2012-12-05 20:39:22

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/7] Properly label all the ssh host keys

From: Laurent Bigonville <[email protected]>

Be sure that we are labeling properly all ssh host keys even if new
algorithms are added in the future.
---
policy/modules/services/ssh.fc | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 7df96c5..76d9f66 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,9 +1,7 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)

/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)

/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
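
Review bot: the replacement pattern /etc/ssh/ssh_host.*_key is wider than the three entries it replaces, because ".*" also matches "/", so a regular file in a subdirectory (a constructed example: /etc/ssh/ssh_host_backup/old_key) would receive sshd_key_t as well. Limiting the wildcard to one path component, for example /etc/ssh/ssh_host[^/]*_key, still covers ssh_host_key, ssh_host_dsa_key, ssh_host_rsa_key and future algorithm names.
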
--
1.7.10.4


2012-12-05 20:39:23

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/7] Allow udev_t domain to read files labeled as consolekit_var_run_t

From: Laurent Bigonville <[email protected]>

When the active session is changed, the udev-acl executable is called
by ConsoleKit. It will then read the ConsoleKit database to figure out
which is the active one.
---
policy/modules/system/udev.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a2a4167..630d3e9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -221,6 +221,10 @@ optional_policy(`
')

optional_policy(`
+ consolekit_read_pid_files(udev_t)
+')
+
+optional_policy(`
cups_domtrans_config(udev_t)
')

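Review bot: the new optional_policy block gives no hint in udev.te of why udev_t needs consolekit_read_pid_files. A one-line comment above the call carrying the commit message's reason (udev-acl, called by ConsoleKit when the active session changes, reads the ConsoleKit database) would keep the rationale next to the rule.
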
--
1.7.10.4

2012-12-05 20:39:24

by Laurent Bigonville

Subject: [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t

From: Laurent Bigonville <[email protected]>

In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint
the same way.
---
policy/modules/kernel/filesystem.fc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index cda5588..4da589c 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -14,3 +14,6 @@
# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <<none>>
+
+/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/var/run/shm/.* <<none>>
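
Review bot: the two added /var/run/shm entries are unconditional and land directly under the "# for systemd systems:" comment, although the commit message describes a Debian layout. Wrapping them in an ifdef on distro_debian, with a comment of their own, would leave other distributions' file contexts unchanged and stop the entries from reading as part of the systemd block.
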
--
1.7.10.4

2012-12-05 20:39:25

by Laurent Bigonville

Subject: [refpolicy] [PATCH 4/7] authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces

From: Laurent Bigonville <[email protected]>

On Debian /var/run/console directory might be created by consolekit, we
need these new interfaces to achieve this.
---
policy/modules/system/authlogin.if | 50 ++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8cdaa26..3efd5b6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1102,6 +1102,25 @@ interface(`auth_list_pam_console_data',`

########################################
## <summary>
+## Create pam var console pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_create_pam_console_data_dirs',`
+ gen_require(`
+ type pam_var_console_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 pam_var_console_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
## Relabel pam_console data directories.
## </summary>
## <param name="domain">
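
Review bot: the summary of auth_create_pam_console_data_dirs says "Create pam var console pid directories", while the interface name and the neighbouring summary ("Relabel pam_console data directories.") use the term "pam_console data directories". Using the same wording in the new summary would keep the generated documentation consistent.
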
@@ -1181,6 +1200,37 @@ interface(`auth_delete_pam_console_data',`

########################################
## <summary>
+## Create specified objects in
+## pid directories with the pam var
+## console pid file type using a
+## file type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`auth_pid_filetrans_pam_var_console',`
+ gen_require(`
+ type pam_var_console_t;
+ ')
+
+ files_pid_filetrans($1, pam_var_console_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read all directories on the filesystem, except
## login files and listed exceptions.
## </summary>
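
Review bot: the doc block for auth_pid_filetrans_pam_var_console describes the target only as "the pam var console pid file type" and does not say that it is meant to be used together with auth_create_pam_console_data_dirs from the first hunk, which the commit message implies ("these new interfaces"). Naming pam_var_console_t in the summary and adding a sentence about the companion interface would help callers.
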
--
1.7.10.4

2012-12-05 20:39:26

by Laurent Bigonville

Subject: [refpolicy] [PATCH 5/7] init.if: Add init_daemon_run_file interface

From: Laurent Bigonville <[email protected]>

This is allowing initscripts to create pidfile and to let them
transition to their context
---
policy/modules/system/init.if | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3f0c2d3..cb26dda 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -444,6 +444,33 @@ interface(`init_daemon_run_dir',`

########################################
## <summary>
+## Mark the file type as a pid file, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
+## <summary>
+## Type to mark as a pid file
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the file that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_run_file',`
+ gen_require(`
+ attribute pidfile;
+ type initrc_t;
+ ')
+
+ typeattribute $1 pidfile;
+
+ files_pid_filetrans(initrc_t, $1, file, $2)
+')
+
+########################################
+## <summary>
## Execute init (/sbin/init) with a domain transition.
## </summary>
## <param name="domain">
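
Review bot: in init_daemon_run_file the gen_require pulls in "attribute pidfile" and the body applies it with "typeattribute $1 pidfile;" directly. The pid-file handling on the next line already goes through a files_ interface (files_pid_filetrans), so marking the type as a pid file through the files module's interface (files_pid_file($1)) would avoid requiring that attribute here.
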
--
1.7.10.4

2012-12-05 20:39:27

by Laurent Bigonville

Subject: [refpolicy] [PATCH 6/7] Label /etc/rc.d/init.d/x11-common as xdm_exec_t

From: Laurent Bigonville <[email protected]>

In Debian, this initscript is creating both /tmp/.X11-unix and
/tmp/.ICE-unix. This allows the directory to transition to the context
defined in the filecontext.
---
policy/modules/services/xserver.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 9393f65..7e96559 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -27,6 +27,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)

+/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)

/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
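
Review bot: the added x11-common entry labels an init script xdm_exec_t without a comment and unconditionally, while the commit message says the behaviour is specific to Debian. A short comment stating that the script creates /tmp/.X11-unix and /tmp/.ICE-unix, plus an ifdef on distro_debian around the line, would explain the unusual label and limit it to the distribution that needs it.
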
--
1.7.10.4

2012-12-05 20:39:28

by Laurent Bigonville

Subject: [refpolicy] [PATCH 7/7] Drop /etc/rc.d/init.d/xfree86-common filecontext definition

From: Laurent Bigonville <[email protected]>

This only seems to be used in Debian and the file is gone since 2006
---
policy/modules/services/xserver.fc | 1 -
1 file changed, 1 deletion(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 7e96559..d1f64a0 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -28,7 +28,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)

/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)

/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
--
1.7.10.4

2012-12-05 21:58:51

by dominick.grift

Subject: [refpolicy] [PATCH 5/7] init.if: Add init_daemon_run_file interface

On Wed, 2012-12-05 at 21:39 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> This is allowing initscripts to create pidfile and to let them
> transition to their context
> ---
> policy/modules/system/init.if | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 3f0c2d3..cb26dda 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -444,6 +444,33 @@ interface(`init_daemon_run_dir',`
>
> ########################################
> ## <summary>
> +## Mark the file type as a pid file, allowing initrc_t
> +## to create it
> +## </summary>
> +## <param name="filetype">
> +## <summary>
> +## Type to mark as a pid file
> +## </summary>
> +## </param>
> +## <param name="filename">
> +## <summary>
> +## Filename of the file that the init script creates
> +## </summary>
> +## </param>
> +#
> +interface(`init_daemon_run_file',`
> + gen_require(`
> + attribute pidfile;
> + type initrc_t;
> + ')
> +
> + typeattribute $1 pidfile;
> +
> + files_pid_filetrans(initrc_t, $1, file, $2)
> +')

Better use:

## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#

instead of:

## <param name="filename">
## <summary>
## Filename of the file that the init script creates
## </summary>
## </param>

For consistency

> +########################################
> +## <summary>
> ## Execute init (/sbin/init) with a domain transition.
> ## </summary>
> ## <param name="domain">

2012-12-05 22:15:11

by Laurent Bigonville

Subject: [refpolicy] [PATCH 5/7 v2] init.if: Add init_daemon_run_file interface

From: Laurent Bigonville <[email protected]>

This is allowing initscripts to create pidfile and to let them
transition to their context
---
policy/modules/system/init.if | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3f0c2d3..66a4869 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -444,6 +444,33 @@ interface(`init_daemon_run_dir',`

########################################
## <summary>
+## Mark the file type as a pid file, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
+## <summary>
+## Type to mark as a pid file
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_daemon_run_file',`
+ gen_require(`
+ attribute pidfile;
+ type initrc_t;
+ ')
+
+ typeattribute $1 pidfile;
+
+ files_pid_filetrans(initrc_t, $1, file, $2)
+')
+
+########################################
+## <summary>
## Execute init (/sbin/init) with a domain transition.
## </summary>
## <param name="domain">
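
Review bot: the summary of init_daemon_run_file promises "allowing initrc_t to create it", but the only access-related rule in the body is files_pid_filetrans(initrc_t, $1, file, $2), with the object class fixed to file. If create access on $1 is expected to come from elsewhere, the summary should say so and state that only regular files are covered; otherwise the rule is missing here.
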
--
1.7.10.4

2012-12-07 05:13:03

by cpebenito

Subject: [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint
> the same way.
> ---
> policy/modules/kernel/filesystem.fc | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
> index cda5588..4da589c 100644
> --- a/policy/modules/kernel/filesystem.fc
> +++ b/policy/modules/kernel/filesystem.fc
> @@ -14,3 +14,6 @@
> # for systemd systems:
> /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
> /sys/fs/cgroup/.* <<none>>
> +
> +/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
> +/var/run/shm/.* <<none>>

Wouldn't it make more sense to just have a file context substitution in the Debian policy?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-12-07 05:26:20

by cpebenito

Subject: [refpolicy] [PATCH 5/7 v2] init.if: Add init_daemon_run_file interface

On 12/5/2012 5:15 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> This is allowing initscripts to create pidfile and to let them
> transition to their context
> ---
> policy/modules/system/init.if | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 3f0c2d3..66a4869 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -444,6 +444,33 @@ interface(`init_daemon_run_dir',`
>
> ########################################
> ## <summary>
> +## Mark the file type as a pid file, allowing initrc_t
> +## to create it
> +## </summary>
> +## <param name="filetype">
> +## <summary>
> +## Type to mark as a pid file
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`init_daemon_run_file',`
> + gen_require(`
> + attribute pidfile;
> + type initrc_t;
> + ')
> +
> + typeattribute $1 pidfile;
> +
> + files_pid_filetrans(initrc_t, $1, file, $2)
> +')

pidfile isn't owned by this module. Additionally, I'm thinking that it would probably be better to generalize init_daemon_run_dir to take object classes as a parameter.... but I don't know what to call it.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-12-07 05:48:25

by cpebenito

Subject: [refpolicy] [PATCH 1/7] Properly label all the ssh host keys

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Be sure that we are labeling properly all ssh host keys even if new
> algorithms are added in the future.
> ---
> policy/modules/services/ssh.fc | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 7df96c5..76d9f66 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -1,9 +1,7 @@
> HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
>
> /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
> -/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
> -/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
> -/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
> +/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
>
> /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
> /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)

Merged.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-12-07 05:48:59

by cpebenito

Subject: [refpolicy] [PATCH 2/7] Allow udev_t domain to read files labeled as consolekit_var_run_t

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> When the active session is changed, the udev-acl executable is called
> by ConsoleKit. It will then read the ConsoleKit database to figure out
> which is the active one.
> ---
> policy/modules/system/udev.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index a2a4167..630d3e9 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -221,6 +221,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + consolekit_read_pid_files(udev_t)
> +')
> +
> +optional_policy(`
> cups_domtrans_config(udev_t)
> ')

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-12-07 05:49:59

by cpebenito

Subject: [refpolicy] [PATCH 4/7] authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> On Debian /var/run/console directory might be created by consolekit, we
> need these new interfaces to achieve this.
> ---
> policy/modules/system/authlogin.if | 50 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 50 insertions(+)
>
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 8cdaa26..3efd5b6 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1102,6 +1102,25 @@ interface(`auth_list_pam_console_data',`
>
> ########################################
> ## <summary>
> +## Create pam var console pid directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_create_pam_console_data_dirs',`
> + gen_require(`
> + type pam_var_console_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 pam_var_console_t:dir create_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Relabel pam_console data directories.
> ## </summary>
> ## <param name="domain">
> @@ -1181,6 +1200,37 @@ interface(`auth_delete_pam_console_data',`
>
> ########################################
> ## <summary>
> +## Create specified objects in
> +## pid directories with the pam var
> +## console pid file type using a
> +## file type transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_pid_filetrans_pam_var_console',`
> + gen_require(`
> + type pam_var_console_t;
> + ')
> +
> + files_pid_filetrans($1, pam_var_console_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Read all directories on the filesystem, except
> ## login files and listed exceptions.
> ## </summary>>

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-12-07 05:50:32

by cpebenito

Subject: [refpolicy] [PATCH 6/7] Label /etc/rc.d/init.d/x11-common as xdm_exec_t

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> In Debian, this initscript is creating both /tmp/.X11-unix and
> /tmp/.ICE-unix. This allows the directory to transition to the context
> defined in the filecontext.
> ---
> policy/modules/services/xserver.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 9393f65..7e96559 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -27,6 +27,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
> /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
>
> +/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
> /etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
>
> /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-12-07 05:51:00

by cpebenito

Subject: [refpolicy] [PATCH 7/7] Drop /etc/rc.d/init.d/xfree86-common filecontext definition

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> This only seems to be used in Debian and the file is gone since 2006
> ---
> policy/modules/services/xserver.fc | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 7e96559..d1f64a0 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -28,7 +28,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
>
> /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
> -/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
>
> /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
> /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-12-15 22:29:06

by Laurent Bigonville

Subject: [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t

On Fri, 07 Dec 2012 00:13:03 -0500,
"Christopher J. PeBenito" <[email protected]> wrote:

> On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> > From: Laurent Bigonville <[email protected]>
> >
> > In Debian, /dev/shm is a symlink to /var/run/shm. Label that
> > mountpoint the same way.
> > ---
> > policy/modules/kernel/filesystem.fc | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/policy/modules/kernel/filesystem.fc
> > b/policy/modules/kernel/filesystem.fc index cda5588..4da589c 100644
> > --- a/policy/modules/kernel/filesystem.fc
> > +++ b/policy/modules/kernel/filesystem.fc
> > @@ -14,3 +14,6 @@
> > # for systemd systems:
> > /sys/fs/cgroup -d
> > gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.*
> > <<none>> +
> > +/var/run/shm -d
> > gen_context(system_u:object_r:tmpfs_t,s0)
> > +/var/run/shm/.* <<none>>
>
> Wouldn't it make more sense to just have a file context substitution
> in the Debian policy?

For some reason it's not working. Maybe because /var/run is already a
tmpfs? If you want I can give a patch that defines this only for Debian.

Laurent Bigonville

2012-12-16 16:41:04

by dominick.grift

Subject: [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t

On Sat, 2012-12-15 at 23:29 +0100, Laurent Bigonville wrote:
> On Fri, 07 Dec 2012 00:13:03 -0500,
> "Christopher J. PeBenito" <[email protected]> wrote:
>
> > On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> > > From: Laurent Bigonville <[email protected]>
> > >
> > > In Debian, /dev/shm is a symlink to /var/run/shm. Label that
> > > mountpoint the same way.
> > > ---
> > > policy/modules/kernel/filesystem.fc | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/policy/modules/kernel/filesystem.fc
> > > b/policy/modules/kernel/filesystem.fc index cda5588..4da589c 100644
> > > --- a/policy/modules/kernel/filesystem.fc
> > > +++ b/policy/modules/kernel/filesystem.fc
> > > @@ -14,3 +14,6 @@
> > > # for systemd systems:
> > > /sys/fs/cgroup -d
> > > gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.*
> > > <<none>> +
> > > +/var/run/shm -d
> > > gen_context(system_u:object_r:tmpfs_t,s0)
> > > +/var/run/shm/.* <<none>>
> >
> > Wouldn't it make more sense to just have a file context substitution
> > in the Debian policy?
>
> For some reason it's not working. Maybe because /var/run is already a
> tmpfs? If you want I can give a patch that defines this only for Debian.
>

I think it may be related to the fact that this tmpfs here is mounted
with the rootcontext= option in Debian

> Laurent Bigonville