SLFO-pool/selinux-policy
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main selinux-policy revision 1b7db8d79e6f4b7b39687f2df8fa11a2

Browse Source
This commit is contained in:
Adrian Schröter 2025-01-28 17:47:41 +01:00
parent 7e2e3354e7
commit 95055a7411
32 changed files with 458 additions and 9274 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_servicedata
View File

@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
<param name="changesrevision">e897b9b38aafb39b5b9bb4ab6d497bd23ec39f3c</param></service></servicedata>
<param name="changesrevision">da1e0e20a01fbeb119d494032a15b17984baf509</param></service></servicedata>

232
booleans-minimum.conf
View File

@ -1,232 +0,0 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

232
booleans-mls.conf
View File

@ -1,232 +0,0 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = false
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = false

232
booleans-targeted.conf
View File

@ -1,232 +0,0 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

54
booleans.subs_dist
View File

@ -1,54 +0,0 @@
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
allow_daemons_use_tty daemons_use_tty
allow_domain_fd_use domain_fd_use
allow_execheap selinuxuser_execheap
allow_execmod selinuxuser_execmod
allow_execstack selinuxuser_execstack
allow_ftpd_anon_write ftpd_anon_write
allow_ftpd_full_access ftpd_full_access
allow_ftpd_use_cifs ftpd_use_cifs
allow_ftpd_use_nfs ftpd_use_nfs
allow_gssd_read_tmp gssd_read_tmp
allow_guest_exec_content guest_exec_content
allow_httpd_anon_write httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam httpd_mod_auth_pam
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
allow_kerberos kerberos_enabled
allow_mplayer_execstack mplayer_execstack
allow_mount_anyfile mount_anyfile
allow_nfsd_anon_write nfsd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
allow_rsync_anon_write rsync_anon_write
allow_saslauthd_read_shadow saslauthd_read_shadow
allow_secadm_exec_content secadm_exec_content
allow_smbd_anon_write smbd_anon_write
allow_ssh_keysign ssh_keysign
allow_staff_exec_content staff_exec_content
allow_sysadm_exec_content sysadm_exec_content
allow_user_exec_content user_exec_content
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
allow_write_xshm xserver_clients_write_xshm
allow_xguest_exec_content xguest_exec_content
allow_xserver_execmem xserver_execmem
allow_ypbind nis_enabled
allow_zebra_write_config zebra_write_config
user_direct_dri selinuxuser_direct_dri_enabled
user_ping selinuxuser_ping
user_share_music selinuxuser_share_music
user_tcp_server selinuxuser_tcp_server
sepgsql_enable_pitr_implementation postgresql_can_rsync
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
clamd_use_jit antivirus_use_jit
amavis_use_jit antivirus_use_jit
logwatch_can_sendmail logwatch_can_network_connect_mail
puppet_manage_all_files puppetagent_manage_all_files
virt_sandbox_use_nfs virt_use_nfs

3
container.fc
View File

@ -131,7 +131,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet/pod-resources(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0)
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
@ -162,6 +162,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)

1
container.if
View File

@ -512,6 +512,7 @@ interface(`container_filetrans_named_content',`
files_pid_filetrans($1, container_var_run_t, dir, "containers")
files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
logging_log_filetrans($1, container_log_t, dir, "lxc")
files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
files_var_lib_filetrans($1, container_file_t, dir, "origin")

21
container.te
View File

@ -1,4 +1,4 @@
policy_module(container, 2.232.1)
policy_module(container, 2.234.0)
gen_require(`
class passwd rootok;
@ -757,6 +757,7 @@ tunable_policy(`container_connect_any',`
#
allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
role system_r types spc_t;
dontaudit spc_t self:memprotect mmap_zero;
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
@ -1450,11 +1451,14 @@ allow container_engine_t sysctl_t:{dir file} mounton;
allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
allow container_engine_t fusefs_t:file relabelto;
allow container_engine_t kernel_t:system module_request;
allow container_engine_t null_device_t:chr_file mounton;
allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
allow container_engine_t random_device_t:chr_file mounton;
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
allow container_engine_t urandom_device_t:chr_file mounton;
allow container_engine_t zero_device_t:chr_file mounton;
allow container_engine_t container_file_t:sock_file mounton;
allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
allow container_engine_t devpts_t:chr_file setattr;
manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
@ -1483,6 +1487,17 @@ application_executable_file(kubelet_exec_t)
can_exec(container_runtime_t, kubelet_exec_t)
allow kubelet_t kubelet_exec_t:file entrypoint;
type kubelet_var_lib_t;
files_type(kubelet_var_lib_t)
manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")
ifdef(`enable_mcs',`
init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
')
@ -1516,10 +1531,12 @@ allow container_device_t device_node:chr_file rw_chr_file_perms;
# Standard container which needs to be allowed to use any device and
# communicate with kubelet
container_domain_template(container_device_plugin, container)
typeattribute container_device_plugin_t container_net_domain;
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_t)
kernel_read_debugfs(container_device_plugin_t)
container_kubelet_stream_connect(container_device_plugin_t)
stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t)
# Standard container which needs to be allowed to use any device and
# modify kubelet configuration

13
customizable_types
View File

@ -1,13 +0,0 @@
sandbox_file_t
svirt_image_t
svirt_home_t
svirt_lxc_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_rw_content_t
httpd_user_ra_content_t
httpd_user_content_t
git_session_content_t
home_bin_t
user_tty_device_t

2
debug-build.sh
View File

@ -23,7 +23,7 @@ VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)
# Create tar file with name like selinux-policy-<current-version>.tar.xz
TAR_NAME=$REPO_NAME-$VERSION.tar.xz
echo "Creating tar file: $TAR_NAME"
tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
tar --exclude-vcs -cJhf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
# Some helpful prompts
if test $? -eq 0; then

22
file_contexts.subs_dist
View File

@ -1,22 +0,0 @@
/var/run /run
/var/lock /run/lock
/var/run/lock /var/lock
/lib /usr/lib
/lib64 /usr/lib
/usr/lib64 /usr/lib
/usr/local /usr
/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/etc/systemd/system /usr/lib/systemd/system
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/run/systemd/generator.early /usr/lib/systemd/system
/run/systemd/generator.late /usr/lib/systemd/system
/var/lib/xguest/home /home
/var/run/netconfig /etc
/var/adm/netconfig/md5/etc /etc
/var/adm/netconfig/md5/var /var
/usr/etc /etc
/bin /usr/bin
/sbin /usr/bin
/usr/sbin /usr/bin

414
modules-minimum-base.conf
View File

@ -1,414 +0,0 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
#
unconfineduser = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: admin
# Module: rpm
#
# Policy for the RPM package manager.
#
rpm = module
# Layer: contrib
# Module: packagekit
#
# Temporary permissive module for packagekit
#
packagekit = module
# Layer: services
# Module: nscd
#
# Name service cache daemon
#
nscd = module

2609
modules-minimum-contrib.conf
View File

File diff suppressed because it is too large Load Diff

1
modules-minimum-disable.lst
View File

@ -1 +0,0 @@
abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs

52
modules-minimum.lst Normal file
View File

@ -0,0 +1,52 @@
apache
application
auditadm
authlogin
base
bootloader
clock
dbus
dmesg
fstools
getty
hostname
inetd
init
ipsec
iptables
kerberos
libraries
locallogin
logadm
logging
lvm
miscfiles
modutils
mount
mta
netlabel
netutils
nis
postgresql
rpm
secadm
selinuxutil
setrans
seunshare
snapper
ssh
staff
su
sudo
sysadm
sysadm_secadm
sysnetwork
systemd
udev
unconfined
unconfineduser
unlabelednet
unprivuser
userdomain
usermanage
xserver

380
modules-mls-base.conf
View File

@ -1,380 +0,0 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module

1581
modules-mls-contrib.conf
View File

File diff suppressed because it is too large Load Diff

421
modules-targeted-base.conf
View File

@ -1,421 +0,0 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
#
unconfineduser = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: contrib
# Module: packagekit
#
# Temporary permissive module for packagekit
#
packagekit = module
# Layer: contrib
# Module: rtorrent
#
# Policy for rtorrent
#
rtorrent = module
# Layer: contrib
# Module: wicked
#
# Policy for wicked
#
wicked = module
# Layer: system
# Module: rebootmgr
#
# Policy for rebootmgr
#
rebootmgr = module

2777
modules-targeted-contrib.conf
View File

File diff suppressed because it is too large Load Diff

4
securetty_types-minimum
View File

@ -1,4 +0,0 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

6
securetty_types-mls
View File

@ -1,6 +0,0 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t

4
securetty_types-targeted
View File

@ -1,4 +0,0 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

BIN
selinux-policy-20240604+git390.e897b9b3.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

BIN
selinux-policy-20240604+git689.da1e0e20.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

342
selinux-policy.changes
View File

@ -1,3 +1,345 @@
-------------------------------------------------------------------
Mon Jan 27 08:27:09 UTC 2025 - cathy.hu@suse.com
- Update to version 20240604+git689.da1e0e20:
* Transition samba-dcerpcd pid file from smbd_var_run_t to winbind_var_run_t (bsc#1235801)
* /run/samba/samba-dcerpcd.pid needs fc type winbind_rpcd_var_run_t (bsc#1235801)
* Adjust rpcd_lsad, samba-bgqd, samba-dcerpcd to SUSE-specific part (bsc#1235801)
* Transition nmbd pid file from smbd_var_run_t to nmbd_var_run_t (bsc#1235801)
-------------------------------------------------------------------
Tue Jan 21 10:21:51 UTC 2025 - cathy.hu@suse.com
- Update to version 20240604+git684.814e5b91:
* wtmpdbd systemd service uses NoNewPrivileges (bsc#1235660)
-------------------------------------------------------------------
Mon Jan 20 09:02:10 UTC 2025 - cathy.hu@suse.com
- Update to version 20240604+git682.1bebca04:
* Label xrdp scripts in /etc as bin_t (bsc#1233738)
* introduce unconfined_service_transition_to_unconfined_user boolean (bsc#1233738)
* Allow database rotation for wtmpdbd_t
* Allow wtmpdbd to send messages notifications
* Introduce policy for wtmpdbd (bsc#1235660)
-------------------------------------------------------------------
Thu Jan 09 13:44:10 UTC 2025 - cathy.hu@suse.com
- Sync content of factory branch to SLFO (git commit: 33c703587e800be11fca3101b7caf2d4a5c77117,
OBS Factory: selinux-policy-20241220) and update packaging for SLE 16.
This includes:
- Fix minimum policy by readding rpm module (bsc#1234314)
- Fix minimum policy by readding snapper module (bsc#1234037)
- Packaging rework: moving all config files to git repository
https://gitlab.suse.de/selinux/selinux-policy
- Moved booleans to dist/*/booleans.conf and dropped from package:
* booleans-minimum.conf
- user facing change: boolean settings are now the same as in upstream
* booleans-mls.conf
- user facing change: boolean settings are now the same as in upstream
* booleans-targeted.conf
- user facing change: kerberos_enabled boolean was not enabled due to a bug, now it is enabled
- Moved booleans.subs_dist to dist/booleans.subs_dist and dropped from package
- Moved customizable_types to dist/customizable_types and dropped from package
- user facing change: using upstream version
- Moved file_contexts.subs_dist to config/file_contexts.subs_dist and dropped from package
- user facing change: changed systemd entries in file_contexts.subs_dist:
/run/systemd/system -> dropped from file
/run/systemd/generator.early /run/systemd/generator
/run/systemd/generator.late /run/systemd/generator
- Moved modules config to dist/<policytype>/modules.conf and dropped from package:
- user facing change: minimum policy: modules base and contrib are merged into modules.lst
and modules-enabled.lst was added which contains the enabled modules, replacing modules-minimum-disable.lst
* modules-minimum-base.conf
* modules-minimum-contrib.conf
* modules-minimum-disable.lst
* Added: modules-minimum.lst
- user facing change: mls policy: modules base + contrib are merged into modules.lst
* modules-mls-base.conf
* modules-mls-contrib.conf
- user facing change: targeted policy: modules base + contrib are merged into modules.lst:
* modules-targeted-base.conf
* modules-targeted-contrib.conf
- Moved securetty config to config/appconfig-<policytype>/securetty_types and dropped from package
- user facing change: using upstream version for all policy types
* securetty_types-minimum
* securetty_types-mls
* securetty_types-targeted
- Moved setrans config to dist/<policytype>/setrans.conf and dropped from package
* setrans-minimum.conf
* setrans-mls.conf
* setrans-targeted.conf
- Moved users config to dist/<policytype>/users and dropped from package
* users-minimum
- user facing change: added guest_u and xguest_u
* users-mls
* users-targeted
- Fix debug-build.sh to follow symlinks when creating
the tarball
- Update embedded container-selinux version to commit:
* 3f06c141bebc00a07eec4c0ded038aac4f2ae3f0
- Sync modules-targeted-contrib.conf with Fedora targeted modules.conf
- Disable build of the MLS policy. We currently don't know if it works
and don't want to encourage users to apply it
- Enable named_write_master_zones boolean by default (bsc#1229479)
- Update to version 20240604+git675.f1f499c0:
* Revert "Remove the fail2ban module sources"
* Revert "Remove the linuxptp module sources"
* Revert "Remove the amtu module sources"
* Allow vhostmd_t list virtqemud pid dirs (bsc#1230961)
* Allow auditctl signal auditd
* Dontaudit systemd-coredump the sys_resource capability
* Allow traceroute_t bind rawip sockets to unreserved ports
* Fix the cups_read_pid_files() interface to use read_files_pattern
* Allow virtqemud additional permissions for tmpfs_t blk devices
* Allow virtqemud rw access to svirt_image_t chr files
* Allow virtqemud rw and setattr access to fixed block devices
* Label /etc/mdevctl.d/scripts.d with bin_t
* Allow virtqemud open svirt_devpts_t char files
* Allow virtqemud relabelfrom virt_log_t files
* Allow svirt_tcg_t read virtqemud_t fifo_files
* Allow virtqemud rw and setattr access to sev devices
* Allow virtqemud directly read and write to a fixed disk
* Allow virtqemud_t relabel virt_var_lib_t files
* Allow virtqemud_t relabel virtqemud_var_run_t sock_files
* Add gnome_filetrans_gstreamer_admin_home_content() interface
* Label /dev/swradio, /dev/v4l-subdev, /dev/v4l-touch with v4l_device_t
* Make bootupd_t permissive
* Allow init_t nnp domain transition to locate_t
* allow gdm and iiosensorproxy talk to each other via D-bus
* Allow systemd-journald getattr nsfs files
* Allow sendmail to map mail server configuration files
* Allow procmail to read mail aliases
* Allow cifs.idmap helper to set attributes on kernel keys
* Allow irqbalance setpcap capability in the user namespace
* Allow sssd_selinux_manager_t the setcap process permission
* Allow systemd-sleep manage efivarfs files
* Allow systemd-related domains getattr nsfs files
* Allow svirt_t the sys_rawio capability
* Allow alsa watch generic device directories
* Move systemd-homed interfaces to seperate optional_policy block
* Move systemd-homed interfaces to seperate optional_policy block (bsc#1234228)
* Update samba-bgqd policy
* Update virtlogd policy
* Allow svirt_t the sys_rawio capability
* Allow qemu-ga the dac_override and dac_read_search capabilities
* Add policy for importctl (bsc#1232670)
* adjust kandim binary paths (bsc#1232328)
* Allow bacula execute container in the container domain
* Allow httpd get attributes of dirsrv unit files
* Allow samba-bgqd read cups config files
* Add label rshim_var_run_t for /run/rshim.pid
* [5/5][sync from 'mysql-selinux'] Add mariadb-backup
* [4/5][sync from 'mysql-selinux'] Fix regex to also match '/var/lib/mysql/mysqlx.sock'
* [3/5][sync from 'mysql-selinux'] Allow mysqld_t to read and write to the 'memory.pressure' file in cgroup2
* [2/5][sync from 'mysql-selinux'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705
* [1/5][sync from 'mysql-selinux'] Allow 'mysqld' to use '/usr/bin/hostname'
* Allow systemd-networkd read mount pid files
* Update policy for samba-bgqd
* Allow chronyd read networkmanager's pid files
* Allow staff user connect to generic tcp ports
* Allow gnome-remote-desktop dbus chat with policykit
* Allow tlp the setpgid process permission
* Update the bootupd policy
* Allow sysadm_t use the io_uring API
* Allow sysadm user dbus chat with virt-dbus
* Allow virtqemud_t read virsh_t files
* Allow virt_dbus_t connect to virtd_t over a unix stream socket
* Allow systemd-tpm2-generator read hardware state information
* Allow coreos-installer-generator execute generic programs
* Allow coreos-installer domain transition on udev execution
* Add workaround for /run/rpmdb lockfile (bsc#1231127)
* Add dedicated health-checker module (bsc#1231127)
* Revert "Allow unconfined_t execute kmod in the kmod domain"
* Allow iio-sensor-proxy create and use unix dgram socket
* Allow virtstoraged read vm sysctls
* Support ssh connections via systemd-ssh-generator
* Label all semanage store files in /etc as semanage_store_t
* Add file transition for nvidia-modeset
* Re-add kanidm module to dist/targeted/modules.conf
* Add SUSE-specific file contexts to file_contexts.subs_dist
* Disallow execstack in dist/minimum/booleans.conf
* Add SUSE-specific booleans to dist/targeted/booleans.conf
* Add SUSE specific modules to targeted modules.conf
* Label /var/cache/systemd/home with systemd_homed_cache_t
* Allow login_userdomain connect to systemd-homed over a unix socket
* Allow boothd connect to systemd-homed over a unix socket
* Allow systemd-homed get attributes of a tmpfs filesystem
* Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
* Allow aide connect to systemd-homed over a unix socket
* Label /dev/hfi1_[0-9]+ devices
* Remove the openct module sources
* Remove the timidity module sources
* Enable the slrn module
* Remove i18n_input module sources
* Enable the distcc module
* Remove the ddcprobe module sources
* Remove the timedatex module sources
* Remove the djbdns module sources
* Confine iio-sensor-proxy
* Allow staff user nlmsg_write
* Update policy for xdm with confined users
* Allow virtnodedev watch mdevctl config dirs
* Allow ssh watch home config dirs
* Allow ssh map home configs files
* Allow ssh read network sysctls
* Allow chronyc sendto to chronyd-restricted
* Allow cups sys_ptrace capability in the user namespace
* Add policy for systemd-homed
* Remove fc entry for /usr/bin/pump
* Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
* Allow accountsd read gnome-initial-setup tmp files
* Allow xdm write to gnome-initial-setup fifo files
* Allow rngd read and write generic usb devices
* Allow qatlib search the content of the kernel debugging filesystem
* Allow qatlib connect to systemd-machined over a unix socket
* mls/modules.conf - fix typo
* Use dist/targeted/modules.conf in build workflow
* Fix default and dist config files
* Allow unprivileged user watch /run/systemd
* CI: update to actions/checkout@v4
* Allow boothd connect to kernel over a unix socket
* Clean up and sync securetty_types
* Bring config files from dist-git into the source repo
* Confine gnome-remote-desktop
* Allow virtstoraged execute mount programs in the mount domain
* Make mdevctl_conf_t member of the file_type attribute
* Allow virt_dbus_t to connect to virtd_t over unix_stream_socket (bsc#1232655)
* Label /var/livepatches as lib_t for ULP on micro (bsc#1228879)
* Allow dirsrv-snmp map dirsv_tmpfs_t files
* Label /usr/lib/node_modules_22/npm/bin with bin_t
* Add policy for /usr/libexec/samba/samba-bgqd
* Allow gnome-remote-desktop watch /etc directory
* Allow rpcd read network sysctls
* Allow journalctl connect to systemd-userdbd over a unix socket
* Allow some confined users send to lldpad over a unix dgram socket
* Allow lldpad send to unconfined_t over a unix dgram socket
* Allow lldpd connect to systemd-machined over a unix socket
* Confine the ktls service
* Allow dirsrv read network sysctls
* Label /run/sssd with sssd_var_run_t
* Label /etc/sysctl.d and /run/sysctl.d with system_conf_t
* Allow unconfined_t execute kmod in the kmod domain
* Allow confined users r/w to screen unix stream socket
* Label /root/.screenrc and /root/.tmux.conf with screen_home_t
* Allow virtqemud read virtd_t files
* Allow ping_t read network sysctls
* Allow systemd-homework connect to init over a unix socket
* Fix systemd-homed blobs directory permissions
* Allow virtqemud read sgx_vepc devices
* Allow lldpad create and use netlink_generic_socket
* Allow snapperd to execute systemctl (bsc#1231489)
* rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494)
* Allow slpd to create TCPDIAG netlink socket (bsc#1231491)
* Allow slpd to use sys_chroot (bsc#1231491)
* Allow openvswitch-ipsec use strongswan (bsc#1231493)
* Allow systemd-homework write to init pid socket
* Allow init create /var/cache/systemd/home
* Confine the pcm service
* Allow login_userdomain read thumb tmp files
* Update power-profiles-daemon policy
* Fix the /etc/mdevctl\.d(/.*)? regexp
* Grant rhsmcertd chown capability & userdb access
* Allow iio-sensor-proxy the bpf capability
* Allow systemd-machined the kill user-namespace capability
* Remove the fail2ban module sources
* Remove the linuxptp module sources
* Remove legacy rules for slrnpull
* Remove the aiccu module sources
* Remove the bcfg2 module sources
* Remove the amtu module sources
* Remove the rhev module sources
* Remove all file context entries for /bin and /lib
* Allow ptp4l the sys_admin capability
* Confine power-profiles-daemon
* Label /var/cache/systemd/home with systemd_homed_cache_t
* Allow login_userdomain connect to systemd-homed over a unix socket
* Allow boothd connect to systemd-homed over a unix socket
* Allow systemd-homed get attributes of a tmpfs filesystem
* Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
* Allow aide connect to systemd-homed over a unix socket
* Label /dev/hfi1_[0-9]+ devices
* Remove the openct module sources
* Remove the timidity module sources
* Enable the slrn module
* Remove i18n_input module sources
* Enable the distcc module
* Remove the ddcprobe module sources
* Remove the timedatex module sources
* Remove the djbdns module sources
* Confine iio-sensor-proxy
* Allow staff user nlmsg_write
* Update policy for xdm with confined users
* Allow virtnodedev watch mdevctl config dirs
* Allow ssh watch home config dirs
* Allow ssh map home configs files
* Allow ssh read network sysctls
* Allow chronyc sendto to chronyd-restricted
* Allow cups sys_ptrace capability in the user namespace
* Label auutyast binaries correctly
* Allow snapperd to manage unlabeled_t files (bsc#1230966)
* Add policy for systemd-homed
* Revert "Allow virtstoraged to manage images (bsc#1228742)"
* Remove fc entry for /usr/bin/pump
* Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
* Allow accountsd read gnome-initial-setup tmp files
* Allow xdm write to gnome-initial-setup fifo files
* Allow rngd read and write generic usb devices
* Allow qatlib search the content of the kernel debugging filesystem
* Allow qatlib connect to systemd-machined over a unix socket
* mls/modules.conf - fix typo
* Use dist/targeted/modules.conf in build workflow
* Fix default and dist config files
* Allow unprivileged user watch /run/systemd
* CI: update to actions/checkout@v4
* Allow boothd connect to kernel over a unix socket
* Clean up and sync securetty_types
* Bring config files from dist-git into the source repo
* Confine gnome-remote-desktop
* Allow systemd_ibft_rule_generator_t to create udev_rules_t dirs (bsc#1230011)
* Allow virtstoraged execute mount programs in the mount domain
* Make mdevctl_conf_t member of the file_type attribute
* Allow systemd_udev_trigger_generator_t list and read sysctls (bsc#1230315)
* Initial policy for udev-trigger-generator (bsc#1230315)
* Allow init_t mount syslog socket (bsc#1230134)
* Allow init_t create syslog files (bsc#1230134)
* Introduce initial policy for btrfs-soft-reboot-generator (bsc#1230134)
* Label /etc/mdevctl.d with mdevctl_conf_t
* Sync users with Fedora targeted users
* Update policy for rpc-virtstorage
* Allow virtstoraged get attributes of configfs dirs
* Fix SELinux policy for sandbox X server to fix 'sandbox -X' command
* Update bootupd policy when ESP is not mounted
* Allow thumb_t map dri devices
* Allow samba use the io_uring API
* Allow the sysadm user use the secretmem API
* Allow nut-upsmon read systemd-logind session files
* Allow sysadm_t to create PF_KEY sockets
* Update bootupd policy for the removing-state-file test
* Allow xen to use qemu as dom0 disk backend (bsc#1228540)
* Label /var/lib/xen/xenstore as xenstored_var_lib_t (bsc#1228540)
* Allow coreos-installer-generator manage mdadm_conf_t files
* Allow virtstoraged to manage images (bsc#1228742)
* Allow virtstoraged_t domtrans to udev (bsc#1228742)
* Allow setsebool_t relabel selinux data files
* Allow virtqemud relabelfrom virtqemud_var_run_t dirs
* Use better escape method for "interface"
* Allow init and systemd-logind to inherit fds from sshd
* Allow systemd-ssh-generator read sysctl files
* Sync modules.conf with Fedora targeted modules
* Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766)
* Allow virtqemud relabel user tmp files and socket files
* Add missing sys_chroot capability to groupadd policy
* Label /run/libvirt/qemu/channel with virtqemud_var_run_t
* Allow rasdaemon write access to sysfs (bsc#1229587)
* Allow xl to access hypercall interfaces to xen hypervisor (bsc#1228540)
* Initial policy for syslog-ng (bsc#1229153)
* Allow virtqemud relabelfrom also for file and sock_file
* Add virt_create_log() and virt_write_log() interfaces
* allow sshd_t and sshd_net_t access to ssh vsockets (bsc#1228831)
-------------------------------------------------------------------
Mon Dec 16 16:18:50 UTC 2024 - cathy.hu@suse.com

111
selinux-policy.spec
View File

@ -24,7 +24,10 @@
%define monolithic n
%define BUILD_TARGETED 1
%define BUILD_MINIMUM 1
%define BUILD_MLS 1
# At the moment we don't build the MLS policy. We didn't do any testing for this and have no
# confidence that it works. Feel free to branch the package and enable it, but be aware that
# you're on your own
%define BUILD_MLS 0
%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
%define CHECKPOLICYVER %POLICYCOREUTILSVER
@ -33,7 +36,7 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
Version: 20240604+git390.e897b9b3
Version: 20240604+git689.da1e0e20
Release: 0
Source0: %{name}-%{version}.tar.xz
Source1: container.fc
@ -44,37 +47,11 @@ Source5: README.Update
Source6: update.sh
Source7: debug-build.sh
Source10: modules-targeted-base.conf
Source11: modules-targeted-contrib.conf
Source12: modules-mls-base.conf
Source13: modules-mls-contrib.conf
Source14: modules-minimum-base.conf
Source15: modules-minimum-contrib.conf
Source18: modules-minimum-disable.lst
Source20: booleans-targeted.conf
Source21: booleans-mls.conf
Source22: booleans-minimum.conf
Source23: booleans.subs_dist
Source30: setrans-targeted.conf
Source31: setrans-mls.conf
Source32: setrans-minimum.conf
Source40: securetty_types-targeted
Source41: securetty_types-mls
Source42: securetty_types-minimum
Source50: users-targeted
Source51: users-mls
Source52: users-minimum
Source18: modules-minimum.lst
Source60: selinux-policy.conf
Source91: Makefile.devel
Source92: customizable_types
#Source93: config.tgz
Source94: file_contexts.subs_dist
Source95: macros.selinux-policy
URL: https://github.com/fedora-selinux/selinux-policy.git
@ -107,17 +84,11 @@ Recommends: selinux-autorelabel
%define makeCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \
install -p -m0644 ./dist/%1/users ./policy/users \
%define makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
if [ %3 == "contrib" ];then \
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \
install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \
%define installCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
@ -128,14 +99,13 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
install -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
install -p -m0644 ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
@ -198,8 +168,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%dir %{_datadir}/selinux/%1 \
%dir %{_datadir}/selinux/packages/%1 \
%{_datadir}/selinux/%1/base.lst \
%{_datadir}/selinux/%1/modules-base.lst \
%{_datadir}/selinux/%1/modules-contrib.lst \
%{_datadir}/selinux/%1/modules.lst \
%{_datadir}/selinux/%1/nonbasemodules.lst \
%dir %{_sharedstatedir}/selinux/%1 \
%{_sharedstatedir}/selinux/%1/active/commit_num \
@ -276,16 +245,12 @@ else \
fi;
%define modulesList() \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
fi;
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
%define nonBaseModulesList() \
contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
for i in $contrib_modules $base_modules; do \
modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
for i in $modules; do \
if [ $i != "sandbox" ];then \
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
fi; \
@ -366,15 +331,10 @@ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
mkdir selinux_config
for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
cp $i selinux_config
done
make clean
%if %{BUILD_TARGETED}
%makeCmds targeted mcs allow
%makeModulesConf targeted base contrib
%makeModulesConf targeted
%installCmds targeted mcs allow
# recreate sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
@ -386,19 +346,19 @@ mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
%if %{BUILD_MINIMUM}
%makeCmds minimum mcs allow
%makeModulesConf targeted base contrib
%makeModulesConf targeted
%installCmds minimum mcs allow
install -m0644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst
# Sandbox is only targeted
rm -f %{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
install -p -m 644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
%modulesList minimum
%nonBaseModulesList minimum
%endif
%if %{BUILD_MLS}
%makeCmds mls mls deny
%makeModulesConf mls base contrib
%makeModulesConf mls
%installCmds mls mls deny
%modulesList mls
%nonBaseModulesList mls
@ -411,7 +371,7 @@ make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot}
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
mkdir %{buildroot}%{_datadir}/selinux/devel/
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 %{SOURCE91} %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
@ -570,16 +530,19 @@ if [ $1 -ne 1 ]; then
fi
%post minimum
contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null
modules=`cat %{_datadir}/selinux/minimum/modules.lst`
basemodules=`cat %{_datadir}/selinux/minimum/base.lst`
enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst`
if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
fi
if [ $1 -eq 1 ]; then
for p in $contribpackages; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $modules; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $basemodules $enabledmodules; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
%{_sbindir}/semanage import -S minimum -f - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
@ -588,7 +551,7 @@ __eof
%{_sbindir}/semodule -B -s minimum
else
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
for p in $packages; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $instpackages snapper dbus kerberos nscd rtkit; do
@ -605,7 +568,7 @@ exit 0
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
%{_datadir}/selinux/minimum/modules-minimum-disable.lst
%{_datadir}/selinux/minimum/modules-enabled.lst
%fileList minimum
%endif

19
setrans-minimum.conf
View File

@ -1,19 +0,0 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

52
setrans-mls.conf
View File

@ -1,52 +0,0 @@
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
#
# Assumptions: using below MLS labels.
# SystemLow
# SystemHigh
# Unclassified
# Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

19
setrans-targeted.conf
View File

@ -1,19 +0,0 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

39
users-minimum
View File

@ -1,39 +0,0 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

40
users-mls
View File

@ -1,40 +0,0 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

41
users-targeted
View File

@ -1,41 +0,0 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)