authorSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
commit3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch)
treecae07463edd5b609a97513e00d63e1bd410cc8bb /policy/flask
parentInitial commit (diff)
Pushing 2.20120215 (current version)
Diffstat (limited to 'policy/flask')
-rw-r--r--policy/flask/Makefile51
-rw-r--r--policy/flask/access_vectors864
-rw-r--r--policy/flask/flask.py536
-rw-r--r--policy/flask/initial_sids35
-rw-r--r--policy/flask/security_classes134
5 files changed, 1620 insertions, 0 deletions
diff --git a/policy/flask/Makefile b/policy/flask/Makefile
new file mode 100644
index 000000000..17dc1747c
--- /dev/null
+++ b/policy/flask/Makefile
@@ -0,0 +1,51 @@
+PYTHON ?= python
+
+# flask needs to know where to export the libselinux headers.
+LIBSELINUX_D ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUX_D ?= ../../../linux-2.6
+
+ACCESS_VECTORS_F = access_vectors
+INITIAL_SIDS_F = initial_sids
+SECURITY_CLASSES_F = security_classes
+
+USER_D = userspace
+KERN_D = kernel
+
+LIBSELINUX_INCLUDE_H = flask.h av_permissions.h
+LIBSELINUX_SOURCE_H = class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h
+
+FLASK_H = class_to_string.h flask.h initial_sid_to_string.h
+ACCESS_VECTORS_H = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H = $(FLASK_H) $(ACCESS_VECTORS_H)
+
+USER_H = $(addprefix $(USER_D)/, $(ALL_H))
+KERN_H = $(addprefix $(KERN_D)/, $(ALL_H))
+
+FLASK_NOWARNINGS = --nowarnings
+
+all: $(USER_H) $(KERN_H)
+
+$(USER_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
+ mkdir -p $(USER_D)
+ $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS)
+
+$(KERN_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
+ mkdir -p $(KERN_D)
+ $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(KERN_D) -k $(FLASK_NOWARNINGS)
+
+tolib: all
+ install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_INCLUDE_H)) $(LIBSELINUX_D)/include/selinux
+ install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_SOURCE_H)) $(LIBSELINUX_D)/src
+
+tokern: all
+ install -m 644 $(KERN_H) $(LINUX_D)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:
+ rm -fr userspace
+ rm -fr kernel
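Review bot: The header rule at L57 (and its twin at L61) lists seven targets with one recipe, which Make treats as seven independent rules that each run flask.py; under `make -j` those runs open and write the same output files concurrently (createHeaders in this commit opens each with `'w'`), so an installed header can be a mix of two writers. A stamp file turns the generator into a single rule, and the phony goals (`all`, `tolib`, `tokern`, `install`, `relabel`, `clean`) should be declared so a stray file of that name cannot mask them. `clean` also hard-codes `userspace` and `kernel` instead of `$(USER_D)` and `$(KERN_D)`, so overriding either variable leaves the build output behind.
```make
.PHONY: all tolib tokern install relabel clean

all: $(USER_H) $(KERN_H)

# One generator run produces every header; the stamp makes that a single rule,
# so `make -j` cannot start several flask.py runs writing the same files.
$(USER_H): $(USER_D)/.stamp ;
$(USER_D)/.stamp: flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F)
	mkdir -p $(USER_D)
	$(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS)
	touch $@

# … unchanged: kernel rule, rewritten the same way with $(KERN_D)/.stamp and -k …
# … unchanged: tolib, tokern, install, relabel …

clean:
	rm -fr $(USER_D) $(KERN_D)
```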
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
new file mode 100644
index 000000000..bf241600e
--- /dev/null
+++ b/policy/flask/access_vectors
@@ -0,0 +1,864 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+ dccp_recv
+ dccp_send
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ dccp_recv
+ dccp_send
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+class capability2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+ create
+ destroy
+ read
+ write
+ blend
+ getattr
+ setattr
+ list_child
+ add_child
+ remove_child
+ list_property
+ get_property
+ set_property
+ manage
+ override
+ show
+ hide
+ send
+ receive
+}
+
+class x_screen
+{
+ getattr
+ setattr
+ hide_cursor
+ show_cursor
+ saver_getattr
+ saver_setattr
+ saver_hide
+ saver_show
+}
+
+class x_gc
+{
+ create
+ destroy
+ getattr
+ setattr
+ use
+}
+
+class x_font
+{
+ create
+ destroy
+ getattr
+ add_glyph
+ remove_glyph
+ use
+}
+
+class x_colormap
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ add_color
+ remove_color
+ install
+ uninstall
+ use
+}
+
+class x_property
+{
+ create
+ destroy
+ read
+ write
+ append
+ getattr
+ setattr
+}
+
+class x_selection
+{
+ read
+ write
+ getattr
+ setattr
+}
+
+class x_cursor
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ setattr
+ use
+}
+
+class x_client
+{
+ destroy
+ getattr
+ setattr
+ manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+ getattr
+ setattr
+ record
+ debug
+ grab
+ manage
+}
+
+class x_extension
+{
+ query
+ use
+}
+
+class x_resource
+{
+ read
+ write
+}
+
+class x_event
+{
+ send
+ receive
+}
+
+class x_synthetic_event
+{
+ send
+ receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+ getserv
+ shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class context
+{
+ translate
+ contains
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param # deprecated
+ set_param # deprecated
+}
+
+class db_table
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+ install
+}
+
+class db_column
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use # deprecated
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class x_application_data
+{
+ paste
+ paste_after_confirm
+ copy
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+ search
+ add_name
+ remove_name
+}
+
+class db_view
+inherits database
+{
+ expand
+}
+
+class db_sequence
+inherits database
+{
+ get_value
+ next_value
+ set_value
+}
+
+class db_language
+inherits database
+{
+ implement
+ execute
+}
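Review bot: Every permission's bit position is taken from its position in its block (flask.py's createUL numbers them in file order), so the warning at L488-491 that `capability` order must match `include/linux/capability.h` applies just as much to `capability2` at L527, which carries no such warning. Add the same caveat there, e.g. `# Order matters: bit N here presumably maps to capability number 32+N in include/linux/capability.h -- confirm against the kernel before adding or moving entries`. Nothing in this commit checks either list against the kernel header, so the comment is the only guard against a silently mis-numbered capability bit.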
diff --git a/policy/flask/flask.py b/policy/flask/flask.py
new file mode 100644
index 000000000..8b4be503c
--- /dev/null
+++ b/policy/flask/flask.py
@@ -0,0 +1,536 @@
+#!/usr/bin/python -E
+#
+# Author(s): Caleb Case <ccase@tresys.com>
+#
+# Adapted from the bash/awk scripts mkflask.sh and mkaccess_vector.sh
+#
+
+import getopt
+import os
+import sys
+import re
+
+class ParseError(Exception):
+ def __init__(self, type, file, line):
+ self.type = type
+ self.file = file
+ self.line = line
+ def __str__(self):
+ typeS = self.type
+ if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
+ return "Parse Error: Unexpected %s on line %d of %s." % (typeS, self.line, self.file)
+
+class DuplicateError(Exception):
+ def __init__(self, type, file, line, symbol):
+ self.type = type
+ self.file = file
+ self.line = line
+ self.symbol = symbol
+ def __str__(self):
+ typeS = self.type
+ if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
+ return "Duplicate Error: Duplicate %s '%s' on line %d of %s." % (typeS, self.symbol, self.line, self.file)
+
+class UndefinedError(Exception):
+ def __init__(self, type, file, line, symbol):
+ self.type = type
+ self.file = file
+ self.line = line
+ self.symbol = symbol
+ def __str__(self):
+ typeS = self.type
+ if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type]
+ return "Undefined Error: %s '%s' is not defined but used on line %d of %s." % (typeS, self.symbol, self.line, self.file)
+
+class UnusedError(Exception):
+ def __init__(self, info):
+ self.info = info
+ def __str__(self):
+ return "Unused Error: %s" % self.info
+
+class Flask:
+ '''
+ FLASK container class with utilities for parsing definition
+ files and creating c header files.
+ '''
+
+ #Constants used in definitions parsing.
+ WHITE = re.compile(r'^\s*$')
+ COMMENT = re.compile(r'^\s*#')
+ USERFLAG = re.compile(r'# userspace')
+ CLASS = re.compile(r'^class (?P<name>\w+)')
+ COMMON = re.compile(r'^common (?P<name>\w+)')
+ INHERITS = re.compile(r'^inherits (?P<name>\w+)')
+ OPENB = re.compile(r'^{')
+ VECTOR = re.compile(r'^\s*(?P<name>\w+)')
+ CLOSEB = re.compile(r'^}')
+ SID = re.compile(r'^sid (?P<name>\w+)')
+ EOF = "end of file"
+
+ #Constants used in header generation.
+ USERSPACE = 0
+ KERNEL = 1
+
+ CONSTANT_S = { \
+ #parsing constants
+ WHITE : "whitespace", \
+ COMMENT : "comment", \
+ USERFLAG : "userspace flag", \
+ CLASS : "class definition", \
+ COMMON : "common definition", \
+ INHERITS : "inherits definition", \
+ OPENB : "'{'", \
+ VECTOR : "access vector definition", \
+ CLOSEB : "'}'", \
+ SID : "security identifier", \
+ EOF : "end of file", \
+ #generation constants
+ USERSPACE : "userspace mode", \
+ KERNEL : "kernel mode", \
+ }
+
+ def __init__(self, warn = True):
+ self.WARN = warn
+ self.autogen = "/* This file is automatically generated. Do not edit. */\n"
+ self.commons = []
+ self.user_commons = []
+ self.common = {}
+ self.classes = []
+ self.vectors = []
+ self.vector = {}
+ self.userspace = {}
+ self.sids = []
+ self.inherits = {}
+
+ def warning(self, msg):
+ '''
+ Prints a warning message out to stderr if warnings are enabled.
+ '''
+ if self.WARN: sys.stderr.write("Warning: %s\n" % msg)
+
+ def parseClasses(self, path):
+ '''
+ Parses security class definitions from the given path.
+ '''
+ classes = []
+ input = open(path, 'r')
+
+ number = 0
+ for line in input:
+ number += 1
+ m = self.COMMENT.search(line)
+ if m: continue
+
+ m = self.WHITE.search(line)
+ if m: continue
+
+ m = self.CLASS.search(line)
+ if m:
+ g = m.groupdict()
+ c = g['name']
+ if c in classes: raise DuplicateError, (self.CLASS, path, number, c)
+ classes.append(c)
+ if self.USERFLAG.search(line):
+ self.userspace[c] = True
+ else:
+ self.userspace[c] = False
+ continue
+
+ raise ParseError, ("data. Was expecting either a comment, whitespace, or class definition. ", path, number)
+
+ self.classes = classes
+ return classes
+
+ def parseSids(self, path):
+ '''
+ Parses initial SID definitions from the given path.
+ '''
+
+ sids = []
+ input = open(path, 'r')
+ for line in input:
+ m = self.COMMENT.search(line)
+ if m: continue
+
+ m = self.WHITE.search(line)
+ if m: continue
+
+ m = self.SID.search(line)
+ if m:
+ g = m.groupdict()
+ s = g['name']
+ if s in sids: raise DuplicateError, (self.SID, path, number, s)
+ sids.append(s)
+ continue
+
+ raise ParseError, ("data. Was expecting either a comment, whitespace, or security identifier. ", path, number)
+
+ self.sids = sids
+ return sids
+
+ def parseVectors(self, path):
+ '''
+ Parses access vector definitions from the given path.
+ '''
+ vectors = []
+ vector = {}
+ commons = []
+ common = {}
+ inherits = {}
+ user_commons = {}
+ input = open(path, 'r')
+
+ # states
+ NONE = 0
+ COMMON = 1
+ CLASS = 2
+ INHERIT = 3
+ OPEN = 4
+
+ state = NONE
+ state2 = NONE
+ number = 0
+ for line in input:
+ number += 1
+ m = self.COMMENT.search(line)
+ if m: continue
+
+ m = self.WHITE.search(line)
+ if m:
+ if state == INHERIT:
+ state = NONE
+ continue
+
+ m = self.COMMON.search(line)
+ if m:
+ if state != NONE: raise ParseError, (self.COMMON, path, number)
+ g = m.groupdict()
+ c = g['name']
+ if c in commons: raise DuplicateError, (self.COMMON, path, number, c)
+ commons.append(c)
+ common[c] = []
+ user_commons[c] = True
+ state = COMMON
+ continue
+
+ m = self.CLASS.search(line)
+ if m:
+ if state != NONE: raise ParseError, (self.CLASS, number)
+ g = m.groupdict()
+ c = g['name']
+ if c in vectors: raise DuplicateError, (self.CLASS, path, number, c)
+ if c not in self.classes: raise UndefinedError, (self.CLASS, path, number, c)
+ vectors.append(c)
+ vector[c] = []
+ state = CLASS
+ continue
+
+ m = self.INHERITS.search(line)
+ if m:
+ if state != CLASS: raise ParseError, (self.INHERITS, number)
+ g = m.groupdict()
+ i = g['name']
+ if c in inherits: raise DuplicateError, (self.INHERITS, path, number, c)
+ if i not in common: raise UndefinedError, (self.COMMON, path, number, i)
+ inherits[c] = i
+ state = INHERIT
+ if not self.userspace[c]: user_commons[i] = False
+ continue
+
+ m = self.OPENB.search(line)
+ if m:
+ if (state != CLASS \
+ and state != INHERIT \
+ and state != COMMON) \
+ or state2 != NONE:
+ raise ParseError, (self.OPENB, path, number)
+ state2 = OPEN
+ continue
+
+ m = self.VECTOR.search(line)
+ if m:
+ if state2 != OPEN: raise ParseError, (self.VECTOR, path, number)
+ g = m.groupdict()
+ v = g['name']
+ if state == CLASS or state == INHERIT:
+ if v in vector[c]: raise DuplicateError, (self.VECTOR, path, number, v)
+ vector[c].append(v)
+ elif state == COMMON:
+ if v in common[c]: raise DuplicateError, (self.VECTOR, path, number, v)
+ common[c].append(v)
+ continue
+
+ m = self.CLOSEB.search(line)
+ if m:
+ if state2 != OPEN: raise ParseError, (self.CLOSEB, path, number)
+ state = NONE
+ state2 = NONE
+ c = None
+ continue
+
+ raise ParseError, ("data", path, number)
+
+ if state != NONE and state2 != NONE: raise ParseError, (self.EOF, path, number)
+
+ cvdiff = set(self.classes) - set(vectors)
+ if cvdiff: raise UnusedError, "Not all security classes were used in access vectors: %s" % cvdiff # the inverse of this will be caught as an undefined class error
+
+ self.commons = commons
+ self.user_commons = user_commons
+ self.common = common
+ self.vectors = vectors
+ self.vector = vector
+ self.inherits = inherits
+ return vector
+
+ def createHeaders(self, path, mode = USERSPACE):
+ '''
+ Creates the C header files in the specified MODE and outputs
+ them to give PATH.
+ '''
+ headers = { \
+ 'av_inherit.h' : self.createAvInheritH(mode), \
+ 'av_perm_to_string.h' : self.createAvPermToStringH(mode), \
+ 'av_permissions.h' : self.createAvPermissionsH(mode), \
+ 'class_to_string.h' : self.createClassToStringH(mode), \
+ 'common_perm_to_string.h' : self.createCommonPermToStringH(mode), \
+ 'flask.h' : self.createFlaskH(mode), \
+ 'initial_sid_to_string.h' : self.createInitialSidToStringH(mode) \
+ }
+
+ for key, value in headers.items():
+ of = open(os.path.join(path, key), 'w')
+ of.writelines(value)
+ of.close()
+
+ def createUL(self, count):
+ fields = [1, 2, 4, 8]
+ return "0x%08xUL" % (fields[count % 4] << 4 * (count / 4))
+
+ def createAvInheritH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ for c in self.vectors:
+ if self.inherits.has_key(c):
+ i = self.inherits[c]
+ count = len(self.common[i])
+ if not (mode == self.KERNEL and self.userspace[c]):
+ results.append(" S_(SECCLASS_%s, %s, %s)\n" % (c.upper(), i, self.createUL(count)))
+ return results
+
+ def createAvPermToStringH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ for c in self.vectors:
+ for p in self.vector[c]:
+ if not (mode == self.KERNEL and self.userspace[c]):
+ results.append(" S_(SECCLASS_%s, %s__%s, \"%s\")\n" % (c.upper(), c.upper(), p.upper(), p))
+
+ return results
+
+ def createAvPermissionsH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+
+ width = 57
+ count = 0
+ for common in self.commons:
+ count = 0
+ shift = 0
+ for p in self.common[common]:
+ if not (mode == self.KERNEL and self.user_commons[common]):
+ columnA = "#define COMMON_%s__%s " % (common.upper(), p.upper())
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ results.append("%s%s\n" % (columnA, self.createUL(count)))
+ count += 1
+
+ width = 50 # broken for old tools whitespace
+ for c in self.vectors:
+ count = 0
+
+ ps = []
+ if self.inherits.has_key(c):
+ ps += self.common[self.inherits[c]]
+ ps += self.vector[c]
+ for p in ps:
+ columnA = "#define %s__%s " % (c.upper(), p.upper())
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ if not (mode == self.KERNEL and self.userspace[c]):
+ results.append("%s%s\n" % (columnA, self.createUL(count)))
+ count += 1
+
+ return results
+
+ def createClassToStringH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ results.append("/*\n * Security object class definitions\n */\n")
+
+ if mode == self.KERNEL:
+ results.append(" S_(NULL)\n")
+ else:
+ results.append(" S_(\"null\")\n")
+
+ for c in self.classes:
+ if mode == self.KERNEL and self.userspace[c]:
+ results.append(" S_(NULL)\n")
+ else:
+ results.append(" S_(\"%s\")\n" % c)
+ return results
+
+ def createCommonPermToStringH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ for common in self.commons:
+ if not (mode == self.KERNEL and self.user_commons[common]):
+ results.append("TB_(common_%s_perm_to_string)\n" % common)
+ for p in self.common[common]:
+ results.append(" S_(\"%s\")\n" % p)
+ results.append("TE_(common_%s_perm_to_string)\n\n" % common)
+ return results
+
+ def createFlaskH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ results.append("#ifndef _SELINUX_FLASK_H_\n")
+ results.append("#define _SELINUX_FLASK_H_\n")
+ results.append("\n")
+ results.append("/*\n")
+ results.append(" * Security object class definitions\n")
+ results.append(" */\n")
+
+ count = 0
+ width = 57
+ for c in self.classes:
+ count += 1
+ columnA = "#define SECCLASS_%s " % c.upper()
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ if not (mode == self.KERNEL and self.userspace[c]):
+ results.append("%s%d\n" % (columnA, count))
+
+ results.append("\n")
+ results.append("/*\n")
+ results.append(" * Security identifier indices for initial entities\n")
+ results.append(" */\n")
+
+ count = 0
+ width = 56 # broken for old tools whitespace
+ for s in self.sids:
+ count += 1
+ columnA = "#define SECINITSID_%s " % s.upper()
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ results.append("%s%d\n" % (columnA, count))
+
+ results.append("\n")
+ columnA = "#define SECINITSID_NUM "
+ columnA += "".join([" " for i in range(width - len(columnA))])
+ results.append("%s%d\n" % (columnA, count))
+
+ results.append("\n")
+ results.append("#endif\n")
+ return results
+
+
+
+ def createInitialSidToStringH(self, mode = USERSPACE):
+ '''
+ '''
+ results = []
+ results.append(self.autogen)
+ results.append("static char *initial_sid_to_string[] =\n")
+ results.append("{\n")
+ results.append(" \"null\",\n")
+ for s in self.sids:
+ results.append(" \"%s\",\n" % s)
+ results.append("};\n")
+ results.append("\n")
+
+ return results
+
+def usage():
+ '''
+ Returns the usage string.
+ '''
+ usage = 'Usage: %s -a ACCESS_VECTORS -i INITIAL_SIDS -s SECURITY_CLASSES -o OUTPUT_DIRECTORY -k|-u [-w]\n' % os.path.basename(sys.argv[0])
+ usage += '\n'
+ usage += ' -a --access_vectors\taccess vector definitions\n'
+ usage += ' -i --initial_sids\tinitial sid definitions\n'
+ usage += ' -s --security_classes\tsecurity class definitions\n'
+ usage += ' -o --output\toutput directory for generated files\n'
+ usage += ' -k --kernel\toutput mode set to kernel (kernel headers contain empty blocks for all classes specified with # userspace in the security_classes file)\n'
+ usage += ' -u --user\toutput mode set to userspace\n'
+ usage += ' -w --nowarnings\tsupresses output of warning messages\n'
+ return usage
+
+########## MAIN ##########
+if __name__ == '__main__':
+
+ # Parse command line args
+ try:
+ opts, args = getopt.getopt(sys.argv[1:], 'a:i:s:o:kuwh', ['access_vectors=', 'initial_sids=', 'security_classes=', 'output=', 'kernel', 'user', 'nowarnings', 'help'])
+ except getopt.GetoptError:
+ print(usage())
+ sys.exit(2)
+
+ avec = None
+ isid = None
+ secc = None
+ outd = None
+ mode = None
+ warn = True
+ for o, a in opts:
+ if o in ('-h', '--help'):
+ print(usage())
+ sys.exit(0)
+ elif o in ('-a', '--access_vectors'):
+ avec = a
+ elif o in ('-i', '--initial_sids'):
+ isid = a
+ elif o in ('-s', '--security_classes'):
+ secc = a
+ elif o in ('-o', '--output'):
+ outd = a
+ elif o in ('-k', '--kernel'):
+ if mode != None:
+ print(usage())
+ sys.exit(2)
+ mode = Flask.KERNEL
+ elif o in ('-u', '--user'):
+ if mode != None:
+ print(usage())
+ sys.exit(2)
+ mode = Flask.USERSPACE
+ elif o in ('-w', '--nowarnings'):
+ warn = False
+ else:
+ print(usage())
+ sys.exit(2)
+
+ if avec == None or \
+ isid == None or \
+ secc == None or \
+ outd == None:
+ print(usage())
+ sys.exit(2)
+
+ try:
+ f = Flask(warn)
+ f.parseSids(isid)
+ f.parseClasses(secc)
+ f.parseVectors(avec)
+ f.createHeaders(outd, mode)
+ except Exception, e:
+ print(e)
+ sys.exit(2)
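Review bot: parseSids (L1098) never assigns `number`, yet both of its error paths at L1116 and L1120 reference it, so a duplicate or malformed `sid` line raises NameError instead of the intended DuplicateError/ParseError; parseClasses and parseVectors do the `number = 0` / `number += 1` bookkeeping and parseSids should match. The raises at L1172 and L1184 also pass two arguments to ParseError's three-argument constructor and would fail with TypeError; they should read `raise ParseError, (self.CLASS, path, number)` and `raise ParseError, (self.INHERITS, path, number)`. Separately, createUL (L1260) has no upper bound on `count`, and the `0x%08xUL` format suggests the access vector is 32 bits wide, so a class whose inherited-plus-own permissions exceed that presumably gets constants past the vector width with no diagnostic; a guard there is cheap. The three input files opened with `open(path, 'r')` are never closed either.
```python
    def parseSids(self, path):
        '''
        Parses initial SID definitions from the given path.
        '''
        sids = []
        input = open(path, 'r')
        number = 0
        for line in input:
            number += 1
            # … unchanged: comment / whitespace / sid matching …
        input.close()

    def createUL(self, count):
        # The 0x%08xUL format encodes a 32-bit vector; refuse to emit bits past it
        # (confirm the width against the kernel's access vector type).
        if count >= 32:
            raise ValueError("permission index %d does not fit a 32-bit access vector" % count)
        fields = [1, 2, 4, 8]
        return "0x%08xUL" % (fields[count % 4] << 4 * (count / 4))
```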
diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids
new file mode 100644
index 000000000..95894eb48
--- /dev/null
+++ b/policy/flask/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
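Review bot: The value of each `SECINITSID_*` constant is this file's line order (createFlaskH increments `count` once per sid and emits it as the define) and `SECINITSID_NUM` is the final count, yet nothing in the file says so. A header comment such as `# Order is significant: a SID's position here becomes its SECINITSID_* value, so never reorder or insert in the middle; append new SIDs at the end` would stop a well-meaning edit from silently renumbering every later SID for whichever tree the headers are next installed into.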
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
new file mode 100644
index 000000000..14a479911
--- /dev/null
+++ b/policy/flask/security_classes
@@ -0,0 +1,134 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd # userspace
+
+# SE-X Windows stuff (more classes below)
+class x_drawable # userspace
+class x_screen # userspace
+class x_gc # userspace
+class x_font # userspace
+class x_colormap # userspace
+class x_property # userspace
+class x_selection # userspace
+class x_cursor # userspace
+class x_client # userspace
+class x_device # userspace
+class x_server # userspace
+class x_extension # userspace
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus # userspace
+class nscd # userspace
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class context # userspace
+
+class dccp_socket
+
+class memprotect
+
+class db_database # userspace
+class db_table # userspace
+class db_procedure # userspace
+class db_column # userspace
+class db_tuple # userspace
+class db_blob # userspace
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# More SE-X Windows stuff
+class x_resource # userspace
+class x_event # userspace
+class x_synthetic_event # userspace
+class x_application_data # userspace
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+# Still More SE-X Windows stuff
+class x_pointer # userspace
+class x_keyboard # userspace
+
+# More Database stuff
+class db_schema # userspace
+class db_view # userspace
+class db_sequence # userspace
+class db_language # userspace
+
+# FLASK
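Review bot: A class's `SECCLASS_*` value is its position in this file (createFlaskH counts classes in file order), and in kernel mode a `# userspace` class keeps its slot but is emitted as `S_(NULL)` with no define, so the comment at L1544-1545 undersells what the marker does. Suggest expanding it: `# Classes marked '# userspace' are handled by userspace object managers; they still occupy a class number so kernel and userspace numbering stay aligned, but the kernel headers get no SECCLASS_ define or string for them. Class numbers are positional: append new classes at the end, never reorder.` The marker is matched by the literal regex `# userspace` on the class line, so the spelling and spacing must be exact or the class silently lands in the kernel headers.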