policycoreutils-2.7-5.fc28

- sepolicy: Fix sepolicy manpage
- semanage: Update Infiniband code to work on python3
- semanage: Fix export of ibendport entries
- semanage: Enforce noreload only if it's requested by -N option
Petr Lautrbach 2017-11-22 15:39:07 +01:00
parent e1f5c9548b
commit bd497b9fd6
2 changed files with 558 additions and 10 deletions


@ -1,7 +1,7 @@
%global libauditver 2.1.3-4 %global libauditver 2.1.3-4
%global libsepolver 2.7-2 %global libsepolver 2.7-3
%global libsemanagever 2.7-4 %global libsemanagever 2.7-5
%global libselinuxver 2.7-5 %global libselinuxver 2.7-6
%global sepolgenver 2.7 %global sepolgenver 2.7
%global generatorsdir %{_prefix}/lib/systemd/system-generators %global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -9,7 +9,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.7 Version: 2.7
Release: 4%{?dist} Release: 5%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -31,7 +31,7 @@ Source18: selinux-autorelabel.target
Source19: selinux-autorelabel-generator.sh Source19: selinux-autorelabel-generator.sh
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# HEAD https://github.com/fedora-selinux/selinux/commit/4247fad665261169b430895f0ab10f56eb33dd10 # HEAD https://github.com/fedora-selinux/selinux/commit/2d0b90c1d95ec908f94c06337ec07a96b7d1205e
# $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do # $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do
# ./make-fedora-selinux-patch.sh $i # ./make-fedora-selinux-patch.sh $i
# done # done
@ -503,6 +503,12 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Wed Nov 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-5
- sepolicy: Fix sepolicy manpage
- semanage: Update Infiniband code to work on python3
- semanage: Fix export of ibendport entries
- semanage: Enforce noreload only if it's requested by -N option
* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-4 * Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-4
- restorecond: check write() and daemon() results - restorecond: check write() and daemon() results
- sepolicy: do not fail when file_contexts.local or .subs do not exist - sepolicy: do not fail when file_contexts.local or .subs do not exist


@ -1,3 +1,270 @@
diff --git selinux-python-2.7/semanage/semanage selinux-python-2.7/semanage/semanage
index 313537c..8d8a086 100644
--- selinux-python-2.7/semanage/semanage
+++ selinux-python-2.7/semanage/semanage
@@ -89,16 +89,6 @@ class CheckRole(argparse.Action):
newval.append(v)
setattr(namespace, self.dest, newval)
-store = ''
-
-
-class SetStore(argparse.Action):
-
- def __call__(self, parser, namespace, values, option_string=None):
- global store
- store = values
- setattr(namespace, self.dest, values)
-
class seParser(argparse.ArgumentParser):
@@ -134,67 +124,21 @@ class SetImportFile(argparse.Action):
sys.exit(1)
setattr(namespace, self.dest, values)
-# functions for OBJECT initialization
-
-
-def login_ini():
- OBJECT = seobject.loginRecords(store)
- return OBJECT
-
-
-def user_ini():
- OBJECT = seobject.seluserRecords(store)
- return OBJECT
-
-
-def port_ini():
- OBJECT = seobject.portRecords(store)
- return OBJECT
-
-def ibpkey_ini():
- OBJECT = seobject.ibpkeyRecords(store)
- return OBJECT
-
-def ibendport_ini():
- OBJECT = seobject.ibendportRecords(store)
- return OBJECT
-
-def module_ini():
- OBJECT = seobject.moduleRecords(store)
- return OBJECT
-
-
-def interface_ini():
- OBJECT = seobject.interfaceRecords(store)
- return OBJECT
-
-
-def node_ini():
- OBJECT = seobject.nodeRecords(store)
- return OBJECT
-
-
-def fcontext_ini():
- OBJECT = seobject.fcontextRecords(store)
- return OBJECT
-
-
-def boolean_ini():
- OBJECT = seobject.booleanRecords(store)
- return OBJECT
-
-
-def permissive_ini():
- OBJECT = seobject.permissiveRecords(store)
- return OBJECT
-
-
-def dontaudit_ini():
- OBJECT = seobject.dontauditClass(store)
- return OBJECT
-
# define dictonary for seobject OBEJCTS
-object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': module_ini, 'interface': interface_ini, 'node': node_ini, 'fcontext': fcontext_ini, 'boolean': boolean_ini, 'permissive': permissive_ini, 'dontaudit': dontaudit_ini, 'ibpkey': ibpkey_ini, 'ibendport': ibendport_ini}
+object_dict = {
+ 'login': seobject.loginRecords,
+ 'user': seobject.seluserRecords,
+ 'port': seobject.portRecords,
+ 'module': seobject.moduleRecords,
+ 'interface': seobject.interfaceRecords,
+ 'node': seobject.nodeRecords,
+ 'fcontext': seobject.fcontextRecords,
+ 'boolean': seobject.booleanRecords,
+ 'permissive': seobject.permissiveRecords,
+ 'dontaudit': seobject.dontauditClass,
+ 'ibpkey': seobject.ibpkeyRecords,
+ 'ibendport': seobject.ibendportRecords
+}
def generate_custom_usage(usage_text, usage_dict):
# generate custom usage from given text and dictonary
@@ -238,8 +182,7 @@ def handleLogin(args):
handle_opts(args, login_args, args.action)
- OBJECT = object_dict['login']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['login'](args)
if args.action is "add":
OBJECT.add(args.login, args.seuser, args.range)
@@ -257,7 +200,7 @@ def handleLogin(args):
def parser_add_store(parser, name):
- parser.add_argument('-S', '--store', action=SetStore, help=_("Select an alternate SELinux Policy Store to manage"))
+ parser.add_argument('-S', '--store', default='', help=_("Select an alternate SELinux Policy Store to manage"))
def parser_add_priority(parser, name):
@@ -269,7 +212,7 @@ def parser_add_noheading(parser, name):
def parser_add_noreload(parser, name):
- parser.add_argument('-N', '--noreload', action='store_false', default=True, help=_('Do not reload policy after commit'))
+ parser.add_argument('-N', '--noreload', action='store_true', default=False, help=_('Do not reload policy after commit'))
def parser_add_locallist(parser, name):
@@ -372,8 +315,7 @@ def handleFcontext(args):
else:
handle_opts(args, fcontext_args, args.action)
- OBJECT = object_dict['fcontext']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['fcontext'](args)
if args.action is "add":
if args.equal:
@@ -441,8 +383,7 @@ def handleUser(args):
handle_opts(args, user_args, args.action)
- OBJECT = object_dict['user']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['user'](args)
if args.action is "add":
OBJECT.add(args.selinux_name, args.roles, args.level, args.range, args.prefix)
@@ -492,8 +433,7 @@ def handlePort(args):
handle_opts(args, port_args, args.action)
- OBJECT = object_dict['port']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['port'](args)
if args.action is "add":
OBJECT.add(args.port, args.proto, args.range, args.type)
@@ -538,8 +478,7 @@ def handlePkey(args):
handle_opts(args, ibpkey_args, args.action)
- OBJECT = object_dict['ibpkey']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['ibpkey'](args)
if args.action is "add":
OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type)
@@ -582,8 +521,7 @@ def handleIbendport(args):
handle_opts(args, ibendport_args, args.action)
- OBJECT = object_dict['ibendport']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['ibendport'](args)
if args.action is "add":
OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type)
@@ -626,8 +564,7 @@ def handleInterface(args):
handle_opts(args, interface_args, args.action)
- OBJECT = object_dict['interface']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['interface'](args)
if args.action is "add":
OBJECT.add(args.interface, args.range, args.type)
@@ -666,8 +603,7 @@ def setupInterfaceParser(subparsers):
def handleModule(args):
- OBJECT = seobject.moduleRecords(store)
- OBJECT.set_reload(args.noreload)
+ OBJECT = seobject.moduleRecords(args)
if args.action == "add":
OBJECT.add(args.module_name, args.priority)
if args.action == "enable":
@@ -709,8 +645,7 @@ def handleNode(args):
node_args = {'list': [('node', 'type', 'proto', 'netmask'), ('')], 'add': [('locallist'), ('type', 'node', 'proto', 'netmask')], 'modify': [('locallist'), ('node', 'netmask', 'proto')], 'delete': [('locallist'), ('node', 'netmask', 'prototype')], 'extract': [('locallist', 'node', 'type', 'proto', 'netmask'), ('')], 'deleteall': [('locallist'), ('')]}
handle_opts(args, node_args, args.action)
- OBJECT = object_dict['node']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['node'](args)
if args.action is "add":
OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
@@ -756,8 +691,7 @@ def handleBoolean(args):
handle_opts(args, boolean_args, args.action)
- OBJECT = object_dict['boolean']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['boolean'](args)
if args.action is "modify":
if args.boolean:
@@ -795,8 +729,7 @@ def setupBooleanParser(subparsers):
def handlePermissive(args):
- OBJECT = object_dict['permissive']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['permissive'](args)
if args.action is "list":
OBJECT.list(args.noheading)
@@ -830,8 +763,7 @@ def setupPermissiveParser(subparsers):
def handleDontaudit(args):
- OBJECT = object_dict['dontaudit']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['dontaudit'](args)
OBJECT.toggle(args.action)
@@ -848,7 +780,7 @@ def handleExport(args):
for i in manageditems:
print("%s -D" % i)
for i in manageditems:
- OBJECT = object_dict[i]()
+ OBJECT = object_dict[i](args)
for c in OBJECT.customized():
print("%s %s" % (i, str(c)))
@@ -912,7 +844,7 @@ def mkargv(line):
def handleImport(args):
- trans = seobject.semanageRecords(store)
+ trans = seobject.semanageRecords(args)
trans.start()
for l in sys.stdin.readlines():
@@ -932,7 +864,6 @@ def handleImport(args):
except KeyboardInterrupt:
sys.exit(0)
- trans.set_reload(args.noreload)
trans.finish()
diff --git selinux-python-2.7/semanage/semanage.8 selinux-python-2.7/semanage/semanage.8 diff --git selinux-python-2.7/semanage/semanage.8 selinux-python-2.7/semanage/semanage.8
index 0bdb90f..0cdcfcc 100644 index 0bdb90f..0cdcfcc 100644
--- selinux-python-2.7/semanage/semanage.8 --- selinux-python-2.7/semanage/semanage.8
@ -15,10 +282,62 @@ index 0bdb90f..0cdcfcc 100644
user identities to authorized role sets. In most cases, only the user identities to authorized role sets. In most cases, only the
former mapping needs to be adjusted by the administrator; the latter former mapping needs to be adjusted by the administrator; the latter
diff --git selinux-python-2.7/semanage/seobject.py selinux-python-2.7/semanage/seobject.py diff --git selinux-python-2.7/semanage/seobject.py selinux-python-2.7/semanage/seobject.py
index 70fd192..55127de 100644 index 70fd192..b287594 100644
--- selinux-python-2.7/semanage/seobject.py --- selinux-python-2.7/semanage/seobject.py
+++ selinux-python-2.7/semanage/seobject.py +++ selinux-python-2.7/semanage/seobject.py
@@ -386,6 +386,8 @@ class moduleRecords(semanageRecords): @@ -238,21 +238,23 @@ class semanageRecords:
transaction = False
handle = None
store = None
+ args = None
- def __init__(self, store):
+ def __init__(self, args):
global handle
- self.load = True
- self.sh = self.get_handle(store)
+ self.args = args
+ try:
+ self.noreload = args.noreload
+ except:
+ self.noreload = False
+ self.sh = self.get_handle(args.store)
rc, localstore = selinux.selinux_getpolicytype()
- if store == "" or store == localstore:
+ if args.store == "" or args.store == localstore:
self.mylog = logger()
else:
self.mylog = nulllogger()
- def set_reload(self, load):
- self.load = load
-
def get_handle(self, store):
global is_mls_enabled
@@ -312,7 +314,8 @@ class semanageRecords:
if semanageRecords.transaction:
return
- semanage_set_reload(self.sh, self.load)
+ if self.noreload:
+ semanage_set_reload(self.sh, 0)
rc = semanage_commit(self.sh)
if rc < 0:
self.mylog.commit(0)
@@ -328,8 +331,8 @@ class semanageRecords:
class moduleRecords(semanageRecords):
- def __init__(self, store):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
def get_all(self):
l = []
@@ -386,6 +389,8 @@ class moduleRecords(semanageRecords):
print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled)) print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
def add(self, file, priority): def add(self, file, priority):
@ -27,7 +346,7 @@ index 70fd192..55127de 100644
if not os.path.exists(file): if not os.path.exists(file):
raise ValueError(_("Module does not exist: %s ") % file) raise ValueError(_("Module does not exist: %s ") % file)
@@ -398,6 +400,8 @@ class moduleRecords(semanageRecords): @@ -398,6 +403,8 @@ class moduleRecords(semanageRecords):
self.commit() self.commit()
def set_enabled(self, module, enable): def set_enabled(self, module, enable):
@ -36,7 +355,7 @@ index 70fd192..55127de 100644
for m in module.split(): for m in module.split():
rc, key = semanage_module_key_create(self.sh) rc, key = semanage_module_key_create(self.sh)
if rc < 0: if rc < 0:
@@ -416,11 +420,15 @@ class moduleRecords(semanageRecords): @@ -416,11 +423,15 @@ class moduleRecords(semanageRecords):
self.commit() self.commit()
def modify(self, file): def modify(self, file):
@ -52,7 +371,196 @@ index 70fd192..55127de 100644
rc = semanage_set_default_priority(self.sh, priority) rc = semanage_set_default_priority(self.sh, priority)
if rc < 0: if rc < 0:
raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
@@ -2566,10 +2574,15 @@ class fcontextRecords(semanageRecords): @@ -440,8 +451,8 @@ class moduleRecords(semanageRecords):
class dontauditClass(semanageRecords):
- def __init__(self, store):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
def toggle(self, dontaudit):
if dontaudit not in ["on", "off"]:
@@ -453,8 +464,8 @@ class dontauditClass(semanageRecords):
class permissiveRecords(semanageRecords):
- def __init__(self, store):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
def get_all(self):
l = []
@@ -522,8 +533,8 @@ class permissiveRecords(semanageRecords):
class loginRecords(semanageRecords):
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
self.oldsename = None
self.oldserange = None
self.sename = None
@@ -534,7 +545,7 @@ class loginRecords(semanageRecords):
if sename == "":
sename = "user_u"
- userrec = seluserRecords()
+ userrec = seluserRecords(self.args)
range, (rc, oldserole) = userrec.get(self.oldsename)
range, (rc, serole) = userrec.get(sename)
@@ -603,7 +614,7 @@ class loginRecords(semanageRecords):
if sename == "" and serange == "":
raise ValueError(_("Requires seuser or serange"))
- userrec = seluserRecords()
+ userrec = seluserRecords(self.args)
range, (rc, oldserole) = userrec.get(self.oldsename)
if sename != "":
@@ -660,7 +671,7 @@ class loginRecords(semanageRecords):
def __delete(self, name):
rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
- userrec = seluserRecords()
+ userrec = seluserRecords(self.args)
range, (rc, oldserole) = userrec.get(self.oldsename)
(rc, k) = semanage_seuser_key_create(self.sh, name)
@@ -779,8 +790,8 @@ class loginRecords(semanageRecords):
class seluserRecords(semanageRecords):
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
def get(self, name):
(rc, k) = semanage_user_key_create(self.sh, name)
@@ -1042,8 +1053,8 @@ class portRecords(semanageRecords):
except RuntimeError:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
def __genkey(self, port, proto):
if proto == "tcp":
@@ -1317,8 +1328,8 @@ class ibpkeyRecords(semanageRecords):
except:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
def __genkey(self, pkey, subnet_prefix):
if subnet_prefix == "":
@@ -1540,9 +1551,8 @@ class ibpkeyRecords(semanageRecords):
def customized(self):
l = []
ddict = self.get_all(True)
- keys = ddict.keys()
- keys.sort()
- for k in keys:
+
+ for k in sorted(ddict.keys()):
if k[0] == k[1]:
l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
else:
@@ -1554,11 +1564,10 @@ class ibpkeyRecords(semanageRecords):
keys = ddict.keys()
if len(keys) == 0:
return
- keys.sort()
if heading:
print("%-30s %-18s %s\n" % (_("SELinux IB Pkey Type"), _("Subnet_Prefix"), _("Pkey Number")))
- for i in keys:
+ for i in sorted(keys):
rec = "%-30s %-18s " % i
rec += "%s" % ddict[i][0]
for p in ddict[i][1:]:
@@ -1572,8 +1581,8 @@ class ibendportRecords(semanageRecords):
except:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
def __genkey(self, ibendport, ibdev_name):
if ibdev_name == "":
@@ -1782,10 +1791,9 @@ class ibendportRecords(semanageRecords):
def customized(self):
l = []
ddict = self.get_all(True)
- keys = ddict.keys()
- keys.sort()
- for k in keys:
- l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
+
+ for k in sorted(ddict.keys()):
+ l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0]))
return l
def list(self, heading=1, locallist=0):
@@ -1793,11 +1801,10 @@ class ibendportRecords(semanageRecords):
keys = ddict.keys()
if len(keys) == 0:
return
- keys.sort()
if heading:
print("%-30s %-18s %s\n" % (_("SELinux IB End Port Type"), _("IB Device Name"), _("Port Number")))
- for i in keys:
+ for i in sorted(keys):
rec = "%-30s %-18s " % i
rec += "%s" % ddict[i][0]
for p in ddict[i][1:]:
@@ -1810,8 +1817,8 @@ class nodeRecords(semanageRecords):
except RuntimeError:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
self.protocol = ["ipv4", "ipv6"]
def validate(self, addr, mask, protocol):
@@ -2046,8 +2053,8 @@ class nodeRecords(semanageRecords):
class interfaceRecords(semanageRecords):
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
def __add(self, interface, serange, ctype):
if is_mls_enabled == 1:
@@ -2243,8 +2250,8 @@ class fcontextRecords(semanageRecords):
except RuntimeError:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
self.equiv = {}
self.equiv_dist = {}
self.equal_ind = False
@@ -2566,10 +2573,15 @@ class fcontextRecords(semanageRecords):
if rc < 0: if rc < 0:
raise ValueError(_("Could not list file contexts")) raise ValueError(_("Could not list file contexts"))
@ -68,6 +576,40 @@ index 70fd192..55127de 100644
self.flist += fclocal self.flist += fclocal
ddict = {} ddict = {}
@@ -2627,8 +2639,8 @@ class fcontextRecords(semanageRecords):
class booleanRecords(semanageRecords):
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args):
+ semanageRecords.__init__(self, args)
self.dict = {}
self.dict["TRUE"] = 1
self.dict["FALSE"] = 0
diff --git selinux-python-2.7/sepolicy/sepolicy.8 selinux-python-2.7/sepolicy/sepolicy.8
index 7900586..09d2b24 100644
--- selinux-python-2.7/sepolicy/sepolicy.8
+++ selinux-python-2.7/sepolicy/sepolicy.8
@@ -22,14 +22,15 @@ Query SELinux policy to see if domains can communicate with each other
.br
.B generate
-.br
.br
Generate SELinux Policy module template
-.B gui
+.B sepolicy-generate(8)
.br
+
+.B gui
.br
Launch Graphical User Interface for SELinux Policy, requires policycoreutils-gui package.
-.B sepolicy-generate(8)
+.B sepolicy-gui(8)
.br
.B interface
diff --git selinux-python-2.7/sepolicy/sepolicy/__init__.py selinux-python-2.7/sepolicy/sepolicy/__init__.py diff --git selinux-python-2.7/sepolicy/sepolicy/__init__.py selinux-python-2.7/sepolicy/sepolicy/__init__.py
index 5cfc071..24e3526 100644 index 5cfc071..24e3526 100644
--- selinux-python-2.7/sepolicy/sepolicy/__init__.py --- selinux-python-2.7/sepolicy/sepolicy/__init__.py