From 599e9756ef01e787998231a4202e5c12369c0294 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@fedoraproject.org>
Date: Jul 25 2008 04:17:41 +0000
Subject: - Eliminate vbetool duplicate entry


---

diff --git a/policy-20080710.patch b/policy-20080710.patch
index 3bbac0e..a8e3d99 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -1,82 +1,3 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.1/Makefile
---- nsaserefpolicy/Makefile	2008-06-12 23:25:10.000000000 -0400
-+++ serefpolicy-3.5.1/Makefile	2008-07-24 06:54:04.000000000 -0400
-@@ -311,20 +311,22 @@
- 
- # parse-rolemap modulename,outputfile
- define parse-rolemap
--	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
--		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+	echo "" >> $2
-+#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
- 
- # perrole-expansion modulename,outputfile
- define perrole-expansion
--	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
--	$(call parse-rolemap,$1,$2)
--	$(verbose) echo "')" >> $2
--
--	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
--	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
--	$(call parse-rolemap-compat,$1,$2)
--	$(verbose) echo "')" >> $2
-+	echo "No longer doing perrole-expansion"
-+#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+#	$(call parse-rolemap,$1,$2)
-+#	$(verbose) echo "')" >> $2
-+
-+#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+#	$(call parse-rolemap-compat,$1,$2)
-+#	$(verbose) echo "')" >> $2
- endef
- 
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -523,6 +525,10 @@
- 	@mkdir -p $(appdir)/users
- 	$(verbose) $(INSTALL) -m 644 $^ $@
- 
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+	@mkdir -p $(appdir)
-+	$(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- 	@mkdir -p $(appdir)
- 	$(verbose) $(INSTALL) -m 644 $< $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.1/Rules.modular
---- nsaserefpolicy/Rules.modular	2008-06-12 23:25:10.000000000 -0400
-+++ serefpolicy-3.5.1/Rules.modular	2008-07-24 06:54:04.000000000 -0400
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- 	@echo "Compliling $(NAME) $(@F) module"
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
--	$(call perrole-expansion,$(basename $(@F)),$@.role)
--	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+#	$(call perrole-expansion,$(basename $(@F)),$@.role)
-+	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
- 
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- 	$(verbose) $(genperm) $(avs) $(secclass) > $@
--	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
- 
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -146,7 +146,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- 	$(verbose) echo "" > $@
--	$(call parse-rolemap,base,$@)
-+#	$(call parse-rolemap,base,$@)
- 
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.1/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts	2008-06-12 23:25:09.000000000 -0400
 +++ serefpolicy-3.5.1/config/appconfig-mcs/default_contexts	2008-07-24 06:54:04.000000000 -0400
@@ -188,6 +109,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg
 +system_r:sshd_t		xguest_r:xguest_t
 +system_r:crond_t	xguest_r:xguest_crond_t
 +system_r:xdm_t		xguest_r:xguest_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.1/Makefile
+--- nsaserefpolicy/Makefile	2008-06-12 23:25:10.000000000 -0400
++++ serefpolicy-3.5.1/Makefile	2008-07-24 06:54:04.000000000 -0400
+@@ -311,20 +311,22 @@
+ 
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++	echo "" >> $2
++#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+ 
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+-	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+-	$(call parse-rolemap,$1,$2)
+-	$(verbose) echo "')" >> $2
+-
+-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+-	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+-	$(call parse-rolemap-compat,$1,$2)
+-	$(verbose) echo "')" >> $2
++	echo "No longer doing perrole-expansion"
++#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++#	$(call parse-rolemap,$1,$2)
++#	$(verbose) echo "')" >> $2
++
++#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++#	$(call parse-rolemap-compat,$1,$2)
++#	$(verbose) echo "')" >> $2
+ endef
+ 
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -523,6 +525,10 @@
+ 	@mkdir -p $(appdir)/users
+ 	$(verbose) $(INSTALL) -m 644 $^ $@
+ 
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++	@mkdir -p $(appdir)
++	$(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ 	@mkdir -p $(appdir)
+ 	$(verbose) $(INSTALL) -m 644 $< $@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.5.1/man/man8/ftpd_selinux.8
 --- nsaserefpolicy/man/man8/ftpd_selinux.8	2008-06-12 23:25:09.000000000 -0400
 +++ serefpolicy-3.5.1/man/man8/ftpd_selinux.8	2008-07-24 06:54:04.000000000 -0400
@@ -1413,6 +1381,121 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  optional_policy(`
  	usermanage_domtrans_groupadd(rpm_script_t)
  	usermanage_domtrans_useradd(rpm_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.1/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if	2008-06-12 23:25:08.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/admin/sudo.if	2008-07-24 06:54:04.000000000 -0400
+@@ -55,7 +55,7 @@
+ 	#
+ 
+ 	# Use capabilities.
+-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 	allow $1_sudo_t self:process { setexec setrlimit };
+ 	allow $1_sudo_t self:fd use;
+@@ -68,33 +68,35 @@
+ 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ 	allow $1_sudo_t self:unix_dgram_socket sendto;
+ 	allow $1_sudo_t self:unix_stream_socket connectto;
+-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
++	allow $1_sudo_t self:key manage_key_perms;
++	allow $1_sudo_t $1_t:key search;
+ 
+ 	# Enter this derived domain from the user domain
+ 	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+ 
+ 	# By default, revert to the calling domain when a shell is executed.
+ 	corecmd_shell_domtrans($1_sudo_t,$2)
++	corecmd_bin_domtrans($1_sudo_t,$2)
+ 	allow $2 $1_sudo_t:fd use;
+ 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ 	allow $2 $1_sudo_t:process sigchld;
+ 
+ 	kernel_read_kernel_sysctls($1_sudo_t)
+ 	kernel_read_system_state($1_sudo_t)
+-	kernel_search_key($1_sudo_t)
++	kernel_link_key($1_sudo_t)
+ 
+ 	dev_read_urand($1_sudo_t)
+ 
+ 	fs_search_auto_mountpoints($1_sudo_t)
+ 	fs_getattr_xattr_fs($1_sudo_t)
+ 
+-	auth_domtrans_chk_passwd($1_sudo_t)
++	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+ 	# sudo stores a token in the pam_pid directory
+ 	auth_manage_pam_pid($1_sudo_t)
+ 	auth_use_nsswitch($1_sudo_t)
+ 
+ 	corecmd_read_bin_symlinks($1_sudo_t)
+-	corecmd_getattr_all_executables($1_sudo_t)
++	corecmd_exec_all_executables($1_sudo_t)
+ 
+ 	domain_use_interactive_fds($1_sudo_t)
+ 	domain_sigchld_interactive_fds($1_sudo_t)
+@@ -106,32 +108,50 @@
+ 	files_getattr_usr_files($1_sudo_t)
+ 	# for some PAM modules and for cwd
+ 	files_dontaudit_search_home($1_sudo_t)
++	files_list_tmp($1_sudo_t)
+ 
+ 	init_rw_utmp($1_sudo_t)
+ 
+ 	libs_use_ld_so($1_sudo_t)
+ 	libs_use_shared_libs($1_sudo_t)
+ 
++	logging_send_audit_msgs($1_sudo_t)
+ 	logging_send_syslog_msg($1_sudo_t)
+ 
+ 	miscfiles_read_localization($1_sudo_t)
+ 
+-	userdom_manage_user_home_content_files($1,$1_sudo_t)
+-	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
+-	userdom_manage_user_tmp_files($1,$1_sudo_t)
+-	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
++	mta_per_role_template($1, $1_sudo_t, $3)
++
++	unprivuser_manage_home_content_files($1_sudo_t)
++	unprivuser_manage_home_content_symlinks($1_sudo_t)
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_manage_nfs_files($1_sudo_t)
++	')
++
++	tunable_policy(`use_samba_home_dirs',`
++		fs_manage_cifs_files($1_sudo_t)
++	')
++	unprivuser_manage_tmp_files($1_sudo_t)
++	unprivuser_manage_tmp_symlinks($1_sudo_t)
++	userdom_exec_user_home_content_files($1,$1_sudo_t)
+ 	userdom_use_user_terminals($1,$1_sudo_t)
+ 	userdom_use_unpriv_users_fds($1_sudo_t)
+ 	# for some PAM modules and for cwd
++	sysadm_search_home_content_dirs($1_sudo_t)
+ 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
++	userdom_manage_all_users_keys($1_sudo_t)
+ 
+-	ifdef(`TODO',`
+-	# for when the network connection is killed
+-	dontaudit unpriv_userdomain $1_sudo_t:process signal;
+-
+-	ifdef(`mta.te', `
+-	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+-	')
++	domain_role_change_exemption($1_sudo_t)
++	userdom_spec_domtrans_all_users($1_sudo_t)
+ 
+-	') dnl end TODO
++	selinux_validate_context($1_sudo_t)
++	selinux_compute_relabel_context($1_sudo_t)
++	selinux_getattr_fs($1_sudo_t)
++	seutil_read_config($1_sudo_t)
++	seutil_search_default_contexts($1_sudo_t)
++
++	term_use_all_user_ttys($1_sudo_t)
++	term_use_all_user_ptys($1_sudo_t)
++	term_relabel_all_user_ttys($1_sudo_t)
++	term_relabel_all_user_ptys($1_sudo_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.1/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2008-06-12 23:25:08.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/admin/su.if	2008-07-24 06:54:04.000000000 -0400
@@ -1543,121 +1626,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
  ')
  
  #######################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.1/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if	2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/admin/sudo.if	2008-07-24 06:54:04.000000000 -0400
-@@ -55,7 +55,7 @@
- 	#
- 
- 	# Use capabilities.
--	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- 	allow $1_sudo_t self:process { setexec setrlimit };
- 	allow $1_sudo_t self:fd use;
-@@ -68,33 +68,35 @@
- 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- 	allow $1_sudo_t self:unix_dgram_socket sendto;
- 	allow $1_sudo_t self:unix_stream_socket connectto;
--	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
-+	allow $1_sudo_t self:key manage_key_perms;
-+	allow $1_sudo_t $1_t:key search;
- 
- 	# Enter this derived domain from the user domain
- 	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
- 
- 	# By default, revert to the calling domain when a shell is executed.
- 	corecmd_shell_domtrans($1_sudo_t,$2)
-+	corecmd_bin_domtrans($1_sudo_t,$2)
- 	allow $2 $1_sudo_t:fd use;
- 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
- 	allow $2 $1_sudo_t:process sigchld;
- 
- 	kernel_read_kernel_sysctls($1_sudo_t)
- 	kernel_read_system_state($1_sudo_t)
--	kernel_search_key($1_sudo_t)
-+	kernel_link_key($1_sudo_t)
- 
- 	dev_read_urand($1_sudo_t)
- 
- 	fs_search_auto_mountpoints($1_sudo_t)
- 	fs_getattr_xattr_fs($1_sudo_t)
- 
--	auth_domtrans_chk_passwd($1_sudo_t)
-+	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
- 	# sudo stores a token in the pam_pid directory
- 	auth_manage_pam_pid($1_sudo_t)
- 	auth_use_nsswitch($1_sudo_t)
- 
- 	corecmd_read_bin_symlinks($1_sudo_t)
--	corecmd_getattr_all_executables($1_sudo_t)
-+	corecmd_exec_all_executables($1_sudo_t)
- 
- 	domain_use_interactive_fds($1_sudo_t)
- 	domain_sigchld_interactive_fds($1_sudo_t)
-@@ -106,32 +108,50 @@
- 	files_getattr_usr_files($1_sudo_t)
- 	# for some PAM modules and for cwd
- 	files_dontaudit_search_home($1_sudo_t)
-+	files_list_tmp($1_sudo_t)
- 
- 	init_rw_utmp($1_sudo_t)
- 
- 	libs_use_ld_so($1_sudo_t)
- 	libs_use_shared_libs($1_sudo_t)
- 
-+	logging_send_audit_msgs($1_sudo_t)
- 	logging_send_syslog_msg($1_sudo_t)
- 
- 	miscfiles_read_localization($1_sudo_t)
- 
--	userdom_manage_user_home_content_files($1,$1_sudo_t)
--	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
--	userdom_manage_user_tmp_files($1,$1_sudo_t)
--	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
-+	mta_per_role_template($1, $1_sudo_t, $3)
-+
-+	unprivuser_manage_home_content_files($1_sudo_t)
-+	unprivuser_manage_home_content_symlinks($1_sudo_t)
-+	tunable_policy(`use_nfs_home_dirs',`
-+		fs_manage_nfs_files($1_sudo_t)
-+	')
-+
-+	tunable_policy(`use_samba_home_dirs',`
-+		fs_manage_cifs_files($1_sudo_t)
-+	')
-+	unprivuser_manage_tmp_files($1_sudo_t)
-+	unprivuser_manage_tmp_symlinks($1_sudo_t)
-+	userdom_exec_user_home_content_files($1,$1_sudo_t)
- 	userdom_use_user_terminals($1,$1_sudo_t)
- 	userdom_use_unpriv_users_fds($1_sudo_t)
- 	# for some PAM modules and for cwd
-+	sysadm_search_home_content_dirs($1_sudo_t)
- 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
-+	userdom_manage_all_users_keys($1_sudo_t)
- 
--	ifdef(`TODO',`
--	# for when the network connection is killed
--	dontaudit unpriv_userdomain $1_sudo_t:process signal;
--
--	ifdef(`mta.te', `
--	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
--	')
-+	domain_role_change_exemption($1_sudo_t)
-+	userdom_spec_domtrans_all_users($1_sudo_t)
- 
--	') dnl end TODO
-+	selinux_validate_context($1_sudo_t)
-+	selinux_compute_relabel_context($1_sudo_t)
-+	selinux_getattr_fs($1_sudo_t)
-+	seutil_read_config($1_sudo_t)
-+	seutil_search_default_contexts($1_sudo_t)
-+
-+	term_use_all_user_ttys($1_sudo_t)
-+	term_use_all_user_ptys($1_sudo_t)
-+	term_relabel_all_user_ttys($1_sudo_t)
-+	term_relabel_all_user_ptys($1_sudo_t)
- ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2008-06-12 23:25:08.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/admin/tmpreaper.te	2008-07-24 06:54:04.000000000 -0400
@@ -20555,7 +20523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.1/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.1/policy/modules/services/polkit.te	2008-07-24 06:54:04.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/polkit.te	2008-07-24 22:56:25.000000000 -0400
 @@ -0,0 +1,221 @@
 +policy_module(polkit_auth,1.0.0)
 +
@@ -20894,6 +20862,100 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ##	Execute postfix user mail programs
  ##	in their respective domains.
  ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc	2008-06-12 23:25:05.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc	2008-07-24 06:54:04.000000000 -0400
+@@ -3,3 +3,5 @@
+ /usr/sbin/policyd		--	gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+ 
+ /var/run/policyd\.pid		--	gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
++
++/etc/rc.d/init.d/postfixpolicyd	--	gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if	2008-06-12 23:25:05.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if	2008-07-24 06:54:04.000000000 -0400
+@@ -1 +1,68 @@
+ ## <summary>Postfix policy server</summary>
++
++########################################
++## <summary>
++##	Execute postfixpolicyd server in the postfixpolicyd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`postfixpolicyd_script_domtrans',`
++	gen_require(`
++		type postfix_policyd_script_exec_t;
++	')
++
++	init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an postfixpolicyd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the postfixpolicyd domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`postfixpolicyd_admin',`
++	gen_require(`
++		type postfix_policyd_t;
++		type postfix_policyd_script_exec_t;
++		type postfix_policyd_conf_t;
++		type postfix_policyd_var_run_t;
++	')
++
++	allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
++	        
++	# Allow postfix_policyd_t to restart the apache service
++	postfixpolicyd_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 postfix_policyd_script_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_etc($1)
++        manage_all_pattern($1,postfix_policyd_conf_t)
++
++	files_list_pids($1)
++        manage_all_pattern($1,postfix_policyd_var_run_t)
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te	2008-06-12 23:25:05.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te	2008-07-24 06:54:04.000000000 -0400
+@@ -16,6 +16,9 @@
+ type postfix_policyd_var_run_t;
+ files_pid_file(postfix_policyd_var_run_t)
+ 
++type postfix_policyd_script_exec_t;
++init_script_type(postfix_policyd_script_exec_t)
++
+ ########################################
+ #
+ # Local Policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.1/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2008-07-10 11:38:46.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/services/postfix.te	2008-07-24 06:54:04.000000000 -0400
@@ -21158,100 +21220,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.fc	2008-07-24 06:54:04.000000000 -0400
-@@ -3,3 +3,5 @@
- /usr/sbin/policyd		--	gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
- 
- /var/run/policyd\.pid		--	gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
-+
-+/etc/rc.d/init.d/postfixpolicyd	--	gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.if	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.if	2008-07-24 06:54:04.000000000 -0400
-@@ -1 +1,68 @@
- ## <summary>Postfix policy server</summary>
-+
-+########################################
-+## <summary>
-+##	Execute postfixpolicyd server in the postfixpolicyd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+#
-+interface(`postfixpolicyd_script_domtrans',`
-+	gen_require(`
-+		type postfix_policyd_script_exec_t;
-+	')
-+
-+	init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an postfixpolicyd environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the postfixpolicyd domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the user terminal.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`postfixpolicyd_admin',`
-+	gen_require(`
-+		type postfix_policyd_t;
-+		type postfix_policyd_script_exec_t;
-+		type postfix_policyd_conf_t;
-+		type postfix_policyd_var_run_t;
-+	')
-+
-+	allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
-+	        
-+	# Allow postfix_policyd_t to restart the apache service
-+	postfixpolicyd_script_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 postfix_policyd_script_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_list_etc($1)
-+        manage_all_pattern($1,postfix_policyd_conf_t)
-+
-+	files_list_pids($1)
-+        manage_all_pattern($1,postfix_policyd_var_run_t)
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/postfixpolicyd.te	2008-07-24 06:54:04.000000000 -0400
-@@ -16,6 +16,9 @@
- type postfix_policyd_var_run_t;
- files_pid_file(postfix_policyd_var_run_t)
- 
-+type postfix_policyd_script_exec_t;
-+init_script_type(postfix_policyd_script_exec_t)
-+
- ########################################
- #
- # Local Policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.1/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2008-06-12 23:25:06.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/services/postgresql.fc	2008-07-24 06:54:04.000000000 -0400
@@ -22969,6 +22937,121 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun
  ########################################
  #
  # Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.1/policy/modules/services/rpcbind.fc
+--- nsaserefpolicy/policy/modules/services/rpcbind.fc	2008-06-12 23:25:05.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/rpcbind.fc	2008-07-24 06:54:04.000000000 -0400
+@@ -5,3 +5,5 @@
+ /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.lock	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
++
++/etc/rc.d/init.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.5.1/policy/modules/services/rpcbind.if
+--- nsaserefpolicy/policy/modules/services/rpcbind.if	2008-06-12 23:25:05.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/rpcbind.if	2008-07-24 06:54:04.000000000 -0400
+@@ -95,3 +95,68 @@
+ 	manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ 	files_search_var_lib($1)
+ ')
++
++########################################
++## <summary>
++##	Execute rpcbind server in the rpcbind domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`rpcbind_script_domtrans',`
++	gen_require(`
++		type rpcbind_script_exec_t;
++	')
++
++	init_script_domtrans_spec($1,rpcbind_script_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an rpcbind environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the rpcbind domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rpcbind_admin',`
++	gen_require(`
++		type rpcbind_t;
++		type rpcbind_script_exec_t;
++		type rpcbind_var_lib_t;
++		type rpcbind_var_run_t;
++	')
++
++	allow $1 rpcbind_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, rpcbind_t, rpcbind_t)
++	        
++	# Allow rpcbind_t to restart the apache service
++	rpcbind_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 rpcbind_script_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_var_lib($1)
++        manage_all_pattern($1,rpcbind_var_lib_t)
++
++	files_list_pids($1)
++        manage_all_pattern($1,rpcbind_var_run_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.1/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te	2008-06-12 23:25:05.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/rpcbind.te	2008-07-24 06:54:04.000000000 -0400
+@@ -16,16 +16,21 @@
+ type rpcbind_var_lib_t;
+ files_type(rpcbind_var_lib_t)
+ 
++type rpcbind_script_exec_t;
++init_script_type(rpcbind_script_exec_t)
++
+ ########################################
+ #
+ # rpcbind local policy
+ #
+ 
+-allow rpcbind_t self:capability setuid;
++allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+ allow rpcbind_t self:fifo_file rw_file_perms;
+ allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+ allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow rpcbind_t self:udp_socket create_socket_perms;
++# BROKEN ...
++dontaudit rpcbind_t self:udp_socket listen;
+ allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+ 
+ manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
+@@ -37,6 +42,7 @@
+ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+ 
++kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+ 
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.1/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2008-07-10 11:38:46.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/services/rpc.if	2008-07-24 06:54:04.000000000 -0400
@@ -23124,121 +23207,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.1/policy/modules/services/rpcbind.fc
---- nsaserefpolicy/policy/modules/services/rpcbind.fc	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.fc	2008-07-24 06:54:04.000000000 -0400
-@@ -5,3 +5,5 @@
- /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.lock	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
-+
-+/etc/rc.d/init.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.5.1/policy/modules/services/rpcbind.if
---- nsaserefpolicy/policy/modules/services/rpcbind.if	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.if	2008-07-24 06:54:04.000000000 -0400
-@@ -95,3 +95,68 @@
- 	manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
- 	files_search_var_lib($1)
- ')
-+
-+########################################
-+## <summary>
-+##	Execute rpcbind server in the rpcbind domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+#
-+interface(`rpcbind_script_domtrans',`
-+	gen_require(`
-+		type rpcbind_script_exec_t;
-+	')
-+
-+	init_script_domtrans_spec($1,rpcbind_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an rpcbind environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the rpcbind domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the user terminal.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`rpcbind_admin',`
-+	gen_require(`
-+		type rpcbind_t;
-+		type rpcbind_script_exec_t;
-+		type rpcbind_var_lib_t;
-+		type rpcbind_var_run_t;
-+	')
-+
-+	allow $1 rpcbind_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, rpcbind_t, rpcbind_t)
-+	        
-+	# Allow rpcbind_t to restart the apache service
-+	rpcbind_script_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 rpcbind_script_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_list_var_lib($1)
-+        manage_all_pattern($1,rpcbind_var_lib_t)
-+
-+	files_list_pids($1)
-+        manage_all_pattern($1,rpcbind_var_run_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.1/policy/modules/services/rpcbind.te
---- nsaserefpolicy/policy/modules/services/rpcbind.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/rpcbind.te	2008-07-24 06:54:04.000000000 -0400
-@@ -16,16 +16,21 @@
- type rpcbind_var_lib_t;
- files_type(rpcbind_var_lib_t)
- 
-+type rpcbind_script_exec_t;
-+init_script_type(rpcbind_script_exec_t)
-+
- ########################################
- #
- # rpcbind local policy
- #
- 
--allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
- allow rpcbind_t self:fifo_file rw_file_perms;
- allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
- allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
- allow rpcbind_t self:udp_socket create_socket_perms;
-+# BROKEN ...
-+dontaudit rpcbind_t self:udp_socket listen;
- allow rpcbind_t self:tcp_socket create_stream_socket_perms;
- 
- manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-@@ -37,6 +42,7 @@
- manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
- files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
- 
-+kernel_read_system_state(rpcbind_t)
- kernel_read_network_state(rpcbind_t)
- 
- corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.1/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2008-06-12 23:25:06.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/services/rshd.te	2008-07-24 06:54:04.000000000 -0400
@@ -32851,8 +32819,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.1/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2008-07-16 10:26:23.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/system/unconfined.fc	2008-07-24 06:54:05.000000000 -0400
-@@ -2,15 +2,29 @@
++++ serefpolicy-3.5.1/policy/modules/system/unconfined.fc	2008-07-24 22:55:17.000000000 -0400
+@@ -2,15 +2,28 @@
  # e.g.:
  # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
  # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
@@ -32886,7 +32854,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +/usr/libexec/ghc-[^/]+/ghc-.*  --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/sbin/vbetool	       --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.1/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-07-16 10:26:23.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/system/unconfined.if	2008-07-24 06:54:05.000000000 -0400
@@ -36854,3 +36821,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.1/Rules.modular
+--- nsaserefpolicy/Rules.modular	2008-06-12 23:25:10.000000000 -0400
++++ serefpolicy-3.5.1/Rules.modular	2008-07-24 06:54:04.000000000 -0400
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ 	@echo "Compliling $(NAME) $(@F) module"
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+-	$(call perrole-expansion,$(basename $(@F)),$@.role)
+-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++#	$(call perrole-expansion,$(basename $(@F)),$@.role)
++	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+ 
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ 	$(verbose) $(genperm) $(avs) $(secclass) > $@
+-	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+ 
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -146,7 +146,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ 	$(verbose) echo "" > $@
+-	$(call parse-rolemap,base,$@)
++#	$(call parse-rolemap,base,$@)
+ 
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf