Commit graph

102 commits

Author SHA1 Message Date
Stephen Smalley
91c290b829 Allow access to unlabeled socket and fifo files.
Just use notdevfile_class_set to pick up all non-device file classes.

Change-Id: Ib3604537ccfc25da67823f0f2b5d70b84edfaadf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-09 18:37:26 +00:00
Stephen Smalley
959fdaaa25 Remove unlabeled execute access from domain, add to appdomain.
Otherwise all domains can create/write files that are executable
by all other domains.  If I understand correctly, this should
only be necessary for app domains executing content from legacy
unlabeled userdata partitions on existing devices and zygote
and system_server mappings of dalvikcache files, so only allow
it for those domains.

If required for others, add it to the individual
domain .te file, not for all domains.

Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-09 18:30:16 +00:00
Stephen Smalley
8b51674b2d Restrict ability to set checkreqprot.
Now that we set /sys/fs/selinux/checkreqprot via init.rc,
restrict the ability to set it to only the kernel domain.

Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 09:33:26 -05:00
Robert Craig
529fcbe065 Create proc_net type for /proc/sys/net entries.
/proc/sys/net could use its own type to help distinguish
among some of the proc access rules. Fix dhcp and netd
because of this.

Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-01-07 14:03:32 -05:00
Nick Kralevich
a730e50bd9 Don't allow zygote init:binder call
init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50
2014-01-03 20:45:42 -08:00
Stephen Smalley
c4021cebcf Address adb backup/restore denials.
Resolves the following denials seen during an adb backup and restore
sequence.

<5>[   90.247039] type=1400 audit(1388759567.693:16): avc:  denied  { getopt } for  pid=3503 comm="Thread-149" scontext=u:r:system_server:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket
<5>[   90.249176] type=1400 audit(1388759567.703:17): avc:  denied  { getopt } for  pid=2334 comm="app_process" scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket

Change-Id: I1f6f90f29eecc32ee692764b04b812988f099cde
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-03 18:39:17 -05:00
Stephen Smalley
ad7df7bb76 Remove execmem permission from domain, add to appdomain.
execmem permission controls the ability to make an anonymous
mapping executable or to make a private file mapping writable
and executable.  Remove this permission from domain (i.e.
all domains) by default, and add it explicitly to app domains.
It is already allowed in other specific .te files as required.
There may be additional cases in device-specific policy where
it is required for proprietary binaries.

Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-02 21:26:14 +00:00
Stephen Smalley
712ca0a4d5 Confine shell domain in -user builds only.
Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g.  console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.

Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-18 09:37:52 -05:00
Nick Kralevich
7466f9b693 Label /data/misc/zoneinfo
And allow any SELinux domain to read these timezone
related files.

Addresses the following denial:
<5>[    4.746399] type=1400 audit(3430294.470:7): avc:  denied  { open } for  pid=197 comm="time_daemon" name="tzdata" dev="mmcblk0p28" ino=618992 scontext=u:r:time:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Iff32465e62729d7aad8c79607848d89ce0aede86
2013-12-13 15:57:23 -08:00
Stephen Smalley
95e0842e34 Restrict ptrace access by debuggerd and unconfineddomain.
Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-09 12:59:17 -05:00
Stephen Smalley
fea6e66fad Allow kernel domain, not init domain, to set SELinux enforcing mode.
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/

init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 12:02:01 -05:00
Nick Kralevich
9e8b8d9fdf Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."
The build is broken. Reverting temporarily to fix breakage.

libsepol.check_assertion_helper: neverallow on line 4758 violated by allow init kernel:security { setenforce };
Error while expanding policy
make: *** [out/target/product/mako/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....


This reverts commit bf12e22514.

Change-Id: I78a05756d8ce3c7d06e1d9d27e6135f4b352bb85
2013-12-06 16:52:30 +00:00
Stephen Smalley
bf12e22514 Allow kernel domain, not init domain, to set SELinux enforcing mode.
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/

init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I617876c479666a03167b8fce270c82a8d45c7cc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 08:21:15 -08:00
Stephen Smalley
7adb999e70 Restrict the ability to set usermodehelpers and proc security settings.
Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.

The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.

Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root     root              u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root     root              u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root     root              u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root     root              u:object_r:proc_security:s0 randomize_va_space
-rw------- root     root              u:object_r:usermodehelper:s0 bset
-rw------- root     root              u:object_r:usermodehelper:s0 inheritable

Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 09:44:38 -05:00
Robert Craig
b2547644ef Drop tegra specific label from policy.
This label was originally used for Motorola
Xoom devices. nvmap is the tegra gpu memory
manager and the various nvhost drivers are
for tegra graphics related functionality,
i.e. display serial interface, image signal
processor, or media processing stuff.

Only grouper and tilapia presently need this
policy.

Change-Id: I2a7000f69abf3185724d88d428e8237e0ca436ec
2013-12-05 13:29:07 -08:00
Stephen Smalley
d99e6d5fa1 Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 15:59:04 -05:00
Geremy Condra
ddf98fa8cf Neverallow access to the kmem device from userspace.
Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
2013-11-07 16:17:32 -08:00
Stephen Smalley
2e0b4a149e Move goldfish-specific rules to their own directory.
Change-Id:  I1bdd80f641db05fef4714654515c1e1fbb259794
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-06 10:27:19 -05:00
Nick Kralevich
967f39a6e8 Move sysfs_devices_system_cpu to the central policy.
Every device has a CPU. This is not device specific.

Allow every domain to read these files/directories.
For unknown reasons, these files are accessed by A LOT
of processes.

Allow ueventd to write to these files. This addresses
the following denials seen on mako:

<5>[    4.935602] type=1400 audit(1383167737.512:4): avc:  denied  { read } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.935785] type=1400 audit(1383167737.512:5): avc:  denied  { open } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.935937] type=1400 audit(1383167737.512:6): avc:  denied  { search } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.936120] type=1400 audit(1383167737.512:7): avc:  denied  { write } for  pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
<5>[    4.936303] type=1400 audit(1383167737.512:8): avc:  denied  { open } for  pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file

Change-Id: I4766dc571762d8fae06aa8c26828c070b80f5936
2013-10-30 14:12:21 -07:00
William Roberts
85c5fc21c8 Start confining ueventd
* Keep ueventd in permissive
* Drop unconfined macro to collect logs
* Restore allow rules to current NSA maintained policy

Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b
2013-10-08 09:43:28 -04:00
Alex Klyubin
8d688315ae Restrict access to /dev/hw_random to system_server and init.
/dev/hw_random is accessed only by init and by EntropyMixer (which
runs inside system_server). Other domains are denied access because
apps/services should be obtaining randomness from the Linux RNG.

Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
2013-10-03 14:25:15 -07:00
Stephen Smalley
0130154985 Make sure exec_type is assigned to all entrypoint types.
Some file types used as domain entrypoints were missing the
exec_type attribute.  Add it and add a neverallow rule to
keep it that way.

Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-27 10:38:14 -04:00
Alex Klyubin
1fdee11df2 1/2: Rename domain "system" to "system_server".
This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.

Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
2013-09-17 08:40:12 -07:00
Stephen Smalley
c0845036cc Remove sys_nice capability from domains.
Remove sys_nice capability from domains; this does not appear to be necessary
and should not be possible in particular for app domains.  If we encounter
specific instances where it should be granted, we can add it back on a
per-domain basis.  Allow it explicitly for the system_server.  Unconfined
domains get it via unconfined_domain() and the rules in unconfined.te.

Change-Id: I9669db80a04a90a22241b2fbc5236a28dcde8c6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-13 13:06:36 -07:00
Stephen Smalley
29326eda65 Drop domain write access to sysfs for the emulator.
3.4 goldfish kernel supports sysfs labeling so we no longer need this.

Change-Id: I77514a8f3102ac8be957c57d95e7de7d5901f69d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-13 18:29:03 +00:00
Alex Klyubin
a2477056ae Permit writing to /dev/random and /dev/urandom.
Apps attempting to write to /dev/random or /dev/urandom currently
succeed, but a policy violation is logged. These two Linux RNG
devices are meant to be written to by arbitrary apps. Thus, there's
no reason to deny this capability.

Bug: 10679705

Change-Id: Ife401f1dd2182889471eef7e90fcc92e96f9c4d6
2013-09-10 12:01:15 -07:00
Geremy Condra
81560733a4 Fix denials encountered while getting bugreports.
Bug: 10498304
Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74
2013-08-30 15:10:17 -07:00
Nick Kralevich
2637198f92 Only init should be able to load a security policy
Bug: 9859477
Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b
2013-07-15 17:16:08 -07:00
Nick Kralevich
0b5b4faf30 Merge "untrusted_app.te / isolated_app.te / app.te first pass" 2013-07-15 22:48:02 +00:00
Nick Kralevich
ceff21b7a3 Merge "domain.te: Temporarily work around debuggerd connection bug" 2013-07-15 19:45:41 +00:00
Nick Kralevich
5919d1c86a domain.te: Temporarily work around debuggerd connection bug
For some reason, the debuggerd socket isn't getting properly
labeled. Work around this bug for now by allowing all domains
to connect to all unix stream sockets.

Bug: 9858255
Change-Id: If994e51b0201ea8cae46341efc76dc71a4e577c8
2013-07-15 12:31:31 -07:00
Nick Kralevich
6634a1080e untrusted_app.te / isolated_app.te / app.te first pass
This is my first attempt at creating an enforcing SELinux domain for
apps, untrusted_apps, and isolated_apps. Much of these rules are based on the
contents of app.te as of commit 11153ef349
with extensive modifications, some of which are included below.

* Allow communication with netd/dnsproxyd, to allow netd to handle
  dns requests
* Allow binder communications with the DNS server
* Allow binder communications with surfaceflinger
* Allow an app to bind to tcp/udp ports
* Allow all domains to read files from the root partition, assuming
  the DAC allows access.

In addition, I added a bunch of "neverallow" rules, to assert that
certain capabilities are never added.

This change has a high probability of breaking someone, somewhere.
If it does, then I'm happy to fix the breakage, rollback this change,
or put untrusted_app into permissive mode.

Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35
2013-07-13 18:46:03 -07:00
Nick Kralevich
9a19885c4c remove "self:process ptrace" from domain, netd neverallow rules
Remove "self:process ptrace" from all SELinux enforced domains.
In general, a process should never need to ptrace itself.
We can add this back to more narrowly scoped domains as needed.

Add a bunch of neverallow assertions to netd.te, to verify that netd
never gets unexpected capabilities.

Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
2013-07-12 21:28:41 -07:00
Nick Kralevich
8758cc5f8b domain.te: allow access to /sys/kernel/debug/tracing/trace_marker
Bug: 9781325
Change-Id: Ib6f6875f690420b59fceb0a32590a2b9ed8dda95
2013-07-11 11:30:20 -07:00
Nick Kralevich
0c9708b2af domain.te: Add backwards compatibility for unlabeled files
For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.

Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.

To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
2013-07-10 18:54:45 -07:00
Nick Kralevich
dbd28d91d3 Enable SELinux protections for netd.
This change does several things:

1) Restore domain.te to the version present at
cd516a3266 . This is the version
currently being distributed in AOSP.

2) Add "allow domain properties_device:file r_file_perms;" to
domain.te, to allow all domains to read /dev/__properties__ .
This change was missing from AOSP.

3) Restore netd.te to the version present at
80c9ba5267 . This is the version
currently being distributed in AOSP.

4) Remove anything involving module loading from netd.te. CTS
enforces that Android kernels can't have module loading enabled.

5) Add several new capabilities, plus data file rules, to
netd.te, since netd needs to write to files owned by wifi.

6) Add a new unconfined domain called dnsmasq.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the dnsmasq.te domain.

7) Add a new unconfined domain called hostapd.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the hostapd.te domain.

The net effect of these changes is to re-enable SELinux protections
for netd. The policy is FAR from perfect, and allows a lot of wiggle
room, but we can improve it over time.

Testing: as much as possible, I've exercised networking related
functionality, including turning on and off wifi, entering airplane
mode, and enabling tethering and portable wifi hotspots. It's quite
possible I've missed something, and if we experience problems, I
can roll back this change.

Bug: 9618347
Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 08:24:30 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
Stephen Smalley
74ba8c8613 run-as policy fixes.
- Remove dac_read_search as it is no longer required by run-as.
- Introduce a separate type for /dev/tty so that we can allow use of own tty for
for a run-as shell without allowing access to other /dev/tty[0-9]* nodes.
- Allow sigchld notifications for death of run-as and its descendants by adbd.
- Drop redundant rules for executing shell or system commands from untrusted_app;
now covered by rules in app.te.

Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c
2013-04-05 13:11:12 -07:00
Stephen Smalley
0e856a02cb Allow all domains to read /dev symlinks.
Change-Id: I448a5553937a98775178b94f289ccb45ae862876
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-04-05 13:10:05 -07:00
Stephen Smalley
81fe5f7c0f Allow all domains to read the log devices.
Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-04-05 13:07:16 -07:00
Geremy Condra
c529c66f2c Add policy for __properties__ device.
Change-Id: Ie9b391283362fb6930f1ae858f0a879835c91e32
2013-03-29 12:59:21 -07:00
William Roberts
4d3f1089aa Allow domain search/getattr access to security file
Change-Id: I3b35b68247f35d5d9d9afd33c203aa97e437dc14
2013-03-22 15:00:02 -04:00
Stephen Smalley
1f5939a976 Allow search of tmpfs mount for /storage/emulated.
Change-Id: Ie79ff3fb9c0a893e348c4adb2f457cae42d7800f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:47:20 +00:00
Stephen Smalley
6136284081 Permit fstat of property mapping.
Change-Id: Ie58185519252dad29a23d0d3d54b1cbafea83a83
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:46:42 +00:00
Stephen Smalley
aeb512d2ed Disable debugfs access by default.
Change-Id: I8265e34a76913a76eedd2d7a6fe3b14945fde924
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:45:53 +00:00
William Roberts
40356b993a Allow domain to random_device
Change-Id: I1a728cbc78e30c0b43309acc125169528d352f11
2013-01-30 10:40:58 -08:00
rpcraig
7672eac5fb Add SELinux policy for asec containers.
Creates 2 new types:
- asec_apk_file : files found under /mnt/asec
                  when the asec images are mounted
- asec_image_file : the actual encrypted apks under
                    /data/app-asec

Change-Id: I963472add1980ac068d3a6d36a24f27233022832
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2012-10-22 14:14:11 -04:00
William Roberts
ccc8271aba Allow domain access to /dev/ion
Change-Id: I87f81a632ed61f284f2fe09726f5c4529d36f252
2012-09-13 14:30:11 -07:00
Stephen Smalley
fed246510c Allow debugfs access and setsched for mediaserver. 2012-08-09 08:36:10 -04:00
Haiqing Jiang
c70dc4e3c7 domain writes to cgroup pseudo filesystem 2012-07-30 16:40:03 -04:00
Stephen Smalley
c83d0087e4 Policy changes to support running the latest CTS. 2012-03-07 14:59:01 -05:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00