_t)\n+-\n+-\t########################################\n+-\t#\n+-\t# Policy\n+-\t#\n+-\n+-\tallow $2 $1_keytab_t:file read_file_perms;\n+-\n++\trefpolicywarn(`$0($*) has been deprecated.')\n+ 
\tkerberos_read_keytab($2)\n+ \tkerberos_use($2)\n+ ')\n+diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if\n+index de2508e..7f09b4a 100644\n+--- a/policy/modules/contrib/ldap.if\n++++ b/policy/modules/contrib/ldap.if\n+@@ -116,7 +116,7 @@ interface(`ldap_admin',`\n+ \t\ttype slapd_t, slapd_tmp_t, slapd_replog_t;\n+ \t\ttype slapd_lock_t, slapd_etc_t, slapd_var_run_t;\n+ \t\ttype slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;\n+-\t\ttype slapd_db_t;\n++\t\ttype slapd_db_t, slapd_keytab_t;\n+ \t')\n+ \n+ \tallow $1 slapd_t:process { ptrace signal_perms };\n+@@ -128,7 +128,7 @@ interface(`ldap_admin',`\n+ \tallow $2 system_r;\n+ \n+ \tfiles_list_etc($1)\n+-\tadmin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })\n++\tadmin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })\n+ \n+ \tfiles_list_locks($1)\n+ \tadmin_pattern($1, slapd_lock_t)\n+diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te\n+index 71b00f8..131dc88 100644\n+--- a/policy/modules/contrib/ldap.te\n++++ b/policy/modules/contrib/ldap.te\n+@@ -1,4 +1,4 @@\n+-policy_module(ldap, 1.11.0)\n++policy_module(ldap, 1.11.1)\n+ \n+ ########################################\n+ #\n+@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)\n+ type slapd_initrc_exec_t;\n+ init_script_file(slapd_initrc_exec_t)\n+ \n++type slapd_keytab_t;\n++files_type(slapd_keytab_t)\n++\n+ type slapd_lock_t;\n+ files_lock_file(slapd_lock_t)\n+ \n+@@ -60,6 +63,8 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)\n+ \n+ allow slapd_t slapd_etc_t:file read_file_perms;\n+ \n++allow slapd_t slapd_keytab_t:file read_file_perms;\n++\n+ allow slapd_t slapd_lock_t:file manage_file_perms;\n+ files_lock_filetrans(slapd_t, slapd_lock_t, file)\n+ \n+@@ -131,11 +136,12 @@ ifdef(`distro_gentoo',`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(slapd, slapd_t)\n+ \tkerberos_manage_host_rcache(slapd_t)\n++\tkerberos_read_keytab(slapd_t)\n+ 
\tkerberos_tmp_filetrans_host_rcache(slapd_t, file, \"ldapmap1_0\")\n+ \tkerberos_tmp_filetrans_host_rcache(slapd_t, file, \"ldap_487\")\n+ \tkerberos_tmp_filetrans_host_rcache(slapd_t, file, \"ldap_55\")\n++\tkerberos_use(slapd_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if\n+index 6e26d71..8e7d1e7 100644\n+--- a/policy/modules/contrib/postfix.if\n++++ b/policy/modules/contrib/postfix.if\n+@@ -714,6 +714,7 @@ interface(`postfix_admin',`\n+ \t\ttype postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;\n+ \t\ttype postfix_data_t, postfix_var_run_t, postfix_public_t;\n+ \t\ttype postfix_private_t, postfix_map_tmp_t, postfix_exec_t;\n++\t\ttype postfix_keytab_t;\n+ \t')\n+ \n+ \tallow $1 postfix_domain:process { ptrace signal_perms };\n+@@ -725,7 +726,7 @@ interface(`postfix_admin',`\n+ \tallow $2 system_r;\n+ \n+ \tfiles_search_etc($1)\n+-\tadmin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })\n++\tadmin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })\n+ \n+ \tfiles_search_spool($1)\n+ \tadmin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })\n+diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te\n+index 0cb7938..dd7259f 100644\n+--- a/policy/modules/contrib/postfix.te\n++++ b/policy/modules/contrib/postfix.te\n+@@ -1,4 +1,4 @@\n+-policy_module(postfix, 1.15.0)\n++policy_module(postfix, 1.15.1)\n+ \n+ ########################################\n+ #\n+@@ -36,6 +36,9 @@ files_config_file(postfix_etc_t)\n+ type postfix_exec_t;\n+ application_executable_file(postfix_exec_t)\n+ \n++type postfix_keytab_t;\n++files_type(postfix_keytab_t)\n++\n+ postfix_server_domain_template(local)\n+ mta_mailserver_delivery(postfix_local_t)\n+ \n+@@ -209,6 +212,8 @@ allow postfix_master_t postfix_etc_t:file rw_file_perms;\n+ allow postfix_master_t postfix_data_t:dir manage_dir_perms;\n+ allow postfix_master_t 
postfix_data_t:file manage_file_perms;\n+ \n++allow postfix_master_t postfix_keytab_t:file read_file_perms;\n++\n+ allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };\n+ \n+ allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;\n+@@ -314,7 +319,8 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(postfix, postfix_t)\n++\tkerberos_read_keytab(postfix_master_t)\n++\tkerberos_use(postfix_master_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te\n+index fbbc398..cc426e6 100644\n+--- a/policy/modules/contrib/procmail.te\n++++ b/policy/modules/contrib/procmail.te\n+@@ -1,4 +1,4 @@\n+-policy_module(procmail, 1.13.0)\n++policy_module(procmail, 1.13.1)\n+ \n+ ########################################\n+ #\n+@@ -122,7 +122,7 @@ optional_policy(`\n+ \tpostfix_read_spool_files(procmail_t)\n+ \tpostfix_read_local_state(procmail_t)\n+ \tpostfix_read_master_state(procmail_t)\n+-\tpostfix_rw_master_pipes(procmail_t)\n++\tpostfix_rw_inherited_master_pipes(procmail_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te\n+index 83cccf9..8742944 100644\n+--- a/policy/modules/contrib/qmail.te\n++++ b/policy/modules/contrib/qmail.te\n+@@ -1,4 +1,4 @@\n+-policy_module(qmail, 1.6.0)\n++policy_module(qmail, 1.6.1)\n+ \n+ ########################################\n+ #\n+@@ -42,6 +42,9 @@ qmail_child_domain_template(qmail_send, qmail_start_t)\n+ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)\n+ qmail_child_domain_template(qmail_splogger, qmail_start_t)\n+ \n++type qmail_keytab_t;\n++files_type(qmail_keytab_t)\n++\n+ type qmail_spool_t;\n+ files_type(qmail_spool_t)\n+ \n+@@ -241,6 +244,8 @@ allow qmail_smtpd_t self:process signal_perms;\n+ allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;\n+ allow qmail_smtpd_t self:tcp_socket 
create_socket_perms;\n+ \n++allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;\n++\n+ allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;\n+ \n+ dev_read_rand(qmail_smtpd_t)\n+@@ -253,7 +258,8 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(qmail, qmail_smtpd_t)\n++\tkerberos_read_keytab(qmail_smtpd_t)\n++\tkerberos_use(qmail_smtpd_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te\n+index 20696cc..5916f81 100644\n+--- a/policy/modules/contrib/rlogin.te\n++++ b/policy/modules/contrib/rlogin.te\n+@@ -1,4 +1,4 @@\n+-policy_module(rlogin, 1.11.0)\n++policy_module(rlogin, 1.11.1)\n+ \n+ ########################################\n+ #\n+@@ -16,6 +16,9 @@ term_login_pty(rlogind_devpts_t)\n+ type rlogind_home_t;\n+ userdom_user_home_content(rlogind_home_t)\n+ \n++type rlogind_keytab_t;\n++files_type(rlogind_keytab_t)\n++\n+ type rlogind_tmp_t;\n+ files_tmp_file(rlogind_tmp_t)\n+ \n+@@ -37,6 +40,8 @@ term_create_pty(rlogind_t, rlogind_devpts_t)\n+ \n+ allow rlogind_t rlogind_home_t:file read_file_perms;\n+ \n++allow rlogind_t rlogind_keytab_t:file read_file_perms;\n++\n+ manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)\n+ manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)\n+ files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })\n+@@ -98,9 +103,10 @@ tunable_policy(`use_samba_home_dirs',`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(rlogind, rlogind_t)\n++\tkerberos_read_keytab(rlogind_t)\n+ \tkerberos_tmp_filetrans_host_rcache(rlogind_t, file, \"host_0\")\n+ \tkerberos_manage_host_rcache(rlogind_t)\n++\tkerberos_use(rlogind_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if\n+index 07f5eb0..157afd9 100644\n+--- a/policy/modules/contrib/rpc.if\n++++ b/policy/modules/contrib/rpc.if\n+@@ -394,7 +394,7 @@ interface(`rpc_admin',`\n+ \t\tattribute rpc_domain;\n+ 
\t\ttype nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;\n+ \t\ttype var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;\n+-\t\ttype nfsd_ro_t, nfsd_rw_t;\n++\t\ttype nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;\n+ \t')\n+ \n+ \tallow $1 rpc_domain:process { ptrace signal_perms };\n+@@ -406,7 +406,7 @@ interface(`rpc_admin',`\n+  \tallow $2 system_r;\n+ \n+ \tfiles_list_etc($1)\n+-\tadmin_pattern($1, exports_t)\n++\tadmin_pattern($1, { gssd_keytab_t exports_t })\n+ \n+ \tfiles_list_var_lib($1)\n+ \tadmin_pattern($1, var_lib_nfs_t)\n+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te\n+index 1e6b44d..a8de8bd 100644\n+--- a/policy/modules/contrib/rpc.te\n++++ b/policy/modules/contrib/rpc.te\n+@@ -1,4 +1,4 @@\n+-policy_module(rpc, 1.15.0)\n++policy_module(rpc, 1.15.1)\n+ \n+ ########################################\n+ #\n+@@ -30,6 +30,9 @@ files_config_file(exports_t)\n+ \n+ rpc_domain_template(gssd)\n+ \n++type gssd_keytab_t;\n++files_type(gssd_keytab_t)\n++\n+ type gssd_tmp_t;\n+ files_tmp_file(gssd_tmp_t)\n+ \n+@@ -271,6 +274,8 @@ allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };\n+ allow gssd_t self:process { getsched setsched };\n+ allow gssd_t self:fifo_file rw_fifo_file_perms;\n+ \n++allow gssd_t gssd_keytab_t:file read_file_perms;\n++\n+ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)\n+ manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)\n+ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })\n+@@ -309,9 +314,10 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(gssd, gssd_t)\n+ \tkerberos_manage_host_rcache(gssd_t)\n++\tkerberos_read_keytab(gssd_t)\n+ \tkerberos_tmp_filetrans_host_rcache(gssd_t, file, \"nfs_0\")\n++\tkerberos_use(gssd_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te\n+index 575e3e3..864e089 100644\n+--- a/policy/modules/contrib/rshd.te\n++++ b/policy/modules/contrib/rshd.te\n+@@ -1,4 +1,4 
@@\n+-policy_module(rshd, 1.8.0)\n++policy_module(rshd, 1.8.1)\n+ \n+ ########################################\n+ #\n+@@ -10,6 +10,9 @@ type rshd_exec_t;\n+ auth_login_pgm_domain(rshd_t)\n+ inetd_tcp_service_domain(rshd_t, rshd_exec_t)\n+ \n++type rshd_keytab_t;\n++files_type(rshd_keytab_t)\n++\n+ ########################################\n+ #\n+ # Local policy\n+@@ -20,6 +23,8 @@ allow rshd_t self:process { signal_perms setsched setpgid setexec };\n+ allow rshd_t self:fifo_file rw_fifo_file_perms;\n+ allow rshd_t self:tcp_socket create_stream_socket_perms;\n+ \n++allow rshd_t rshd_keytab_t:file read_file_perms;\n++\n+ kernel_read_kernel_sysctls(rshd_t)\n+ \n+ corenet_all_recvfrom_unlabeled(rshd_t)\n+@@ -54,9 +59,10 @@ tunable_policy(`use_samba_home_dirs',`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(rshd, rshd_t)\n+ \tkerberos_manage_host_rcache(rshd_t)\n++\tkerberos_read_keytab(rshd_t)\n+ \tkerberos_tmp_filetrans_host_rcache(rshd_t, file, \"host_0\")\n++\tkerberos_use(rshd_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if\n+index aee75af..50d07fb 100644\n+--- a/policy/modules/contrib/samba.if\n++++ b/policy/modules/contrib/samba.if\n+@@ -689,6 +689,7 @@ interface(`samba_admin',`\n+ \t\ttype samba_etc_t, samba_share_t, samba_initrc_exec_t;\n+ \t\ttype swat_var_run_t, swat_tmp_t, winbind_log_t;\n+ \t\ttype winbind_var_run_t, winbind_tmp_t;\n++\t\ttype smbd_keytab_t;\n+ \t')\n+ \n+ \tallow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };\n+@@ -700,7 +701,7 @@ interface(`samba_admin',`\n+ \tallow $2 system_r;\n+ \n+ \tfiles_list_etc($1)\n+-\tadmin_pattern($1, samba_etc_t)\n++\tadmin_pattern($1, { samba_etc_t smbd_keytab_t })\n+ \n+ \tlogging_list_logs($1)\n+ \tadmin_pattern($1, { samba_log_t winbind_log_t })\n+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te\n+index 54b89a6..98daaef 100644\n+--- a/policy/modules/contrib/samba.te\n++++ 
b/policy/modules/contrib/samba.te\n+@@ -1,4 +1,4 @@\n+-policy_module(samba, 1.16.0)\n++policy_module(samba, 1.16.1)\n+ \n+ #################################\n+ #\n+@@ -142,6 +142,9 @@ type smbd_t;\n+ type smbd_exec_t;\n+ init_daemon_domain(smbd_t, smbd_exec_t)\n+ \n++type smbd_keytab_t;\n++files_type(smbd_keytab_t)\n++\n+ type smbd_tmp_t;\n+ files_tmp_file(smbd_tmp_t)\n+ \n+@@ -271,6 +274,8 @@ allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }\n+ \n+ allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };\n+ \n++allow smbd_t smbd_keytab_t:file read_file_perms;\n++\n+ manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)\n+ append_files_pattern(smbd_t, samba_log_t, samba_log_t)\n+ create_files_pattern(smbd_t, samba_log_t, samba_log_t)\n+@@ -468,8 +473,8 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n++\tkerberos_read_keytab(smbd_t)\n+ \tkerberos_use(smbd_t)\n+-\tkerberos_keytab_template(smbd, smbd_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if\n+index b2f388a..8c3c151 100644\n+--- a/policy/modules/contrib/sasl.if\n++++ b/policy/modules/contrib/sasl.if\n+@@ -39,6 +39,7 @@ interface(`sasl_connect',`\n+ interface(`sasl_admin',`\n+ \tgen_require(`\n+ \t\ttype saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;\n++\t\ttype saslauthd_keytab_t;\n+ \t')\n+ \n+ \tallow $1 saslauthd_t:process { ptrace signal_perms };\n+@@ -49,6 +50,9 @@ interface(`sasl_admin',`\n+ \trole_transition $2 saslauthd_initrc_exec_t system_r;\n+ \tallow $2 system_r;\n+ \n++\tfiles_list_etc($1)\n++\tadmin_pattern($1, saslauthd_keytab_t)\n++\n+ \tfiles_list_pids($1)\n+ \tadmin_pattern($1, saslauthd_var_run_t)\n+ ')\n+diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te\n+index 20ebffb..6c3bc20 100644\n+--- a/policy/modules/contrib/sasl.te\n++++ b/policy/modules/contrib/sasl.te\n+@@ -1,4 +1,4 @@\n+-policy_module(sasl, 1.15.0)\n++policy_module(sasl, 1.15.1)\n+ 
\n+ ########################################\n+ #\n+@@ -20,6 +20,9 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)\n+ type saslauthd_initrc_exec_t;\n+ init_script_file(saslauthd_initrc_exec_t)\n+ \n++type saslauthd_keytab_t;\n++files_type(saslauthd_keytab_t)\n++\n+ type saslauthd_var_run_t;\n+ files_pid_file(saslauthd_var_run_t)\n+ \n+@@ -34,6 +37,8 @@ allow saslauthd_t self:process { setsched signal_perms };\n+ allow saslauthd_t self:fifo_file rw_fifo_file_perms;\n+ allow saslauthd_t self:unix_stream_socket { accept listen };\n+ \n++allow saslauthd_t saslauthd_keytab_t:file read_file_perms;\n++\n+ manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)\n+ manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)\n+ manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)\n+@@ -92,9 +97,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(saslauthd, saslauthd_t)\n++\tkerberos_read_keytab(saslauthd_t)\n+ \tkerberos_manage_host_rcache(saslauthd_t)\n+ \tkerberos_tmp_filetrans_host_rcache(saslauthd_t, file, \"host_0\")\n++\tkerberos_use(saslauthd_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if\n+index 88e753f..35ad2a7 100644\n+--- a/policy/modules/contrib/sendmail.if\n++++ b/policy/modules/contrib/sendmail.if\n+@@ -354,6 +354,7 @@ interface(`sendmail_admin',`\n+ \tgen_require(`\n+ \t\ttype sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;\n+ \t\ttype sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;\n++\t\ttype sendmail_keytab_t;\n+ \t')\n+ \n+ \tallow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };\n+@@ -363,6 +364,9 @@ interface(`sendmail_admin',`\n+ \tdomain_system_change_exemption($1)\n+ \trole_transition $2 sendmail_initrc_exec_t system_r;\n+ \n++\tfiles_list_etc($1)\n++\tadmin_pattern($1, sendmail_keytab_t)\n++\n+ 
\tlogging_list_logs($1)\n+ \tadmin_pattern($1, sendmail_log_t)\n+ \n+diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te\n+index 320db21..12700b4 100644\n+--- a/policy/modules/contrib/sendmail.te\n++++ b/policy/modules/contrib/sendmail.te\n+@@ -1,4 +1,4 @@\n+-policy_module(sendmail, 1.12.0)\n++policy_module(sendmail, 1.12.1)\n+ \n+ ########################################\n+ #\n+@@ -13,6 +13,9 @@ roleattribute system_r sendmail_unconfined_roles;\n+ type sendmail_initrc_exec_t;\n+ init_script_file(sendmail_initrc_exec_t)\n+ \n++type sendmail_keytab_t;\n++files_type(sendmail_keytab_t)\n++\n+ type sendmail_log_t;\n+ logging_log_file(sendmail_log_t)\n+ \n+@@ -43,6 +46,8 @@ allow sendmail_t self:fifo_file rw_fifo_file_perms;\n+ allow sendmail_t self:unix_stream_socket { accept listen };\n+ allow sendmail_t self:tcp_socket { accept listen };\n+ \n++allow sendmail_t sendmail_keytab_t:file read_file_perms;\n++\n+ allow sendmail_t sendmail_log_t:dir setattr_dir_perms;\n+ append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)\n+ create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)\n+@@ -154,7 +159,8 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(sendmail, sendmail_t)\n++\tkerberos_read_keytab(sendmail_t)\n++\tkerberos_use(sendmail_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te\n+index 02fba54..cc58e35 100644\n+--- a/policy/modules/contrib/spamassassin.te\n++++ b/policy/modules/contrib/spamassassin.te\n+@@ -1,4 +1,4 @@\n+-policy_module(spamassassin, 2.6.0)\n++policy_module(spamassassin, 2.6.1)\n+ \n+ ########################################\n+ #\n+@@ -262,7 +262,7 @@ optional_policy(`\n+ \tpostfix_domtrans_postdrop(spamc_t)\n+ \tpostfix_search_spool(spamc_t)\n+ \tpostfix_rw_local_pipes(spamc_t)\n+-\tpostfix_rw_master_pipes(spamc_t)\n++\tpostfix_rw_inherited_master_pipes(spamc_t)\n+ ')\n+ \n+ 
########################################\n+diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te\n+index b9e2061..bcef8b5 100644\n+--- a/policy/modules/contrib/telnet.te\n++++ b/policy/modules/contrib/telnet.te\n+@@ -1,4 +1,4 @@\n+-policy_module(telnet, 1.11.0)\n++policy_module(telnet, 1.11.1)\n+ \n+ ########################################\n+ #\n+@@ -12,6 +12,9 @@ inetd_service_domain(telnetd_t, telnetd_exec_t)\n+ type telnetd_devpts_t;\n+ term_login_pty(telnetd_devpts_t)\n+ \n++type telnetd_keytab_t;\n++files_type(telnetd_keytab_t)\n++\n+ type telnetd_tmp_t;\n+ files_tmp_file(telnetd_tmp_t)\n+ \n+@@ -30,6 +33,8 @@ allow telnetd_t self:fifo_file rw_fifo_file_perms;\n+ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };\n+ term_create_pty(telnetd_t, telnetd_devpts_t)\n+ \n++allow telnetd_t telnetd_keytab_t:file read_file_perms;\n++\n+ manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)\n+ manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)\n+ files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })\n+@@ -85,9 +90,10 @@ tunable_policy(`use_samba_home_dirs',`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(telnetd, telnetd_t)\n++\tkerberos_read_keytab(telnetd_t)\n+ \tkerberos_tmp_filetrans_host_rcache(telnetd_t, file, \"host_0\")\n+ \tkerberos_manage_host_rcache(telnetd_t)\n++\tkerberos_use(telnetd_t)\n+ ')\n+ \n+ optional_policy(`\n+diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if\n+index e30a42e..c8bc302 100644\n+--- a/policy/modules/contrib/virt.if\n++++ b/policy/modules/contrib/virt.if\n+@@ -1148,7 +1148,7 @@ interface(`virt_admin',`\n+ \t\ttype virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;\n+ \t\ttype virt_var_run_t, virt_tmp_t, virt_log_t;\n+ \t\ttype virt_lock_t, svirt_var_run_t, virt_etc_rw_t;\n+-\t\ttype virt_etc_t, svirt_cache_t;\n++\t\ttype virt_etc_t, svirt_cache_t, virtd_keytab_t;\n+ \t')\n+ \n+ \tallow $1 { virt_domain 
svirt_lxc_domain virtd_t }:process { ptrace signal_perms };\n+@@ -1168,7 +1168,7 @@ interface(`virt_admin',`\n+ \tadmin_pattern($1, { virt_tmp_type virt_tmp_t })\n+ \n+ \tfiles_search_etc($1)\n+-\tadmin_pattern($1, { virt_etc_t virt_etc_rw_t })\n++\tadmin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })\n+ \n+ \tlogging_search_logs($1)\n+ \tadmin_pattern($1, virt_log_t)\n+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te\n+index 9230f0d..f2916f7 100644\n+--- a/policy/modules/contrib/virt.te\n++++ b/policy/modules/contrib/virt.te\n+@@ -1,4 +1,4 @@\n+-policy_module(virt, 1.7.0)\n++policy_module(virt, 1.7.1)\n+ \n+ ########################################\n+ #\n+@@ -142,6 +142,9 @@ domain_subj_id_change_exemption(virtd_t)\n+ type virtd_initrc_exec_t;\n+ init_script_file(virtd_initrc_exec_t)\n+ \n++type virtd_keytab_t;\n++files_type(virtd_keytab_t)\n++\n+ ifdef(`enable_mcs',`\n+ \tinit_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)\n+ ')\n+@@ -438,6 +441,8 @@ manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)\n+ manage_files_pattern(virtd_t, virt_content_t, virt_content_t)\n+ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, \"isos\")\n+ \n++allow virtd_t virtd_keytab_t:file read_file_perms;\n++\n+ allow virtd_t svirt_var_run_t:file relabel_file_perms;\n+ manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)\n+ manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)\n+@@ -700,7 +705,8 @@ optional_policy(`\n+ ')\n+ \n+ optional_policy(`\n+-\tkerberos_keytab_template(virtd, virtd_t)\n++\tkerberos_read_keytab(virtd_t)\n++\tkerberos_use(virtd_t)\n+ ')\n+ \n+ optional_policy(`\ndiff --git a/package/refpolicy/refpolicy-0002-awk-fix.patch b/package/refpolicy/refpolicy-0002-awk-fix.patch\nnew file mode 100644\nindex 0000000..cc742a5\n--- /dev/null\n+++ b/package/refpolicy/refpolicy-0002-awk-fix.patch\n@@ -0,0 +1,37 @@\n+Use AWK variable instead of the hardcoded awk\n+\n+The refpolicy 
build system uses some awk expressions that need GNU\n+awk, and not some other version of awk. Unfortunately, while the\n+Makefile nicely defines a AWK variable pointing to gawk by default,\n+there are several places where it hardcodes the usage of 'awk' without\n+the variable. This patch fixes those instances by using the AWK\n+vairable everywhere.\n+\n+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>\n+\n+Index: refpolicy-2.20130424/Makefile\n+===================================================================\n+--- refpolicy-2.20130424.orig/Makefile\t2013-02-25 16:29:33.000000000 +0100\n++++ refpolicy-2.20130424/Makefile\t2013-11-24 22:29:19.000000000 +0100\n+@@ -292,9 +292,9 @@\n+ cmdline_off := $(addsuffix .te,$(APPS_OFF))\n+ \n+ # extract settings from modules.conf\n+-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == \"$(configbase)\") print $$1 }' $(mod_conf) 2> /dev/null)))\n+-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == \"$(configmod)\") print $$1 }' $(mod_conf) 2> /dev/null)))\n+-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == \"$(configoff)\") print $$1 }' $(mod_conf) 2> /dev/null)))\n++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == \"$(configbase)\") print $$1 }' $(mod_conf) 2> /dev/null)))\n++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == \"$(configmod)\") print $$1 }' $(mod_conf) 2> /dev/null)))\n++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == \"$(configoff)\") print $$1 }' $(mod_conf) 2> /dev/null)))\n+ \n+ base_mods := $(cmdline_base)\n+ mod_mods := $(cmdline_mods)\n+@@ -308,7 +308,7 @@\n+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))\n+ \n+ # filesystems to be used in labeling targets\n+-filesystems = $(shell 
mount | grep -v \"context=\" | egrep -v '\\((|.*,)bind(,.*|)\\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)\n++filesystems = $(shell mount | grep -v \"context=\" | egrep -v '\\((|.*,)bind(,.*|)\\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)\n+ fs_names := \"btrfs ext2 ext3 ext4 xfs jfs\"\n+ \n+ ########################################\ndiff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk\nnew file mode 100644\nindex 0000000..90be77a\n--- /dev/null\n+++ b/package/refpolicy/refpolicy.mk\n@@ -0,0 +1,82 @@\n+################################################################################\n+#\n+# refpolicy\n+#\n+################################################################################\n+\n+REFPOLICY_VERSION = 2.20130424\n+REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2\n+REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/\n+REFPOLICY_LICENSE = GPLv2\n+REFPOLICY_LICENSE_FILES = COPYING\n+\n+# Cannot use multiple threads to build the reference policy\n+REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)\n+\n+REFPOLICY_DEPENDENCIES = host-m4 host-checkpolicy host-policycoreutils \\\n+\thost-setools host-python-pyxml host-gawk policycoreutils\n+\n+REFPOLICY_INSTALL_STAGING = YES\n+\n+REFPOLICY_POLICY_NAME = br_policy\n+\n+# To apply board specific customizations, create a refpolicy folder in\n+# BR2_GLOBAL_PATCH_DIR.  
These patches will be applied after the patches\n+# in package/refpolicy\n+\n+# Pointing to the host compiler to build a sort application during the build.\n+# The host compiler tools are not used for any part of the refpolicy build.\n+# Note, the TEST_TOOLCHAIN option will also set the\n+# LD_LIBRARY_PATH at run time.\n+REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \\\n+\tTEST_TOOLCHAIN=\"$(HOST_DIR)\"\n+\n+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)\n+\tREFPOLICY_MONOLITHIC = n\n+else\n+\tREFPOLICY_MONOLITHIC = y\n+endif\n+\n+define REFPOLICY_CONFIGURE_CMDS\n+\t$(REFPOLICY_MAKE) -C $(@D) bare $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)\n+\t$(SED) \"/TYPE/c\\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)\" $(@D)/build.conf\n+\t$(SED) \"/MONOLITHIC/c\\MONOLITHIC = $(REFPOLICY_MONOLITHIC)\" $(@D)/build.conf\n+\t$(SED) \"/NAME/c\\NAME = $(REFPOLICY_POLICY_NAME)\" $(@D)/build.conf\n+\t$(REFPOLICY_MAKE) -C $(@D) conf $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)\n+\tcp -f $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf\n+endef\n+\n+define REFPOLICY_INSTALL_STAGING_CMDS\n+\t$(REFPOLICY_MAKE) -C $(@D) install-src install-headers \\\n+\t\t$(if $(BR2_HAVE_DOCUMENTATION),install-docs) \\\n+\t\t$(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)\n+endef\n+\n+REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))\n+\n+define REFPOLICY_INSTALL_TARGET_CMDS\n+\t$(REFPOLICY_MAKE) -C $(@D) install $(REFPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)\n+\t$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config\n+\t$(SED) \"/^SELINUXTYPE/c\\SELINUXTYPE=$(REFPOLICY_POLICY_NAME)\" \\\n+\t\t$(TARGET_DIR)/etc/selinux/config\n+\ttouch $(TARGET_DIR)/.autorelabel\n+\t$(RM) $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/booleans\n+endef\n+\n+define REFPOLICY_INSTALL_INIT_SYSV\n+\t$(INSTALL) -m 0755 -D package/refpolicy/S12selinux \\\n+\t\t$(TARGET_DIR)/etc/init.d/S12selinux\n+endef\n+\n+define REFPOLICY_POLICY_COMPILE\n+\t$(INSTALL) -d -m 0755 
$(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/policy\n+\t$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/modules/active/modules\n+\t$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files\n+\ttouch $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files/file_contexts.local\n+endef\n+\n+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)\n+\tREFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_POLICY_COMPILE\n+endif\n+\n+$(eval $(generic-package))\n",
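Review bot: `$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config` in REFPOLICY_INSTALL_TARGET_CMDS installs a configuration file with the execute bit set; `/etc/selinux/config` is only ever read, so `-m 0644` is the appropriate mode and keeps the file out of executable-file audits. The three `$(SED) "/TYPE/c\..."`-style rewrites of build.conf in REFPOLICY_CONFIGURE_CMDS use unanchored patterns, so any other line containing TYPE, MONOLITHIC or NAME (a comment line, for instance) is replaced as well; anchoring them as `/^TYPE/`, `/^MONOLITHIC/` and `/^NAME/` limits the edit to the assignments. REFPOLICY_SITE is plain http and no integrity check for the tarball is visible in this hunk, so the source that ends up defining the target's mandatory access control policy is trusted exactly as downloaded; presumably a checksum should be recorded wherever this tree records them. The REFPOLICY_POLICY_COMPILE hook compiles nothing — it only creates directories and an empty file_contexts.local — so a name such as REFPOLICY_CREATE_MODULAR_DIRS would describe it more honestly.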
    "prefixes": [
        "v5",
        "14/20"
    ]
}