srivasta@debian.org--etch/refpolicy--debian--0.0--patch-21
In Manoj's topic--pythonsupport branch

Add pythonsupport

russell-20080929.diff contains the pythonsupport_domtrans(apt_t) but none of
the rest, including the interface definition

Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te.orig
+++ policy/modules/admin/apt.te
@@ -143,6 +143,10 @@
 #')
 
 optional_policy(`
+	pythonsupport_domtrans(apt_t)
+')
+
+optional_policy(`
 	# dpkg interaction
 	dpkg_read_db(apt_t)
 	dpkg_domtrans(apt_t)
Index: policy/modules/system/pythonsupport.fc
===================================================================
--- /dev/null
+++ policy/modules/system/pythonsupport.fc
@@ -0,0 +1,2 @@
+/usr/sbin/update-python-modules	--	gen_context(system_u:object_r:pythoncompile_exec_t,s0)
+/var/lib/python-support(/.*)?		gen_context(system_u:object_r:python_compiled_t,s0)
Index: policy/modules/system/pythonsupport.if
===================================================================
--- /dev/null
+++ policy/modules/system/pythonsupport.if
@@ -0,0 +1,55 @@
+## <summary>Support for precompiling python modules</summary>
+## <desc>
+##	<p>
+##		Debians python-support will precompile installed python
+##		packages for installed python versions. This way,
+##		the python2.3-foobar and python2.4-foobar (and 2.5) packages
+##		could be merged into one python-foobar while keeping the
+##		dependency information useful.
+##	</p>
+## </desc>
+#
+
+########################################
+## <summary>
+##	Execute the python-support utility to precompile modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pythonsupport_domtrans',`
+	gen_require(`
+		type pythoncompile_t, pythoncompile_exec_t;
+	')
+
+	domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t)
+
+	allow $1 pythoncompile_t:fd use;
+	allow pythoncompile_t $1:fd use;
+	allow $1 pythoncompile_t:fifo_file rw_file_perms;
+	allow $1 pythoncompile_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read compiled python modules
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to read the compiled python modules.
+##	</summary>
+## </param>
+#
+interface(`pythonsupport_compiled_read',`
+	gen_require(`
+		type python_compiled_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 python_compiled_t:dir list_dir_perms;
+	allow $1 python_compiled_t:file read_file_perms;
+	allow $1 python_compiled_t:lnk_file read_lnk_file_perms;
+')
Index: policy/modules/system/pythonsupport.te
===================================================================
--- /dev/null
+++ policy/modules/system/pythonsupport.te
@@ -0,0 +1,44 @@
+policy_module(pythonsupport,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type pythoncompile_t;
+type pythoncompile_exec_t;
+domain_type(pythoncompile_t)
+domain_entry_file(pythoncompile_t, pythoncompile_exec_t)
+
+role system_r types pythoncompile_t;
+role sysadm_r types pythoncompile_t;
+
+type python_compiled_t;
+files_type(python_compiled_t)
+
+########################################
+#
+# python-support local policy
+#
+
+kernel_read_system_state(pythoncompile_t)
+kernel_read_kernel_sysctls(pythoncompile_t)
+
+corecmd_exec_bin(pythoncompile_t)
+corecmd_exec_sbin(pythoncompile_t)
+
+files_read_etc_files(pythoncompile_t)
+files_read_usr_files(pythoncompile_t)
+
+libs_use_ld_so(pythoncompile_t)
+libs_use_shared_libs(pythoncompile_t)
+libs_use_lib_files(pythoncompile_t)
+
+miscfiles_read_localization(pythoncompile_t)
+
+
+# create compiled python modules
+allow pythoncompile_t python_compiled_t:dir manage_dir_perms;
+allow pythoncompile_t python_compiled_t:file manage_file_perms;
+allow pythoncompile_t python_compiled_t:lnk_file manage_lnk_file_perms;
+files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)
Index: policy/modules/system/selinuxutil.te
===================================================================
--- policy/modules/system/selinuxutil.te.orig
+++ policy/modules/system/selinuxutil.te
@@ -501,6 +501,10 @@
 	')
 ')
 
+optional_policy(`
+	pythonsupport_compiled_read(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
Index: policy/modules/system/userdomain.if
===================================================================
--- policy/modules/system/userdomain.if.orig
+++ policy/modules/system/userdomain.if
@@ -655,6 +655,10 @@
 	')
 
 	optional_policy(`
+		pythonsupport_compiled_read($1_t)
+	')
+
+	optional_policy(`
 		pcscd_read_pub_files($1_t)
 		pcscd_stream_connect($1_t)
 	')