control: tags -1 patch
Patches attached.
Included a bunch of modernizations; the ones critical for the
autopkgtest are 0013-Fix-brctl-patch-to-pass-neverallow-check.patch
and 0014-Add-autopkgtest-Closes-1012841.patch.
From 909f9bb0da70dcb219d42c126e426554342d87f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:09:00 +0200
Subject: [PATCH 02/14] Drop unused script
---
debian/gen-deps.sh | 19 -------------------
1 file changed, 19 deletions(-)
delete mode 100755 debian/gen-deps.sh
diff --git a/debian/gen-deps.sh b/debian/gen-deps.sh
deleted file mode 100755
index f6ee0f1..0000000
--- a/debian/gen-deps.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-cd /usr/share/selinux/default || exit 1
-
-SEP="my %Deps = ("
-semodule_deps base.pp a*pp backup.pp b[i-z]*pp [c-z]*pp | while read INPUT ; do
- echo $INPUT | grep -q ^module
- if [ "$?" = "0" ]; then
- MODULE=$(echo $INPUT|sed -e s/^module..//)
- else
- echo $INPUT | grep -q "no dependencies"
- if [ "$?" = "1" -a "$INPUT" != "}" ]; then
- echo -n "$SEP"
- SEP=", "
- echo -n " '$MODULE' => '$INPUT'"
- fi
- fi
-done
-
-echo " );"
--
2.39.1
From 77cbd1f0551f51e8b147678a1ca1bc16c2b25d79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:08:03 +0200
Subject: [PATCH 01/14] Bump to debhelper compat level 13
dh_missing --fail-missing is now the default.
---
debian/compat | 1 -
debian/control | 2 +-
debian/rules | 4 ----
3 files changed, 1 insertion(+), 6 deletions(-)
delete mode 100644 debian/compat
diff --git a/debian/compat b/debian/compat
deleted file mode 100644
index b4de394..0000000
--- a/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-11
diff --git a/debian/control b/debian/control
index a83806f..fea4187 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Homepage: https://github.com/SELinuxProject/refpolicy/releases
Maintainer: Debian SELinux maintainers <selinux-de...@lists.alioth.debian.org>
Uploaders: Russell Coker <russ...@coker.com.au>
Standards-Version: 4.4.0
-Build-Depends: debhelper (>= 11)
+Build-Depends: debhelper-compat (= 13)
Build-Depends-Indep: bzip2,
checkpolicy (>= 3.3),
gawk,
diff --git a/debian/rules b/debian/rules
index 5b86e70..79c6ffd 100755
--- a/debian/rules
+++ b/debian/rules
@@ -22,10 +22,6 @@ endif
override_dh_auto_configure: $(patsubst %, conf-%-policy, $(FLAVOURS)) conf-docs conf-src
-override_dh_install:
- dh_install
- dh_missing --fail-missing
-
override_dh_fixperms:
dh_fixperms
chmod +x $(CURDIR)/debian/selinux-policy-dev/usr/share/selinux/devel/include/support/segenxml.py
--
2.39.1
From 0a2c8769286321752fd51705b0161e2052695e76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:43:57 +0200
Subject: [PATCH 05/14] Drop unused remove statement
rm: cannot remove 'selinux-policy-src/support/pyplate.pyc': No such file or directory
---
debian/rules | 1 -
1 file changed, 1 deletion(-)
diff --git a/debian/rules b/debian/rules
index 5147deb..056042e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -164,7 +164,6 @@ install-src: conf-src
$(CURDIR)/debian/tmp/etc/selinux/default/src/policy/build.conf
(cd $(CURDIR)/debian/tmp/etc/selinux/default/src/; mv policy selinux-policy-src; \
rm -rf selinux-policy-src/support/__pycache__/; \
- rm selinux-policy-src/support/pyplate.pyc; \
find selinux-policy-src -type f -print0 | xargs -0r chmod 0644; \
find selinux-policy-src -type d -print0 | xargs -0r chmod 0755; \
TZ=UTC tar -cf - --sort=name --mtime="$(BUILD_DATE)" selinux-policy-src | gzip -9n > $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.gz)
--
2.39.1
From ab1fb89f23db846d99d8cbd854742b64c376c14b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:43:19 +0200
Subject: [PATCH 04/14] Drop usage of GZIP environment variable
gzip: warning: GZIP environment variable is deprecated; use an alias or script
---
debian/rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/rules b/debian/rules
index 79c6ffd..5147deb 100755
--- a/debian/rules
+++ b/debian/rules
@@ -167,6 +167,6 @@ install-src: conf-src
rm selinux-policy-src/support/pyplate.pyc; \
find selinux-policy-src -type f -print0 | xargs -0r chmod 0644; \
find selinux-policy-src -type d -print0 | xargs -0r chmod 0755; \
- TZ=UTC GZIP="-9n" tar zfc $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.gz --sort=name --mtime="$(BUILD_DATE)" selinux-policy-src)
+ TZ=UTC tar -cf - --sort=name --mtime="$(BUILD_DATE)" selinux-policy-src | gzip -9n > $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.gz)
rm -rf $(CURDIR)/debian/tmp/etc/selinux/default/src/
touch $@
--
2.39.1
From e5cd5cc7fe77d14d5b326ec7972891ed504ffb60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:14:32 +0200
Subject: [PATCH 03/14] Drop unnecessary build dependencies
* Drop libsepol, nowhere used (checkpolicy is statically linked against
it).
* Drop tar, which is essential, and oldoldstable (stretch) ships 1.29.
---
debian/control | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/debian/control b/debian/control
index fea4187..9bd014c 100644
--- a/debian/control
+++ b/debian/control
@@ -11,14 +11,10 @@ Build-Depends: debhelper-compat (= 13)
Build-Depends-Indep: bzip2,
checkpolicy (>= 3.3),
gawk,
- libsepol2 (>= 3.3),
m4,
policycoreutils (>= 3.3),
policycoreutils-python-utils (>= 3.3),
- python3,
-# Needed for the --sort=name option, can probably be removed when this version
-# hits stable.
- tar (>= 1.28)
+ python3
Package: selinux-policy-default
Architecture: all
--
2.39.1
From e1525a842cf65732e42f5b932d4f1fdad5b69270 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:46:01 +0200
Subject: [PATCH 07/14] Avoid use of cute fields
P: refpolicy source: cute-field VCS-Browser vs Vcs-Browser [debian/control:3]
N:
N: The named field uses a free-style form of capitalization, which is permitted by policy. The alternative offered is probably a more common variant in the archive.
N:
N: Please refer to Syntax of control files (Section 5.1) in the Debian Policy Manual for details.
N:
N: Visibility: pedantic
N: Show-Always: no
N: Check: fields/style
N:
N:
P: refpolicy source: cute-field VCS-Git vs Vcs-Git [debian/control:2]
---
debian/control | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/control b/debian/control
index 9bd014c..fc7a805 100644
--- a/debian/control
+++ b/debian/control
@@ -1,6 +1,6 @@
Source: refpolicy
-VCS-Git: https://salsa.debian.org/selinux-team/refpolicy.git
-VCS-Browser: https://salsa.debian.org/selinux-team/refpolicy
+Vcs-Git: https://salsa.debian.org/selinux-team/refpolicy.git
+Vcs-Browser: https://salsa.debian.org/selinux-team/refpolicy
Priority: optional
Section: admin
Homepage: https://github.com/SELinuxProject/refpolicy/releases
--
2.39.1
From 1ff685839c5332b4dce272cb698829a19f58b12f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:45:00 +0200
Subject: [PATCH 06/14] Update format of Lintian tags
---
debian/selinux-policy-default.lintian-overrides | 2 +-
debian/selinux-policy-mls.lintian-overrides | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/selinux-policy-default.lintian-overrides b/debian/selinux-policy-default.lintian-overrides
index 363dd91..1ade564 100644
--- a/debian/selinux-policy-default.lintian-overrides
+++ b/debian/selinux-policy-default.lintian-overrides
@@ -1 +1 @@
-selinux-policy-default: non-standard-dir-perm var/lib/selinux/default/ 0700 != 0755
+selinux-policy-default: non-standard-dir-perm 0700 != 0755 [var/lib/selinux/default/]
diff --git a/debian/selinux-policy-mls.lintian-overrides b/debian/selinux-policy-mls.lintian-overrides
index a192c8c..5f139d6 100644
--- a/debian/selinux-policy-mls.lintian-overrides
+++ b/debian/selinux-policy-mls.lintian-overrides
@@ -1 +1 @@
-selinux-policy-mls: non-standard-dir-perm var/lib/selinux/mls/ 0700 != 0755
+selinux-policy-mls: non-standard-dir-perm 0700 != 0755 [var/lib/selinux/mls/]
--
2.39.1
From 1d3e22b3da1af2b9e585ad1b8dd460f0ca62d52d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:46:28 +0200
Subject: [PATCH 08/14] Specify Rules-Requires-Root
---
debian/control | 1 +
debian/rules | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index fc7a805..8e3a733 100644
--- a/debian/control
+++ b/debian/control
@@ -7,6 +7,7 @@ Homepage: https://github.com/SELinuxProject/refpolicy/releases
Maintainer: Debian SELinux maintainers <selinux-de...@lists.alioth.debian.org>
Uploaders: Russell Coker <russ...@coker.com.au>
Standards-Version: 4.4.0
+Rules-Requires-Root: no
Build-Depends: debhelper-compat (= 13)
Build-Depends-Indep: bzip2,
checkpolicy (>= 3.3),
diff --git a/debian/rules b/debian/rules
index 056042e..06bd8da 100755
--- a/debian/rules
+++ b/debian/rules
@@ -160,7 +160,7 @@ install-src: conf-src
mv modules.conf modules.conf.dist; \
fi; \
ln -sf modules.conf.mls modules.conf)
- install -p -o root -g root -m 644 debian/build.conf.default \
+ install -p -m 644 debian/build.conf.default \
$(CURDIR)/debian/tmp/etc/selinux/default/src/policy/build.conf
(cd $(CURDIR)/debian/tmp/etc/selinux/default/src/; mv policy selinux-policy-src; \
rm -rf selinux-policy-src/support/__pycache__/; \
--
2.39.1
From 272b65c57b730c77aaed9dd486c0f505cc9fa29b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:48:31 +0200
Subject: [PATCH 10/14] Ignore long lines in upstream source
---
debian/source/lintian-overrides | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 debian/source/lintian-overrides
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..9aab8ee
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+refpolicy source: very-long-line-length-in-source-file * > 512 [policy/mls:197]
+refpolicy source: very-long-line-length-in-source-file * > 512 [policy/support/obj_perm_sets.spt:37]
--
2.39.1
From 679956f4da750ef878637a969fcace3f68b5ecd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:47:06 +0200
Subject: [PATCH 09/14] Update URLs in copyright
---
debian/copyright | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/copyright b/debian/copyright
index 6ff0a29..5c7f387 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,5 +1,5 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Source: http://oss.tresys.com/projects/refpolicy
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://github.com/SELinuxProject/refpolicy
License: GPL-2+
Files: *
--
2.39.1
From 9599f7f5dc870630cc84021d079732178b84314e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 23:12:09 +0200
Subject: [PATCH 12/14] Fix patch hunk for previous patch
---
.../0001-Make-default-and-root-mcs-seusers-unconfined.patch | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian/patches/0001-Make-default-and-root-mcs-seusers-unconfined.patch b/debian/patches/0001-Make-default-and-root-mcs-seusers-unconfined.patch
index 1b533f8..7f2a25c 100644
--- a/debian/patches/0001-Make-default-and-root-mcs-seusers-unconfined.patch
+++ b/debian/patches/0001-Make-default-and-root-mcs-seusers-unconfined.patch
@@ -10,11 +10,12 @@ Index: refpolicy-2.20210130/config/appconfig-mcs/seusers
===================================================================
--- refpolicy-2.20210130.orig/config/appconfig-mcs/seusers
+++ refpolicy-2.20210130/config/appconfig-mcs/seusers
-@@ -1,2 +1,2 @@
+@@ -1,3 +1,3 @@
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0-mcs_systemhigh
+ sddm:xdm:s0
Index: refpolicy-2.20210130/policy/constraints
===================================================================
--- refpolicy-2.20210130.orig/policy/constraints
--
2.39.1
From 306da6576a74ca7b9f713082a938ca1b9fa69973 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:49:19 +0200
Subject: [PATCH 11/14] Drop trailing spaces in changelog
refpolicy source: trailing-whitespace [debian/changelog:206]
---
debian/changelog | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index c16279f..548f4c2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -265,7 +265,7 @@ refpolicy (2:2.20210203-4) unstable; urgency=medium
Allow chromium to run naclhelper with nnp_transition
Allow chromium to watch root dirs
Allow chromium to read/write unix sockets from the calling domain
- * Make Postgresql use postgresql_tmpfs_t for tmpfs files and make
+ * Make Postgresql use postgresql_tmpfs_t for tmpfs files and make
mon_local_test_t and systemd_logind_t not have getattr access to tmpfs
files audited.
* Allow systemd_user_runtime_dir_t to unlink device nodes of type
@@ -348,7 +348,7 @@ refpolicy (2:2.20210126-1) unstable; urgency=medium
consoletype dcc ddcprobe denyhosts dspam firstboot howl imaze jockey
ktalk lockdev lsm mailscanner mcelog oav polipo pyicqt resmgr rhcs
rhsmcertd ricci rpm vhostmd
- * Don't enable by default: amtu bugzilla condor
+ * Don't enable by default: amtu bugzilla condor
* Added SE Linux "user" named xdm for the "sddm" Unix account to be used
by the sddm greeter process. This makes the greeter run as xdm_t
instead of unconfined_t.
@@ -687,7 +687,7 @@ refpolicy (2:2.20161023.1-8) unstable; urgency=medium
-- Russell Coker <russ...@coker.com.au> Mon, 23 Jan 2017 01:55:57 +1100
refpolicy (2:2.20161023.1-7) unstable; urgency=medium
-
+
[ Laurent Bigonville and cgzones ]
* Sort the files in the files in the selinux-policy-src.tar.gz tarball by
name, this should fix the last issue for reproducible build
@@ -1033,7 +1033,7 @@ refpolicy (2:2.20140421-12) jessie; urgency=medium
* Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs
* Label /usr/share/bug/.* files as bin_t for reportbug in strict configuration
* Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to create it
- * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir
+ * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir
* Allow apache to read sysctl_vm_t for overcommit_memory
Allow httpd_sys_script_t to read sysfs_t. allow httpd_t to manage httpd_log_t files
and directories for mod_pagespeed.
@@ -2180,18 +2180,18 @@ refpolicy (2:0.2.20091013-1) unstable; urgency=low
+ Allow udev_t to access anon_inodefs_t
These changes take care of most of the problems encountered in recent
reference policy packages in Debian. Thanks to Russell Coker for the
- fixes.
+ fixes.
-- Manoj Srivastava <sriva...@debian.org> Tue, 13 Oct 2009 15:29:54 -0500
refpolicy (2:0.2.20090828-1) unstable; urgency=low
* New upstream snapshot.
- - Deprecated the userdom_xwindwos_client_template().
+ - Deprecated the userdom_xwindwos_client_template().
* Modified the list of modules we build (added consolekit, and added a
dependency on consolekit to the devicekit policymodule. Turned off
ddcprobe, since it needs kudzu.
- * Bug fix: "linking policy fails", thanks to Jonathan Nieder
+ * Bug fix: "linking policy fails", thanks to Jonathan Nieder
(Closes: #544079).
* Bug fix: "linking policy fails (with a statement to file a bug)",
thanks to Philipp Kern (Closes: #543148).
@@ -2199,7 +2199,7 @@ refpolicy (2:0.2.20090828-1) unstable; urgency=low
Russell Coker (Closes: #539855).
* Bug fix: "SELinux prevented console-kit-dae from using the terminal
/dev/tty0", thanks to Ritesh Raj Sarraf. We now have:
- policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t)
+ policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t)
This should allow access to all terms and ttys. (Closes: #515167).
* Bug fix: "SELinux is preventing pulseaudio from loading
/usr/lib/libFLAC.so.8.2.0 which requires text relocation", thanks to
@@ -3181,4 +3181,3 @@ refpolicy (20060117-1) sesarge; urgency=low
* Experimental release
-- Erich Schubert <er...@debian.org> Mon, 13 Feb 2006 22:50:03 +0100
-
--
2.39.1
From 5801d4417f13c77995ee92d006632fae4ad7fb1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 23:21:43 +0200
Subject: [PATCH 13/14] Fix brctl patch to pass neverallow check
Use the kernel_load_module() interface instead of manually granting
capability { sys_module } to comply with neverallow rules:
libsepol.report_failure: neverallow violated by allow brctl_t brctl_t:capability { sys_module };
---
debian/patches/0028-misc | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/debian/patches/0028-misc b/debian/patches/0028-misc
index 62708ad..ebabdef 100644
--- a/debian/patches/0028-misc
+++ b/debian/patches/0028-misc
@@ -121,15 +121,14 @@ Index: refpolicy-2.20221101/policy/modules/admin/brctl.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/admin/brctl.te
+++ refpolicy-2.20221101/policy/modules/admin/brctl.te
-@@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
- # Local policy
- #
-
--allow brctl_t self:capability net_admin;
-+allow brctl_t self:capability { net_admin sys_module };
- allow brctl_t self:fifo_file rw_fifo_file_perms;
- allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+@@ -23,6 +23,7 @@ allow brctl_t self:unix_stream_socket cr
allow brctl_t self:unix_dgram_socket create_socket_perms;
+ allow brctl_t self:tcp_socket create_socket_perms;
+
++kernel_load_module(brctl_t)
+ kernel_request_load_module(brctl_t)
+ kernel_read_network_state(brctl_t)
+ kernel_read_sysctl(brctl_t)
Index: refpolicy-2.20221101/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20221101.orig/policy/modules/admin/logrotate.te
--
2.39.1
From 4f9da132197d6664e7f18003819315c0b190d5d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 22:10:49 +0200
Subject: [PATCH 14/14] Add autopkgtest (Closes: #1012841)
Validate a policy build from all installed modules.
This should prevent future validation issues, like #1012503.
---
debian/tests/control | 2 ++
debian/tests/validate-default | 16 ++++++++++++++++
debian/tests/validate-mls | 16 ++++++++++++++++
3 files changed, 34 insertions(+)
create mode 100644 debian/tests/control
create mode 100755 debian/tests/validate-default
create mode 100755 debian/tests/validate-mls
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..ee62cf4
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: validate-default validate-mls
+Depends: @
diff --git a/debian/tests/validate-default b/debian/tests/validate-default
new file mode 100755
index 0000000..503c53a
--- /dev/null
+++ b/debian/tests/validate-default
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -eu
+
+tmpdir=$(mktemp -d)
+
+cd "${tmpdir}"
+
+cp /usr/share/selinux/default/*.pp.bz2 .
+
+bzip2 -d *.pp.bz2
+
+mv base.pp base
+
+semodule_link -o test.lnk base *.pp
+semodule_expand test.lnk policy.bin
diff --git a/debian/tests/validate-mls b/debian/tests/validate-mls
new file mode 100755
index 0000000..d281e89
--- /dev/null
+++ b/debian/tests/validate-mls
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -eu
+
+tmpdir=$(mktemp -d)
+
+cd "${tmpdir}"
+
+cp /usr/share/selinux/mls/*.pp.bz2 .
+
+bzip2 -d *.pp.bz2
+
+mv base.pp base
+
+semodule_link -o test.lnk base *.pp
+semodule_expand test.lnk policy.bin
--
2.39.1
