From fade960df64ecc2390d7b01770eea9d02ce91e726338ccbac40d75ad3fd84a29 Mon Sep 17 00:00:00 2001 From: Hu Date: Thu, 8 Aug 2024 12:42:54 +0000 Subject: [PATCH] - Update to version 20240808: * Use new kanidm interfaces * Initial module for kanidm * Update bootupd policy * Allow rhsmcertd read/write access to /dev/papr-sysparm * Label /dev/papr-sysparm and /dev/papr-vpd * Allow abrt-dump-journal-core connect to winbindd * Allow systemd-hostnamed shut down nscd * Allow systemd-pstore send a message to syslogd over a unix domain * Allow postfix_domain map postfix_etc_t files * Allow microcode create /sys/devices/system/cpu/microcode/reload * Allow rhsmcertd read, write, and map ica tmpfs files * Support SGX devices * Allow initrc_t transition to passwd_t * Update fstab and cryptsetup generators policy * Allow xdm_t read and write the dma device * Update stalld policy for bpf usage * Allow systemd_gpt_generator to getattr on DOS directories * Make cgroup_memory_pressure_t a part of the file_type attribute * Allow ssh_t to change role to system_r * Update policy for coreos generators * Allow init_t nnp domain transition to firewalld_t * Label /run/modprobe.d with modules_conf_t * Allow virtnodedevd run udev with a domain transition * Allow virtnodedev_t create and use virtnodedev_lock_t * Allow virtstoraged manage files with virt_content_t type * Allow virtqemud unmount a filesystem with extended attributes * Allow svirt_t connect to unconfined_t over a unix domain socket * Update afterburn file transition policy * Allow systemd_generator read attributes of all filesystems * Allow fstab-generator read and write cryptsetup-generator unit file * Allow cryptsetup-generator read and write fstab-generator unit file * Allow systemd_generator map files in /etc * Allow systemd_generator read init's process state * Allow coreos-installer-generator read sssd public files * Allow coreos-installer-generator work with partitions * Label /etc/mdadm.conf.d with mdadm_conf_t * Confine coreos generators * Label /run/metadata with afterburn_runtime_t * Allow afterburn list ssh home directory * Label samba certificates with samba_cert_t * Label /run/coreos-installer-reboot with coreos_installer_var_run_t * Allow virtqemud read virt-dbus process state * Allow staff user dbus chat with virt-dbus * Allow staff use watch /run/systemd * Allow systemd_generator to write kmsg * Allow virtqemud connect to sanlock over a unix stream socket * Allow virtqemud relabel virt_var_run_t directories * Allow svirt_tcg_t read vm sysctls * Allow virtnodedevd connect to systemd-userdbd over a unix socket * Allow svirt read virtqemud fifo files * Allow svirt attach_queue to a virtqemud tun_socket * Allow virtqemud run ssh client with a transition * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket * Update keyutils policy * Allow sshd_keygen_t connect to userdbd over a unix stream socket * Allow postfix-smtpd read mysql config files * Allow locate stream connect to systemd-userdbd * Allow the staff user use wireshark * Allow updatedb connect to userdbd over a unix stream socket * Allow gpg_t set attributes of public-keys.d * Allow gpg_t get attributes of login_userdomain stream * Allow systemd_getty_generator_t read /proc/1/environ * Allow systemd_getty_generator_t to read and write to tty_device_t * Drop publicfile module * Remove permissive domain for systemd_nsresourced_t * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t * Allow to create and delete socket files created by rhsm.service * Allow virtnetworkd exec shell when virt_hooks_unconfined is on * Allow unconfined_service_t transition to passwd_t * Support /var is empty * Allow abrt-dump-journal read all non_security socket files * Allow timemaster write to sysfs files * Dontaudit domain write cgroup files * Label /usr/lib/node_modules/npm/bin with bin_t * Allow ip the setexec permission * Allow systemd-networkd write files in /var/lib/systemd/network * Fix typo in systemd_nsresourced_prog_run_bpf() OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=248 --- .gitattributes | 23 + .gitignore | 1 + Makefile.devel | 22 + README.Update | 19 + _service | 18 + _servicedata | 10 + booleans-minimum.conf | 232 +++ booleans-mls.conf | 232 +++ booleans-targeted.conf | 232 +++ booleans.subs_dist | 54 + container.fc | 167 ++ container.if | 1044 ++++++++++++ container.te | 1602 ++++++++++++++++++ customizable_types | 13 + debug-build.sh | 34 + file_contexts.subs_dist | 22 + macros.selinux-policy | 187 +++ modules-minimum-base.conf | 414 +++++ modules-minimum-contrib.conf | 2609 ++++++++++++++++++++++++++++++ modules-minimum-disable.lst | 1 + modules-mls-base.conf | 380 +++++ modules-mls-contrib.conf | 1581 ++++++++++++++++++ modules-targeted-base.conf | 421 +++++ modules-targeted-contrib.conf | 2784 ++++++++++++++++++++++++++++++++ securetty_types-minimum | 4 + securetty_types-mls | 6 + securetty_types-targeted | 4 + selinux-policy-20240715.tar.xz | 3 + selinux-policy-20240726.tar.xz | 3 + selinux-policy-20240802.tar.xz | 3 + selinux-policy-20240808.tar.xz | 3 + selinux-policy-rpmlintrc | 9 + selinux-policy.changes | 2151 ++++++++++++++++++++++++ selinux-policy.conf | 3 + selinux-policy.spec | 656 ++++++++ setrans-minimum.conf | 19 + setrans-mls.conf | 52 + setrans-targeted.conf | 19 + update.sh | 28 + users-minimum | 39 + users-mls | 40 + users-targeted | 41 + varrun-convert.sh | 105 ++ 43 files changed, 15290 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 Makefile.devel create mode 100644 README.Update create mode 100644 _service create mode 100644 _servicedata create mode 100644 booleans-minimum.conf create mode 100644 booleans-mls.conf create mode 100644 booleans-targeted.conf create mode 100644 booleans.subs_dist create mode 100644 container.fc create mode 100644 container.if create mode 100644 container.te create mode 100644 customizable_types create mode 100644 debug-build.sh create mode 100644 file_contexts.subs_dist create mode 100644 macros.selinux-policy create mode 100644 modules-minimum-base.conf create mode 100644 modules-minimum-contrib.conf create mode 100644 modules-minimum-disable.lst create mode 100644 modules-mls-base.conf create mode 100644 modules-mls-contrib.conf create mode 100644 modules-targeted-base.conf create mode 100644 modules-targeted-contrib.conf create mode 100644 securetty_types-minimum create mode 100644 securetty_types-mls create mode 100644 securetty_types-targeted create mode 100644 selinux-policy-20240715.tar.xz create mode 100644 selinux-policy-20240726.tar.xz create mode 100644 selinux-policy-20240802.tar.xz create mode 100644 selinux-policy-20240808.tar.xz create mode 100644 selinux-policy-rpmlintrc create mode 100644 selinux-policy.changes create mode 100644 selinux-policy.conf create mode 100644 selinux-policy.spec create mode 100644 setrans-minimum.conf create mode 100644 setrans-mls.conf create mode 100644 setrans-targeted.conf create mode 100644 update.sh create mode 100644 users-minimum create mode 100644 users-mls create mode 100644 users-targeted create mode 100644 varrun-convert.sh diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/Makefile.devel b/Makefile.devel new file mode 100644 index 0000000..c09146e --- /dev/null +++ b/Makefile.devel @@ -0,0 +1,22 @@ +# installation paths +SHAREDIR := /usr/share/selinux + +AWK ?= gawk +NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)) + +ifeq ($(MLSENABLED),) + MLSENABLED := 1 +endif + +ifeq ($(MLSENABLED),1) + NTYPE = mcs +endif + +ifeq ($(NAME),mls) + NTYPE = mls +endif + +TYPE ?= $(NTYPE) + +HEADERDIR := $(SHAREDIR)/devel/include +include $(HEADERDIR)/Makefile diff --git a/README.Update b/README.Update new file mode 100644 index 0000000..70c2483 --- /dev/null +++ b/README.Update @@ -0,0 +1,19 @@ +# How to update this project + +This project is updated using obs services. +The obs services pull from git repositories, which are specified in the `_service` file. +Please contribute all changes to the upstream git repositories listed there. + +To update this project to the upstream versions, please make sure you installed these obs services locally: +``` +sudo zypper in obs-service-tar_scm obs-service-recompress obs-service-set_version obs-service-download_files +``` + +Then, generate new tarballs, changelog and version number for this repository by running this command: +``` +sh update.sh +``` + +Afterwards, please check your local project state and remove old tarballs if necessary. +Then proceed as usual with check-in and build. + diff --git a/_service b/_service new file mode 100644 index 0000000..f74bf15 --- /dev/null +++ b/_service @@ -0,0 +1,18 @@ + + + 1 + %cd + https://gitlab.suse.de/selinux/selinux-policy.git + git + enable + factory + + + xz + *.tar + + + selinux-policy.spec + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..7dff588 --- /dev/null +++ b/_servicedata @@ -0,0 +1,10 @@ + + + https://gitlab.suse.de/selinux/selinux-policy.git + 621a01c53e301c3ced6a6438fbd6913f0f9b51aa + https://github.com/containers/container-selinux.git + 07b3034f6d9625ab84508a2f46515d8ff79b4204 + https://gitlab.suse.de/jsegitz/selinux-policy.git + 3e2ff590e3c22e0782b38b938a367440431bae13 + https://gitlab.suse.de/cahu/selinux-policy.git + dd1ff3c6a1e2c1f22ddd13039191ea458d7fcc8d \ No newline at end of file diff --git a/booleans-minimum.conf b/booleans-minimum.conf new file mode 100644 index 0000000..5185257 --- /dev/null +++ b/booleans-minimum.conf @@ -0,0 +1,232 @@ +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +selinuxuser_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +selinuxuser_execstack = false + +# Allow ftpd to read cifs directories. +# +ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Allow zebra to write it own configuration files +# +zebra_write_config = false + +# Enable extra rules in the cron domainto support fcron. +# +fcron_crond = false + +# +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false + +# +# allow httpd to send dbus messages to avahi +httpd_dbus_avahi = true + +# +# allow httpd to network relay +httpd_can_network_relay = false + +# Allow httpd to use built in scripting (usually php) +# +httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# +httpd_enable_cgi = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. +# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# +nfs_export_all_rw = true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# +pppd_can_insmod = false + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. +# +squid_connect_any = false + +# Support NFS home directories +# +use_nfs_home_dirs = true + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = false + +# allow host key based authentication +# +ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = true + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow all domains to talk to ttys +# +daemons_use_tty = false + +# Allow login domains to polyinstatiate directories +# +polyinstantiation_enabled = false + +# Allow all domains to dump core +# +daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. +# +samba_run_unconfined = false + +# Allows XServer to execute writable memory +# +xserver_execmem = false + +# disallow guest accounts to execute files that they can create +# +guest_exec_content = false +xguest_exec_content = false + +# Allow postfix locat to write to mail spool +# +postfix_local_write_mail_spool = false + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile = true + +# Allow qemu to connect fully to the network +# +qemu_full_network = true + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# +mount_anyfile = true + +# Allow all domains to mmap files +# +domain_can_mmap_files = true + +# Allow confined applications to use nscd shared memory +# +nscd_use_shm = true + +# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +# +unconfined_chrome_sandbox_transition = true + +# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +# +unconfined_mozilla_plugin_transition = true diff --git a/booleans-mls.conf b/booleans-mls.conf new file mode 100644 index 0000000..3892f99 --- /dev/null +++ b/booleans-mls.conf @@ -0,0 +1,232 @@ +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +selinuxuser_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +selinuxuser_execstack = false + +# Allow ftpd to read cifs directories. +# +ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Allow zebra to write it own configuration files +# +zebra_write_config = false + +# Enable extra rules in the cron domainto support fcron. +# +fcron_crond = false + +# +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false + +# +# allow httpd to send dbus messages to avahi +httpd_dbus_avahi = true + +# +# allow httpd to network relay +httpd_can_network_relay = false + +# Allow httpd to use built in scripting (usually php) +# +httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# +httpd_enable_cgi = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. +# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# +nfs_export_all_rw = true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# +pppd_can_insmod = false + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. +# +squid_connect_any = false + +# Support NFS home directories +# +use_nfs_home_dirs = true + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = false + +# allow host key based authentication +# +ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = true + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow all domains to talk to ttys +# +daemons_use_tty = false + +# Allow login domains to polyinstatiate directories +# +polyinstantiation_enabled = false + +# Allow all domains to dump core +# +daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. +# +samba_run_unconfined = false + +# Allows XServer to execute writable memory +# +xserver_execmem = false + +# disallow guest accounts to execute files that they can create +# +guest_exec_content = false +xguest_exec_content = false + +# Allow postfix locat to write to mail spool +# +postfix_local_write_mail_spool = false + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile = true + +# Allow qemu to connect fully to the network +# +qemu_full_network = true + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# +mount_anyfile = true + +# Allow all domains to mmap files +# +domain_can_mmap_files = true + +# Allow confined applications to use nscd shared memory +# +nscd_use_shm = true + +# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +# +unconfined_chrome_sandbox_transition = false + +# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +# +unconfined_mozilla_plugin_transition = false diff --git a/booleans-targeted.conf b/booleans-targeted.conf new file mode 100644 index 0000000..5185257 --- /dev/null +++ b/booleans-targeted.conf @@ -0,0 +1,232 @@ +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +selinuxuser_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +selinuxuser_execstack = false + +# Allow ftpd to read cifs directories. +# +ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Allow zebra to write it own configuration files +# +zebra_write_config = false + +# Enable extra rules in the cron domainto support fcron. +# +fcron_crond = false + +# +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false + +# +# allow httpd to send dbus messages to avahi +httpd_dbus_avahi = true + +# +# allow httpd to network relay +httpd_can_network_relay = false + +# Allow httpd to use built in scripting (usually php) +# +httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# +httpd_enable_cgi = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. +# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# +nfs_export_all_rw = true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# +pppd_can_insmod = false + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. +# +squid_connect_any = false + +# Support NFS home directories +# +use_nfs_home_dirs = true + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = false + +# allow host key based authentication +# +ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = true + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow all domains to talk to ttys +# +daemons_use_tty = false + +# Allow login domains to polyinstatiate directories +# +polyinstantiation_enabled = false + +# Allow all domains to dump core +# +daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. +# +samba_run_unconfined = false + +# Allows XServer to execute writable memory +# +xserver_execmem = false + +# disallow guest accounts to execute files that they can create +# +guest_exec_content = false +xguest_exec_content = false + +# Allow postfix locat to write to mail spool +# +postfix_local_write_mail_spool = false + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile = true + +# Allow qemu to connect fully to the network +# +qemu_full_network = true + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# +mount_anyfile = true + +# Allow all domains to mmap files +# +domain_can_mmap_files = true + +# Allow confined applications to use nscd shared memory +# +nscd_use_shm = true + +# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +# +unconfined_chrome_sandbox_transition = true + +# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +# +unconfined_mozilla_plugin_transition = true diff --git a/booleans.subs_dist b/booleans.subs_dist new file mode 100644 index 0000000..e4f1c19 --- /dev/null +++ b/booleans.subs_dist @@ -0,0 +1,54 @@ +allow_auditadm_exec_content auditadm_exec_content +allow_console_login login_console_enabled +allow_cvs_read_shadow cvs_read_shadow +allow_daemons_dump_core daemons_dump_core +allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper +allow_daemons_use_tty daemons_use_tty +allow_domain_fd_use domain_fd_use +allow_execheap selinuxuser_execheap +allow_execmod selinuxuser_execmod +allow_execstack selinuxuser_execstack +allow_ftpd_anon_write ftpd_anon_write +allow_ftpd_full_access ftpd_full_access +allow_ftpd_use_cifs ftpd_use_cifs +allow_ftpd_use_nfs ftpd_use_nfs +allow_gssd_read_tmp gssd_read_tmp +allow_guest_exec_content guest_exec_content +allow_httpd_anon_write httpd_anon_write +allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind +allow_httpd_mod_auth_pam httpd_mod_auth_pam +allow_httpd_sys_script_anon_write httpd_sys_script_anon_write +allow_kerberos kerberos_enabled +allow_mplayer_execstack mplayer_execstack +allow_mount_anyfile mount_anyfile +allow_nfsd_anon_write nfsd_anon_write +allow_polyinstantiation polyinstantiation_enabled +allow_postfix_local_write_mail_spool postfix_local_write_mail_spool +allow_rsync_anon_write rsync_anon_write +allow_saslauthd_read_shadow saslauthd_read_shadow +allow_secadm_exec_content secadm_exec_content +allow_smbd_anon_write smbd_anon_write +allow_ssh_keysign ssh_keysign +allow_staff_exec_content staff_exec_content +allow_sysadm_exec_content sysadm_exec_content +allow_user_exec_content user_exec_content +allow_user_mysql_connect selinuxuser_mysql_connect_enabled +allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled +allow_write_xshm xserver_clients_write_xshm +allow_xguest_exec_content xguest_exec_content +allow_xserver_execmem xserver_execmem +allow_ypbind nis_enabled +allow_zebra_write_config zebra_write_config +user_direct_dri selinuxuser_direct_dri_enabled +user_ping selinuxuser_ping +user_share_music selinuxuser_share_music +user_tcp_server selinuxuser_tcp_server +sepgsql_enable_pitr_implementation postgresql_can_rsync +sepgsql_enable_users_ddl postgresql_selinux_users_ddl +sepgsql_transmit_client_label postgresql_selinux_transmit_client_label +sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm +clamd_use_jit antivirus_use_jit +amavis_use_jit antivirus_use_jit +logwatch_can_sendmail logwatch_can_network_connect_mail +puppet_manage_all_files puppetagent_manage_all_files +virt_sandbox_use_nfs virt_use_nfs diff --git a/container.fc b/container.fc new file mode 100644 index 0000000..40b03d5 --- /dev/null +++ b/container.fc @@ -0,0 +1,167 @@ +/root/\.docker gen_context(system_u:object_r:container_home_t,s0) + +/usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/buildah -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) + +/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0) +/usr/local/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0) +/usr/local/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/bin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0) +/usr/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0) +/usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0) + +/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0) +/usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0) +/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0) +/usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0) + +/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0) +/etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0) +/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0) +/etc/buildkit(/.*)? gen_context(system_u:object_r:container_config_t,s0) +/etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0) +/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) + +/var/lib/shared(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0) +/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) + +/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir. +/var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/nerdctl/[^/]*/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0) + +/var/lib/buildkit(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/buildkit/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0) +# "/var/lib/buildkit/runc-/executor" contains "resolv.conf" and "hosts.", for OCI (runc) worker mode. +/var/lib/buildkit/runc-.*/executor(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0) +# "/var/lib/buildkit/containerd-" contains resolv.conf and hosts., for containerd worker mode. +# Unlike the runc- directory, this directory does not contain the "executor" directory inside it. +/var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0) + +HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0) + +/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/atomic(/.*)? <> +/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0) +/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) + +/var/cache/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) + +/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0) + +/var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) + +/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) + +/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0) +/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0) +/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) +/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) + +/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) +/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) + +/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) +/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0) + +/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) + +/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0) + +/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0) +/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0) +/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0) diff --git a/container.if b/container.if new file mode 100644 index 0000000..cf864df --- /dev/null +++ b/container.if @@ -0,0 +1,1044 @@ +## The open-source application container engine. + +######################################## +## +## Execute container in the container domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_runtime_domtrans',` + gen_require(` + type container_runtime_t, container_runtime_exec_t; + type container_runtime_tmpfs_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, container_runtime_exec_t, container_runtime_t) + allow container_runtime_t $1:fifo_file setattr; +') + +######################################## +## +## Execute container runtime in the container runtime domain +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`container_runtime_run',` + gen_require(` + type container_runtime_t; + class dbus send_msg; + ') + + container_runtime_domtrans($1) + role $2 types container_runtime_t; + allow $1 container_runtime_t:dbus send_msg; +') + + +######################################## +## +## Execute container in the caller domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_runtime_exec',` + gen_require(` + type container_runtime_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, container_runtime_exec_t) +') + +######################################## +## +## Read the process state of container runtime +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_state',` + gen_require(` + type container_runtime_t; + ') + + ps_process_pattern($1, container_runtime_t) +') + +######################################## +## +## Search container lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_search_lib',` + gen_require(` + type container_var_lib_t; + ') + + allow $1 container_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Execute container lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_exec_lib',` + gen_require(` + type container_var_lib_t; + ') + + allow $1 container_var_lib_t:dir search_dir_perms; + can_exec($1, container_var_lib_t) +') + +######################################## +## +## Read container lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_lib_files',` + gen_require(` + type container_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, container_var_lib_t, container_var_lib_t) +') + +######################################## +## +## Read container share files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_share_files',` + gen_require(` + type container_ro_file_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, container_ro_file_t, container_ro_file_t) + read_files_pattern($1, container_ro_file_t, container_ro_file_t) + read_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t) +') + +######################################## +## +## Read container runtime tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_runtime_read_tmpfs_files',` + gen_require(` + type container_runtime_tmpfs_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) + read_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) + read_lnk_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) +') + +######################################## +## +## Manage container share files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_share_files',` + gen_require(` + type container_ro_file_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, container_ro_file_t, container_ro_file_t) + manage_files_pattern($1, container_ro_file_t, container_ro_file_t) + manage_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t) +') + +######################################## +## +## Manage container share dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_share_dirs',` + gen_require(` + type container_ro_file_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, container_ro_file_t, container_ro_file_t) +') + +###################################### +## +## Allow the specified domain to execute container shared files +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_exec_share_files',` + gen_require(` + type container_ro_file_t; + ') + + can_exec($1, container_ro_file_t) +') + +######################################## +## +## Manage container config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_config_files',` + gen_require(` + type container_config_t; + type kubernetes_file_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, container_config_t, container_config_t) + manage_dirs_pattern($1, kubernetes_file_t, kubernetes_file_t) + manage_files_pattern($1, kubernetes_file_t, kubernetes_file_t) +') + +######################################## +## +## Manage container lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_lib_files',` + gen_require(` + type container_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, container_var_lib_t, container_var_lib_t) + manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t) +') + +######################################## +## +## Manage container files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_files',` + gen_require(` + type container_file_t; + ') + + manage_files_pattern($1, container_file_t, container_file_t) + manage_lnk_files_pattern($1, container_file_t, container_file_t) +') + +######################################## +## +## Manage container directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_dirs',` + gen_require(` + type container_file_t; + ') + + manage_dirs_pattern($1, container_file_t, container_file_t) +') + +######################################## +## +## Manage container lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_lib_dirs',` + gen_require(` + type container_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t) +') + +######################################## +## +## Create objects in a container var lib directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`container_lib_filetrans',` + gen_require(` + type container_var_lib_t; + ') + + filetrans_pattern($1, container_var_lib_t, $2, $3, $4) +') + +######################################## +## +## Read container PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_pid_files',` + gen_require(` + type container_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, container_var_run_t, container_var_run_t) +') + +######################################## +## +## Execute container server in the container domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_systemctl',` + gen_require(` + type container_runtime_t; + type container_unit_file_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + systemd_read_fifo_file_passwd_run($1) + allow $1 container_unit_file_t:file read_file_perms; + allow $1 container_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, container_runtime_t) +') + +######################################## +## +## Read and write container shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_rw_sem',` + gen_require(` + type container_runtime_t; + ') + + allow $1 container_runtime_t:sem rw_sem_perms; +') + +######################################## +## +## Allow the specified domain to append +## to container files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_append_file',` + gen_require(` + type container_file_t; + ') + + append_files_pattern($1, container_file_t, container_file_t) +') + +####################################### +## +## Read and write the container pty type. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_use_ptys',` + gen_require(` + type container_devpts_t; + ') + + allow $1 container_devpts_t:chr_file rw_term_perms; +') + +####################################### +## +## Allow domain to create container content +## +## +## +## Domain allowed access. +## +## +# +interface(`container_filetrans_named_content',` + + gen_require(` + type container_var_lib_t; + type container_file_t; + type container_ro_file_t; + type container_log_t; + type container_var_run_t; + type container_home_t; + type kubernetes_file_t; + type container_runtime_tmpfs_t; + type container_kvm_var_run_t; + type data_home_t; + ') + + files_pid_filetrans($1, container_var_run_t, file, "container.pid") + files_pid_filetrans($1, container_var_run_t, file, "docker.pid") + files_pid_filetrans($1, container_var_run_t, sock_file, "container.sock") + files_pid_filetrans($1, container_var_run_t, dir, "container-client") + files_pid_filetrans($1, container_var_run_t, dir, "docker") + files_pid_filetrans($1, container_var_run_t, dir, "containerd") + files_pid_filetrans($1, container_var_run_t, dir, "buildkit") + files_pid_filetrans($1, container_var_run_t, dir, "ocid") + files_pid_filetrans($1, container_var_run_t, dir, "containers") + files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers") + + logging_log_filetrans($1, container_log_t, dir, "lxc") + files_var_lib_filetrans($1, container_var_lib_t, dir, "containers") + files_var_lib_filetrans($1, container_file_t, dir, "origin") + files_var_lib_filetrans($1, container_var_lib_t, dir, "ocid") + files_var_lib_filetrans($1, container_var_lib_t, dir, "docker") + files_var_lib_filetrans($1, container_var_lib_t, dir, "docker-latest") + files_var_filetrans($1, container_ro_file_t, dir, "kata-containers") + files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers") + files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd") + files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit") + files_var_lib_filetrans($1, container_ro_file_t, dir, "shared") + + filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hosts") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hostname") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "resolv.conf") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "sandboxes") + # The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir. + # (lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs, + # upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/fs, + # workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work) + filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-images") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-layers") + + # "/var/lib/buildkit/runc-/executor" contains "resolv.conf" and "hosts.", for OCI (runc) worker mode. + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "executor") + + # "/var/lib/buildkit/containerd-" contains resolv.conf and hosts., for containerd worker mode. + # Unlike the runc- directory, this directory does not contain the "executor" directory inside it. + # Core snapshotters + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlayfs") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-native") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-btrfs") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-zfs") + # Non-core snapshotters + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-fuse-overlayfs") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-nydus") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlaybd") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-stargz") + # Third-party snapshotters + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci") + + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers") + + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic") + userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers") + filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm") + files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes") +') + +######################################## +## +## Connect to container over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_stream_connect',` + gen_require(` + type container_runtime_t, container_var_run_t, container_runtime_tmpfs_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t) + stream_connect_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t, container_runtime_t) + allow $1 container_runtime_tmpfs_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Connect to SPC containers over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_spc_stream_connect',` + gen_require(` + type spc_t, spc_var_run_t; + ') + + files_search_pids($1) + allow $1 spc_t:unix_stream_socket connectto; +') + +######################################## +## +## All of the rules required to administrate +## an container environment +## +## +## +## Domain allowed access. +## +## +# +interface(`container_admin',` + gen_require(` + type container_runtime_t; + type container_var_lib_t, container_var_run_t; + type container_unit_file_t; + type container_lock_t; + type container_log_t; + type container_config_t; + type container_file_t; + ') + + allow $1 container_runtime_t:process { ptrace signal_perms }; + ps_process_pattern($1, container_runtime_t) + + admin_pattern($1, container_config_t) + + files_search_var_lib($1) + admin_pattern($1, container_var_lib_t) + + files_search_pids($1) + admin_pattern($1, container_var_run_t) + + files_search_locks($1) + admin_pattern($1, container_lock_t) + + logging_search_logs($1) + admin_pattern($1, container_log_t) + + container_systemctl($1) + admin_pattern($1, container_unit_file_t) + allow $1 container_unit_file_t:service all_service_perms; + + admin_pattern($1, container_file_t) + + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') + +######################################## +## +## Execute container_auth_exec_t in the container_auth domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_auth_domtrans',` + gen_require(` + type container_auth_t, container_auth_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, container_auth_exec_t, container_auth_t) +') + +###################################### +## +## Execute container_auth in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_auth_exec',` + gen_require(` + type container_auth_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, container_auth_exec_t) +') + +######################################## +## +## Connect to container_auth over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_auth_stream_connect',` + gen_require(` + type container_auth_t, container_plugin_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t) +') + +######################################## +## +## container domain typebounds calling domain. +## +## +## +## Domain to be typebound. +## +## +# +interface(`container_runtime_typebounds',` + gen_require(` + type container_runtime_t; + ') + + allow container_runtime_t $1:process2 nnp_transition; +') + +######################################## +## +## Allow any container_runtime_exec_t to be an entrypoint of this domain +## +## +## +## Domain allowed access. +## +## +## +# +interface(`container_runtime_entrypoint',` + gen_require(` + type container_runtime_exec_t; + ') + allow $1 container_runtime_exec_t:file entrypoint; +') + +interface(`docker_exec_lib',` + container_exec_lib($1) +') + +interface(`docker_read_share_files',` + container_read_share_files($1) +') + +interface(`docker_exec_share_files',` + container_exec_share_files($1) +') + +interface(`docker_manage_lib_files',` + container_manage_lib_files($1) +') + + +interface(`docker_manage_lib_dirs',` + container_manage_lib_dirs($1) +') + +interface(`docker_lib_filetrans',` + container_lib_filetrans($1, $2, $3, $4) +') + +interface(`docker_read_pid_files',` + container_read_pid_files($1) +') + +interface(`docker_systemctl',` + container_systemctl($1) +') + +interface(`docker_use_ptys',` + container_use_ptys($1) +') + +interface(`docker_stream_connect',` + container_stream_connect($1) +') + +interface(`docker_spc_stream_connect',` + container_spc_stream_connect($1) +') + +######################################## +## +## Read the process state of spc containers +## +## +## +## Domain allowed access. +## +## +# +interface(`container_spc_read_state',` + gen_require(` + type spc_t; + ') + + ps_process_pattern($1, spc_t) +') + +######################################## +## +## Creates types and rules for a basic +## container runtime process domain. +## +## +## +## Prefix for the domain. +## +## +# +template(`container_runtime_domain_template',` + gen_require(` + attribute container_runtime_domain; + type container_runtime_t; + type container_var_lib_t; + type container_ro_file_t; + role system_r, sysadm_r; + ') + + type $1_t, container_runtime_domain; + role system_r types $1_t; + role sysadm_r types $1_t; + domain_type($1_t) + domain_subj_id_change_exemption($1_t) + domain_role_change_exemption($1_t) + + kernel_read_system_state($1_t) + kernel_read_all_proc($1_t) + + mls_file_read_to_clearance($1_t) + mls_file_write_to_clearance($1_t) + + storage_raw_rw_fixed_disk($1_t) + auth_use_nsswitch($1_t) + logging_send_syslog_msg($1_t) +') + +######################################## +## +## Creates types and rules for a basic +## container process domain. +## +## +## +## Prefix for the domain. +## +## +## +## +## Prefix for the file type. +## +## +# +template(`container_domain_template',` + gen_require(` + attribute container_domain; + type container_runtime_t; + type container_var_lib_t; + type container_ro_file_t; + ') + + type $1_t, container_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + allow $1_t $2_file_t:file entrypoint; + + container_manage_files_template($1, $2) +') + + +######################################## +## +## Manage container files template +## +## +## +## Prefix for the domain. +## +## +## +## +## Prefix for the file type. +## +## +# +template(`container_manage_files_template',` + gen_require(` + attribute container_domain; + type container_runtime_t; + type container_var_lib_t; + type container_ro_file_t; + ') + + + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + kernel_read_all_proc($1_t) + + allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map }; + + manage_files_pattern($1_t, $2_file_t, $2_file_t) + exec_files_pattern($1_t, $2_file_t, $2_file_t) + manage_lnk_files_pattern($1_t, $2_file_t, $2_file_t) + manage_dirs_pattern($1_t, $2_file_t, $2_file_t) + manage_chr_files_pattern($1_t, $2_file_t, $2_file_t) + allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads }; + manage_blk_files_pattern($1_t, $2_file_t, $2_file_t) + manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t) + manage_sock_files_pattern($1_t, $2_file_t, $2_file_t) + allow $1_t $2_file_t:{file dir} mounton; + allow $1_t $2_file_t:filesystem { mount remount unmount }; + allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map }; + + fs_tmpfs_filetrans($1_t, $2_file_t, { dir file lnk_file }) +') + +######################################## +## +## Read and write a spc_t unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_spc_rw_pipes',` + gen_require(` + type spc_t; + ') + + allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## +## Execute container in the container domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_kubelet_domtrans',` + gen_require(` + type kubelet_t, kubelet_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, kubelet_exec_t, kubelet_t) +') + +######################################## +## +## Execute kubelet_exec_t in the kubelet_t domain +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`container_kubelet_run',` + gen_require(` + type kubelet_t; + ') + + container_kubelet_domtrans($1) + role $2 types kubelet_t; +') + +######################################## +## +## Connect to kubelet over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_kubelet_stream_connect',` + gen_require(` + type kubelet_t, container_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, container_var_run_t, container_var_run_t, kubelet_t) +') + +####################################### +## +## Create a file type used for container files. +## +## +## +## Type to be used for an container file. +## +## +# +interface(`container_file',` + gen_require(` + attribute container_file_type; + ') + + typeattribute $1 container_file_type; + files_type($1) + files_mountpoint($1) +') diff --git a/container.te b/container.te new file mode 100644 index 0000000..803530a --- /dev/null +++ b/container.te @@ -0,0 +1,1602 @@ +policy_module(container, 2.232.1) + +gen_require(` + class passwd rootok; +') + +######################################## +# +# Declarations +# + +## +##

+## Determine whether container can +## connect to all TCP ports. +##

+##
+gen_tunable(container_connect_any, false) + +## +##

+## Allow all container domains to read cert files and directories +##

+##
+gen_tunable(container_read_certs, false) + +## +##

+## Determine whether sshd can launch container engines +##

+##
+gen_tunable(sshd_launch_containers, false) + +## +##

+## Allow containers to use any device volume mounted into container +##

+##
+gen_tunable(container_use_devices, false) + +## +##

+## Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration +##

+##
+gen_tunable(container_use_xserver_devices, false) + +## +##

+## Allow containers to use any dri device volume mounted into container +##

+##
+gen_tunable(container_use_dri_devices, true) + +## +##

+## Allow sandbox containers to manage cgroup (systemd) +##

+##
+gen_tunable(container_manage_cgroup, false) + +## +##

+## Determine whether container can +## use ceph file system +##

+##
+gen_tunable(container_use_cephfs, false) + +## +##

+## Determine whether container can +## use ecrypt file system +##

+##
+gen_tunable(container_use_ecryptfs, false) + +attribute container_runtime_domain; +container_runtime_domain_template(container_runtime) +typealias container_runtime_t alias docker_t; + +type container_runtime_exec_t alias docker_exec_t; +can_exec(container_runtime_t,container_runtime_exec_t) +attribute container_domain; +attribute container_user_domain; +attribute container_net_domain; +attribute container_init_domain; +attribute container_file_type; +allow container_runtime_domain container_domain:process { dyntransition transition }; +allow container_domain container_runtime_domain:process sigchld; +allow container_runtime_domain container_domain:process2 { nnp_transition nosuid_transition }; +dontaudit container_runtime_domain container_domain:process { noatsecure rlimitinh siginh }; + +type conmon_exec_t; +application_executable_file(conmon_exec_t) +can_exec(container_runtime_t, conmon_exec_t) +allow container_runtime_domain conmon_exec_t:file entrypoint; +ifdef(`enable_mcs',` + range_transition container_runtime_t conmon_exec_t:process s0; +') +ifdef(`enable_mls',` + range_transition container_runtime_t conmon_exec_t:process s0; +') + +type spc_t; +domain_type(spc_t) +role system_r types spc_t; + +type container_auth_t alias docker_auth_t; +type container_auth_exec_t alias docker_auth_exec_t; +init_daemon_domain(container_auth_t, container_auth_exec_t) + +type spc_var_run_t; +files_pid_file(spc_var_run_t) + +type kubernetes_file_t; +files_config_file(kubernetes_file_t) + +type container_var_lib_t alias docker_var_lib_t; +files_type(container_var_lib_t) + +type container_home_t alias docker_home_t; +userdom_user_home_content(container_home_t) + +type container_config_t alias docker_config_t; +files_config_file(container_config_t) + +type container_lock_t alias docker_lock_t; +files_lock_file(container_lock_t) + +type container_log_t alias docker_log_t; +logging_log_file(container_log_t) + +type container_runtime_tmp_t alias docker_tmp_t; +files_tmp_file(container_runtime_tmp_t) + +type container_runtime_tmpfs_t alias docker_tmpfs_t; +files_tmpfs_file(container_runtime_tmpfs_t) + +type container_var_run_t alias docker_var_run_t; +files_pid_file(container_var_run_t) + +type container_plugin_var_run_t alias docker_plugin_var_run_t; +files_pid_file(container_plugin_var_run_t) + +type container_unit_file_t alias docker_unit_file_t; +systemd_unit_file(container_unit_file_t) + +type container_devpts_t alias docker_devpts_t; +term_pty(container_devpts_t) + +typealias container_ro_file_t alias { container_share_t docker_share_t }; +typeattribute container_ro_file_t container_file_type, user_home_type; +files_mountpoint(container_ro_file_t) +userdom_user_home_content(container_ro_file_t) + +type container_port_t alias docker_port_t; +corenet_port(container_port_t) + +init_daemon_domain(container_runtime_t, container_runtime_exec_t) +#ifdef(`enable_mcs',` +# init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mcs_systemhigh) +#') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh) +') +mls_trusted_object(container_runtime_t) + + +######################################## +# +# container local policy +# +allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource }; +allow container_runtime_domain self:tun_socket { create_socket_perms relabelto }; +allow container_runtime_domain self:process ~setcurrent; +allow container_runtime_domain self:passwd rootok; +allow container_runtime_domain self:fd use; +allow container_runtime_domain self:dir mounton; +allow container_runtime_domain self:file mounton; + +allow container_runtime_domain self:fifo_file rw_fifo_file_perms; +allow container_runtime_domain self:fifo_file manage_file_perms; +allow container_runtime_domain self:msg all_msg_perms; +allow container_runtime_domain self:sem create_sem_perms; +allow container_runtime_domain self:shm create_shm_perms; +allow container_runtime_domain self:msgq create_msgq_perms; +allow container_runtime_domain self:unix_stream_socket create_stream_socket_perms; +allow container_runtime_domain self:tcp_socket create_stream_socket_perms; +allow container_runtime_domain self:udp_socket create_socket_perms; +allow container_runtime_domain self:capability2 block_suspend; +allow container_runtime_domain container_port_t:tcp_socket name_bind; +allow container_runtime_domain port_t:icmp_socket name_bind; +allow container_runtime_domain self:filesystem associate; +allow container_runtime_domain self:packet_socket create_socket_perms; +allow container_runtime_domain self:socket create_socket_perms; +allow container_runtime_domain self:rawip_socket create_stream_socket_perms; +allow container_runtime_domain self:netlink_netfilter_socket create_socket_perms; +allow container_runtime_domain self:netlink_kobject_uevent_socket create_socket_perms; +allow container_runtime_domain self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow container_runtime_domain self:netlink_socket create_socket_perms; + +corenet_tcp_bind_generic_node(container_runtime_domain) +corenet_udp_bind_generic_node(container_runtime_domain) +corenet_raw_bind_generic_node(container_runtime_domain) +corenet_tcp_sendrecv_all_ports(container_runtime_domain) +corenet_udp_sendrecv_all_ports(container_runtime_domain) +corenet_udp_bind_all_ports(container_runtime_domain) +corenet_tcp_bind_all_ports(container_runtime_domain) +corenet_tcp_connect_all_ports(container_runtime_domain) +corenet_sctp_bind_all_ports(container_net_domain) +corenet_sctp_connect_all_ports(container_net_domain) +corenet_rw_tun_tap_dev(container_runtime_domain) + +container_auth_stream_connect(container_runtime_domain) + +manage_files_pattern(container_runtime_domain, container_file_type, container_file_type) +manage_lnk_files_pattern(container_runtime_domain, container_file_type, container_file_type) +manage_blk_files_pattern(container_runtime_domain, container_file_type, container_file_type) +allow container_runtime_domain container_domain:key manage_key_perms; +manage_sock_files_pattern(container_runtime_domain, container_file_type, container_file_type) +allow container_runtime_domain container_file_type:dir_file_class_set {relabelfrom relabelto execmod}; +allow container_runtime_domain container_file_type:dir_file_class_set mmap_file_perms; + +manage_files_pattern(container_runtime_domain, container_home_t, container_home_t) +manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t) +manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t) +userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container") +userdom_manage_user_home_content(container_runtime_domain) +userdom_map_user_home_files(container_runtime_t) + +manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t) +manage_files_pattern(container_runtime_domain, container_config_t, container_config_t) +files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers") + +manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t) +manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t) +files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc") +files_manage_generic_locks(container_runtime_domain) + +manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t) +manage_files_pattern(container_runtime_domain, container_log_t, container_log_t) +manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t) + +logging_read_syslog_pid(container_runtime_domain) +logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file }) + +allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto }; +filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log") +allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint; + +manage_dirs_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) +manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) +manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) +manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) + +manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) +manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) +manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) +manage_fifo_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) +manage_chr_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) +manage_blk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) +allow container_runtime_domain container_runtime_tmpfs_t:dir relabelfrom; +can_exec(container_runtime_domain, container_runtime_tmpfs_t) +fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, dir_file_class_set) +allow container_runtime_domain container_runtime_tmpfs_t:chr_file mounton; + +manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto }; +can_exec(container_runtime_domain, container_ro_file_t) + +manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) + +manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) +manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t) + +filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init") +filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay") +filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2") +filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "config.env") +filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hostname") +filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hosts") + +#container_filetrans_named_content(container_runtime_domain) + +manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t) +allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto }; +files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file }) +files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers") + +manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) +manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) +manage_fifo_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) +manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) +manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) +files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) +files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) +allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom; + +allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms }; +term_create_pty(container_runtime_domain, container_devpts_t) +term_use_all_ttys(container_runtime_domain) +term_use_all_inherited_terms(container_runtime_domain) + +mls_file_read_to_clearance(container_runtime_t) +mls_file_relabel_to_clearance(container_runtime_t) +mls_file_write_to_clearance(container_runtime_t) +mls_process_read_to_clearance(container_runtime_t) +mls_process_write_to_clearance(container_runtime_t) +mls_socket_read_to_clearance(container_runtime_t) +mls_socket_write_to_clearance(container_runtime_t) +mls_sysvipc_read_to_clearance(container_runtime_t) +mls_sysvipc_write_to_clearance(container_runtime_t) + +kernel_read_network_state(container_runtime_domain) +kernel_read_all_sysctls(container_runtime_domain) +kernel_rw_net_sysctls(container_runtime_domain) +kernel_setsched(container_runtime_domain) +kernel_rw_all_sysctls(container_runtime_domain) +kernel_mounton_all_proc(container_runtime_domain) +fs_getattr_all_fs(container_runtime_domain) + +domain_obj_id_change_exemption(container_runtime_t) +domain_subj_id_change_exemption(container_runtime_t) +domain_role_change_exemption(container_runtime_t) +domain_use_interactive_fds(container_runtime_domain) +domain_dontaudit_read_all_domains_state(container_runtime_domain) +domain_sigchld_all_domains(container_runtime_domain) +domain_use_interactive_fds(container_runtime_domain) +domain_read_all_domains_state(container_runtime_domain) +domain_getattr_all_domains(container_runtime_domain) + +userdom_map_tmp_files(container_runtime_domain) + +anaconda_domtrans_install(container_runtime_domain) + +optional_policy(` + gnome_map_generic_data_home_files(container_runtime_domain) + allow container_runtime_domain data_home_t:dir { relabelfrom relabelto }; +') + +gen_require(` + attribute domain; +') + +allow container_runtime_domain domain:fifo_file rw_fifo_file_perms; +allow container_runtime_domain domain:fd use; + +corecmd_exec_bin(container_runtime_domain) +corecmd_exec_shell(container_runtime_domain) +corecmd_exec_all_executables(container_runtime_domain) +corecmd_bin_entry_type(container_runtime_domain) +corecmd_shell_entry_type(container_runtime_domain) + +corenet_tcp_bind_generic_node(container_runtime_domain) +corenet_tcp_sendrecv_generic_if(container_runtime_domain) +corenet_tcp_sendrecv_generic_node(container_runtime_domain) +corenet_tcp_sendrecv_generic_port(container_runtime_domain) +corenet_tcp_bind_all_ports(container_runtime_domain) +corenet_tcp_connect_http_port(container_runtime_domain) +corenet_tcp_connect_commplex_main_port(container_runtime_domain) +corenet_udp_sendrecv_generic_if(container_runtime_domain) +corenet_udp_sendrecv_generic_node(container_runtime_domain) +corenet_udp_sendrecv_all_ports(container_runtime_domain) +corenet_udp_bind_generic_node(container_runtime_domain) +corenet_udp_bind_all_ports(container_runtime_domain) + +files_read_kernel_modules(container_runtime_domain) +files_read_config_files(container_runtime_domain) +files_dontaudit_getattr_all_dirs(container_runtime_domain) +files_dontaudit_getattr_all_files(container_runtime_domain) +files_execmod_all_files(container_runtime_domain) +files_search_all(container_runtime_domain) +files_read_usr_symlinks(container_runtime_domain) +files_search_locks(container_runtime_domain) +files_dontaudit_unmount_all_mountpoints(container_runtime_domain) + +fs_read_cgroup_files(container_runtime_domain) +fs_read_tmpfs_symlinks(container_runtime_domain) +fs_search_all(container_runtime_domain) +fs_getattr_all_fs(container_runtime_domain) +fs_rw_onload_sockets(container_runtime_domain) + +auth_dontaudit_getattr_shadow(container_runtime_domain) + +init_read_state(container_runtime_domain) +init_status(container_runtime_domain) +init_stop(container_runtime_domain) +init_start(container_runtime_domain) +init_manage_config_transient_files(container_runtime_domain) + +logging_send_audit_msgs(container_runtime_domain) + +miscfiles_read_localization(container_runtime_domain) +miscfiles_dontaudit_access_check_cert(container_runtime_domain) +miscfiles_dontaudit_setattr_fonts_cache_dirs(container_runtime_domain) +miscfiles_read_fonts(container_runtime_domain) +miscfiles_read_hwdata(container_runtime_domain) +fs_relabel_cgroup_dirs(container_runtime_domain) +# fs_relabel_cgroup_files(container_runtime_domain) +allow container_runtime_domain container_domain:file relabelfrom; + +mount_domtrans(container_runtime_domain) + +seutil_read_default_contexts(container_runtime_domain) +seutil_read_config(container_runtime_domain) + +sysnet_dns_name_resolve(container_runtime_domain) +sysnet_exec_ifconfig(container_runtime_domain) + +optional_policy(` + cron_system_entry(container_runtime_t, container_runtime_exec_t) +') + +optional_policy(` + ssh_use_ptys(container_runtime_domain) +') + +optional_policy(` + rpm_exec(container_runtime_domain) + rpm_read_cache(container_runtime_domain) + rpm_read_db(container_runtime_domain) + rpm_exec(container_runtime_domain) +') + +optional_policy(` + fstools_domtrans(container_runtime_domain) +') + +optional_policy(` + gen_require(` + role unconfined_r; + ') + iptables_run(container_runtime_domain, unconfined_r) + + container_read_pid_files(iptables_t) + container_read_state(iptables_t) + container_append_file(iptables_t) + allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms; + allow iptables_t container_file_type:dir list_dir_perms; +') + +optional_policy(` + openvswitch_stream_connect(container_runtime_domain) +') + +optional_policy(` + gen_require(` + attribute named_filetrans_domain; + ') + container_filetrans_named_content(named_filetrans_domain) +') + +# +# lxc rules +# + +allow container_runtime_domain self:capability ~{ sys_module }; +allow container_runtime_domain self:capability2 ~{ mac_override mac_admin }; +allow container_runtime_domain self:cap_userns ~{ sys_module }; +allow container_runtime_domain self:cap2_userns ~{ mac_override mac_admin }; + +allow container_runtime_domain self:process { getcap setcap setexec setpgid setsched signal_perms }; + +allow container_runtime_domain self:netlink_route_socket rw_netlink_socket_perms;; +allow container_runtime_domain self:netlink_xfrm_socket create_netlink_socket_perms; +allow container_runtime_domain self:netlink_audit_socket create_netlink_socket_perms; +allow container_runtime_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow container_runtime_domain self:unix_stream_socket { create_stream_socket_perms connectto }; + +allow container_runtime_domain container_var_lib_t:dir mounton; +allow container_runtime_domain container_var_lib_t:chr_file mounton; +can_exec(container_runtime_domain, container_var_lib_t) + +kernel_dontaudit_setsched(container_runtime_domain) +kernel_get_sysvipc_info(container_runtime_domain) +kernel_request_load_module(container_runtime_domain) +kernel_mounton_messages(container_runtime_domain) +kernel_mounton_all_proc(container_runtime_domain) +kernel_mounton_all_sysctls(container_runtime_domain) +kernel_list_all_proc(container_runtime_domain) +kernel_read_all_sysctls(container_runtime_domain) +kernel_rw_net_sysctls(container_runtime_domain) +kernel_rw_unix_sysctls(container_runtime_domain) +kernel_dontaudit_search_kernel_sysctl(container_runtime_domain) +kernel_dontaudit_access_check_proc(container_runtime_domain) +kernel_dontaudit_setattr_proc_files(container_runtime_domain) +kernel_dontaudit_setattr_proc_dirs(container_runtime_domain) +kernel_dontaudit_write_usermodehelper_state(container_runtime_domain) + +dev_setattr_null_dev(container_runtime_t) +dev_getattr_all(container_runtime_domain) +dev_getattr_sysfs_fs(container_runtime_domain) +dev_read_rand(container_runtime_domain) +dev_read_urand(container_runtime_domain) +dev_read_lvm_control(container_runtime_domain) +dev_rw_sysfs(container_runtime_domain) +dev_rw_loop_control(container_runtime_domain) +dev_rw_lvm_control(container_runtime_domain) +dev_read_mtrr(container_runtime_domain) + +userdom_map_user_home_files(container_runtime_t) + +files_getattr_isid_type_dirs(container_runtime_domain) +files_manage_isid_type_dirs(container_runtime_domain) +files_manage_isid_type_files(container_runtime_domain) +files_manage_isid_type_symlinks(container_runtime_domain) +files_manage_isid_type_chr_files(container_runtime_domain) +files_manage_isid_type_blk_files(container_runtime_domain) +files_manage_etc_dirs(container_runtime_domain) +files_manage_etc_files(container_runtime_domain) +files_exec_isid_files(container_runtime_domain) +files_mounton_isid(container_runtime_domain) +files_mounton_non_security(container_runtime_domain) +files_mounton_isid_type_chr_file(container_runtime_domain) + +files_mounton_isid(container_runtime_domain) +fs_getattr_all_fs(container_runtime_domain) +fs_list_hugetlbfs(container_runtime_domain) +fs_manage_cgroup_dirs(container_runtime_domain) +fs_manage_cgroup_files(container_runtime_domain) +fs_manage_hugetlbfs_files(container_runtime_domain) +fs_mount_all_fs(container_runtime_domain) +fs_read_tmpfs_symlinks(container_runtime_domain) +fs_read_tmpfs_symlinks(container_runtime_domain) +fs_relabelfrom_tmpfs(container_runtime_domain) +fs_relabelfrom_xattr_fs(container_runtime_domain) +fs_remount_all_fs(container_runtime_domain) +fs_rw_inherited_tmpfs_files(container_runtime_domain) +fs_rw_nsfs_files(container_runtime_domain) +fs_search_tmpfs(container_runtime_domain) +fs_set_xattr_fs_quotas(container_runtime_domain) +fs_unmount_all_fs(container_runtime_domain) + + +term_use_generic_ptys(container_runtime_domain) +term_use_ptmx(container_runtime_domain) +term_getattr_pty_fs(container_runtime_domain) +term_relabel_pty_fs(container_runtime_domain) +term_mounton_unallocated_ttys(container_runtime_domain) + +modutils_domtrans_kmod(container_runtime_domain) + +systemd_status_all_unit_files(container_runtime_domain) +systemd_start_systemd_services(container_runtime_domain) +systemd_dbus_chat_logind(container_runtime_domain) +systemd_chat_resolved(container_runtime_domain) + +userdom_stream_connect(container_runtime_domain) +userdom_search_user_home_content(container_runtime_domain) +userdom_read_all_users_state(container_runtime_domain) +userdom_relabel_user_home_files(container_runtime_domain) +userdom_relabel_user_tmp_files(container_runtime_domain) +userdom_relabel_user_tmp_dirs(container_runtime_domain) +userdom_use_inherited_user_terminals(container_runtime_domain) +userdom_use_user_ptys(container_runtime_domain) +userdom_connectto_stream(container_runtime_domain) +allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt }; + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(container_runtime_domain) + fs_manage_nfs_files(container_runtime_domain) + fs_manage_nfs_named_sockets(container_runtime_domain) + fs_manage_nfs_symlinks(container_runtime_domain) + fs_remount_nfs(container_runtime_domain) + fs_mount_nfs(container_runtime_domain) + fs_exec_nfs_files(container_runtime_domain) + kernel_rw_fs_sysctls(container_runtime_domain) + allow container_runtime_domain nfs_t:file execmod; +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(container_runtime_domain) + fs_manage_cifs_dirs(container_runtime_domain) + fs_manage_cifs_named_sockets(container_runtime_domain) + fs_manage_cifs_symlinks(container_runtime_domain) + fs_exec_cifs_files(container_runtime_domain) + allow container_runtime_domain cifs_t:file execmod; + + fs_manage_cifs_files(container_domain) + fs_manage_cifs_dirs(container_domain) + fs_manage_cifs_named_sockets(container_domain) + fs_manage_cifs_symlinks(container_domain) + fs_exec_cifs_files(container_domain) + allow container_domain cifs_t:file execmod; +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(container_domain) + fs_manage_nfs_files(container_domain) + fs_manage_nfs_named_sockets(container_domain) + fs_manage_nfs_symlinks(container_domain) + fs_mount_nfs(container_domain) + fs_unmount_nfs(container_domain) + fs_exec_nfs_files(container_domain) + allow container_domain nfs_t:file execmod; +') + +gen_require(` + type cephfs_t; +') + +tunable_policy(`container_use_cephfs',` + manage_files_pattern(container_domain, cephfs_t, cephfs_t) + manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t) + manage_dirs_pattern(container_domain, cephfs_t, cephfs_t) + exec_files_pattern(container_domain, cephfs_t, cephfs_t) + allow container_domain cephfs_t:file execmod; +') + +tunable_policy(`container_read_certs',` + miscfiles_read_all_certs(container_domain) +') + +gen_require(` + type ecryptfs_t; +') + +tunable_policy(`container_use_ecryptfs',` + manage_files_pattern(container_domain, ecryptfs_t, ecryptfs_t) + manage_lnk_files_pattern(container_domain, ecryptfs_t, ecryptfs_t) + manage_dirs_pattern(container_domain, ecryptfs_t, ecryptfs_t) + exec_files_pattern(container_domain, ecryptfs_t, ecryptfs_t) + allow container_domain ecryptfs_t:file execmod; +') + +fs_manage_fusefs_named_sockets(container_runtime_domain) +fs_manage_fusefs_dirs(container_runtime_domain) +fs_manage_fusefs_files(container_runtime_domain) +fs_manage_fusefs_symlinks(container_runtime_domain) +fs_mount_fusefs(container_runtime_domain) +fs_exec_fusefs_files(container_runtime_domain) +storage_rw_fuse(container_runtime_domain) + +files_search_all(container_domain) +container_read_share_files(container_domain) +container_exec_share_files(container_domain) +allow container_domain container_ro_file_t:file execmod; +container_lib_filetrans(container_domain,container_file_t, sock_file) +container_use_ptys(container_domain) +container_spc_stream_connect(container_domain) + +optional_policy(` + apache_exec_modules(container_runtime_domain) + apache_read_sys_content(container_runtime_domain) +') + +optional_policy(` + gpm_getattr_gpmctl(container_runtime_domain) +') + +optional_policy(` + dbus_system_bus_client(container_runtime_domain) + dbus_session_bus_client(container_runtime_domain) + init_dbus_chat(container_runtime_domain) + init_start_transient_unit(container_runtime_domain) + + optional_policy(` + systemd_dbus_chat_logind(container_runtime_domain) + systemd_dbus_chat_machined(container_runtime_domain) + ') + + optional_policy(` + dnsmasq_dbus_chat(container_runtime_domain) + ') + + optional_policy(` + firewalld_dbus_chat(container_runtime_domain) + ') +') + +optional_policy(` + lvm_domtrans(container_runtime_domain) +') + +optional_policy(` + gen_require(` + type systemd_logind_t; + ') + + domtrans_pattern(systemd_logind_t, container_runtime_exec_t , container_runtime_t) + container_manage_dirs(systemd_logind_t) + container_manage_files(systemd_logind_t) +') + +optional_policy(` + udev_read_db(container_runtime_domain) +') + +optional_policy(` + gen_require(` + role unconfined_r; + ') + role unconfined_r types container_user_domain; + role unconfined_r types spc_t; + unconfined_domain(container_runtime_t) + unconfined_run_to(container_runtime_t, container_runtime_exec_t) + allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map }; + allow container_runtime_domain unconfined_t:fifo_file setattr; + allow unconfined_domain_type container_domain:process {transition dyntransition}; + allow unconfined_t unlabeled_t:key manage_key_perms; + allow container_runtime_t unconfined_t:process transition; + allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint; + fs_fusefs_entrypoint(unconfined_domain_type) + + domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t) +') + +optional_policy(` + gen_require(` + type virtd_lxc_t; + ') + virt_read_config(container_runtime_domain) + virt_exec(container_runtime_domain) + virt_stream_connect(container_runtime_domain) + virt_stream_connect_sandbox(container_runtime_domain) + virt_exec_sandbox_files(container_runtime_domain) + virt_manage_sandbox_files(container_runtime_domain) + virt_relabel_sandbox_filesystem(container_runtime_domain) + # for lxc + virt_mounton_sandbox_file(container_runtime_domain) +# virt_attach_sandbox_tun_iface(container_runtime_domain) + allow container_runtime_domain container_domain:tun_socket relabelfrom; + virt_sandbox_entrypoint(container_runtime_domain) + allow container_runtime_domain virtd_lxc_t:unix_stream_socket { rw_stream_socket_perms connectto }; + +') + +tunable_policy(`container_connect_any',` + corenet_tcp_connect_all_ports(container_runtime_domain) + corenet_sendrecv_all_packets(container_runtime_domain) + corenet_tcp_sendrecv_all_ports(container_runtime_domain) +') + +######################################## +# +# spc local policy +# +allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint; +role system_r types spc_t; + +domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t) +domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t) +domtrans_pattern(container_runtime_domain, fusefs_t, spc_t) +fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file }) + +allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition }; +allow spc_t container_file_type:file execmod; + +admin_pattern(spc_t, kubernetes_file_t) + +allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms; +allow spc_t { container_ro_file_t container_file_t }:system module_load; + +allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms }; +ps_process_pattern(container_runtime_domain, spc_t) +allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom }; +allow spc_t unlabeled_t:key manage_key_perms; +allow spc_t unlabeled_t:socket_class_set create_socket_perms; +fs_fusefs_entrypoint(spc_t) +corecmd_entrypoint_all_executables(spc_t) + +init_dbus_chat(spc_t) + +optional_policy(` + systemd_dbus_chat_machined(spc_t) + systemd_dbus_chat_logind(spc_t) + systemd_dbus_chat_timedated(spc_t) + systemd_dbus_chat_localed(spc_t) +') + +domain_transition_all(spc_t) + +anaconda_domtrans_install(spc_t) + +optional_policy(` + dbus_chat_system_bus(spc_t) + dbus_chat_session_bus(spc_t) + dnsmasq_dbus_chat(spc_t) +') + +optional_policy(` + unconfined_domain_noaudit(spc_t) + domain_ptrace_all_domains(spc_t) + # This should eventually be in upstream policy. + # https://github.com/fedora-selinux/selinux-policy/pull/806 + allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run }; + allow daemon spc_t:dbus send_msg; +') + +optional_policy(` + virt_transition_svirt_sandbox(spc_t, system_r) + virt_sandbox_entrypoint(spc_t) + virt_sandbox_domtrans(container_runtime_domain, spc_t) + virt_transition_svirt(spc_t, system_r) + virt_sandbox_entrypoint(container_file_t) + virt_sandbox_entrypoint(container_ro_file_t) + + gen_require(` + attribute virt_domain; + type virtd_t; + role unconfined_r; + ') + role unconfined_r types virt_domain; + role unconfined_r types virtd_t; + container_spc_read_state(virt_domain) + container_spc_rw_pipes(virt_domain) + allow container_runtime_t virtd_t:process transition; + allow container_runtime_t virt_domain:process transition; + allow virt_domain container_file_t:file entrypoint; + allow virtd_t container_file_t:file entrypoint; + manage_files_pattern(virt_domain, container_file_t, container_file_t) + manage_dirs_pattern(virt_domain, container_file_t, container_file_t) + manage_lnk_files_pattern(virt_domain, container_file_t, container_file_t) + read_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t) + read_lnk_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t) + + can_exec(virt_domain, container_file_t) + + manage_files_pattern(virtd_t, container_file_t, container_file_t) + manage_dirs_pattern(virtd_t, container_file_t, container_file_t) + manage_lnk_files_pattern(virtd_t, container_file_t, container_file_t) + read_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t) + read_lnk_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t) + + can_exec(virtd_t, container_file_t) + + +') + +######################################## +# +# container_auth local policy +# +allow container_auth_t self:fifo_file rw_fifo_file_perms; +allow container_auth_t self:unix_stream_socket create_stream_socket_perms; +dontaudit container_auth_t self:capability net_admin; + +container_stream_connect(container_auth_t) + +manage_dirs_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t) +manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t) +manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t) +manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t) +files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file }) + +stream_connect_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t) +list_dirs_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t) + +domain_use_interactive_fds(container_auth_t) + +kernel_read_net_sysctls(container_auth_t) + +auth_use_nsswitch(container_auth_t) + +files_read_etc_files(container_auth_t) + +miscfiles_read_localization(container_auth_t) + +sysnet_dns_name_resolve(container_auth_t) + +######################################## +# +# container_t local policy +# +# Currently this is called in virt.te +# virt_sandbox_domain_template(container) +# typealias container_t alias svirt_lxc_net_t; +gen_require(` + type container_t; + type container_file_t; +') +container_manage_files_template(container, container) + +typeattribute container_file_t container_file_type, user_home_type; +typeattribute container_t container_domain, container_net_domain, container_user_domain; +allow container_user_domain self:process getattr; +allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint; +allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms; +allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map }; +allow container_domain container_runtime_t:unix_dgram_socket sendto; + +allow container_domain container_runtime_domain:tun_socket relabelfrom; +allow container_domain container_runtime_domain:fd use; +allow container_runtime_domain container_domain:fd use; +allow container_domain self:socket_class_set { create_socket_perms map accept }; +allow container_domain self:lnk_file setattr; +allow container_domain self:user_namespace create; + +dontaudit container_domain self:capability fsetid; +allow container_domain self:association sendto; +allow container_domain self:dir list_dir_perms; +dontaudit container_domain self:dir { write add_name }; +allow container_domain self:file rw_file_perms; +allow container_domain self:lnk_file read_file_perms; +allow container_domain self:fifo_file create_fifo_file_perms; +allow container_domain self:fifo_file watch; +allow container_domain self:filesystem associate; +allow container_domain self:key manage_key_perms; +allow container_domain self:netlink_route_socket r_netlink_socket_perms; +allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; +allow container_domain self:netlink_xfrm_socket create_socket_perms; +allow container_domain self:packet_socket create_socket_perms; +allow container_domain self:passwd rootok; +allow container_domain self:peer recv; +allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate}; +allow container_domain self:sem create_sem_perms; +allow container_domain self:shm create_shm_perms; +allow container_domain self:socket create_socket_perms; +allow container_domain self:tcp_socket create_socket_perms; +allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue }; +allow container_domain self:udp_socket create_socket_perms; +allow container_domain self:unix_dgram_socket create_socket_perms; +allow container_domain self:unix_stream_socket create_stream_socket_perms; +dontaudit container_domain self:capability2 block_suspend ; +allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms }; +fs_fusefs_entrypoint(spc_t) + +container_read_share_files(container_domain) +container_exec_share_files(container_domain) +container_use_ptys(container_domain) +container_spc_stream_connect(container_domain) + +dev_dontaudit_mounton_sysfs(container_domain) +dev_dontaudit_mounton_sysfs(container_domain) +dev_dontaudit_mounton_sysfs(container_domain) +dev_getattr_mtrr_dev(container_domain) +dev_list_sysfs(container_domain) +dev_mounton_sysfs(container_t) +dev_read_mtrr(container_domain) +dev_read_rand(container_domain) +dev_read_sysfs(container_domain) +dev_read_urand(container_domain) +dev_rw_inherited_dri(container_domain) +dev_rw_kvm(container_domain) +dev_rwx_zero(container_domain) +dev_write_rand(container_domain) +dev_write_urand(container_domain) +allow container_domain sysfs_t:dir watch; + +dontaudit container_domain container_runtime_tmpfs_t:dir read; +allow container_domain container_runtime_tmpfs_t:dir mounton; +can_exec(container_domain, container_runtime_tmpfs_t) + +allow container_domain self:key manage_key_perms; +dontaudit container_domain container_domain:key search; + +allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; +allow container_domain self:fifo_file manage_file_perms; +allow container_domain self:msg all_msg_perms; +allow container_domain self:sem create_sem_perms; +allow container_domain self:shm create_shm_perms; +allow container_domain self:msgq create_msgq_perms; +allow container_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +allow container_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow container_domain self:passwd rootok; +allow container_domain self:filesystem associate; +allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; +allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; + +kernel_getattr_proc(container_domain) +kernel_list_all_proc(container_domain) +kernel_read_all_sysctls(container_domain) +kernel_dontaudit_write_kernel_sysctl(container_domain) +kernel_read_network_state(container_domain) +kernel_rw_net_sysctls(container_domain) +kernel_rw_unix_sysctls(container_domain) +kernel_dontaudit_search_kernel_sysctl(container_domain) +kernel_dontaudit_access_check_proc(container_domain) +kernel_dontaudit_setattr_proc_files(container_domain) +kernel_dontaudit_setattr_proc_dirs(container_domain) +kernel_dontaudit_write_usermodehelper_state(container_domain) +kernel_read_irq_sysctls(container_domain) +kernel_get_sysvipc_info(container_domain) + +fs_dontaudit_getattr_all_dirs(container_domain) +fs_dontaudit_getattr_all_files(container_domain) +fs_dontaudit_remount_tmpfs(container_domain) +fs_dontaudit_remount_tmpfs(container_domain) +fs_exec_fusefs_files(container_domain) +fs_exec_hugetlbfs_files(container_domain) +fs_fusefs_entrypoint(container_domain) +fs_getattr_all_fs(container_domain) +fs_list_cgroup_dirs(container_domain) +fs_list_hugetlbfs(container_domain) +fs_manage_bpf_files(container_domain) +fs_manage_fusefs_dirs(container_domain) +fs_manage_fusefs_files(container_domain) +fs_manage_fusefs_named_pipes(container_domain) +fs_manage_fusefs_named_sockets(container_domain) +fs_manage_fusefs_symlinks(container_domain) +fs_manage_hugetlbfs_files(container_domain) +fs_mount_fusefs(container_domain) +fs_unmount_fusefs(container_domain) +fs_mount_tmpfs(container_domain) +fs_unmount_tmpfs(container_domain) +fs_mount_xattr_fs(container_domain) +fs_unmount_xattr_fs(container_domain) +fs_mounton_cgroup(container_domain) +fs_mounton_fusefs(container_domain) +fs_read_cgroup_files(container_domain) +fs_read_nsfs_files(container_domain) +fs_read_tmpfs_symlinks(container_domain) +fs_remount_xattr_fs(container_domain) +fs_rw_inherited_tmpfs_files(container_domain) +fs_rw_onload_sockets(container_domain) +fs_search_tmpfs(container_domain) +fs_unmount_cgroup(container_domain) +fs_unmount_fusefs(container_domain) +fs_unmount_nsfs(container_domain) +fs_unmount_xattr_fs(container_domain) + +term_use_all_inherited_terms(container_domain) + +userdom_use_user_ptys(container_domain) +userdom_rw_inherited_user_pipes(container_domain) + +domain_user_exemption_target(container_t) +domain_dontaudit_link_all_domains_keyrings(container_domain) +domain_dontaudit_search_all_domains_keyrings(container_domain) +domain_dontaudit_search_all_domains_state(container_domain) + +virt_sandbox_net_domain(container_t) + +logging_send_syslog_msg(container_t) + +gen_require(` + type container_file_t; +') +# fs_associate_cgroupfs(container_file_t) +gen_require(` + type cgroup_t; +') + +files_read_kernel_modules(container_domain) + +allow container_file_t cgroup_t:filesystem associate; +term_pty(container_file_t) +logging_log_file(container_file_t) +tunable_policy(`virt_sandbox_use_sys_admin',` + allow container_t self:capability sys_admin; + allow container_t self:cap_userns sys_admin; +') + +allow container_domain self:cap_userns sys_admin; +allow container_domain self:process { getsession execstack execmem }; + +corenet_unconfined(container_t) + +optional_policy(` + virt_default_capabilities(container_t) +') +kernel_rw_rpc_sysctls(container_domain) +kernel_rw_net_sysctls(container_domain) +kernel_read_messages(container_t) +kernel_read_network_state(container_domain) +kernel_dontaudit_write_proc_files(container_domain) + +# Container Net Domain +corenet_tcp_bind_generic_node(container_net_domain) +corenet_udp_bind_generic_node(container_net_domain) +corenet_raw_bind_generic_node(container_net_domain) +corenet_tcp_sendrecv_all_ports(container_net_domain) +corenet_udp_sendrecv_all_ports(container_net_domain) +corenet_udp_bind_all_ports(container_net_domain) +corenet_tcp_bind_all_ports(container_net_domain) +corenet_tcp_connect_all_ports(container_net_domain) + +allow container_net_domain self:udp_socket create_socket_perms; +allow container_net_domain self:tcp_socket create_stream_socket_perms; +allow container_net_domain self:tun_socket create_socket_perms; +allow container_net_domain self:netlink_route_socket create_netlink_socket_perms; +allow container_net_domain self:sctp_socket listen; +allow container_net_domain self:packet_socket create_socket_perms; +allow container_net_domain self:socket create_socket_perms; +allow container_net_domain self:rawip_socket create_stream_socket_perms; +allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms; +allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms; + +allow container_domain spc_t:unix_stream_socket { read write }; +kernel_unlabeled_domtrans(container_runtime_domain, spc_t) +kernel_unlabeled_entry_type(spc_t) +allow container_runtime_domain unlabeled_t:key manage_key_perms; +#kernel_dontaudit_write_usermodehelper_state(container_t) +gen_require(` + type usermodehelper_t; +') +dontaudit container_domain usermodehelper_t:file write; + +sysnet_read_config(container_domain) + +allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; + +optional_policy(` + gssproxy_stream_connect(container_domain) +') + +optional_policy(` + rpm_read_cache(container_domain) + rpm_read_db(container_domain) + rpm_transition_script(spc_t, system_r) +') + +optional_policy(` + sssd_stream_connect(container_domain) +') + +optional_policy(` + systemd_dbus_chat_logind(container_domain) +') + +tunable_policy(`container_manage_cgroup',` + fs_manage_cgroup_dirs(container_domain) + fs_manage_cgroup_files(container_domain) +') + +storage_rw_fuse(container_domain) +allow container_domain fusefs_t:file { mounton execmod }; +allow container_domain fusefs_t:filesystem remount; + +tunable_policy(`virt_sandbox_use_netlink',` + allow container_domain self:netlink_socket create_socket_perms; + allow container_domain self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; +', ` + logging_dontaudit_send_audit_msgs(container_domain) +') + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(container_t) +') + +optional_policy(` + gen_require(` + type sysctl_kernel_ns_last_pid_t; + ') + + kernel_search_network_sysctl(container_domain) + allow container_domain sysctl_kernel_ns_last_pid_t:file rw_file_perms; + allow container_domain sysctl_kernel_ns_last_pid_t:dir list_dir_perms; +') + +tunable_policy(`virt_sandbox_use_all_caps',` + allow container_domain self:capability ~{ sys_module }; + allow container_domain self:capability2 ~{ mac_override mac_admin }; + allow container_domain self:cap_userns ~{ sys_module }; + allow container_domain self:cap2_userns ~{ mac_override mac_admin }; +') + +tunable_policy(`virt_sandbox_use_mknod',` + allow container_domain self:capability mknod; + allow container_domain self:cap_userns mknod; +') + +optional_policy(` + gen_require(` + role unconfined_r; + type unconfined_service_t; + type unconfined_service_exec_t; + ') + + virt_transition_svirt_sandbox(unconfined_service_t, system_r) + container_filetrans_named_content(unconfined_service_t) + container_runtime_domtrans(unconfined_service_t) + role_transition unconfined_r unconfined_service_exec_t system_r; + allow container_runtime_domain unconfined_service_t:fifo_file setattr; + allow unconfined_service_t container_domain:process dyntransition; + allow unconfined_service_t unlabeled_t:key manage_key_perms; +') + +optional_policy(` + gen_require(` + attribute unconfined_domain_type; + ') + + container_filetrans_named_content(unconfined_domain_type) + allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition }; + allow unconfined_domain_type unlabeled_t:key manage_key_perms; +') + +# +# container_userns_t policy +# +container_domain_template(container_userns, container) + +typeattribute container_userns_t sandbox_net_domain, container_user_domain; +dev_mount_sysfs_fs(container_userns_t) +dev_mounton_sysfs(container_userns_t) + +fs_mount_tmpfs(container_userns_t) +fs_unmount_tmpfs(container_userns_t) +fs_relabelfrom_tmpfs(container_userns_t) +fs_remount_cgroup(container_userns_t) + +kernel_mount_proc(container_userns_t) +kernel_mounton_proc(container_userns_t) + +term_use_generic_ptys(container_userns_t) +term_setattr_generic_ptys(container_userns_t) +term_mount_pty_fs(container_userns_t) + +allow container_userns_t self:capability ~{ sys_module }; +allow container_userns_t self:capability2 ~{ mac_override mac_admin }; +allow container_userns_t self:cap_userns ~{ sys_module }; +allow container_userns_t self:cap2_userns ~{ mac_override mac_admin }; +allow container_userns_t self:capability mknod; +allow container_userns_t self:cap_userns mknod; + +optional_policy(` + gen_require(` + type proc_t, proc_kcore_t; + type sysctl_t, sysctl_irq_t; + ') + + allow container_userns_t proc_t:filesystem { remount }; + allow container_userns_t proc_kcore_t:file mounton; + allow container_userns_t sysctl_irq_t:dir mounton; + allow container_userns_t sysctl_t:dir mounton; + allow container_userns_t sysctl_t:file mounton; +') + + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow container_userns_t self:capability sys_admin; + allow container_userns_t self:cap_userns sys_admin; +') + +# Container Logreader +container_domain_template(container_logreader, container) +typeattribute container_logreader_t container_net_domain; +logging_read_all_logs(container_logreader_t) +# Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges +allow container_logreader_t logfile:lnk_file read_lnk_file_perms; +logging_read_audit_log(container_logreader_t) +logging_list_logs(container_logreader_t) + +# Container Logwriter +container_domain_template(container_logwriter, container) +typeattribute container_logwriter_t container_net_domain; +logging_read_all_logs(container_logwriter_t) +manage_files_pattern(container_logwriter_t, logfile, logfile) +manage_dirs_pattern(container_logwriter_t, logfile, logfile) +manage_lnk_files_pattern(container_logwriter_t, logfile, logfile) +logging_manage_audit_log(container_logwriter_t) + +optional_policy(` + gen_require(` + type sysadm_t, staff_t, user_t; + role sysadm_r, staff_r, user_r; + attribute userdomain; + ') + + allow userdomain container_domain:process transition; + + can_exec(userdomain, container_runtime_exec_t) + container_manage_files(userdomain) + container_manage_share_dirs(userdomain) + container_manage_share_files(userdomain) + + allow userdomain conmon_exec_t:file entrypoint; + container_runtime_run(sysadm_t, sysadm_r) + role sysadm_r types container_domain; + role sysadm_r types spc_t; + + container_runtime_run(staff_t, staff_r) + role staff_r types container_user_domain; + + allow userdomain self:cap_userns ~{ sys_module }; + container_read_state(userdomain) + allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh }; + container_runtime_run(user_t, user_r) + role user_r types container_user_domain; + + staff_role_change_to(system_r) + + allow staff_t container_runtime_t:process signal_perms; + allow staff_t container_domain:process signal_perms; + allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt }; +') + +gen_require(` + type init_t; +') +container_manage_lib_files(init_t) +container_manage_lib_dirs(init_t) +container_manage_share_files(init_t) +container_manage_share_dirs(init_t) +container_filetrans_named_content(init_t) +container_runtime_read_tmpfs_files(init_t) + +gen_require(` + attribute device_node; + type device_t; + attribute sysctl_type; +') +dontaudit container_domain device_node:chr_file setattr; +dontaudit container_domain sysctl_type:file write; +allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt }; + +allow container_t proc_t:filesystem remount; + +# Container kvm - Policy for running kata containers +container_domain_template(container_kvm, container) +typeattribute container_kvm_t container_net_domain, container_user_domain; + +type container_kvm_var_run_t; +files_pid_file(container_kvm_var_run_t) +filetrans_pattern(container_kvm_t, container_var_run_t, container_kvm_var_run_t, {file sock_file dir}) +filetrans_pattern(container_runtime_t, container_var_run_t, container_kvm_var_run_t, dir, "kata-containers") + +manage_dirs_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +manage_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +manage_fifo_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +manage_sock_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +manage_lnk_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file }) +files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file }) +allow container_kvm_t container_kvm_var_run_t:{file dir} mounton; + +allow container_kvm_t container_runtime_t:unix_stream_socket rw_stream_socket_perms; + +container_stream_connect(container_kvm_t) + +allow container_kvm_t container_runtime_t:tun_socket attach_queue; + +dev_rw_inherited_vhost(container_kvm_t) +dev_rw_vfio_dev(container_kvm_t) + +corenet_rw_inherited_tun_tap_dev(container_kvm_t) +corecmd_exec_shell(container_kvm_t) +corecmd_exec_bin(container_kvm_t) +corecmd_bin_entry_type(container_kvm_t) + +# virtiofs causes these AVC messages. +kernel_mount_proc(container_kvm_t) +kernel_mounton_proc(container_kvm_t) +kernel_unmount_proc(container_kvm_t) +kernel_dgram_send(container_kvm_t) +files_mounton_rootfs(container_kvm_t) + +auth_read_passwd(container_kvm_t) +logging_send_syslog_msg(container_kvm_t) + +optional_policy(` + qemu_entry_type(container_kvm_t) + qemu_exec(container_kvm_t) + allow container_kvm_t qemu_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; +') + +manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t) + +dev_rw_kvm(container_kvm_t) + +sssd_read_public_files(container_kvm_t) + +# Container init - Policy for running systemd based containers +container_domain_template(container_init, container) +typeattribute container_init_t container_init_domain, container_net_domain, container_user_domain; + +corenet_unconfined(container_init_t) + +allow container_init_t device_t:filesystem { remount unmount }; + +dev_mounton_sysfs(container_init_domain) + +fs_manage_cgroup_dirs(container_init_domain) +fs_manage_cgroup_files(container_init_domain) +fs_mounton_cgroup(container_init_domain) +fs_unmount_cgroup(container_init_domain) +fs_unmount_tmpfs(container_init_domain) + +kernel_mounton_proc(container_init_t) +kernel_unmount_proc(container_init_t) + +logging_send_syslog_msg(container_init_t) + +allow container_init_domain proc_t:filesystem remount; + +optional_policy(` + virt_default_capabilities(container_init_t) +') + +tunable_policy(`container_use_devices',` + allow container_domain device_node:chr_file {rw_chr_file_perms map}; + allow container_domain device_node:blk_file {rw_blk_file_perms map}; +') + +tunable_policy(`container_use_xserver_devices',` + dev_getattr_xserver_misc_dev(container_t) + dev_rw_xserver_misc(container_t) +') + +tunable_policy(`container_use_dri_devices',` + dev_rw_dri(container_domain) +') + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow container_init_t self:capability sys_admin; + allow container_init_t self:cap_userns sys_admin; +') + +allow container_init_domain self:netlink_audit_socket nlmsg_relay; + +# container_engine_t is for running a container engine within a container +# +container_domain_template(container_engine, container) +typeattribute container_engine_t container_net_domain; + +fs_mounton_cgroup(container_engine_t) +fs_unmount_cgroup(container_engine_t) +fs_manage_cgroup_dirs(container_engine_t) +fs_manage_cgroup_files(container_engine_t) +fs_write_cgroup_files(container_engine_t) +fs_remount_cgroup(container_engine_t) +fs_mount_all_fs(container_engine_t) +fs_remount_all_fs(container_engine_t) +fs_unmount_all_fs(container_engine_t) +kernel_mounton_all_sysctls(container_engine_t) +kernel_mount_proc(container_engine_t) +kernel_mounton_proc(container_engine_t) +kernel_mounton_core_if(container_engine_t) +kernel_mounton_systemd_ProtectKernelTunables(container_engine_t) +term_mount_pty_fs(container_engine_t) +term_use_generic_ptys(container_engine_t) + +allow container_engine_t container_file_t:chr_file mounton; +allow container_engine_t filesystem_type:{dir file} mounton; +allow container_engine_t proc_kcore_t:file mounton; +allow container_engine_t proc_t:filesystem remount; +allow container_engine_t sysctl_t:{dir file} mounton; +allow container_engine_t fusefs_t:dir { relabelfrom relabelto }; +allow container_engine_t fusefs_t:file relabelto; +allow container_engine_t kernel_t:system module_request; +allow container_engine_t null_device_t:chr_file mounton; +allow container_engine_t random_device_t:chr_file mounton; +allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read; +allow container_engine_t urandom_device_t:chr_file mounton; +allow container_engine_t zero_device_t:chr_file mounton; + +manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t) + +optional_policy(` + gen_require(` + type devtty_t; + ') + allow container_engine_t devtty_t:chr_file mounton; +') + +type kubelet_t, container_runtime_domain; +domain_type(kubelet_t) + +optional_policy(` + gen_require(` + role unconfined_r; + ') + role unconfined_r types kubelet_t; + unconfined_domain(kubelet_t) +') + +manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t) + +type kubelet_exec_t; +application_executable_file(kubelet_exec_t) +can_exec(container_runtime_t, kubelet_exec_t) +allow kubelet_t kubelet_exec_t:file entrypoint; + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mls_systemhigh) +') +mls_trusted_object(kubelet_t) + +init_daemon_domain(kubelet_t, kubelet_exec_t) + +admin_pattern(kubelet_t, kubernetes_file_t) + +optional_policy(` + gen_require(` + type sysadm_t; + role sysadm_r; + role unconfined_r; + ') + + container_kubelet_run(sysadm_t, sysadm_r) + + unconfined_run_to(kubelet_t, kubelet_exec_t) + role_transition unconfined_r kubelet_exec_t system_r; +') + +# Standard container which needs to be allowed to use any device +container_domain_template(container_device, container) +allow container_device_t device_node:chr_file rw_chr_file_perms; + +# Standard container which needs to be allowed to use any device and +# communicate with kubelet +container_domain_template(container_device_plugin, container) +allow container_device_plugin_t device_node:chr_file rw_chr_file_perms; +dev_rw_sysfs(container_device_plugin_t) +kernel_read_debugfs(container_device_plugin_t) +container_kubelet_stream_connect(container_device_plugin_t) + +# Standard container which needs to be allowed to use any device and +# modify kubelet configuration +container_domain_template(container_device_plugin_init, container) +allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms; +dev_rw_sysfs(container_device_plugin_init_t) +manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t) +manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t) +manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t) + +optional_policy(` + gen_require(` + type syslogd_t; + ') + + allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms; + logging_send_syslog_msg(container_runtime_t) +') + + +manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) + +tunable_policy(`sshd_launch_containers',` + gen_require(` + type sshd_t; + type systemd_logind_t; + type iptables_var_run_t; + ') + + container_runtime_domtrans(sshd_t) + dontaudit systemd_logind_t iptables_var_run_t:dir read; +') + +role container_user_r; +userdom_restricted_user_template(container_user) +userdom_manage_home_role(container_user_r, container_user_t) + +allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop }; + +role container_user_r types container_domain; +role container_user_r types container_user_domain; +role container_user_r types container_net_domain; +role container_user_r types container_file_type; +container_runtime_run(container_user_t, container_user_r) +unconfined_role_change_to(container_user_r) + +container_use_ptys(container_user_t) + +fs_manage_cgroup_dirs(container_user_t) +fs_manage_cgroup_files(container_user_t) + +selinux_compute_access_vector(container_user_t) +systemd_dbus_chat_hostnamed(container_user_t) +systemd_start_systemd_services(container_user_t) + +allow container_runtime_t container_user_t:process transition; +allow container_runtime_t container_user_t:process2 nnp_transition; +allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms; + +allow container_user_t container_file_t:chr_file manage_chr_file_perms; +allow container_user_t container_file_t:file entrypoint; + +allow container_domain container_file_t:file entrypoint; +allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read }; +allow container_domain container_var_lib_t:file entrypoint; +allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write }; + +corecmd_entrypoint_all_executables(container_kvm_t) +allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; +allow svirt_sandbox_domain mountpoint:file entrypoint; + +tunable_policy(`deny_ptrace',`',` + allow container_domain self:process ptrace; + allow spc_t self:process ptrace; +') diff --git a/customizable_types b/customizable_types new file mode 100644 index 0000000..854cbf6 --- /dev/null +++ b/customizable_types @@ -0,0 +1,13 @@ +sandbox_file_t +svirt_image_t +svirt_home_t +svirt_lxc_file_t +virt_content_t +httpd_user_htaccess_t +httpd_user_script_exec_t +httpd_user_rw_content_t +httpd_user_ra_content_t +httpd_user_content_t +git_session_content_t +home_bin_t +user_tty_device_t diff --git a/debug-build.sh b/debug-build.sh new file mode 100644 index 0000000..44a626f --- /dev/null +++ b/debug-build.sh @@ -0,0 +1,34 @@ +# This script creates a debugging and testing environment when working on the policy +# Basically a fancy wrapper for "tar --exclude-vcs -cJf selinux-policy-20230321.tar.xz --transform 's,^,selinux-policy-20230321/,' -C selinux-policy ." +# +# 1. Get the git repository with 'osc service manualrun' or './update.sh' +# 2. Do your changes in the selinux-policy repository, test around +# 1. When you want to build locally to debug, call this script. It will create a .tar.xz with your current selinux-policy working directory. +# 2. Build locally: e.g. with osc build +# 3. Test your rpms that contain your changes and repeat +# 3. When finished, commit your changes in the selinux-policy repository and push to git +# 4. Run './update.sh' and checkin the changes to OBS + +REPO_NAME=selinux-policy + +# Check if git repository exists, if not ask the user to fetch the latest version +if ! test -d "$REPO_NAME"; then + echo "-$REPO_NAME does not exist. Please run 'osc service manualrun' or './update.sh' first." + exit 1; +fi + +# Get current version: Parse "Version: " from specfile +VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec) + +# Create tar file with name like selinux-policy-.tar.xz +TAR_NAME=$REPO_NAME-$VERSION.tar.xz +echo "Creating tar file: $TAR_NAME" +tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME . + +# Some helpful prompts +if test $? -eq 0; then + echo "Success! Now you can run your local build command, e.g. 'osc build'. It will take the archive that contains your changes." + echo "You can also inspect the created archive with: 'tar tvf $REPO_NAME-$VERSION.tar.xz'" +else + echo "Error, creating archive failed" +fi diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist new file mode 100644 index 0000000..b316d2e --- /dev/null +++ b/file_contexts.subs_dist @@ -0,0 +1,22 @@ +/var/run /run +/var/lock /run/lock +/var/run/lock /var/lock +/lib /usr/lib +/lib64 /usr/lib +/usr/lib64 /usr/lib +/usr/local /usr +/usr/local/lib64 /usr/lib +/usr/local/lib32 /usr/lib +/etc/systemd/system /usr/lib/systemd/system +/run/systemd/system /usr/lib/systemd/system +/run/systemd/generator /usr/lib/systemd/system +/run/systemd/generator.early /usr/lib/systemd/system +/run/systemd/generator.late /usr/lib/systemd/system +/var/lib/xguest/home /home +/var/run/netconfig /etc +/var/adm/netconfig/md5/etc /etc +/var/adm/netconfig/md5/var /var +/usr/etc /etc +/bin /usr/bin +/sbin /usr/bin +/usr/sbin /usr/bin diff --git a/macros.selinux-policy b/macros.selinux-policy new file mode 100644 index 0000000..77f8aa9 --- /dev/null +++ b/macros.selinux-policy @@ -0,0 +1,187 @@ +# Copyright (C) 2017 Red Hat, Inc. All rights reserved. +# +# Author: Petr Lautrbach +# Author: Lukáš Vrabec +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +## Changes done for openSUSE/SUSE: +## - move /var/lib/rpm-state to /run/rpm-state and create that directory +## + +# RPM macros for packages installing SELinux modules + +%_selinux_policy_version SELINUXPOLICYVERSION + +%_selinux_store_path SELINUXSTOREPATH +%_selinux_store_policy_path %{_selinux_store_path}/${_policytype} + +%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts +%_file_context_file_pre /var/adm/update-scripts/file_contexts.pre + +%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom +%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp + +# %selinux_requires +%selinux_requires \ +Requires: selinux-policy >= %{_selinux_policy_version} \ +BuildRequires: pkgconfig(systemd) \ +BuildRequires: selinux-policy \ +BuildRequires: selinux-policy-devel \ +Requires(post): selinux-policy-base >= %{_selinux_policy_version} \ +Requires(post): libselinux-utils \ +Requires(post): policycoreutils \ +%if 0%{?fedora} || 0%{?rhel} > 7 || 0%{suse_version} > 1500\ +Requires(post): policycoreutils-python-utils \ +%else \ +Requires(post): policycoreutils-python \ +%endif \ +%{nil} + +# %selinux_modules_install [-s ] [-p ] module [module]... +%selinux_modules_install("s:p:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \ + %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ +fi \ +%{nil} + +# %selinux_modules_uninstall [-s ] [-p ] module [module]... +%selinux_modules_uninstall("s:p:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if [ $1 -eq 0 ]; then \ + if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \ + %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ + fi \ +fi \ +%{nil} + +# %selinux_relabel_pre [-s ] +%selinux_relabel_pre("s:") \ +if %{_sbindir}/selinuxenabled; then \ + if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ + fi \ + _policytype=%{-s*} \ + if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ + fi \ + if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + mkdir -p $(dirname %{_file_context_file_pre}) \ + [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \ + fi \ +fi \ +%{nil} + + +# %selinux_relabel_post [-s ] +%selinux_relabel_post("s:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + if [ -f %{_file_context_file_pre} ]; then \ + %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \ + rm -f %{_file_context_file_pre} \ + fi \ +fi \ +%{nil} + +# %selinux_set_booleans [-s ] boolean [boolean]... +%selinux_set_booleans("s:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if [ -d "%{_selinux_store_policy_path}" ]; then \ + LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \ + if [ ! -f %_file_custom_defined_booleans ]; then \ + /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \ + fi \ + semanage_import='' \ + for boolean in %*; do \ + boolean_name=${boolean%=*} \ + boolean_value=${boolean#*=} \ + boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \ + if [ -n "$boolean_local_string" ]; then \ + semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \ + boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \ + if [ -n "$boolean_customized_string" ]; then \ + /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \ + else \ + /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \ + fi \ + else \ + semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \ + boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \ + /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \ + fi \ + done; \ + if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \ + elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \ + /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \ + fi \ +fi \ +%{nil} + +# %selinux_unset_booleans [-s ] boolean [boolean]... +%selinux_unset_booleans("s:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if [ -d "%{_selinux_store_policy_path}" ]; then \ + semanage_import='' \ + for boolean in %*; do \ + boolean_name=${boolean%=*} \ + boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \ + if [ -n "$boolean_customized_string" ]; then \ + awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \ + if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \ + semanage_import="${semanage_import}\\n${boolean_customized_string}" \ + fi \ + fi \ + done; \ + if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \ + elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \ + /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \ + fi \ +fi \ +%{nil} diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf new file mode 100644 index 0000000..853e975 --- /dev/null +++ b/modules-minimum-base.conf @@ -0,0 +1,414 @@ +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = module + +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# Layer: kernel +# Module: unconfined +# +# The unlabelednet module. +# +unlabelednet = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + +# Layer: role +# Module: logadm +# +# Minimally prived root role for managing logging system +# +logadm = module + +# Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + +# Module: staff +# +# admin account +# +staff = module + +# Layer:role +# Module: sysadm +# +# System Administrator +# +sysadm = module + +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfineduser = module + +# Layer: role +# Module: unprivuser +# +# Minimally privs guest account on tty logins +# +unprivuser = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = module + +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: system +# Module: netlabel +# +# Basic netlabel types and interfaces. +# +netlabel = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Module: setrans +# Required in base +# +# Policy for setrans +# +setrans = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: systemd +# +# Policy for systemd components +# +systemd = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: contrib +# Module: packagekit +# +# Temporary permissive module for packagekit +# +packagekit = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module diff --git a/modules-minimum-contrib.conf b/modules-minimum-contrib.conf new file mode 100644 index 0000000..be139ed --- /dev/null +++ b/modules-minimum-contrib.conf @@ -0,0 +1,2609 @@ +# Layer: services +# Module: abrt +# +# Automatic bug detection and reporting tool +# +abrt = module + +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aiccu +# +# SixXS Automatic IPv6 Connectivity Client Utility +# +aiccu = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: services +# Module: ajaxterm +# +# Web Based Terminal +# +ajaxterm = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: contrib +# Module: antivirus +# +# SELinux policy for antivirus programs +# +antivirus = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: contrib +# Module: authconfig +# +# Authorization configuration tool +# +authconfig = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: module +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: services +# Module: bcfg2 +# +# Configuration management server +# +bcfg2 = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: contrib +# Module: rngd +# +# Daemon used to feed random data from hardware device to kernel random device +# +rngd = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: services +# Module: blueman +# +# Blueman tools and system services. +# +blueman = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: bumblebee +# +# Support NVIDIA Optimus technology under Linux +# +bumblebee = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: services +# Module: callweaver +# +# callweaver telephony sever +# +callweaver = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cfengine +# +# cfengine +# +cfengine = module + +# Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: cloudform +# +# cloudform daemons +# +cloudform = module + +# Layer: services +# Module: cmirrord +# +# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster +# +cmirrord = module + +# Layer: services +# Module: cobbler +# +# cobbler +# +cobbler = module + +# Layer: services +# Module: collectd +# +# Statistics collection daemon for filling RRD files +# +collectd = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: condor +# +# policy for condor +# +condor = module + +# Layer: services +# Module: conman +# +# Conman is a program for connecting to remote consoles being managed by conmand +# +conman = module + +# Layer: services +# Module: consolekit +# +# ConsoleKit is a system daemon for tracking what users are logged +# +consolekit = module + +# Layer: services +# Module: couchdb +# +# Apache CouchDB database server +# +couchdb = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: ctdbd +# +# Cluster Daemon +# +ctdb = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. +# +dcc = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: services +# Module: denyhosts +# +# script to help thwart ssh server attacks +# +denyhosts = module + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: dirsrv-admin +# +# An 309 directory admin server +# +dirsrv-admin = module + +# Layer: services +# Module: dirsrv +# +# An 309 directory server +# +dirsrv = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: drbd +# +# DRBD mirrors a block device over the network to another machine. +# +drbd = module + +# Layer: services +# Module: dspam +# +# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering +# +dspam = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fcoe +# +# fcoe +# +fcoe = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: services +# Module: freqset +# +# Utility for CPU frequency scaling +# +freqset = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: contrib +# Module: glusterd +# +# policy for glusterd service +# +glusterd = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Module: gssproxy +# +# A proxy for GSSAPI credential handling +# +# +gssproxy = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: role +# Module: xguest +# +# Minimally privs guest account on X Windows logins +# +xguest = module + +# Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services +# Module: hostapd +# +# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator +# +hostapd = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + +# Layer: services +# Module: icecast +# +# ShoutCast compatible streaming media server +# +icecast = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: services +# Module: lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. +# +lircd = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: system +# Module: isnsd +# +# +# +isns = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: jetty +# +# Java based http server +# +jetty = module + +# Layer: apps +# Module: jockey +# +# policy for jockey-backend +# +jockey = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: admin +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: keepalived +# +# keepalived - load-balancing and high-availability service +# +keepalived = module + +# Module: keyboardd +# +# system-setup-keyboard is a keyboard layout daemon that monitors +# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet +# +keyboardd = module + +# Layer: services +# Module: keystone +# +# openstack-keystone +# +keystone = module + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +# Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: l2ltpd +# +# Layer 2 Tunnelling Protocol Daemon +# +l2tp = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: likewise +# +# Likewise Active Directory support for UNIX +# +likewise = module + +# Layer: apps +# Module: livecd +# +# livecd creator +# +livecd = module + +# Layer: services +# Module: lldpad +# +# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon +# +lldpad = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: mailman +# +# Policy for mailscanner +# +mailscanner = module + +# Layer: apps +# Module: man2html +# +# policy for man2html apps +# +man2html = module + +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. +# +mcelog = module + +# Layer: apps +# Module: mediawiki +# +# mediawiki +# +mediawiki = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# +# +milter = module + +# Layer: services +# Module: mip6d +# +# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation +# +mip6d = module + +# Layer: services +# Module: mock +# +# Policy for mock rpm builder +# +mock = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. +# +modemmanager = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: services +# Module: mpd +# +# mpd - daemon for playing music +# +mpd = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: contrib +# Module: mythtv +# +# Policy for Mythtv (Web Server) +# +mythtv = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: ninfod +# +# Respond to IPv6 Node Information Queries +# +ninfod = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nova +# +# openstack-nova +# +nova = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: numad +# +# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology +# +numad = module + +# Layer: services +# Module: nut +# +# nut - Network UPS Tools +# +nut = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + +# Layer: services +# Module: obex +# +# policy for obex-data-server +# +obex = module + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = off + +# Layer: service +# Module: openct +# +# Middleware framework for smart card terminals +# +openct = module + +# Layer: contrib +# Module: openshift-origin +# +# Origin version of openshift policy +# +openshift-origin = module +# Layer: contrib +# Module: openshift +# +# Core openshift policy +# +openshift = module + +# Layer: services +# Module: opensm +# +# InfiniBand subnet manager and administration (SM/SA) +# +opensm = module + +# Layer: services +# Module: openvpn +# +# Policy for OPENVPN full-featured SSL VPN solution +# +openvpn = module + +# Layer: contrib +# Module: openvswitch +# +# SELinux policy for openvswitch programs +# +openvswitch = module + +# Layer: services +# Module: openwsman +# +# WS-Management Server +# +openwsman = module + +# Layer: services +# Module: osad +# +# Client-side service written in Python that responds to pings +# +osad = module + +# Layer: contrib +# Module: prelude +# +# SELinux policy for prelude +# +prelude = module + +# Layer: contrib +# Module: prosody +# +# SELinux policy for prosody flexible communications server for Jabber/XMPP +# +prosody = module + +# Layer: services +# Module: pads +# +pads = module + +# Layer: services +# Module: passenger +# +# Passenger +# +passenger = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: service +# Module: pcscd +# +# PC/SC Smart Card Daemon +# +pcscd = module + +# Layer: services +# Module: pdns +# +# PowerDNS DNS server +# +pdns = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + +# Layer: services +# Module: pingd +# +# +pingd = module + +# Layer: services +# Module: piranha +# +# piranha - various tools to administer and configure the Linux Virtual Server +# +piranha = module + +# Layer: contrib +# Module: pkcs +# +# daemon manages PKCS#11 objects between PKCS#11-enabled applications +# +pkcs = module + +# Layer: services +# Module: plymouthd +# +# Plymouth +# +plymouthd = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + +# Layer: services +# Module: policykit +# +# Hardware abstraction layer +# +policykit = module + +# Layer: services +# Module: polipo +# +# polipo +# +polipo = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: apps +# Module: pulseaudio +# +# The PulseAudio Sound System +# +pulseaudio = module + +# Layer: services +# Module: puppet +# +# A network tool for managing many disparate systems +# +puppet = module + +# Layer: apps +# Module: pwauth +# +# External plugin for mod_authnz_external authenticator +# +pwauth = module + +# Layer: services +# Module: qmail +# +# Policy for qmail +# +qmail = module + +# Layer: services +# Module: qpidd +# +# Policy for qpidd +# +qpid = module + +# Layer: services +# Module: quantum +# +# Quantum is a virtual network service for Openstack +# +quantum = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: services +# Module: rabbitmq +# +# rabbitmq daemons +# +rabbitmq = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: services +# Module: rasdaemon +# +# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing +# +rasdaemon = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: contrib +# Module: stapserver +# +# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA +# +realmd = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module + +# Layer: services +# Module: rhev +# +# rhev policy module contains policies for rhev apps +# +rhev = module + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = module + +# Layer: services +# Module: rhsmcertd +# +# Subscription Management Certificate Daemon policy +# +rhsmcertd = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = module + +# Layer: apps +# Module: rssh +# +# Restricted (scp/sftp) only shell +# +rssh = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services +# Module: rwho +# +# who is logged in on local machines +# +rwho = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +sambagui = module + +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a sandbox +# +sandbox = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a X sandbox +# +sandboxX = module + +# Layer: services +# Module: sanlock +# +# sanlock policy +# +sanlock = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: sblim +# +# sblim +# +sblim = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: admin +# Module: sectoolm +# +# Policy for sectool-mechanism +# +sectoolm = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: contrib +# Module: sensord +# +# Sensor information logging daemon +# +sensord = module + +# Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = module + +# Layer: services +# Module: sge +# +# policy for grindengine MPI jobs +# +sge = module + +# Layer: admin +# Module: shorewall +# +# Policy for shorewall +# +shorewall = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: contrib +# Module: slpd +# +# OpenSLP server daemon to dynamically register services +# +slpd = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = off + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: smokeping +# +# Latency Logging and Graphing System +# +smokeping = module + +# Layer: admin +# Module: smoltclient +# +#The Fedora hardware profiler client +# +smoltclient = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: admin +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: speech-dispatcher +# +# speech-dispatcher - server process managing speech requests in Speech Dispatcher +# +speech-dispatcher = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: services +# Module: sslh +# +# Applicative protocol(SSL/SSH) multiplexer +# +sslh = module + +# Layer: contrib +# Module: stapserver +# +# Instrumentation System Server +# +stapserver = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: svnserve +# +# policy for subversion service +# +svnserve = module + +# Layer: services +# Module: swift +# +# openstack-swift +# +swift = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: tcsd +# +# tcsd - daemon that manages Trusted Computing resources +# +tcsd = module + +# Layer: apps +# Module: telepathy +# +# telepathy - Policy for Telepathy framework +# +telepathy = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + +# Layer: apps +# Module: thumb +# +# Thumbnailer confinement +# +thumb = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = off + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: contrib +# Module: glusterd +# +# policy for tomcat service +# +tomcat = module +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: services +# Module: ulogd +# +# netfilter/iptables ULOG daemon +# +ulogd = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: services +# Module: usbmuxd +# +# Daemon for communicating with Apple's iPod Touch and iPhone +# +usbmuxd = module + +# Layer: apps +# Module: userhelper +# +# A helper interface to pam. +# +userhelper = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: uuidd +# +# UUID generation daemon +# +uuidd = module + +# Layer: services +# Module: varnishd +# +# Varnishd http accelerator daemon +# +varnishd = module + +# Layer: services +# Module: vdagent +# +# vdagent +# +vdagent = module + +# Layer: services +# Module: vhostmd +# +# vhostmd - spice guest agent daemon. +# +vhostmd = module + +# Layer: services +# Module: virt +# +# Virtualization libraries +# +virt = module + +# Layer: apps +# Module: vhostmd +# +# vlock - Virtual Console lock program +# +vlock = module + +# Layer: services +# Module: vmtools +# +# VMware Tools daemon +# +vmtools = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: services +# Module: vnstatd +# +# Network traffic Monitor +# +vnstatd = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: services +# Module: w3c +# +# w3c +# +w3c = module + +# Layer: services +# Module: wdmd +# +# wdmd policy +# +wdmd = module + +# Layer: role +# Module: webadm +# +# Minimally prived root role for managing apache +# +webadm = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# wine executable +# +wine = module + +# Layer: apps +# Module: wireshark +# +# wireshark executable +# +wireshark = module + +# Layer: system +# Module: xen +# +# virtualization software +# +xen = module + +# Layer: services +# Module: zabbix +# +# Open-source monitoring solution for your IT infrastructure +# +zabbix = module + +# Layer: services +# Module: zarafa +# +# Zarafa Collaboration Platform +# +zarafa = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: zoneminder +# +# Zoneminder Camera Security Surveillance Solution +# +zoneminder = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + +# Layer: contrib +# Module: thin +# +# Policy for thin +# +thin = module + +# Layer: contrib +# Module: mandb +# +# Policy for mandb +# +mandb = module + +# Layer: services +# Module: pki +# +# policy for pki +# +pki = module + +# Layer: services +# Module: smsd +# +# policy for smsd +# +smsd = module + +# Layer: contrib +# Module: pesign +# +# policy for pesign +# +pesign = module + +# Layer: contrib +# Module: nsd +# +# Fast and lean authoritative DNS Name Server +# +nsd = module + +# Layer: contrib +# Module: iodine +# +# Fast and lean authoritative DNS Name Server +# +iodine = module + +# Layer: contrib +# Module: openhpid +# +# OpenHPI daemon runs as a background process and accepts connecti +# +openhpid = module + +# Layer: contrib +# Module: watchdog +# +# Watchdog policy +# +watchdog = module + +# Layer: contrib +# Module: oracleasm +# +# oracleasm policy +# +oracleasm = module + +# Layer: contrib +# Module: redis +# +# redis policy +# +redis = module + +# Layer: contrib +# Module: hypervkvp +# +# hypervkvp policy +# +hypervkvp = module + +# Layer: contrib +# Module: lsm +# +# lsm policy +# +lsm = module + +# Layer: contrib +# Module: motion +# +# Daemon for detect motion using a video4linux device +motion = module + +# Layer: contrib +# Module: rtas +# +# rtas policy +# +rtas = module + +# Layer: contrib +# Module: journalctl +# +# journalctl policy +# +journalctl = module + +# Layer: contrib +# Module: gdomap +# +# gdomap policy +# +gdomap = module + +# Layer: contrib +# Module: minidlna +# +# minidlna policy +# +minidlna = module + +# Layer: contrib +# Module: minissdpd +# +# minissdpd policy +# +minissdpd = module + +# Layer: contrib +# Module: freeipmi +# +# Remote-Console (out-of-band) and System Management Software (in-band) +# based on IntelligentPlatform Management Interface specification +# +freeipmi = module + +# Layer: contrib +# Module: mirrormanager +# +# mirrormanager policy +# +mirrormanager = module + +# Layer: contrib +# Module: snapper +# +# snapper policy +# +snapper = module + +# Layer: contrib +# Module: pcp +# +# pcp policy +# +pcp = module + +# Layer: contrib +# Module: geoclue +# +# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information +# +geoclue = module + +# Layer: contrib +# Module: rkhunter +# +# rkhunter policy for /var/lib/rkhunter +# +rkhunter = module + +# Layer: contrib +# Module: bacula +# +# bacula policy +# +bacula = module + +# Layer: contrib +# Module: rhnsd +# +# rhnsd policy +# +rhnsd = module + +# Layer: contrib +# Module: mongodb +# +# mongodb policy +# + +mongodb = module + +# Layer: contrib +# Module: iotop +# +# iotop policy +# + +iotop = module + +# Layer: contrib +# Module: kmscon +# +# kmscon policy +# + +kmscon = module + +# Layer: contrib +# Module: naemon +# +# naemon policy +# +naemon = module + +# Layer: contrib +# Module: brltty +# +# brltty policy +# +brltty = module + +# Layer: contrib +# Module: cpuplug +# +# cpuplug policy +# +cpuplug = module + +# Layer: contrib +# Module: mon_statd +# +# mon_statd policy +# +mon_statd = module + +# Layer: contrib +# Module: cinder +# +# openstack-cinder policy +# +cinder = module + +# Layer: contrib +# Module: linuxptp +# +# linuxptp policy +# +linuxptp = module + +# Layer: contrib +# Module: rolekit +# +# rolekit policy +# +rolekit = module + +# Layer: contrib +# Module: targetd +# +# targetd policy +# +targetd = module + +# Layer: contrib +# Module: hsqldb +# +# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. +# +hsqldb = module + +# Layer: contrib +# Module: blkmapd +# +# The blkmapd daemon performs device discovery and mapping for pNFS block layout client. +# +blkmapd = module + +# Layer: contrib +# Module: pkcs11proxyd +# +# pkcs11proxyd policy +# +pkcs11proxyd = module + +# Layer: contrib +# Module: ipmievd +# +# IPMI event daemon for sending events to syslog +# +ipmievd = module + +# Layer: contrib +# Module: openfortivpn +# +# Fortinet compatible SSL VPN daemons. +# +openfortivpn = module + +# Layer: contrib +# Module: fwupd +# +# fwupd is a daemon to allow session software to update device firmware. +# +fwupd = module + +# Layer: contrib +# Module: lttng-tools +# +# LTTng 2.x central tracing registry session daemon. +# +lttng-tools = module + +# Layer: contrib +# Module: rkt +# +# CLI for running app containers +# +rkt = module + +# Layer: contrib +# Module: opendnssec +# +# opendnssec +# +opendnssec = module + +# Layer: contrib +# Module: hwloc +# +# hwloc +# +hwloc = module + +# Layer: contrib +# Module: sbd +# +# sbd +# +sbd = module + +# Layer: contrib +# Module: tlp +# +# tlp +# +tlp = module + +# Layer: contrib +# Module: conntrackd +# +# conntrackd +# +conntrackd = module + +# Layer: contrib +# Module: tangd +# +# tangd +# +tangd = module + +# Layer: contrib +# Module: ibacm +# +# ibacm +# +ibacm = module + +# Layer: contrib +# Module: opafm +# +# opafm +# +opafm = module + +# Layer: contrib +# Module: boltd +# +# boltd +# +boltd = module + +# Layer: contrib +# Module: kpatch +# +# kpatch +# +kpatch = module diff --git a/modules-minimum-disable.lst b/modules-minimum-disable.lst new file mode 100644 index 0000000..b3fe239 --- /dev/null +++ b/modules-minimum-disable.lst @@ -0,0 +1 @@ +abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs diff --git a/modules-mls-base.conf b/modules-mls-base.conf new file mode 100644 index 0000000..29a3aa7 --- /dev/null +++ b/modules-mls-base.conf @@ -0,0 +1,380 @@ +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = module + +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# Layer: kernel +# Module: unlabelednet +# +# The unlabelednet module. +# +unlabelednet = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + +# Layer: role +# Module: logadm +# +# Minimally prived root role for managing logging system +# +logadm = module + +# Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Layer:role +# Module: staff +# +# admin account +# +staff = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + +# Layer:role +# Module: sysadm +# +# System Administrator +# +sysadm = module + +# Layer: role +# Module: unprivuser +# +# Minimally privs guest account on tty logins +# +unprivuser = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = module + +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: system +# Module: netlabel +# +# Basic netlabel types and interfaces. +# +netlabel = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Module: setrans +# Required in base +# +# Policy for setrans +# +setrans = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: systemd +# +# Policy for systemd components +# +systemd = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf new file mode 100644 index 0000000..509900e --- /dev/null +++ b/modules-mls-contrib.conf @@ -0,0 +1,1581 @@ +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: contrib +# Module: antivirus +# +# Anti-virus +# +antivirus = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: modules +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: cmirrord +# +# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster +# +cmirrord = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. +# +dcc = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for Mozilla and related web browsers +# +gpg = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Module: gssproxy +# +# A proxy for GSSAPI credential handling +# +# +gssproxy = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: admin +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. +# +lircd = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: lsm +# +# lsm policy +# +lsm = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: admin +# Module: mcelog +# +# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines. +# +mcelog = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# +# +milter = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. +# +modemmanager = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = off + +# Layer: service +# Module: openct +# +# Middleware framework for smart card terminals +# +openct = module + +# Layer: services +# Module: openvpn +# +# Policy for OPENVPN full-featured SSL VPN solution +# +openvpn = module + +# Layer: contrib +# Module: prelude +# +# SELinux policy for prelude +# +prelude = module + +# Layer: contrib +# Module: prosody +# +# SELinux policy for prosody flexible communications server for Jabber/XMPP +# +prosody = module + +# Layer: services +# Module: pads +# +pads = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: service +# Module: pcscd +# +# PC/SC Smart Card Daemon +# +pcscd = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + + +# Layer: services +# Module: pingd +# +# +pingd = module + +# Layer: services +# Module: piranha +# +# piranha - various tools to administer and configure the Linux Virtual Server +# +piranha = module + +# Layer: services +# Module: plymouthd +# +# Plymouth +# +plymouthd = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + +# Layer: services +# Module: policykit +# +# Hardware abstraction layer +# +policykit = module + +# Layer: services +# Module: polipo +# +# polipo +# +polipo = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +o# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = module + +unprivuser = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: apps +# Module: pulseaudio +# +# The PulseAudio Sound System +# +pulseaudio = module + +# Layer: services +# Module: qmail +# +# Policy for qmail +# +qmail = module + +# Layer: services +# Module: qpidd +# +# Policy for qpidd +# +qpid = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services +# Module: rwho +# +# who is logged in on local machines +# +rwho = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +sambagui = module + +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = module + +# Layer: admin +# Module: shorewall +# +# Policy for shorewall +# +shorewall = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = off + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: admin +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: tcsd +# +# tcsd - daemon that manages Trusted Computing resources +# +tcsd = module + +# Layer: apps +# Module: telepathy +# +# telepathy - Policy for Telepathy framework +# +telepathy = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + +# Layer: apps +# Module: thumb +# +# Thumbnailer confinement +# +thumb = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = off + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: services +# Module: ulogd +# +# +# +ulogd = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: apps +# Module: userhelper +# +# A helper interface to pam. +# +userhelper = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: virt +# +# Virtualization libraries +# +virt = module + +# Layer: services +# Module: virt_supplementary +# +# non-libvirt virtualization libraries +# +virt_supplementary = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: contrib +# Module: openvswitch +# +# SELinux policy for openvswitch programs +# +openvswitch = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: services +# Module: w3c +# +# w3c +# +w3c = module + +# Layer: role +# Module: webadm +# +# Minimally prived root role for managing apache +# +webadm = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# wine executable +# +wine = module + +# Layer: apps +# Module: wireshark +# +# wireshark executable +# +wireshark = module + +# Layer: apps +# Module: wm +# +# X windows window manager +# +wm = module + +# Layer: system +# Module: xen +# +# virtualization software +# +xen = module + +# Layer: role +# Module: xguest +# +# Minimally privs guest account on X Windows logins +# +xguest = module + +# Layer: services +# Module: zabbix +# +# Open-source monitoring solution for your IT infrastructure +# +zabbix = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + +# Layer: contrib +# Module: mandb +# +# Policy for mandb +# +mandb = module diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf new file mode 100644 index 0000000..5e255b5 --- /dev/null +++ b/modules-targeted-base.conf @@ -0,0 +1,421 @@ +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = module + +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# Layer: kernel +# Module: unconfined +# +# The unlabelednet module. +# +unlabelednet = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + +# Layer: role +# Module: logadm +# +# Minimally prived root role for managing logging system +# +logadm = module + +# Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + +# Module: staff +# +# admin account +# +staff = module + +# Layer:role +# Module: sysadm +# +# System Administrator +# +sysadm = module + +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfineduser = module + +# Layer: role +# Module: unprivuser +# +# Minimally privs guest account on tty logins +# +unprivuser = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = module + +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: system +# Module: netlabel +# +# Basic netlabel types and interfaces. +# +netlabel = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Module: setrans +# Required in base +# +# Policy for setrans +# +setrans = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: systemd +# +# Policy for systemd components +# +systemd = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = module + +# Layer: contrib +# Module: packagekit +# +# Temporary permissive module for packagekit +# +packagekit = module + +# Layer: contrib +# Module: rtorrent +# +# Policy for rtorrent +# +rtorrent = module + +# Layer: contrib +# Module: wicked +# +# Policy for wicked +# +wicked = module + +# Layer: system +# Module: rebootmgr +# +# Policy for rebootmgr +# +rebootmgr = module diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf new file mode 100644 index 0000000..639d404 --- /dev/null +++ b/modules-targeted-contrib.conf @@ -0,0 +1,2784 @@ +# Layer: services +# Module: abrt +# +# Automatic bug detection and reporting tool +# +abrt = module + +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aiccu +# +# SixXS Automatic IPv6 Connectivity Client Utility +# +aiccu = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: services +# Module: ajaxterm +# +# Web Based Terminal +# +ajaxterm = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: contrib +# Module: antivirus +# +# SELinux policy for antivirus programs +# +antivirus = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: contrib +# Module: authconfig +# +# Authorization configuration tool +# +authconfig = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: module +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: services +# Module: bcfg2 +# +# Configuration management server +# +bcfg2 = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: contrib +# Module: rngd +# +# Daemon used to feed random data from hardware device to kernel random device +# +rngd = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: services +# Module: blueman +# +# Blueman tools and system services. +# +blueman = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: bumblebee +# +# Support NVIDIA Optimus technology under Linux +# +bumblebee = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: services +# Module: callweaver +# +# callweaver telephony sever +# +callweaver = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cfengine +# +# cfengine +# +cfengine = module + +# Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: cloudform +# +# cloudform daemons +# +cloudform = module + +# Layer: services +# Module: cmirrord +# +# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster +# +cmirrord = module + +# Layer: services +# Module: cobbler +# +# cobbler +# +cobbler = module + +# Layer: services +# Module: collectd +# +# Statistics collection daemon for filling RRD files +# +collectd = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: condor +# +# policy for condor +# +condor = module + +# Layer: services +# Module: conman +# +# Conman is a program for connecting to remote consoles being managed by conmand +# +conman = module + +# Layer: services +# Module: consolekit +# +# ConsoleKit is a system daemon for tracking what users are logged +# +consolekit = module + +# Layer: services +# Module: couchdb +# +# Apache CouchDB database server +# +couchdb = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: ctdbd +# +# Cluster Daemon +# +ctdb = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. +# +dcc = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: services +# Module: denyhosts +# +# script to help thwart ssh server attacks +# +denyhosts = module + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: dirsrv-admin +# +# An 309 directory admin server +# +dirsrv-admin = module + +# Layer: services +# Module: dirsrv +# +# An 309 directory server +# +dirsrv = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: drbd +# +# DRBD mirrors a block device over the network to another machine. +# +drbd = module + +# Layer: services +# Module: dspam +# +# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering +# +dspam = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fcoe +# +# fcoe +# +fcoe = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: services +# Module: freqset +# +# Utility for CPU frequency scaling +# +freqset = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: contrib +# Module: glusterd +# +# policy for glusterd service +# +glusterd = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Module: gssproxy +# +# A proxy for GSSAPI credential handling +# +# +gssproxy = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: role +# Module: xguest +# +# Minimally privs guest account on X Windows logins +# +xguest = module + +# Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services +# Module: hostapd +# +# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator +# +hostapd = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + +# Layer: services +# Module: icecast +# +# ShoutCast compatible streaming media server +# +icecast = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: services +# Module: lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. +# +lircd = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: system +# Module: isnsd +# +# +# +isns = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: jetty +# +# Java based http server +# +jetty = module + +# Layer: apps +# Module: jockey +# +# policy for jockey-backend +# +jockey = module + +# Layer: contrib +# Module: kanidm_unixd +# +# Kanidm Unix Integration Daemons and Tools +# +kanidm_unixd = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: admin +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: keepalived +# +# keepalived - load-balancing and high-availability service +# +keepalived = module + +# Module: keyboardd +# +# system-setup-keyboard is a keyboard layout daemon that monitors +# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet +# +keyboardd = module + +# Layer: services +# Module: keystone +# +# openstack-keystone +# +keystone = module + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +# Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: l2ltpd +# +# Layer 2 Tunnelling Protocol Daemon +# +l2tp = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: likewise +# +# Likewise Active Directory support for UNIX +# +likewise = module + +# Layer: apps +# Module: livecd +# +# livecd creator +# +livecd = module + +# Layer: services +# Module: lldpad +# +# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon +# +lldpad = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: mailman +# +# Policy for mailscanner +# +mailscanner = module + +# Layer: apps +# Module: man2html +# +# policy for man2html apps +# +man2html = module + +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. +# +mcelog = module + +# Layer: apps +# Module: mediawiki +# +# mediawiki +# +mediawiki = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# +# +milter = module + +# Layer: services +# Module: mip6d +# +# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation +# +mip6d = module + +# Layer: services +# Module: mock +# +# Policy for mock rpm builder +# +mock = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. +# +modemmanager = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: services +# Module: mpd +# +# mpd - daemon for playing music +# +mpd = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: contrib +# Module: mythtv +# +# Policy for Mythtv (Web Server) +# +mythtv = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: ninfod +# +# Respond to IPv6 Node Information Queries +# +ninfod = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nova +# +# openstack-nova +# +nova = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: numad +# +# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology +# +numad = module + +# Layer: services +# Module: nut +# +# nut - Network UPS Tools +# +nut = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + +# Layer: services +# Module: obex +# +# policy for obex-data-server +# +obex = module + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = off + +# Layer: service +# Module: openct +# +# Middleware framework for smart card terminals +# +openct = module + +# Layer: contrib +# Module: openshift-origin +# +# Origin version of openshift policy +# +openshift-origin = module +# Layer: contrib +# Module: openshift +# +# Core openshift policy +# +openshift = module + +# Layer: services +# Module: opensm +# +# InfiniBand subnet manager and administration (SM/SA) +# +opensm = module + +# Layer: services +# Module: openvpn +# +# Policy for OPENVPN full-featured SSL VPN solution +# +openvpn = module + +# Layer: contrib +# Module: openvswitch +# +# SELinux policy for openvswitch programs +# +openvswitch = module + +# Layer: services +# Module: openwsman +# +# WS-Management Server +# +openwsman = module + +# Layer: services +# Module: osad +# +# Client-side service written in Python that responds to pings +# +osad = module + +# Layer: contrib +# Module: prelude +# +# SELinux policy for prelude +# +prelude = module + +# Layer: contrib +# Module: prosody +# +# SELinux policy for prosody flexible communications server for Jabber/XMPP +# +prosody = module + +# Layer: services +# Module: pads +# +pads = module + +# Layer: services +# Module: passenger +# +# Passenger +# +passenger = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: service +# Module: pcscd +# +# PC/SC Smart Card Daemon +# +pcscd = module + +# Layer: services +# Module: pdns +# +# PowerDNS DNS server +# +pdns = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + +# Layer: services +# Module: pingd +# +# +pingd = module + +# Layer: services +# Module: piranha +# +# piranha - various tools to administer and configure the Linux Virtual Server +# +piranha = module + +# Layer: contrib +# Module: pkcs +# +# daemon manages PKCS#11 objects between PKCS#11-enabled applications +# +pkcs = module + +# Layer: services +# Module: plymouthd +# +# Plymouth +# +plymouthd = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + +# Layer: services +# Module: policykit +# +# Hardware abstraction layer +# +policykit = module + +# Layer: services +# Module: polipo +# +# polipo +# +polipo = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: apps +# Module: pulseaudio +# +# The PulseAudio Sound System +# +pulseaudio = module + +# Layer: services +# Module: puppet +# +# A network tool for managing many disparate systems +# +puppet = module + +# Layer: apps +# Module: pwauth +# +# External plugin for mod_authnz_external authenticator +# +pwauth = module + +# Layer: services +# Module: qmail +# +# Policy for qmail +# +qmail = module + +# Layer: services +# Module: qpidd +# +# Policy for qpidd +# +qpid = module + +# Layer: services +# Module: quantum +# +# Quantum is a virtual network service for Openstack +# +quantum = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: services +# Module: rabbitmq +# +# rabbitmq daemons +# +rabbitmq = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: services +# Module: rasdaemon +# +# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing +# +rasdaemon = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: contrib +# Module: stapserver +# +# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA +# +realmd = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module + +# Layer: services +# Module: rhev +# +# rhev policy module contains policies for rhev apps +# +rhev = module + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = module + +# Layer: services +# Module: rhsmcertd +# +# Subscription Management Certificate Daemon policy +# +rhsmcertd = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = module + +# Layer: apps +# Module: rssh +# +# Restricted (scp/sftp) only shell +# +rssh = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services +# Module: rwho +# +# who is logged in on local machines +# +rwho = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +sambagui = module + +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a sandbox +# +sandbox = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a X sandbox +# +sandboxX = module + +# Layer: services +# Module: sanlock +# +# sanlock policy +# +sanlock = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: sblim +# +# sblim +# +sblim = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: admin +# Module: sectoolm +# +# Policy for sectool-mechanism +# +sectoolm = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: contrib +# Module: sensord +# +# Sensor information logging daemon +# +sensord = module + +# Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = module + +# Layer: services +# Module: sge +# +# policy for grindengine MPI jobs +# +sge = module + +# Layer: admin +# Module: shorewall +# +# Policy for shorewall +# +shorewall = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: contrib +# Module: slpd +# +# OpenSLP server daemon to dynamically register services +# +slpd = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = off + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: smokeping +# +# Latency Logging and Graphing System +# +smokeping = module + +# Layer: admin +# Module: smoltclient +# +#The Fedora hardware profiler client +# +smoltclient = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: admin +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: speech-dispatcher +# +# speech-dispatcher - server process managing speech requests in Speech Dispatcher +# +speech-dispatcher = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: services +# Module: sslh +# +# Applicative protocol(SSL/SSH) multiplexer +# +sslh = module + +# Layer: contrib +# Module: stapserver +# +# Instrumentation System Server +# +stapserver = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: svnserve +# +# policy for subversion service +# +svnserve = module + +# Layer: services +# Module: swift +# +# openstack-swift +# +swift = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: tcsd +# +# tcsd - daemon that manages Trusted Computing resources +# +tcsd = module + +# Layer: apps +# Module: telepathy +# +# telepathy - Policy for Telepathy framework +# +telepathy = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + +# Layer: apps +# Module: thumb +# +# Thumbnailer confinement +# +thumb = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = off + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: contrib +# Module: glusterd +# +# policy for tomcat service +# +tomcat = module +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: services +# Module: ulogd +# +# netfilter/iptables ULOG daemon +# +ulogd = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: services +# Module: usbmuxd +# +# Daemon for communicating with Apple's iPod Touch and iPhone +# +usbmuxd = module + +# Layer: apps +# Module: userhelper +# +# A helper interface to pam. +# +userhelper = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: uuidd +# +# UUID generation daemon +# +uuidd = module + +# Layer: services +# Module: varnishd +# +# Varnishd http accelerator daemon +# +varnishd = module + +# Layer: services +# Module: vdagent +# +# vdagent +# +vdagent = module + +# Layer: services +# Module: vhostmd +# +# vhostmd - spice guest agent daemon. +# +vhostmd = module + +# Layer: services +# Module: virt +# +# Virtualization libraries +# +virt = module + +# Layer: services +# Module: virt_supplementary +# +# non-libvirt virtualization libraries +# +virt_supplementary = module + +# Layer: apps +# Module: vhostmd +# +# vlock - Virtual Console lock program +# +vlock = module + +# Layer: services +# Module: vmtools +# +# VMware Tools daemon +# +vmtools = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: services +# Module: vnstatd +# +# Network traffic Monitor +# +vnstatd = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: services +# Module: w3c +# +# w3c +# +w3c = module + +# Layer: services +# Module: wdmd +# +# wdmd policy +# +wdmd = module + +# Layer: role +# Module: webadm +# +# Minimally prived root role for managing apache +# +webadm = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# wine executable +# +wine = module + +# Layer: apps +# Module: wireshark +# +# wireshark executable +# +wireshark = module + +# Layer: system +# Module: xen +# +# virtualization software +# +xen = module + +# Layer: services +# Module: zabbix +# +# Open-source monitoring solution for your IT infrastructure +# +zabbix = module + +# Layer: services +# Module: zarafa +# +# Zarafa Collaboration Platform +# +zarafa = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: zoneminder +# +# Zoneminder Camera Security Surveillance Solution +# +zoneminder = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + +# Layer: contrib +# Module: thin +# +# Policy for thin +# +thin = module + +# Layer: contrib +# Module: mandb +# +# Policy for mandb +# +mandb = module + +# Layer: services +# Module: pki +# +# policy for pki +# +pki = module + +# Layer: services +# Module: smsd +# +# policy for smsd +# +smsd = module + +# Layer: contrib +# Module: pesign +# +# policy for pesign +# +pesign = module + +# Layer: contrib +# Module: nsd +# +# Fast and lean authoritative DNS Name Server +# +nsd = module + +# Layer: contrib +# Module: iodine +# +# Fast and lean authoritative DNS Name Server +# +iodine = module + +# Layer: contrib +# Module: openhpid +# +# OpenHPI daemon runs as a background process and accepts connecti +# +openhpid = module + +# Layer: contrib +# Module: watchdog +# +# Watchdog policy +# +watchdog = module + +# Layer: contrib +# Module: oracleasm +# +# oracleasm policy +# +oracleasm = module + +# Layer: contrib +# Module: redis +# +# redis policy +# +redis = module + +# Layer: contrib +# Module: hypervkvp +# +# hypervkvp policy +# +hypervkvp = module + +# Layer: contrib +# Module: lsm +# +# lsm policy +# +lsm = module + +# Layer: contrib +# Module: motion +# +# Daemon for detect motion using a video4linux device +motion = module + +# Layer: contrib +# Module: rtas +# +# rtas policy +# +rtas = module + +# Layer: contrib +# Module: journalctl +# +# journalctl policy +# +journalctl = module + +# Layer: contrib +# Module: gdomap +# +# gdomap policy +# +gdomap = module + +# Layer: contrib +# Module: minidlna +# +# minidlna policy +# +minidlna = module + +# Layer: contrib +# Module: minissdpd +# +# minissdpd policy +# +minissdpd = module + +# Layer: contrib +# Module: freeipmi +# +# Remote-Console (out-of-band) and System Management Software (in-band) +# based on IntelligentPlatform Management Interface specification +# +freeipmi = module + +# Layer: contrib +# Module: mirrormanager +# +# mirrormanager policy +# +mirrormanager = module + +# Layer: contrib +# Module: snapper +# +# snapper policy +# +snapper = module + +# Layer: contrib +# Module: pcp +# +# pcp policy +# +pcp = module + +# Layer: contrib +# Module: geoclue +# +# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information +# +geoclue = module + +# Layer: contrib +# Module: rkhunter +# +# rkhunter policy for /var/lib/rkhunter +# +rkhunter = module + +# Layer: contrib +# Module: bacula +# +# bacula policy +# +bacula = module + +# Layer: contrib +# Module: rhnsd +# +# rhnsd policy +# +rhnsd = module + +# Layer: contrib +# Module: mongodb +# +# mongodb policy +# + +mongodb = module + +# Layer: contrib +# Module: iotop +# +# iotop policy +# + +iotop = module + +# Layer: contrib +# Module: kmscon +# +# kmscon policy +# + +kmscon = module + +# Layer: contrib +# Module: naemon +# +# naemon policy +# +naemon = module + +# Layer: contrib +# Module: brltty +# +# brltty policy +# +brltty = module + +# Layer: contrib +# Module: cpuplug +# +# cpuplug policy +# +cpuplug = module + +# Layer: contrib +# Module: mon_statd +# +# mon_statd policy +# +mon_statd = module + +# Layer: contrib +# Module: cinder +# +# openstack-cinder policy +# +cinder = module + +# Layer: contrib +# Module: linuxptp +# +# linuxptp policy +# +linuxptp = module + +# Layer: contrib +# Module: rolekit +# +# rolekit policy +# +rolekit = module + +# Layer: contrib +# Module: targetd +# +# targetd policy +# +targetd = module + +# Layer: contrib +# Module: hsqldb +# +# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. +# +hsqldb = module + +# Layer: contrib +# Module: blkmapd +# +# The blkmapd daemon performs device discovery and mapping for pNFS block layout client. +# +blkmapd = module + +# Layer: contrib +# Module: pkcs11proxyd +# +# pkcs11proxyd policy +# +pkcs11proxyd = module + +# Layer: contrib +# Module: ipmievd +# +# IPMI event daemon for sending events to syslog +# +ipmievd = module + +# Layer: contrib +# Module: openfortivpn +# +# Fortinet compatible SSL VPN daemons. +# +openfortivpn = module + +# Layer: contrib +# Module: fwupd +# +# fwupd is a daemon to allow session software to update device firmware. +# +fwupd = module + +# Layer: contrib +# Module: lttng-tools +# +# LTTng 2.x central tracing registry session daemon. +# +lttng-tools = module + +# Layer: contrib +# Module: rkt +# +# CLI for running app containers +# +rkt = module + +# Layer: contrib +# Module: opendnssec +# +# opendnssec +# +opendnssec = module + +# Layer: contrib +# Module: hwloc +# +# hwloc +# +hwloc = module + +# Layer: contrib +# Module: sbd +# +# sbd +# +sbd = module + +# Layer: contrib +# Module: tlp +# +# tlp +# +tlp = module + +# Layer: contrib +# Module: conntrackd +# +# conntrackd +# +conntrackd = module + +# Layer: contrib +# Module: tangd +# +# tangd +# +tangd = module + +# Layer: contrib +# Module: ibacm +# +# ibacm +# +ibacm = module + +# Layer: contrib +# Module: opafm +# +# opafm +# +opafm = module + +# Layer: contrib +# Module: boltd +# +# boltd +# +boltd = module + +# Layer: contrib +# Module: kpatch +# +# kpatch +# +kpatch = module + +# Layer: contrib +# Module: timedatex +# +# timedatex +# +timedatex = module + +# Layer: contrib +# Module: rrdcached +# +# rrdcached +# +rrdcached = module + +# Layer: contrib +# Module: stratisd +# +# stratisd +# +stratisd = module + +# Layer: contrib +# Module: ica +# +# ica +# +ica = module + +# Layer: contrib +# Module: fedoratp +# +# fedoratp +# +fedoratp = module + +# Layer: contrib +# Module: stalld +# +# stalld +# +stalld = module + +# Layer: contrib +# Module: rhcd +# +# rhcd +# +rhcd = module + +# Layer: contrib +# Module: wireguard +# +# wireguard +# +wireguard = module + +# Layer: contrib +# Module: keyutils +# +# keyutils - Linux Key Management Utilities +# +keyutils = module + +# Layer: contrib +# Module: cifsutils +# +# cifsutils - Utilities for managing CIFS mounts +# +cifsutils = module + +# Layer: contrib +# Module: boothd +# +# boothd - Booth cluster ticket manager +# +boothd = module + +# Layer: contrib +# Module: kafs +# +# kafs - Tools for kAFS +# +kafs = module + +# Layer: contrib +# Module: bootupd +# +# bootupd - bootloader update daemon +# +bootupd = module + +# Layer: contrib +# Module: fdo +# +# fdo - fido device onboard protocol for IoT devices +# +fdo = module + +# Layer: contrib +# Module: qatlib +# +# qatlib - Intel QuickAssist technology library and resources management +# +qatlib = module + +# Layer: contrib +# Module: afterburn +# +# afterburn +# +afterburn = module + +# Layer: contrib +# Module: nvme_stas +# +# nvme_stas +# +nvme_stas = module + +# Layer: contrib +# Module: coreos_installer +# +# coreos_installer +# +coreos_installer = module + +## Layer: contrib +## Module: libalternatives +## +## libalternatives +## +libalternatives = module + +## Layer: contrib +## Module: kiwi +## +## kiw +## +kiwi = module + +# Layer: contrib +# Module: sap +# +# sap +# +sap = module diff --git a/securetty_types-minimum b/securetty_types-minimum new file mode 100644 index 0000000..d13f103 --- /dev/null +++ b/securetty_types-minimum @@ -0,0 +1,4 @@ +console_device_t +sysadm_tty_device_t +user_tty_device_t +staff_tty_device_t diff --git a/securetty_types-mls b/securetty_types-mls new file mode 100644 index 0000000..c65327a --- /dev/null +++ b/securetty_types-mls @@ -0,0 +1,6 @@ +console_device_t +sysadm_tty_device_t +user_tty_device_t +staff_tty_device_t +auditadm_tty_device_t +secureadm_tty_device_t diff --git a/securetty_types-targeted b/securetty_types-targeted new file mode 100644 index 0000000..d13f103 --- /dev/null +++ b/securetty_types-targeted @@ -0,0 +1,4 @@ +console_device_t +sysadm_tty_device_t +user_tty_device_t +staff_tty_device_t diff --git a/selinux-policy-20240715.tar.xz b/selinux-policy-20240715.tar.xz new file mode 100644 index 0000000..997589e --- /dev/null +++ b/selinux-policy-20240715.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2d29e5ff3f3f662f1da11bfa16c1549beb0e61685732e2f2e7f92c79ec48069d +size 770288 diff --git a/selinux-policy-20240726.tar.xz b/selinux-policy-20240726.tar.xz new file mode 100644 index 0000000..08ac64b --- /dev/null +++ b/selinux-policy-20240726.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0443ed2d643511f4e49308a6cb7c2f8664f6db5d2ff686fa6a793f594b8e2262 +size 770456 diff --git a/selinux-policy-20240802.tar.xz b/selinux-policy-20240802.tar.xz new file mode 100644 index 0000000..abb9e01 --- /dev/null +++ b/selinux-policy-20240802.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:389eb6d0c87588ac97f19506ee185209b08b0d82362746eb4d352e72aa1c9af2 +size 770836 diff --git a/selinux-policy-20240808.tar.xz b/selinux-policy-20240808.tar.xz new file mode 100644 index 0000000..06bdeb0 --- /dev/null +++ b/selinux-policy-20240808.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5b7e0c0db7b898402fee3f9257f17cf8af6fb5e43a2c8a1d0b791705a9db4150 +size 773280 diff --git a/selinux-policy-rpmlintrc b/selinux-policy-rpmlintrc new file mode 100644 index 0000000..b3f69e8 --- /dev/null +++ b/selinux-policy-rpmlintrc @@ -0,0 +1,9 @@ +addFilter("W: non-conffile-in-etc.*") +addFilter("W: zero-length /etc/selinux/.*") +addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512") +addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512") +addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512") +addFilter("W: files-duplicate") +addFilter("E: files-duplicated-waste") +addFilter("W: zero-length") + diff --git a/selinux-policy.changes b/selinux-policy.changes new file mode 100644 index 0000000..94b6827 --- /dev/null +++ b/selinux-policy.changes @@ -0,0 +1,2151 @@ +------------------------------------------------------------------- +Thu Aug 08 12:24:12 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240808: + * Use new kanidm interfaces + * Initial module for kanidm + * Update bootupd policy + * Allow rhsmcertd read/write access to /dev/papr-sysparm + * Label /dev/papr-sysparm and /dev/papr-vpd + * Allow abrt-dump-journal-core connect to winbindd + * Allow systemd-hostnamed shut down nscd + * Allow systemd-pstore send a message to syslogd over a unix domain + * Allow postfix_domain map postfix_etc_t files + * Allow microcode create /sys/devices/system/cpu/microcode/reload + * Allow rhsmcertd read, write, and map ica tmpfs files + * Support SGX devices + * Allow initrc_t transition to passwd_t + * Update fstab and cryptsetup generators policy + * Allow xdm_t read and write the dma device + * Update stalld policy for bpf usage + * Allow systemd_gpt_generator to getattr on DOS directories + * Make cgroup_memory_pressure_t a part of the file_type attribute + * Allow ssh_t to change role to system_r + * Update policy for coreos generators + * Allow init_t nnp domain transition to firewalld_t + * Label /run/modprobe.d with modules_conf_t + * Allow virtnodedevd run udev with a domain transition + * Allow virtnodedev_t create and use virtnodedev_lock_t + * Allow virtstoraged manage files with virt_content_t type + * Allow virtqemud unmount a filesystem with extended attributes + * Allow svirt_t connect to unconfined_t over a unix domain socket + * Update afterburn file transition policy + * Allow systemd_generator read attributes of all filesystems + * Allow fstab-generator read and write cryptsetup-generator unit file + * Allow cryptsetup-generator read and write fstab-generator unit file + * Allow systemd_generator map files in /etc + * Allow systemd_generator read init's process state + * Allow coreos-installer-generator read sssd public files + * Allow coreos-installer-generator work with partitions + * Label /etc/mdadm.conf.d with mdadm_conf_t + * Confine coreos generators + * Label /run/metadata with afterburn_runtime_t + * Allow afterburn list ssh home directory + * Label samba certificates with samba_cert_t + * Label /run/coreos-installer-reboot with coreos_installer_var_run_t + * Allow virtqemud read virt-dbus process state + * Allow staff user dbus chat with virt-dbus + * Allow staff use watch /run/systemd + * Allow systemd_generator to write kmsg + * Allow virtqemud connect to sanlock over a unix stream socket + * Allow virtqemud relabel virt_var_run_t directories + * Allow svirt_tcg_t read vm sysctls + * Allow virtnodedevd connect to systemd-userdbd over a unix socket + * Allow svirt read virtqemud fifo files + * Allow svirt attach_queue to a virtqemud tun_socket + * Allow virtqemud run ssh client with a transition + * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket + * Update keyutils policy + * Allow sshd_keygen_t connect to userdbd over a unix stream socket + * Allow postfix-smtpd read mysql config files + * Allow locate stream connect to systemd-userdbd + * Allow the staff user use wireshark + * Allow updatedb connect to userdbd over a unix stream socket + * Allow gpg_t set attributes of public-keys.d + * Allow gpg_t get attributes of login_userdomain stream + * Allow systemd_getty_generator_t read /proc/1/environ + * Allow systemd_getty_generator_t to read and write to tty_device_t + * Drop publicfile module + * Remove permissive domain for systemd_nsresourced_t + * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t + * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t + * Allow to create and delete socket files created by rhsm.service + * Allow virtnetworkd exec shell when virt_hooks_unconfined is on + * Allow unconfined_service_t transition to passwd_t + * Support /var is empty + * Allow abrt-dump-journal read all non_security socket files + * Allow timemaster write to sysfs files + * Dontaudit domain write cgroup files + * Label /usr/lib/node_modules/npm/bin with bin_t + * Allow ip the setexec permission + * Allow systemd-networkd write files in /var/lib/systemd/network + * Fix typo in systemd_nsresourced_prog_run_bpf() + +------------------------------------------------------------------- +Fri Aug 02 13:27:55 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240802: + * Dontaudit search of snapper grub plugin to nscd socket (bsc#1228745) + +------------------------------------------------------------------- +Wed Jul 31 16:18:29 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240731: + * Initial policy for ibft-rule-generator (bsc#1228402) + * Initial policy for systemd-status-mail (bsc#1228402) + +------------------------------------------------------------------- +Wed Jul 31 12:55:19 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240731: + * Fix labels for bind/named (bsc#1228372) + +------------------------------------------------------------------- +Mon Jul 29 15:50:11 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240729: + * Label /usr/libexec/netconfig/ppp/ip-up pppd_initrc_exec_t (bsc#1228385) + * Allow pppd to manage sysnet directories (bsc#1228385) + +------------------------------------------------------------------- +Fri Jul 26 13:38:26 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240726: + * Allow snapper grub plugin to manage unlabeled_t and read link files + +------------------------------------------------------------------- +Thu Jul 25 07:43:52 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240725: + * Initial policy for grub2 snapper plugin (bsc#1228205) + +------------------------------------------------------------------- +Tue Jul 16 10:57:07 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240716: + * Set microos autorelabel script to systemd_autorelabel_generator_t + * Allow systemd_generator to write kmsg + * Initial policy for systemd growpart-generator (bsc#1226824) + +------------------------------------------------------------------- +Mon Jul 15 11:55:43 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240715: + * Allow systemd_getty_generator_t read /proc/1/environ + * Allow systemd_getty_generator_t to read and write to tty_device_t (bsc#1226888) + +------------------------------------------------------------------- +Wed Jul 10 07:45:13 UTC 2024 - cathy.hu@suse.com + +- Enable sap module +- Add equivalency in file_contexts.subs_dist + * /bin /usr/bin + * /sbin /usr/bin + * /usr/sbin /usr/bin +- Update to version 20240710: + * Change fc in rebootmgr module for /sbin -> /usr/bin + * Change fc in rpm module for /sbin -> /usr/bin + * Change fc in rsync module for /sbin -> /usr/bin + * Change fc in wicked module for /sbin -> /usr/bin + * Confine libvirt-dbus + * Allow virtqemud the kill capability in user namespace + * Allow rshim get options of the netlink class for KOBJECT_UEVENT family + * Allow dhcpcd the kill capability + * Allow systemd-networkd list /var/lib/systemd/network + * Allow sysadm_t run systemd-nsresourced bpf programs + * Update policy for systemd generators interactions + * Allow create memory.pressure files with cgroup_memory_pressure_t + * Add support for libvirt hooks + * Allow certmonger read and write tpm devices + * Allow all domains to connect to systemd-nsresourced over a unix socket + * Allow systemd-machined read the vsock device + * Update policy for systemd generators + * Allow ptp4l_t request that the kernel load a kernel module + * Allow sbd to trace processes in user namespace + * Allow request-key execute scripts + * Update policy for haproxyd + * Update policy for systemd-nsresourced + * Correct sbin-related file context entries + * Allow login_userdomain execute systemd-tmpfiles in the caller domain + * Allow virt_driver_domain read files labeled unconfined_t + * Allow virt_driver_domain dbus chat with policykit + * Allow virtqemud manage nfs files when virt_use_nfs boolean is on + * Add rules for interactions between generators + * Label memory.pressure files with cgroup_memory_pressure_t + * Revert "Allow some systemd services write to cgroup files" + * Update policy for systemd-nsresourced + * Label /usr/bin/ntfsck with fsadm_exec_t + * Allow systemd_fstab_generator_t read tmpfs files + * Update policy for systemd-nsresourced + * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin + * Remove a few lines duplicated between {dkim,milter}.fc + * Alias /bin → /usr/bin and remove redundant paths + * Drop duplicate line for /usr/sbin/unix_chkpwd + * Drop duplicate paths for /usr/sbin + * Update systemd-generator policy + * Remove permissive domain for bootupd_t + * Remove permissive domain for coreos_installer_t + * Remove permissive domain for afterburn_t + * Add the sap module to modules.conf + * Move unconfined_domain(sap_unconfined_t) to an optional block + * Create the sap module + * Allow systemd-coredumpd sys_admin and sys_resource capabilities + * Allow systemd-coredump read nsfs files + * Allow generators auto file transition only for plain files + * Allow systemd-hwdb write to the kernel messages device + * Escape "interface" as a file name in a virt filetrans pattern + * Allow gnome-software work for login_userdomain + * Allow systemd-machined manage runtime sockets + * Revert "Allow systemd-machined manage runtime sockets" + * Allow postfix_domain connect to postgresql over a unix socket + * Dontaudit systemd-coredump sys_admin capability +- Update container-selinux + +------------------------------------------------------------------- +Tue Jul 02 10:03:44 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240702: + * Allow manage dosfs_t files to snapperd (bsc#1224120) + * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records + * Add auth_rw_wtmpdb_login_records to modules + * Allow xdm_t to read-write to wtmpdb (bsc#1225984) + * Introduce types for wtmpdb and rw interface + * Introduce wtmp_file_type attribute + * Revert "Add policy for wtmpdb (bsc#1210717)" + +------------------------------------------------------------------- +Mon Jun 17 14:36:01 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240617: + * Allow gnome control center to set autologin (bsc#1222978) + * Dontaudit xdm_t to getattr on root_t (bsc#1223145) + +------------------------------------------------------------------- +Thu Jun 13 08:12:47 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240613: + * Allow systemd_fstab_generator_t read tmpfs files (bsc#1223599) + +------------------------------------------------------------------- +Wed Jun 12 08:43:02 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240612: + * Allow all domains read and write z90crypt device + * Allow tpm2 generator setfscreate + * Allow systemd (PID 1) manage systemd conf files + * Allow pulseaudio map its runtime files + * Update policy for getty-generator + * Allow systemd-hwdb send messages to kernel unix datagram sockets + * Allow systemd-machined manage runtime sockets + * Allow fstab-generator create unit file symlinks + * Update policy for cryptsetup-generator + * Update policy for fstab-generator + * Allow virtqemud read vm sysctls + * Allow collectd to trace processes in user namespace + * Allow bootupd search efivarfs dirs + * Add policy for systemd-mountfsd + * Add policy for systemd-nsresourced + * Update policy generators + * Add policy for anaconda-generator + * Update policy for fstab and gpt generators + * Add policy for kdump-dep-generator + * Add policy for a generic generator + * Add policy for tpm2 generator + * Add policy for ssh-generator + * Add policy for second batch of generators + * Update policy for systemd generators + * ci: Adjust Cockpit test plans + * Allow journald read systemd config files and directories + * Allow systemd_domain read systemd_conf_t dirs + * Fix bad Python regexp escapes + * Allow fido services connect to postgres database + * Revert "Update the README.md file with the c10s branch information" + * Update the README.md file with the c10s branch information + * Allow postfix smtpd map aliases file + * Ensure dbus communication is allowed bidirectionally + * Label systemd configuration files with systemd_conf_t + * Label /run/systemd/machine with systemd_machined_var_run_t + * Allow systemd-hostnamed read the vsock device + * Allow sysadm execute dmidecode using sudo + * Allow sudodomain list files in /var + * Allow setroubleshootd get attributes of all sysctls + * Allow various services read and write z90crypt device + * Allow nfsidmap connect to systemd-homed + * Allow sandbox_x_client_t dbus chat with accountsd + * Allow system_cronjob_t dbus chat with avahi_t + * Allow staff_t the io_uring sqpoll permission + * Allow staff_t use the io_uring API + * Add support for secretmem anon inode + * Allow virtqemud read vfio devices + * Allow virtqemud get attributes of a tmpfs filesystem + * Allow svirt_t read vm sysctls + * Allow virtqemud create and unlink files in /etc/libvirt/ + * Allow virtqemud get attributes of cifs files + * Allow virtqemud get attributes of filesystems with extended attributes + * Allow virtqemud get attributes of NFS filesystems + * Allow virt_domain read and write usb devices conditionally + * Allow virtstoraged use the io_uring API + * Allow virtstoraged execute lvm programs in the lvm domain + * Allow virtnodevd_t map /var/lib files + * Allow svirt_tcg_t map svirt_image_t files + * Allow abrt-dump-journal-core connect to systemd-homed + * Allow abrt-dump-journal-core connect to systemd-machined + * Allow sssd create and use io_uring + * Allow selinux-relabel-generator create units dir + * Allow dbus-broker read/write inherited user ttys + * Define transitions for /run/libvirt/common and /run/libvirt/qemu + * Allow systemd-sleep read raw disk data + * Allow numad to trace processes in user namespace + * Allow abrt-dump-journal-core connect to systemd-userdbd + * Allow plymouthd read efivarfs files + * Update the auth_dontaudit_read_passwd_file() interface + * Label /dev/mmcblk0rpmb character device with removable_device_t + * fix hibernate on btrfs swapfile (F40) + * Allow nut to statfs() + * Allow system dbusd service status systemd services + * Allow systemd-timedated get the timemaster service status + * Allow keyutils-dns-resolver connect to the system log service + * Allow qemu-ga read vm sysctls + * postfix: allow qmgr to delete mails in bounce/ directory + +------------------------------------------------------------------- +Mon Jun 3 13:42:13 UTC 2024 - Johannes Segitz + +- Remove "Reference" from the package description. It's not the + reference policy, but the Fedora branch of the policy + +------------------------------------------------------------------- +Tue May 28 11:12:57 UTC 2024 - Cathy Hu + +- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate + python36 tooling + +------------------------------------------------------------------- +Wed May 8 11:06:43 UTC 2024 - Johannes Segitz + +- Fixed varrun-convert.sh script to not break because of duplicate + entries + +------------------------------------------------------------------- +Mon May 6 07:44:20 UTC 2024 - Johannes Segitz + +- Move to %posttrans to ensure selinux-policy got updated before + the commands run (bsc#1221720) + +------------------------------------------------------------------- +Mon Apr 15 13:23:40 UTC 2024 - Cathy Hu + +- Add file contexts "forwarding" to file_contexts.sub_dist + to fix systemd-gpt-auto-generator and systemd-fstab-generator + (bsc#1222736): + * /run/systemd/generator.early /usr/lib/systemd/system + * /run/systemd/generator.late /usr/lib/systemd/system + +------------------------------------------------------------------- +Thu Apr 11 15:13:31 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240411: + * Remove duplicate in sysnetwork.fc + * Rename /var/run/wicked* to /run/wicked* + * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc + * policy: support pidfs + * Confine selinux-autorelabel-generator.sh + * Allow logwatch_mail_t read/write to init over a unix stream socket + * Allow logwatch read logind sessions files + * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it + * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it + * Allow NetworkManager the sys_ptrace capability in user namespace + * dontaudit execmem for modemmanager + * Allow dhcpcd use unix_stream_socket + * Allow dhcpc read /run/netns files + * Update mmap_rw_file_perms to include the lock permission + * Allow plymouthd log during shutdown + * Add logging_watch_all_log_dirs() and logging_watch_all_log_files() + * Allow journalctl_t read filesystem sysctls + * Allow cgred_t to get attributes of cgroup filesystems + * Allow wdmd read hardware state information + * Allow wdmd list the contents of the sysfs directories + * Allow linuxptp configure phc2sys and chronyd over a unix domain socket + * Allow sulogin relabel tty1 + * Dontaudit sulogin the checkpoint_restore capability + * Modify sudo_role_template() to allow getpgid + * Allow userdomain get attributes of files on an nsfs filesystem + * Allow opafm create NFS files and directories + * Allow virtqemud create and unlink files in /etc/libvirt/ + * Allow virtqemud domain transition on swtpm execution + * Add the swtpm.if interface file for interactions with other domains + * Allow samba to have dac_override capability + * systemd: allow sys_admin capability for systemd_notify_t + * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets + * Allow thumb_t to watch and watch_reads mount_var_run_t + * Allow krb5kdc_t map krb5kdc_principal_t files + * Allow unprivileged confined user dbus chat with setroubleshoot + * Allow login_userdomain map files in /var + * Allow wireguard work with firewall-cmd + * Differentiate between staff and sysadm when executing crontab with sudo + * Add crontab_admin_domtrans interface + * Allow abrt_t nnp domain transition to abrt_handle_event_t + * Allow xdm_t to watch and watch_reads mount_var_run_t + * Dontaudit subscription manager setfscreate and read file contexts + * Don't audit crontab_domain write attempts to user home + * Transition from sudodomains to crontab_t when executing crontab_exec_t + * Add crontab_domtrans interface + * Fix label of pseudoterminals created from sudodomain + * Allow utempter_t use ptmx + * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket + * Allow admin user read/write on fixed_disk_device_t + * Only allow confined user domains to login locally without unconfined_login + * Add userdom_spec_domtrans_confined_admin_users interface + * Only allow admindomain to execute shell via ssh with ssh_sysadm_login + * Add userdom_spec_domtrans_admin_users interface + * Move ssh dyntrans to unconfined inside unconfined_login tunable policy + * Update ssh_role_template() for user ssh-agent type + * Allow init to inherit system DBus file descriptors + * Allow init to inherit fds from syslogd + * Allow any domain to inherit fds from rpm-ostree + * Update afterburn policy + * Allow init_t nnp domain transition to abrtd_t + * Rename all /var/lock file context entries to /run/lock + * Rename all /var/run file context entries to /run +- Add script varrun-convert.sh for locally existing modules + to be able to cope with the /var/run -> /run change +- Update embedded container-selinux to commit + a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e + +------------------------------------------------------------------- +Thu Mar 21 10:44:09 UTC 2024 - jsegitz@suse.com + +- Update to version 20240321: + * policy module for kiwi (bsc#1221109) + * dontaudit execmem for modemmanager (bsc#1219363) + +------------------------------------------------------------------- +Wed Mar 13 11:02:43 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240313: + * Assign alts_exec_t to files_type + +------------------------------------------------------------------- +Fri Mar 08 09:05:08 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240308: + * Support /bin/alts in the policy (bsc#1217530) + * Revert "Allow virtnetworkd_t to execute bin_t (bsc#1216903)" + +------------------------------------------------------------------- +Wed Mar 06 15:41:20 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240306: + * Replace init domtrans rule for confined users to allow exec init + * Update dbus_role_template() to allow user service status + * Allow polkit status all systemd services + * Allow setroubleshootd create and use inherited io_uring + * Allow load_policy read and write generic ptys + +------------------------------------------------------------------- +Mon Mar 04 16:19:28 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240304: + * Allow ssh-keygen to use the libica crypto module (bsc#1220373) + +------------------------------------------------------------------- +Mon Feb 05 15:48:02 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240205: + * Allow gpg manage rpm cache + * Allow login_userdomain name_bind to howl and xmsg udp ports + * Allow rules for confined users logged in plasma + * Label /dev/iommu with iommu_device_t + * Remove duplicate file context entries in /run + * Dontaudit getty and plymouth the checkpoint_restore capability + * Allow su domains write login records + * Revert "Allow su domains write login records" + * Allow login_userdomain delete session dbusd tmp socket files + * Allow unix dgram sendto between exim processes + * Allow su domains write login records + * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on + * Allow chronyd-restricted read chronyd key files + * Allow conntrackd_t to use bpf capability2 + * Allow systemd-networkd manage its runtime socket files + * Allow init_t nnp domain transition to colord_t + * Allow polkit status systemd services + * nova: Fix duplicate declarations + * Allow httpd work with PrivateTmp + * Add interfaces for watching and reading ifconfig_var_run_t + * Allow collectd read raw fixed disk device + * Allow collectd read udev pid files + * Set correct label on /etc/pki/pki-tomcat/kra + * Allow systemd domains watch system dbus pid socket files + * Allow certmonger read network sysctls + * Allow mdadm list stratisd data directories + * Allow syslog to run unconfined scripts conditionally + * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t + * Allow qatlib set attributes of vfio device files + * Allow systemd-sleep set attributes of efivarfs files + * Allow samba-dcerpcd read public files + * Allow spamd_update_t the sys_ptrace capability in user namespace + * Allow bluetooth devices work with alsa + * Allow alsa get attributes filesystems with extended attributes + * Allow hypervkvp_t write access to NetworkManager_etc_rw_t + * Add interface for write-only access to NetworkManager rw conf + * Allow systemd-sleep send a message to syslog over a unix dgram socket + * Allow init create and use netlink netfilter socket + * Allow qatlib load kernel modules + * Allow qatlib run lspci + * Allow qatlib manage its private runtime socket files + * Allow qatlib read/write vfio devices + * Label /etc/redis.conf with redis_conf_t + * Remove the lockdown-class rules from the policy + * Allow init read all non-security socket files + * Replace redundant dnsmasq pattern macros + * Remove unneeded symlink perms in dnsmasq.if + * Add additions to dnsmasq interface + * Allow nvme_stas_t create and use netlink kobject uevent socket + * Allow collectd connect to statsd port + * Allow keepalived_t to use sys_ptrace of cap_userns + * Allow dovecot_auth_t connect to postgresql using UNIX socket + * Make named_zone_t and named_var_run_t a part of the mountpoint attribute + * Allow sysadm execute traceroute in sysadm_t domain using sudo + * Allow sysadm execute tcpdump in sysadm_t domain using sudo + * Allow opafm search nfs directories + * Add support for syslogd unconfined scripts + * Allow gpsd use /dev/gnss devices + * Allow gpg read rpm cache + * Allow virtqemud additional permissions + * Allow virtqemud manage its private lock files + * Allow virtqemud use the io_uring api + * Allow ddclient send e-mail notifications + * Allow postfix_master_t map postfix data files + * Allow init create and use vsock sockets + * Allow thumb_t append to init unix domain stream sockets + * Label /dev/vas with vas_device_t + * Create interface selinux_watch_config and add it to SELinux users + * Update cifs interfaces to include fs_search_auto_mountpoints() + * Allow sudodomain read var auth files + * Allow spamd_update_t read hardware state information + * Allow virtnetworkd domain transition on tc command execution + * Allow sendmail MTA connect to sendmail LDA + * Allow auditd read all domains process state + * Allow rsync read network sysctls + * Add dhcpcd bpf capability to run bpf programs + * Dontaudit systemd-hwdb dac_override capability + * Allow systemd-sleep create efivarfs files + * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on + * Allow graphical applications work in Wayland + * Allow kdump work with PrivateTmp + * Allow dovecot-auth work with PrivateTmp + * Allow nfsd get attributes of all filesystems + * Allow unconfined_domain_type use io_uring cmd on domain + * ci: Only run Rawhide revdeps tests on the rawhide branch + * Label /var/run/auditd.state as auditd_var_run_t + * Allow fido-device-onboard (FDO) read the crack database + * Allow ip an explicit domain transition to other domains + * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t + * Allow winbind_rpcd_t processes access when samba_export_all_* is on + * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection + * Allow ntp to bind and connect to ntske port. + +------------------------------------------------------------------- +Tue Jan 16 08:54:51 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240116: + * Fix gitolite homedir paths (bsc#1218826) + +------------------------------------------------------------------- +Tue Jan 09 09:14:44 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240104: + * Allow keepalived_t read+write kernel_t pipes (bsc#1216060) + * allow rebootmgr to read the system state (bsc#1205931) + +------------------------------------------------------------------- +Tue Nov 28 14:40:23 UTC 2023 - Hu + +- Trigger rebuild of the policy when pcre2 gets updated to avoid + regex version mismatch errors (bsc#1216747). + +------------------------------------------------------------------- +Fri Nov 24 09:34:20 UTC 2023 - cathy.hu@suse.com + +- Update to version 20231124: + * Allow virtnetworkd_t to execute bin_t (bsc#1216903) + +------------------------------------------------------------------- +Wed Nov 22 14:37:56 UTC 2023 - Hu + +- Add new modules that were missed in the last update to + modules-mls-contrib.conf + +------------------------------------------------------------------- +Wed Nov 22 13:49:14 UTC 2023 - Hu + +- Add new modules that were missed in the last update to + modules-targeted-contrib.conf + +------------------------------------------------------------------- +Mon Oct 30 10:28:10 UTC 2023 - cathy.hu@suse.com + +- Update to version 20231030: + * Allow system_mail_t manage exim spool files and dirs + * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t + * Label /run/pcsd.socket with cluster_var_run_t + * ci: Run cockpit tests in PRs + * Add map_read map_write to kernel_prog_run_bpf + * Allow systemd-fstab-generator read all symlinks + * Allow systemd-fstab-generator the dac_override capability + * Allow rpcbind read network sysctls + * Support using systemd containers + * Allow sysadm_t to connect to iscsid using a unix domain stream socket + * Add policy for coreos installer + * Add policy for nvme-stas + * Confine systemd fstab,sysv,rc-local + * Label /etc/aliases.lmdb with etc_aliases_t + * Create policy for afterburn + * Make new virt drivers permissive + * Split virt policy, introduce virt_supplementary module + * Allow apcupsd cgi scripts read /sys + * Allow kernel_t to manage and relabel all files + * Add missing optional_policy() to files_relabel_all_files() + * Allow named and ndc use the io_uring api + * Deprecate common_anon_inode_perms usage + * Improve default file context(None) of /var/lib/authselect/backups + * Allow udev_t to search all directories with a filesystem type + * Implement proper anon_inode support + * Allow targetd write to the syslog pid sock_file + * Add ipa_pki_retrieve_key_exec() interface + * Allow kdumpctl_t to list all directories with a filesystem type + * Allow udev additional permissions + * Allow udev load kernel module + * Allow sysadm_t to mmap modules_object_t files + * Add the unconfined_read_files() and unconfined_list_dirs() interfaces + * Set default file context of HOME_DIR/tmp/.* to <> + * Allow kernel_generic_helper_t to execute mount(1) + * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t + * Allow systemd-localed create Xserver config dirs + * Allow sssd read symlinks in /etc/sssd + * Label /dev/gnss[0-9] with gnss_device_t + * Allow systemd-sleep read/write efivarfs variables + * ci: Fix version number of packit generated srpms + * Dontaudit rhsmcertd write memory device + * Allow ssh_agent_type create a sockfile in /run/user/USERID + * Set default file context of /var/lib/authselect/backups to <> + * Allow prosody read network sysctls + * Allow cupsd_t to use bpf capability + * Allow sssd domain transition on passkey_child execution conditionally + * Allow login_userdomain watch lnk_files in /usr + * Allow login_userdomain watch video4linux devices + * Change systemd-network-generator transition to include class file + * Revert "Change file transition for systemd-network-generator" + * Allow nm-dispatcher winbind plugin read/write samba var files + * Allow systemd-networkd write to cgroup files + * Allow kdump create and use its memfd: objects + * Allow fedora-third-party get generic filesystem attributes + * Allow sssd use usb devices conditionally + * Update policy for qatlib + * Allow ssh_agent_type manage generic cache home files + * Change file transition for systemd-network-generator + * Additional support for gnome-initial-setup + * Update gnome-initial-setup policy for geoclue + * Allow openconnect vpn open vhost net device + * Allow cifs.upcall to connect to SSSD also through the /var/run socket + * Grant cifs.upcall more required capabilities + * Allow xenstored map xenfs files + * Update policy for fdo + * Allow keepalived watch var_run dirs + * Allow svirt to rw /dev/udmabuf + * Allow qatlib to modify hardware state information. + * Allow key.dns_resolve connect to avahi over a unix stream socket + * Allow key.dns_resolve create and use unix datagram socket + * Use quay.io as the container image source for CI + * ci: Move srpm/rpm build to packit + * .copr: Avoid subshell and changing directory + * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file + * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t + * Make insights_client_t an unconfined domain + * Allow insights-client manage user temporary files + * Allow insights-client create all rpm logs with a correct label + * Allow insights-client manage generic logs + * Allow cloud_init create dhclient var files and init_t manage net_conf_t + * Allow insights-client read and write cluster tmpfs files + * Allow ipsec read nsfs files + * Make tuned work with mls policy + * Remove nsplugin_role from mozilla.if + * allow mon_procd_t self:cap_userns sys_ptrace + * Allow pdns name_bind and name_connect all ports + * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh + * ci: Move to actions/checkout@v3 version + * .copr: Replace chown call with standard workflow safe.directory setting + * .copr: Enable `set -u` for robustness + * .copr: Simplify root directory variable + * Allow rhsmcertd dbus chat with policykit + * Allow polkitd execute pkla-check-authorization with nnp transition + * Allow user_u and staff_u get attributes of non-security dirs + * Allow unconfined user filetrans chrome_sandbox_home_t + * Allow svnserve execute postdrop with a transition + * Do not make postfix_postdrop_t type an MTA executable file + * Allow samba-dcerpc service manage samba tmp files + * Add use_nfs_home_dirs boolean for mozilla_plugin + * Fix labeling for no-stub-resolv.conf + * Revert "Allow winbind-rpcd use its private tmp files" + * Allow upsmon execute upsmon via a helper script + * Allow openconnect vpn read/write inherited vhost net device + * Allow winbind-rpcd use its private tmp files + * Update samba-dcerpc policy for printing + * Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty + * Allow nscd watch system db dirs + * Allow qatlib to read sssd public files + * Allow fedora-third-party read /sys and proc + * Allow systemd-gpt-generator mount a tmpfs filesystem + * Allow journald write to cgroup files + * Allow rpc.mountd read network sysctls + * Allow blueman read the contents of the sysfs filesystem + * Allow logrotate_t to map generic files in /etc + * Boolean: Allow virt_qemu_ga create ssh directory + * Allow systemd-network-generator send system log messages + * Dontaudit the execute permission on sock_file globally + * Allow fsadm_t the file mounton permission + * Allow named and ndc the io_uring sqpoll permission + * Allow sssd io_uring sqpoll permission + * Fix location for /run/nsd + * Allow qemu-ga get fixed disk devices attributes + * Update bitlbee policy + * Label /usr/sbin/sos with sosreport_exec_t + * Update policy for the sblim-sfcb service + * Add the files_getattr_non_auth_dirs() interface + * Fix the CI to work with DNF5 + * Make systemd_tmpfiles_t MLS trusted for lowering the level of files + * Revert "Allow insights client map cache_home_t" + * Allow nfsidmapd connect to systemd-machined over a unix socket + * Allow snapperd connect to kernel over a unix domain stream socket + * Allow virt_qemu_ga_t create .ssh dir with correct label + * Allow targetd read network sysctls + * Set the abrt_handle_event boolean to on + * Permit kernel_t to change the user identity in object contexts + * Allow insights client map cache_home_t + * Label /usr/sbin/mariadbd with mysqld_exec_t + * Allow httpd tcp connect to redis port conditionally + * Label only /usr/sbin/ripd and ripngd with zebra_exec_t + * Dontaudit aide the execmem permission + * Remove permissive from fdo + * Allow sa-update manage spamc home files + * Allow sa-update connect to systemlog services + * Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t + * Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t + * Allow bootupd search EFI directory + * Change init_audit_control default value to true + * Allow nfsidmapd connect to systemd-userdbd with a unix socket + * Add the qatlib module + * Add the fdo module + * Add the bootupd module + * Set default ports for keylime policy + * Create policy for qatlib + * Add policy for FIDO Device Onboard + * Add policy for bootupd + * Add support for kafs-dns requested by keyutils + * Allow insights-client execmem + * Add support for chronyd-restricted + * Add init_explicit_domain() interface + * Allow fsadm_t to get attributes of cgroup filesystems + * Add list_dir_perms to kerberos_read_keytab + * Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t + * Allow sendmail manage its runtime files + +------------------------------------------------------------------- +Thu Oct 12 07:59:22 UTC 2023 - cathy.hu@suse.com + +- Update to version 20231012: + * Allow sssd_t watch permission to net_conf_t dirs (bsc#1216052) + * Revert fix for bsc#1205770 since it causes a regression for bsc#1214887 + +------------------------------------------------------------------- +Wed Oct 4 14:40:03 UTC 2023 - Johannes Segitz + +- Use /var/adm/update-scripts in macros.selinux-policy. The rpm state + directory doesn't exist on SUSE systems (bsc#1213593) + +------------------------------------------------------------------- +Tue Sep 19 07:57:02 UTC 2023 - Johannes Segitz + +- Modified update.sh to require first parameter "full" to also + update container-selinux. For maintenance updates you usually + don't want it to be updated + +------------------------------------------------------------------- +Fri Jul 28 14:49:04 UTC 2023 - filippo.bonazzi@suse.com + +- Update to version 20230728: + * Allow kdump_t to manage symlinks under kdump_var_lib_t (bsc#1213721) + * allow haveged to manage tmpfs directories (bsc#1213594) + +------------------------------------------------------------------- +Thu Jun 22 12:14:15 UTC 2023 - jsegitz@suse.com + +- Update to version 20230622: + * Allow keyutils_dns_resolver_exec_t be an entrypoint + * Allow collectd_t read network state symlinks + * Revert "Allow collectd_t read proc_net link files" + * Allow nfsd_t to list exports_t dirs + * Allow cupsd dbus chat with xdm + * Allow haproxy read hardware state information + * Label /dev/userfaultfd with userfaultfd_t + * Allow blueman send general signals to unprivileged user domains + * Allow dkim-milter domain transition to sendmail + +------------------------------------------------------------------- +Tue Apr 25 15:12:47 UTC 2023 - cathy.hu@suse.com + +- Update to version 20230425: + * Remove unneeded manage_dirs_pattern for lastlog_t (bsc#1210461) + * Add policy for wtmpdb (bsc#1210717) + +------------------------------------------------------------------- +Tue Apr 25 11:29:59 UTC 2023 - cathy.hu@suse.com + +- Update to version 20230425: + * Add support for lastlog2 (bsc#1210461) + * allow the chrony client to use unallocated ttys (bsc#1210672) + +------------------------------------------------------------------- +Thu Apr 20 10:47:16 UTC 2023 - jsegitz@suse.com + +- Update to version 20230420: + * libzypp creates temporary files in /var/adm/mount. Label it with + rpm_var_cache_t to prevent wrong labels in /var/cache/zypp + * only use rsync_exec_t for the rsync server, not for the client + (bsc#1209890) + * properly label sshd-gen-keys-start to ensure ssh host keys have proper + labels after creation + * Allow dovecot-deliver write to the main process runtime fifo files + * Allow dmidecode write to cloud-init tmp files + * Allow chronyd send a message to cloud-init over a datagram socket + * Allow cloud-init domain transition to insights-client domain + * Allow mongodb read filesystem sysctls + * Allow mongodb read network sysctls + * Allow accounts-daemon read generic systemd unit lnk files + * Allow blueman watch generic device dirs + * Allow nm-dispatcher tlp plugin create tlp dirs + * Allow systemd-coredump mounton /usr + * Allow rabbitmq to read network sysctls + * Allow certmonger dbus chat with the cron system domain + * Allow geoclue read network sysctls + * Allow geoclue watch the /etc directory + * Allow logwatch_mail_t read network sysctls + * allow systemd_resolved_t to bind to all nodes (bsc#1200182) + * Allow insights-client read all sysctls + * Allow passt manage qemu pid sock files + * Allow sssd read accountsd fifo files + * Add support for the passt_t domain + * Allow virtd_t and svirt_t work with passt + * Add new interfaces in the virt module + * Add passt interfaces defined conditionally + * Allow tshark the setsched capability + * Allow poweroff create connections to system dbus + * Allow wg load kernel modules, search debugfs dir + * Boolean: allow qemu-ga manage ssh home directory + * Label smtpd with sendmail_exec_t + * Label msmtp and msmtpd with sendmail_exec_t + * Allow dovecot to map files in /var/spool/dovecot + * Confine gnome-initial-setup + * Allow qemu-guest-agent create and use vsock socket + * Allow login_pgm setcap permission + * Allow chronyc read network sysctls + * Enhancement of the /usr/sbin/request-key helper policy + * Fix opencryptoki file names in /dev/shm + * Allow system_cronjob_t transition to rpm_script_t + * Revert "Allow system_cronjob_t domtrans to rpm_script_t" + * Add tunable to allow squid bind snmp port + * Allow staff_t getattr init pid chr & blk files and read krb5 + * Allow firewalld to rw z90crypt device + * Allow httpd work with tokens in /dev/shm + * Allow svirt to map svirt_image_t char files + * Allow sysadm_t run initrc_t script and sysadm_r role access + * Allow insights-client manage fsadm pid files + * Allowing snapper to create snapshots of /home/ subvolume/partition + * Add boolean qemu-ga to run unconfined script + * Label systemd-journald feature LogNamespace + * Add none file context for polyinstantiated tmp dirs + * Allow certmonger read the contents of the sysfs filesystem + * Add journalctl the sys_resource capability + * Allow nm-dispatcher plugins read generic files in /proc + +------------------------------------------------------------------- +Tue Mar 28 12:27:47 UTC 2023 - Hu + +- Add debug-build.sh script to make debugging without committing easier + +------------------------------------------------------------------- +Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com + +- Update to version 20230321: + * make kernel_t unconfined again + +------------------------------------------------------------------- +Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com + +- Update to version 20230316: + * prevent labeling of overlayfs filesystems based on the /var/lib/overlay + path + * allow kernel_t to relabel etc_t files + * allow kernel_t to relabel sysnet config files + * allow kernel_t to relabel systemd hwdb etc files + * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files + * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply + to files and lnk_files. lnk_files are commonly used in SUSE to allow easy + management of config files + * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic + interfaces to allow labeling on etc_t, not on the broader configfiles + attribute + * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The + watch permissions reported are already fixed in a current policy. +- Reinstate update.sh and remove container-selinux from the service. + Having both repos in there causes issues and update.sh makes the update + process easier in general. Updated README.Update + +------------------------------------------------------------------- +Tue Mar 7 08:49:05 UTC 2023 - Johannes Segitz + +- Remove erroneous SUSE man page. Will not be created with the + 3.5 toolchain + +------------------------------------------------------------------- +Tue Feb 14 21:41:54 UTC 2023 - Hu + +- Complete packaging rework: Move policy to git repository and + only use tar_scm obs service to refresh from there: + https://gitlab.suse.de/selinux/selinux-policy + + Please use `osc service manualrun` to update this OBS package to the + newest git version. + + * Added README.Update describing how to update this package + * Added _service file that pulls from selinux-policy and + upstream container-selinux and tars them + * Adapted selinux-policy.spec to build selinux-policy with + container-selinux + * Removed update.sh as no longer needed + * Removed suse specific modules as they are now covered by git commits + * packagekit.te packagekit.if packagekit.fc + * rebootmgr.te rebootmgr.if rebootmgr.fc + * rtorrent.te rtorrent.if rtorrent.fc + * wicked.te wicked.if wicked.fc + * Removed *.patch as they are now covered by git commits: + * distro_suse_to_distro_redhat.patch + * dontaudit_interface_kmod_tmpfs.patch + * fix_accountsd.patch + * fix_alsa.patch + * fix_apache.patch + * fix_auditd.patch + * fix_authlogin.patch + * fix_automount.patch + * fix_bitlbee.patch + * fix_chronyd.patch + * fix_cloudform.patch + * fix_colord.patch + * fix_corecommand.patch + * fix_cron.patch + * fix_dbus.patch + * fix_djbdns.patch + * fix_dnsmasq.patch + * fix_dovecot.patch + * fix_entropyd.patch + * fix_firewalld.patch + * fix_fwupd.patch + * fix_geoclue.patch + * fix_hypervkvp.patch + * fix_init.patch + * fix_ipsec.patch + * fix_iptables.patch + * fix_irqbalance.patch + * fix_java.patch + * fix_kernel.patch + * fix_kernel_sysctl.patch + * fix_libraries.patch + * fix_locallogin.patch + * fix_logging.patch + * fix_logrotate.patch + * fix_mcelog.patch + * fix_miscfiles.patch + * fix_nagios.patch + * fix_networkmanager.patch + * fix_nis.patch + * fix_nscd.patch + * fix_ntp.patch + * fix_openvpn.patch + * fix_postfix.patch + * fix_rpm.patch + * fix_rtkit.patch + * fix_screen.patch + * fix_selinuxutil.patch + * fix_sendmail.patch + * fix_smartmon.patch + * fix_snapper.patch + * fix_sslh.patch + * fix_sysnetwork.patch + * fix_systemd.patch + * fix_systemd_watch.patch + * fix_thunderbird.patch + * fix_unconfined.patch + * fix_unconfineduser.patch + * fix_unprivuser.patch + * fix_userdomain.patch + * fix_usermanage.patch + * fix_wine.patch + * fix_xserver.patch + * sedoctool.patch + * systemd_domain_dyntrans_type.patch + +------------------------------------------------------------------- +Mon Feb 6 08:36:32 UTC 2023 - Johannes Segitz + +- Update to version 20230206. Refreshed: + * fix_entropyd.patch + * fix_networkmanager.patch + * fix_systemd_watch.patch + * fix_unconfineduser.patch +- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is + necessary as plymouth doesn't run in it's own domain in early boot + +------------------------------------------------------------------- +Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz + +- Update to version 20230125. Refreshed: + * distro_suse_to_distro_redhat.patch + * fix_dnsmasq.patch + * fix_init.patch + * fix_ipsec.patch + * fix_kernel_sysctl.patch + * fix_logging.patch + * fix_rpm.patch + * fix_selinuxutil.patch + * fix_systemd_watch.patch + * fix_userdomain.patch +- More flexible lib(exec) matching in fix_fwupd.patch +- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch +- Dropped fix_container.patch, is now upstream +- Added fix_entropyd.patch + * Added new interface entropyd_semaphore_filetrans to properly transfer + semaphore created during early boot. That doesn't work yet, so work + around with next item + * Allow reading tempfs files +- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace + to allow kmod_tmpfs_t files to be executed. Necessary for firewalld +- Added fix_rtkit.patch to fix labeling of binary +- Modified fix_ntp.patch: + * Proper labeling for start-ntpd + * Fixed label rules for chroot path + * Temporarily allow dac_override for ntpd_t (bsc#1207577) + * Add interface ntp_manage_pid_files to allow management of pid + files +- Updated fix_networkmanager.patch to allow managing ntp pid files + +------------------------------------------------------------------- +Thu Jan 12 13:01:47 UTC 2023 - Johannes Segitz + +- Update fix_container.patch to allow privileged containers to use + localectl (bsc#1207077) + +------------------------------------------------------------------- +Wed Jan 11 14:17:02 UTC 2023 - Johannes Segitz + +- Add fix_container.patch to allow privileged containers to use + timedatectl (bsc#1207054) + +------------------------------------------------------------------- +Thu Dec 15 16:11:15 UTC 2022 - Hu + +- Added fix_ipsec.patch: Allow AF_ALG socket creation for strongswan + (bnc#1206445) + +------------------------------------------------------------------- +Wed Dec 14 15:40:12 UTC 2022 - Hu + +- Added policy for wicked scripts under /etc/sysconfig/network/scripts + (bnc#1205770) + +------------------------------------------------------------------- +Wed Dec 14 09:16:26 UTC 2022 - Johannes Segitz + +- Add fix_sendmail.patch + * fix context of custom sendmail startup helper + * fix context of /var/run/sendmail and add necessary rules to manage + content in there + +------------------------------------------------------------------- +Tue Dec 13 08:36:01 UTC 2022 - Johannes Segitz + +- Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and + nm-priv-helper until the packaging is adjusted (bsc#1206355) +- Update fix_chronyd.patch to allow sendto towards + NetworkManager_dispatcher_custom_t. Added new interface + networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357) +- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895) + +------------------------------------------------------------------- +Tue Dec 6 15:02:42 UTC 2022 - Johannes Segitz + +- Updated fix_networkmanager.patch to allow NetworkManager to watch + net_conf_t (bsc#1206109) + +------------------------------------------------------------------- +Wed Nov 30 19:28:58 UTC 2022 - Filippo Bonazzi + +- Add fix_irqbalance.patch: support netlink socket operations (bsc#1205434) + +------------------------------------------------------------------- +Wed Nov 30 19:08:33 UTC 2022 - Filippo Bonazzi + +- Drop fix_irqbalance.patch: superseded by upstream + +------------------------------------------------------------------- +Thu Nov 24 13:40:16 UTC 2022 - Hu + +- fix_sysnetwork.patch: firewalld uses /etc/sysconfig/network/ for + network interface definition instead of /etc/sysconfig/network-scripts/, + modified sysnetwork.fc to reflect that (bsc#1205580). + +------------------------------------------------------------------- +Wed Oct 19 11:45:57 UTC 2022 - Johannes Segitz + +- Update to version 20221019. Refreshed: + * distro_suse_to_distro_redhat.patch + * fix_apache.patch + * fix_chronyd.patch + * fix_cron.patch + * fix_init.patch + * fix_kernel_sysctl.patch + * fix_networkmanager.patch + * fix_rpm.patch + * fix_sysnetwork.patch + * fix_systemd.patch + * fix_systemd_watch.patch + * fix_unconfined.patch + * fix_unconfineduser.patch + * fix_unprivuser.patch + * fix_xserver.patch +- Dropped fix_cockpit.patch as this is now packaged with cockpit itself +- Remove the ipa module, freeip ships their own module +- Added fix_alsa.patch to allow reading of config files in home directories +- Extended fix_networkmanager.patch and fix_postfix.patch to account + for SUSE systems +- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc + queries the running processes +- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus + +------------------------------------------------------------------- +Fri Sep 30 07:14:49 UTC 2022 - Johannes Segitz + +- Updated quilt couldn't unpack tarball. This will cause ongoing issues + so drop the sed statement in the %prep section and add + distro_suse_to_distro_redhat.patch to add the necessary changes + via a patch + +------------------------------------------------------------------- +Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz + +- Update fix_networkmanager.patch to ensure NetworkManager chrony + dispatcher is properly labled and update fix_chronyd.patch to ensure + chrony helper script has proper label to be used by NetworkManager. + Also allow NetworkManager_dispatcher_custom_t to query systemd status + (bsc#1203824) + +------------------------------------------------------------------- +Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi + +- Update fix_xserver.patch to add greetd support (bsc#1198559) + +------------------------------------------------------------------- +Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz + +- Revamped rtorrent module + +------------------------------------------------------------------- +Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk + +- Move SUSE directory from manual page section to html docu + +------------------------------------------------------------------- +Wed Jul 27 14:00:55 UTC 2022 - Hu + +- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t + and NetworkManager_dispatcher_custom_t to access nscd socket + (bsc#1201741) + +------------------------------------------------------------------- +Thu Jul 26 10:50:21 UTC 2022 - Zdenek Kubala + +- Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper + (bnc#1201015) + +------------------------------------------------------------------- +Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz + +- Update to version 20220714. Refreshed: + * fix_init.patch + * fix_systemd_watch.patch + +------------------------------------------------------------------- +Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz + +- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for + systemd_gpt_generator_t (bsc#1200911) + +------------------------------------------------------------------- +Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz + +- postfix: Label PID files and some helpers correctly (bsc#1197242) + +------------------------------------------------------------------- +Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz + +- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984) + +------------------------------------------------------------------- +Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz + +- Update to version 20220624. Refreshed: + * fix_init.patch + * fix_kernel_sysctl.patch + * fix_logging.patch + * fix_networkmanager.patch + * fix_unprivuser.patch + Dropped fix_hadoop.patch, not necessary anymore +* Updated fix_locallogin.patch to allow accesses for nss-systemd + (bsc#1199630) + +------------------------------------------------------------------- +Fri May 20 13:46:47 UTC 2022 - Johannes Segitz + +- Update to version 20220520 to pass stricter 3.4 toolchain checks + +------------------------------------------------------------------- +Fri May 20 09:14:58 UTC 2022 - Johannes Segitz + +- Update to version 20220428. Refreshed: + * fix_apache.patch + * fix_hadoop.patch + * fix_init.patch + * fix_iptables.patch + * fix_kernel_sysctl.patch + * fix_networkmanager.patch + * fix_systemd.patch + * fix_systemd_watch.patch + * fix_unprivuser.patch + * fix_usermanage.patch + * fix_wine.patch + +------------------------------------------------------------------- +Thu May 19 12:25:31 UTC 2022 - Johannes Segitz +- Add fix_dnsmasq.patch to fix problems with virtualization on Microos + (bsc#1199518) + +------------------------------------------------------------------- +Tue May 3 13:18:38 UTC 2022 - Johannes Segitz + +- Modified fix_init.patch to allow init to setup contrained environment + for accountsservice. This needs a better, more general solution + (bsc#1197610) + +------------------------------------------------------------------- +Mon May 2 11:27:49 UTC 2022 - Johannes Segitz + +- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition. + This happens in certain boot conditions (bsc#1182500) +- Changed fix_unconfineduser.patch to not transition into ldconfig_t + from unconfined_t (bsc#1197169) +------------------------------------------------------------------- +Thu Feb 17 12:24:13 UTC 2022 - Klaus Kämpf + +- use %license tag for COPYING file + +------------------------------------------------------------------- +Thu Feb 10 09:04:08 UTC 2022 - Johannes Segitz + +- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683) + +------------------------------------------------------------------- +Wed Feb 9 16:04:09 UTC 2022 - Filippo Bonazzi + +- Fix bitlbee runtime directory (bsc#1193230) + * add fix_bitlbee.patch + +------------------------------------------------------------------- +Mon Jan 24 07:33:34 UTC 2022 - Johannes Segitz + +- Update to version 20220124. Refreshed: + * fix_hadoop.patch + * fix_init.patch + * fix_kernel_sysctl.patch + * fix_systemd.patch + * fix_systemd_watch.patch +- Added fix_hypervkvp.patch to fix issues with hyperv labeling + (bsc#1193987) + +------------------------------------------------------------------- +Fri Jan 14 15:07:00 UTC 2022 - Johannes Segitz + +- Allow colord to use systemd hardenings (bsc#1194631) + +------------------------------------------------------------------- +Thu Nov 11 14:21:47 UTC 2021 - Johannes Segitz + +- Update to version 20211111. Refreshed: + * fix_dbus.patch + * fix_systemd.patch + * fix_authlogin.patch + * fix_auditd.patch + * fix_kernel_sysctl.patch + * fix_networkmanager.patch + * fix_chronyd.patch + * fix_unconfineduser.patch + * fix_unconfined.patch + * fix_firewalld.patch + * fix_init.patch + * fix_xserver.patch + * fix_logging.patch + * fix_hadoop.patch + +------------------------------------------------------------------- +Mon Oct 25 11:35:24 UTC 2021 - Marcus Meissner + +- fix_wine.patch: give Wine .dll same context as .so (bsc#1191976) + +------------------------------------------------------------------- +Tue Sep 28 12:44:22 UTC 2021 - Enzo Matsumiya + +- Fix auditd service start with systemd hardening directives (boo#1190918) + * add fix_auditd.patch + +------------------------------------------------------------------- +Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz + +- Modified fix_systemd.patch to allow systemd gpt generator access to + udev files (bsc#1189280) + +------------------------------------------------------------------- +Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek + +- fix rebootmgr does not trigger the reboot properly (boo#1189878) + * fix managing /etc/rebootmgr.conf + * allow rebootmgr_t to cope with systemd and dbus messaging + +------------------------------------------------------------------- +Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz + +- Properly label cockpit files +- Allow wicked to communicate with network manager on DBUS (bsc#1188331) + +------------------------------------------------------------------- +Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek + +- Added policy module for rebootmgr (jsc#SMO-28) + +------------------------------------------------------------------- +Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel + +- Allow systemd-sysctl to read kernel specific sysctl.conf + (fix_kernel_sysctl.patch, boo#1184804) + +------------------------------------------------------------------- +Tue Aug 10 08:31:16 UTC 2021 - Ludwig Nussel + +- Fix quoting in postInstall macro + +------------------------------------------------------------------- +Fri Jul 16 07:11:57 UTC 2021 - Johannes Segitz + +- Update to version 20210716 +- Remove interfaces for container module before building the package + (bsc#1188184) +- Updated + * fix_init.patch + * fix_systemd_watch.patch + to adapt to upstream changes + +------------------------------------------------------------------- +Thu Jul 15 15:45:57 UTC 2021 - Callum Farmer + +- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing + here + +------------------------------------------------------------------- +Tue Jul 6 13:55:19 UTC 2021 - Alberto Planas Dominguez + +- Add tabrmd SELinux modules from upstream (bsc#1187925) + https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux +- Automatic spec-cleaner to fix ordering and misaligned spaces + +------------------------------------------------------------------- +Mon Jun 28 08:11:25 UTC 2021 - Johannes Segitz + +- Update to version 20210419 +- Dropped fix_gift.patch, module was removed +- Updated wicked.te to removed dropped interface +- Refreshed: + * fix_cockpit.patch + * fix_hadoop.patch + * fix_init.patch + * fix_logging.patch + * fix_logrotate.patch + * fix_networkmanager.patch + * fix_nscd.patch + * fix_rpm.patch + * fix_selinuxutil.patch + * fix_systemd.patch + * fix_systemd_watch.patch + * fix_thunderbird.patch + * fix_unconfined.patch + * fix_unconfineduser.patch + * fix_unprivuser.patch + * fix_xserver.patch + +------------------------------------------------------------------- +Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel + +- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units + that trigger on changes in those. + Added fix_systemd_watch.patch +- own /usr/share/selinux/packages/$SELINUXTYPE/ and + /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install + files there + +------------------------------------------------------------------- +Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel + +- allow cockpit socket to bind nodes (fix_cockpit.patch) +- use %autosetup to get rid of endless patch lines + +------------------------------------------------------------------- +Tue Apr 27 06:30:08 UTC 2021 - Johannes Segitz + +- Updated fix_networkmanager.patch to allow NetworkManager to watch + its configuration directories +- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207) + +------------------------------------------------------------------- +Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz + +- Added Recommends for selinux-autorelabel (bsc#1181837) +- Prevent libreoffice fonts from changing types on every relabel + (bsc#1185265). Added fix_libraries.patch + +------------------------------------------------------------------- +Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz + +- Transition unconfined users to ldconfig type (bsc#1183121). + Extended fix_unconfineduser.patch + +------------------------------------------------------------------- +Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz + +- Update to version 20210419 +- Refreshed: + * fix_dbus.patch + * fix_hadoop.patch + * fix_init.patch + * fix_unprivuser.patch + +------------------------------------------------------------------- +Fri Mar 12 10:36:06 UTC 2021 - Ales Kedroutek + +- Adjust fix_init.patch to allow systemd to do sd-listen on + tcp socket [bsc#1183177] + +------------------------------------------------------------------- +Tue Mar 9 13:39:11 UTC 2021 - Johannes Segitz + +- Update to version 20210309 +- Refreshed + * fix_systemd.patch + * fix_selinuxutil.patch + * fix_iptables.patch + * fix_init.patch + * fix_logging.patch + * fix_nscd.patch + * fix_hadoop.patch + * fix_unconfineduser.patch + * fix_chronyd.patch + * fix_networkmanager.patch + * fix_cron.patch + * fix_usermanage.patch + * fix_unprivuser.patch + * fix_rpm.patch +- Ensure that /usr/etc is labeled according to /etc rules + +------------------------------------------------------------------- +Tue Feb 23 13:53:40 UTC 2021 - Thorsten Kukuk + +- Update to version 20210223 +- Change name of tar file to a more common schema to allow + parallel installation of several source versions +- Adjust fix_init.patch + +------------------------------------------------------------------- +Mon Jan 11 09:29:18 UTC 2021 - Thorsten Kukuk + +- Update to version 20210111 + - Drop fix_policykit.patch (integrated upstream) + - Adjust fix_iptables.patch + - update container policy + +------------------------------------------------------------------- +Tue Nov 10 08:52:35 UTC 2020 - Johannes Segitz + +- Updated fix_corecommand.patch to set correct types for the OBS + build tools + +------------------------------------------------------------------- +Thu Oct 29 08:47:51 UTC 2020 - Thorsten Kukuk + +- wicked.fc: add libexec directories +- Update to version 20201029 + - update container policy + +------------------------------------------------------------------- +Fri Oct 16 08:50:06 UTC 2020 - Thorsten Kukuk + +- Update to version 20201016 +- Use python3 to build (fc_sort.c was replaced by fc_sort.py which + uses python3) +- Drop SELINUX=disabled, "selinux=0" kernel commandline option has + to be used instead. New default is "permissive" [bsc#1176923]. + +------------------------------------------------------------------- +Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz + +- Update to version 20200910. Refreshed + * fix_authlogin.patch + * fix_nagios.patch + * fix_systemd.patch + * fix_usermanage.patch +- Delete suse_specific.patch, moved content into fix_selinuxutil.patch +- Cleanup of booleans-* presets + * Enabled + user_rw_noexattrfile + unconfined_chrome_sandbox_transition + unconfined_mozilla_plugin_transition + for the minimal policy + * Disabled + xserver_object_manager + for the MLS policy + * Disabled + openvpn_enable_homedirs + privoxy_connect_any + selinuxuser_direct_dri_enabled + selinuxuser_ping (aka user_ping) + squid_connect_any + telepathy_tcp_connect_generic_network_ports + for the targeted policy + Change your local config if you need them +- Build HTML version of manpages for the -devel package + +------------------------------------------------------------------- +Thu Sep 3 07:47:52 UTC 2020 - Johannes Segitz + +- Drop BuildRequires for python, python-xml. It's not needed anymore + +------------------------------------------------------------------- +Tue Sep 1 12:31:17 UTC 2020 - Johannes Segitz + +- Drop fix_dbus.patch_orig, was included by accident +- Drop segenxml_interpreter.patch, not used anymore + +------------------------------------------------------------------- +Tue Aug 11 14:25:58 UTC 2020 - Thorsten Kukuk + +- macros.selinux-policy: move rpm-state directory to /run and + make sure it exists + +------------------------------------------------------------------- +Wed Aug 5 11:29:05 UTC 2020 - Thorsten Kukuk + +- Cleanup spec file and follow more closely Fedora +- Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf +- Move config to /etc/selinux/config and create during %post install + to be compatible with upstream and documentation. +- Add RPM macros for SELinux (macros.selinux-policy) +- Install booleans.subs_dist +- Remove unused macros +- Sync make/install macros with Fedora spec file +- Introduce sandbox sub-package + +------------------------------------------------------------------- +Wed Jul 29 13:47:57 UTC 2020 - Thorsten Kukuk + +- Add policycoreutils-devel as BuildRequires + +------------------------------------------------------------------- +Fri Jul 17 08:30:52 UTC 2020 - Johannes Segitz + +- Update to version 20200717. Refreshed + * fix_fwupd.patch + * fix_hadoop.patch + * fix_init.patch + * fix_irqbalance.patch + * fix_logrotate.patch + * fix_nagios.patch + * fix_networkmanager.patch + * fix_postfix.patch + * fix_sysnetwork.patch + * fix_systemd.patch + * fix_thunderbird.patch + * fix_unconfined.patch + * fix_unprivuser.patch + * selinux-policy.spec +- Added update.sh to make updating easier + +------------------------------------------------------------------- +Tue Jul 14 13:18:43 UTC 2020 - Johannes Segitz + +- Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access + to accountsd dbus +- New patch: + * fix_nis.patch +- Updated patches: + * fix_postfix.patch: Transition is done in distribution specific script + +------------------------------------------------------------------- +Tue Jun 2 14:45:37 UTC 2020 - Johannes Segitz + +- Added module for wicked +- New patches: + * fix_authlogin.patch + * fix_screen.patch + * fix_unprivuser.patch + * fix_rpm.patch + * fix_apache.patch + +------------------------------------------------------------------- +Thu Mar 26 09:51:45 UTC 2020 - Johannes Segitz + +- Added module for rtorrent +- Enable snapper module in minimum policy to reduce issues on BTRFS + Updated fix_snapper.patch to prevent relabling of snapshot + +------------------------------------------------------------------- +Mon Mar 9 09:01:22 UTC 2020 - Johannes Segitz + +- New patches: + * fix_accountsd.patch + * fix_automount.patch + * fix_colord.patch + * fix_mcelog.patch + * fix_sslh.patch + * fix_nagios.patch + * fix_openvpn.patch + * fix_cron.patch + * fix_usermanage.patch + * fix_smartmon.patch + * fix_geoclue.patch + * suse_specific.patch + Default systems should now work without selinuxuser_execmod +- Removed xdm_entrypoint_pam.patch, necessary change is in + fix_unconfineduser.patch +- Enable SUSE specific settings again + +------------------------------------------------------------------- +Wed Feb 19 09:21:24 UTC 2020 - Johannes Segitz + +- Update to version 20200219 + Refreshed fix_hadoop.patch + Updated + * fix_dbus.patch + * fix_hadoop.patch + * fix_nscd.patch + * fix_xserver.patch + Renamed postfix_paths.patch to fix_postfix.patch + Added + * fix_init.patch + * fix_locallogin.patch + * fix_policykit.patch + * fix_iptables.patch + * fix_irqbalance.patch + * fix_ntp.patch + * fix_fwupd.patch + * fix_firewalld.patch + * fix_logrotate.patch + * fix_selinuxutil.patch + * fix_corecommand.patch + * fix_snapper.patch + * fix_systemd.patch + * fix_unconfined.patch + * fix_unconfineduser.patch + * fix_chronyd.patch + * fix_networkmanager.patch + * xdm_entrypoint_pam.patch +- Removed modules minimum_temp_fixes and targeted_temp_fixes + from the corresponding policies +- Reduced default module list of minimum policy by removing + apache inetd nis postfix mta modules +- Adding/removing necessary pam config automatically +- Minimum and targeted policy: Enable domain_can_mmap_files by default +- Targeted policy: Disable selinuxuser_execmem, selinuxuser_execmod and + selinuxuser_execstack to have safe defaults + +------------------------------------------------------------------- +Mon Aug 9 12:11:28 UTC 2019 - Johannes Segitz + +- Moved back to fedora policy (20190802) +- Removed spec file conditionals for old SELinux userland +- Removed config.tgz +- Removed patches: + * label_sysconfig.selinux.patch + * label_var_run_rsyslog.patch + * suse_additions_obs.patch + * suse_additions_sslh.patch + * suse_modifications_apache.patch + * suse_modifications_cron.patch + * suse_modifications_getty.patch + * suse_modifications_logging.patch + * suse_modifications_ntp.patch + * suse_modifications_usermanage.patch + * suse_modifications_virt.patch + * suse_modifications_xserver.patch + * sysconfig_network_scripts.patch + * segenxml_interpreter.patch +- Added patches: + * fix_djbdns.patch + * fix_dbus.patch + * fix_gift.patch + * fix_java.patch + * fix_hadoop.patch + * fix_thunderbird.patch + * postfix_paths.patch + * fix_nscd.patch + * fix_sysnetwork.patch + * fix_logging.patch + * fix_xserver.patch + * fix_miscfiles.patch + to fix problems with the coresponding modules +- Added sedoctool.patch to prevent build failures +- This also adds three modules: + * packagekit.(te|if|fc) + Basic (currently permissive) module for packagekit + * minimum_temp_fixes.(te|if|fc) + and + * targeted_temp_fixes.(te|if|fc) + both are currently necessary to get the systems to boot in + enforcing mode. Most of them obviosly stem from mislabeled + files, so this needs to be worked through and then removed + eventually + Also selinuxuser_execstack, selinuxuser_execmod and + domain_can_mmap_files need to be enabled. Especially the first + two are bad and should be removed ASAP + +------------------------------------------------------------------- +Thu Jul 11 12:29:29 UTC 2019 - + +- Update to refpolicy 20190609. New modules for stubby and several + systemd updates, including initial support for systemd --user + sessions. + Refreshed + * label_var_run_rsyslog.patch + * suse_modifications_cron.patch + * suse_modifications_logging.patch + * suse_modifications_ntp.patch + * suse_modifications_usermanage.patch + * suse_modifications_xserver.patch + * sysconfig_network_scripts.patch + +------------------------------------------------------------------- +Mon Feb 4 07:59:49 UTC 2019 - jsegitz@suse.com + +- Update to refpolicy 20190201. New modules for chromium, hostapd, + and sigrok and minor fixes for existing modules. + Refreshed suse_modifications_usermanage.patch + +------------------------------------------------------------------- +Wed Nov 28 15:18:28 UTC 2018 - jsegitz@suse.com + +- Change default state to disabled and disable SELinux after + uninstallation of policy to prevent unbootable system + (bsc#1108949, bsc#1109590) + +------------------------------------------------------------------- +Tue Nov 27 15:20:03 UTC 2018 - jsegitz@suse.com + +- Use refpolicy 20180701 as a base +- Dropped patches + * allow-local_login_t-read-shadow.patch + * dont_use_xmllint_in_make_conf.patch + * label_sysconfig.selinux-policy.patch + * policy-rawhide-base.patch + * policy-rawhide-contrib.patch + * suse_modifications_authlogin.patch + * suse_modifications_dbus.patch + * suse_modifications_glusterfs.patch + * suse_modifications_ipsec.patch + * suse_modifications_passenger.patch + * suse_modifications_policykit.patch + * suse_modifications_postfix.patch + * suse_modifications_rtkit.patch + * suse_modifications_selinuxutil.patch + * suse_modifications_ssh.patch + * suse_modifications_staff.patch + * suse_modifications_stapserver.patch + * suse_modifications_systemd.patch + * suse_modifications_unconfined.patch + * suse_modifications_unconfineduser.patch + * suse_modifications_unprivuser.patch + * systemd-tmpfiles.patch + * type_transition_contrib.patch + * type_transition_file_class.patch + * useradd-netlink_selinux_socket.patch + * xconsole.patch + Rebased the other patches to apply to refpolicy +- Added segenxml_interpreter.patch to not use env in shebang +- Added rpmlintrc to surpress duplicate file warnings + +------------------------------------------------------------------- +Mon Mar 26 13:18:34 UTC 2018 - rgoldwyn@suse.com + +- Add overlayfs as xattr capable (bsc#1073741) + * add-overlayfs-as-xattr-capable.patch + +------------------------------------------------------------------- +Tue Dec 12 09:07:31 UTC 2017 - jsegitz@suse.com + +- Added + * suse_modifications_glusterfs.patch + * suse_modifications_passenger.patch + * suse_modifications_stapserver.patch + to modify module name to make the current tools happy + +------------------------------------------------------------------- +Wed Nov 29 13:20:22 UTC 2017 - rbrown@suse.com + +- Repair erroneous changes introduced with %_fillupdir macro + +------------------------------------------------------------------- +Thu Nov 23 13:53:09 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Wed Mar 15 21:50:32 UTC 2017 - mwilck@suse.com + +- POLCYVER depends both on the libsemanage/policycoreutils version + and the kernel. The former is more important for us, kernel seems + to have all necessary features in Leap 42.1 already. + +- Replaced = runtime dependencies on checkpolicy/policycoreutils + with "=". 2.5 policy is not supposed to work with 2.3 tools, + The runtime policy tools need to be same the policy was built with. + +------------------------------------------------------------------- +Wed Mar 15 15:16:20 UTC 2017 - mwilck@suse.com + +- Changes required by policycoreutils update to 2.5 + * lots of spec file content needs to be conditional on + policycoreutils version. + +- Specific policycoreutils 2.5 related changes: + * modules moved from /etc/selinux to /var/lib/selinux + (https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration) + * module path now includes includes priority. Users override default + policies by setting higher priority. Thus installed policy modules can be + fully verified by RPM. + * Installed modules have a different format and path. + Raw bzip2 doesn't suffice to create them any more, but we can process them + all in a single semodule -i command. + +- Policy version depends on kernel / distro version + * do not touch policy., rather fail if it's not created + +- Enabled building mls policy for Leap (not for SLES) + +- Other + * Bug: "sandbox.disabled" should be "sandbox.pp.disabled" for old policycoreutils + * Bug: (minimum) additional modules that need to be activated: postfix + (required by apache), plymouthd (required by getty) + * Cleanup: /etc -> %{sysconfdir} etc. + +------------------------------------------------------------------- +Thu Aug 13 08:14:34 UTC 2015 - jsegitz@novell.com + +- fixed missing role assignment in cron_unconfined_role + +------------------------------------------------------------------- +Tue Aug 11 08:36:17 UTC 2015 - jsegitz@novell.com + +- Updated suse_modifications_ipsec.patch, removed dontaudits for + ipsec_mgmt_t and granted matching permissions + +------------------------------------------------------------------- +Wed Aug 5 11:31:24 UTC 2015 - jsegitz@novell.com + +- Added suse_modifications_ipsec.patch to grant additional privileges + to ipsec_mgmt_t + +------------------------------------------------------------------- +Tue Jul 21 14:56:07 UTC 2015 - jsegitz@novell.com + +- Minor changes for CC evaluation. Allow reading of /dev/random + and ipc_lock for dbus and dhcp + +------------------------------------------------------------------- +Wed Jun 24 08:27:30 UTC 2015 - jsegitz@novell.com + +- Transition from unconfined user to cron admin type +- Allow systemd_timedated_t to talk to unconfined dbus for minimal + policy (bsc#932826) +- Allow hostnamectl to set the hostname (bsc#933764) + +------------------------------------------------------------------- +Wed May 20 14:05:04 UTC 2015 - jsegitz@novell.com + +- Removed ability of staff_t and user_t to use svirt. Will reenable + this later on with a policy upgrade + Added suse_modifications_staff.patch + +------------------------------------------------------------------- +Wed Feb 25 11:38:44 UTC 2015 - jsegitz@novell.com + +- Added dont_use_xmllint_in_make_conf.patch to remove xmllint usage + in make conf. This currently breaks manual builds. +- Added BuildRequires for libxml2-tools to enable xmllint checks + once the issue mentioned above is solved + +------------------------------------------------------------------- +Thu Jan 29 09:56:40 UTC 2015 - jsegitz@novell.com + +- adjusted suse_modifications_ntp to match SUSE chroot paths + +------------------------------------------------------------------- +Wed Jan 28 09:37:06 UTC 2015 - jsegitz@novell.com + +- Added + * suse_additions_obs.patch to allow local builds by OBS + * suse_additions_sslh.patch to confine sslh +- Added suse_modifications_cron.patch to adjust crontabs contexts +- Modified suse_modifications_postfix.patch to match SUSE paths +- Modified suse_modifications_ssh.patch to bring boolean + sshd_forward_ports back +- Modified + * suse_modifications_dbus.patch + * suse_modifications_unprivuser.patch + * suse_modifications_xserver.patch + to allow users to be confined +- Added + * suse_modifications_apache.patch + * suse_modifications_ntp.patch + and modified + * suse_modifications_xserver.patch + to fix labels on startup scripts used by systemd +- Removed unused and incorrect interface dev_create_all_dev_nodes + from systemd-tmpfiles.patch +- Removed BuildRequire for selinux-policy-devel + +------------------------------------------------------------------- +Fri Jan 23 15:52:02 UTC 2015 - jsegitz@novell.com + +- Major cleanup of the spec file + +------------------------------------------------------------------- +Fri Jan 23 11:44:52 UTC 2015 - jsegitz@novell.com + +- removed suse_minimal_cc.patch and splitted them into + * suse_modifications_dbus.patch + * suse_modifications_policykit.patch + * suse_modifications_postfix.patch + * suse_modifications_rtkit.patch + * suse_modifications_unconfined.patch + * suse_modifications_systemd.patch + * suse_modifications_unconfineduser.patch + * suse_modifications_selinuxutil.patch + * suse_modifications_logging.patch + * suse_modifications_getty.patch + * suse_modifications_authlogin.patch + * suse_modifications_xserver.patch + * suse_modifications_ssh.patch + * suse_modifications_usermanage.patch +- Added suse_modifications_virt.patch to enable svirt on s390x + +------------------------------------------------------------------- +Sat Nov 08 19:17:00 UTC 2014 - Led + +- fix bashism in post script + +------------------------------------------------------------------- +Thu Sep 18 09:06:09 UTC 2014 - jsegitz@suse.com + +Redid changes done by vcizek@suse.com in SLE12 package + +- disable build of MLS policy +- removed outdated description files + * Alan_Rouse-openSUSE_with_SELinux.txt + * Alan_Rouse-Policy_Development_Process.txt + +------------------------------------------------------------------- +Mon Sep 8 09:08:19 UTC 2014 - jsegitz@suse.com + +- removed remove_duplicate_filetrans_pattern_rules.patch + +------------------------------------------------------------------- +Fri Sep 5 11:22:02 UTC 2014 - jsegitz@suse.com + +- Updated policy to include everything up until 20140730 (refpolicy and + fedora rawhide improvements). Rebased all patches that are still + necessary +- Removed permissivedomains.pp. Doesn't work with the new policy +- modified spec file so that all modifications for distro=redhat and + distro=suse will be used. +- added selinux-policy-rpmlintrc to suppress some warnings that aren't + valid for this package +- added suse_minimal_cc.patch to create a suse specific module to prevent + errors while using the minimum policy. Will rework them in the proper + places once the minimum policy is reworked to really only confine a + minimal set of domains. + +------------------------------------------------------------------- +Tue Sep 2 13:31:58 UTC 2014 - vcizek@suse.com + +- removed source files which were not used + * modules-minimum.conf, modules-mls.conf, modules-targeted.conf, + permissivedomains.fc, permissivedomains.if, permissivedomains.te, + seusers, seusers-mls, seusers-targeted, users_extra-mls, + users_extra-targeted + +------------------------------------------------------------------- +Mon Jun 2 12:08:40 UTC 2014 - vcizek@suse.com + +- remove duplicate filetrans_pattern rules + * fixes build with libsepol-2.3 + * added remove_duplicate_filetrans_pattern_rules.patch + +------------------------------------------------------------------- +Mon Dec 9 13:57:18 UTC 2013 - vcizek@suse.com + +- enable build of mls and targeted policies +- fixes to the minimum policy: +- label /var/run/rsyslog correctly + * label_var_run_rsyslog.patch +- allow systemd-tmpfiles to create devices + * systemd-tmpfiles.patch +- add rules for sysconfig + * correctly label /dev/.sysconfig/network + * added sysconfig_network_scripts.patch +- run restorecon and fixfiles only if if selinux is enabled +- fix console login + * allow-local_login_t-read-shadow.patch +- allow rsyslog to write to xconsole + * xconsole.patch +- useradd needs to call selinux_check_access (via pam_rootok) + * useradd-netlink_selinux_socket.patch + +------------------------------------------------------------------- +Mon Aug 12 02:08:15 CEST 2013 - ro@suse.de + +- fix build on factory: newer rpm does not allow to mark + non-directories as dir anymore (like symlinks in this case) + +------------------------------------------------------------------- +Thu Jul 11 11:00:14 UTC 2013 - coolo@suse.com + +- install COPYING + +------------------------------------------------------------------- +Fri Mar 22 11:52:43 UTC 2013 - vcizek@suse.com + +- switch to Fedora as upstream +- added patches: + * policy-rawhide-base.patch + * policy-rawhide-contrib.patch + * type_transition_file_class.patch + * type_transition_contrib.patch + * label_sysconfig.selinux-policy.patch + +------------------------------------------------------------------- +Tue Dec 11 13:40:27 UTC 2012 - vcizek@suse.com + +- bump up policy version to 27, due to recent libsepol update +- dropped currently unused policy-rawhide.patch +- fix installing of file_contexts (this enables restorecond to run properly) +- Recommends: audit and setools + +------------------------------------------------------------------- +Mon Dec 10 15:47:13 UTC 2012 - meissner@suse.com + +- mark included files in source + +------------------------------------------------------------------- +Mon Oct 22 18:47:00 UTC 2012 - vcizek@suse.com + +- update to 2.20120725 +- added selinux-policy-run_sepolgen_during_build.patch +- renamed patch with SUSE-specific policy to selinux-policy-SUSE.patch +- dropped policygentool and OLPC stuff + +------------------------------------------------------------------- +Wed May 9 10:01:26 UTC 2012 - coolo@suse.com + +- patch license to be in spdx.org format + +------------------------------------------------------------------- +Fri May 21 16:05:49 CEST 2010 - prusnak@suse.cz + +- use policy created by Alan Rouse + +------------------------------------------------------------------- +Sat Apr 10 23:45:17 PDT 2010 - justinmattock@gmail.com + +- Adjust selinux-policy.spec so that the policy + source tree is put in /usr/share/doc/packages/selinux-* + so users can build the policy [bnc#582404] + +------------------------------------------------------------------- +Wed Apr 7 09:59:43 UTC 2010 - thomas@novell.com + +- fixed fileperms of /etc/selinux/config to be 644 to allow + libselinux to read from it (bnc#582399) + this is also the default file mode in fedora 12 + +------------------------------------------------------------------- +Fri Jun 26 12:19:07 CEST 2009 - thomas@novell.com + +- added config file for /etc/selinux/ + +------------------------------------------------------------------- +Wed Jan 14 14:20:23 CET 2009 - prusnak@suse.cz + +- updated to version 2008.12.10 + * Fix consistency of audioentropy and iscsi module naming. + * Debian file context fix for xen from Russell Coker. + * Xserver MLS fix from Eamon Walsh. + * Add omapi port for dhcpcd. + * Deprecate per-role templates and rolemap support. + * Implement user-based access control for use as role separations. + * Move shared library calls from individual modules to the domain module. + * Enable open permission checks policy capability. + * Remove hierarchy from portage module as it is not a good example of hieararchy. + * Remove enableaudit target from modular build as semodule -DB supplants it. + * Added modules: + - milter (Paul Howarth) + +------------------------------------------------------------------- +Thu Oct 16 16:08:32 CEST 2008 - prusnak@suse.cz + +- updated to version 2008.10.14 + * Debian update for NetworkManager/wpa_supplicant from Martin Orr. + * Logrotate and Bind updates from Vaclav Ovsik. + * Init script file and domain support. + * Glibc 2.7 fix from Vaclav Ovsik. + * Samba/winbind update from Mike Edenfield. + * Policy size optimization with a non-security file attribute from James Carter. + * Database labeled networking update from KaiGai Kohei. + * Several misc changes from the Fedora policy, cherry picked by David Hardeman. + * Large whitespace fix from Dominick Grift. + * Pam_mount fix for local login from Stefan Schulze Frielinghaus. + * Issuing commands to upstart is over a datagram socket, not the initctl named pipe. + * Updated init_telinit() to match. + * Added modules: + - cyphesis (Dan Walsh) + - memcached (Dan Walsh) + - oident (Dominick Grift) + - w3c (Dan Walsh) + +------------------------------------------------------------------- +Tue Jul 22 11:57:34 CEST 2008 - prusnak@suse.cz + +- initial version 2008.07.02 from tresys + diff --git a/selinux-policy.conf b/selinux-policy.conf new file mode 100644 index 0000000..9c7256f --- /dev/null +++ b/selinux-policy.conf @@ -0,0 +1,3 @@ +z /sys/devices/system/cpu/online - - - +Z /sys/class/net - - - +z /sys/kernel/uevent_helper - - - diff --git a/selinux-policy.spec b/selinux-policy.spec new file mode 100644 index 0000000..9b0370c --- /dev/null +++ b/selinux-policy.spec @@ -0,0 +1,656 @@ +# +# spec file for package selinux-policy +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +# There are almost no SUSE specific modifications available in the policy, so we utilize the +# ones used by redhat and include also the SUSE specific ones (distro_suse_to_distro_redhat.patch) +%define distro redhat +%define ubac n +%define polyinstatiate n +%define monolithic n +%define BUILD_TARGETED 1 +%define BUILD_MINIMUM 1 +%define BUILD_MLS 1 + +%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils) +%define CHECKPOLICYVER %POLICYCOREUTILSVER + +Summary: SELinux policy configuration +License: GPL-2.0-or-later +Group: System/Management +Name: selinux-policy +Version: 20240808 +Release: 0 +Source0: %{name}-%{version}.tar.xz +Source1: container.fc +Source2: container.te +Source3: container.if +Source4: selinux-policy-rpmlintrc +Source5: README.Update +Source6: update.sh +Source7: debug-build.sh + +Source10: modules-targeted-base.conf +Source11: modules-targeted-contrib.conf +Source12: modules-mls-base.conf +Source13: modules-mls-contrib.conf +Source14: modules-minimum-base.conf +Source15: modules-minimum-contrib.conf +Source18: modules-minimum-disable.lst + +Source20: booleans-targeted.conf +Source21: booleans-mls.conf +Source22: booleans-minimum.conf +Source23: booleans.subs_dist + +Source30: setrans-targeted.conf +Source31: setrans-mls.conf +Source32: setrans-minimum.conf + +# Script to convert /var/run file context entries to /run +Source37: varrun-convert.sh + +Source40: securetty_types-targeted +Source41: securetty_types-mls +Source42: securetty_types-minimum + +Source50: users-targeted +Source51: users-mls +Source52: users-minimum + +Source60: selinux-policy.conf + +Source91: Makefile.devel +Source92: customizable_types +#Source93: config.tgz +Source94: file_contexts.subs_dist +Source95: macros.selinux-policy + +URL: https://github.com/fedora-selinux/selinux-policy.git +BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildArch: noarch +%if 0%{?suse_version} < 1600 +%define python_for_executables python311 +BuildRequires: %{python_for_executables} +BuildRequires: %{python_for_executables}-policycoreutils +%else +BuildRequires: %primary_python +BuildRequires: %{python_module policycoreutils} +%endif +BuildRequires: checkpolicy +BuildRequires: gawk +BuildRequires: libxml2-tools +BuildRequires: m4 +BuildRequires: policycoreutils +BuildRequires: policycoreutils-devel +# we need selinuxenabled +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): pam-config +Requires(posttrans): pam-config +Requires(posttrans): selinux-tools +Requires(posttrans): /usr/bin/sha512sum +Recommends: audit +Recommends: selinux-tools +# for audit2allow +Recommends: python3-policycoreutils +Recommends: container-selinux +Recommends: policycoreutils-python-utils +Recommends: selinux-autorelabel + +%define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 + +%define makeCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ +cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ +cp -f selinux_config/users-%1 ./policy/users \ +#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ + +%define makeModulesConf() \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ +if [ %3 == "contrib" ];then \ + cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ + cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ +fi; \ + +%define installCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ +%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ +%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ +install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ +install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ +install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ +cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \ +rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ +%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ +rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ +%nil + +%define fileList() \ +%defattr(-,root,root) \ +%dir %{_sysconfdir}/selinux/%1 \ +%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ +%dir %{_sysconfdir}/selinux/%1/logins \ +%dir %{_sharedstatedir}/selinux/%1/active \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ +%dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \ +%dir %{_sharedstatedir}/selinux/%1/active/modules/100 \ +%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \ +%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ +%dir %{_sysconfdir}/selinux/%1/policy/ \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \ +%{_sysconfdir}/selinux/%1/.policy.sha512 \ +%dir %{_sysconfdir}/selinux/%1/contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ +%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ +%dir %{_sysconfdir}/selinux/%1/contexts/files \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ +%{_sysconfdir}/selinux/%1/booleans.subs_dist \ +%config %{_sysconfdir}/selinux/%1/contexts/files/media \ +%dir %{_sysconfdir}/selinux/%1/contexts/users \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ +%dir %{_datadir}/selinux/%1 \ +%dir %{_datadir}/selinux/packages/%1 \ +%{_datadir}/selinux/%1/base.lst \ +%{_datadir}/selinux/%1/modules-base.lst \ +%{_datadir}/selinux/%1/modules-contrib.lst \ +%{_datadir}/selinux/%1/nonbasemodules.lst \ +%dir %{_sharedstatedir}/selinux/%1 \ +%{_sharedstatedir}/selinux/%1/active/commit_num \ +%{_sharedstatedir}/selinux/%1/active/users_extra \ +%{_sharedstatedir}/selinux/%1/active/homedir_template \ +%{_sharedstatedir}/selinux/%1/active/seusers \ +%{_sharedstatedir}/selinux/%1/active/file_contexts \ +%{_sharedstatedir}/selinux/%1/active/policy.kern \ +%{_sharedstatedir}/selinux/%1/active/modules_checksum \ +%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ +%nil + +%define relabel() \ +. %{_sysconfdir}/selinux/config; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +if selinuxenabled; then \ + if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ + %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ + rm -f ${FILE_CONTEXT}.pre; \ + fi; \ + if /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null;then \ + continue; \ + fi; \ +fi; + +%define preInstall() \ +if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ + [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ + fi; \ + touch %{_sysconfdir}/selinux/%1/.rebuild; \ + if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \ + POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \ + sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ + checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \ + if [ "$sha512" == "$checksha512" ] ; then \ + rm %{_sysconfdir}/selinux/%1/.rebuild; \ + fi; \ + fi; \ +fi; + +%define postInstall() \ +. %{_sysconfdir}/selinux/config; \ +%{_libexecdir}/selinux/varrun-convert.sh %2; \ +if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ + rm %{_sysconfdir}/selinux/%2/.rebuild; \ + /usr/sbin/semodule -B -n -s %2; \ +fi; \ +if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \ + touch /etc/selinux/.autorelabel \ +else \ + if [ "${SELINUXTYPE}" = "%2" ]; then \ + if selinuxenabled; then \ + load_policy; \ + else \ + # probably a first install of the policy \ + true; \ + fi; \ + fi; \ + if selinuxenabled; then \ + if [ %1 -eq 1 ]; then \ + /sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ + else \ + %relabel %2 \ + fi; \ + else \ + # run fixfiles on next boot \ + touch /.autorelabel \ + fi; \ +fi; + +%define modulesList() \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \ +if [ -e ./policy/modules-contrib.conf ];then \ + awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \ +fi; + +%define nonBaseModulesList() \ +contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \ +base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \ +for i in $contrib_modules $base_modules; do \ + if [ $i != "sandbox" ];then \ + echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ + fi; \ +done; + +%description +A complete SELinux policy that can be used as the system policy for a variety +of systems and used as the basis for creating other policies. + +%files +%defattr(-,root,root,-) +%license COPYING +%dir %{_datadir}/selinux +%dir %{_datadir}/selinux/packages +%dir %{_sysconfdir}/selinux +%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%{_tmpfilesdir}/selinux-policy.conf +%{_rpmconfigdir}/macros.d/macros.selinux-policy +%{_libexecdir}/selinux/varrun-convert.sh + +%package sandbox +Summary: SELinux policy sandbox +Group: System/Management +Requires(pre): selinux-policy-targeted = %{version}-%{release} + +%description sandbox +SELinux sandbox policy used for the policycoreutils-sandbox package + +%files sandbox +%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp + +%post sandbox +rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null +rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null +%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy +fi; +exit 0 + +%preun sandbox +if [ $1 -eq 0 ] ; then + %{_sbindir}/semodule -n -d sandbox 2>/dev/null + if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy + fi; +fi; +exit 0 + +%prep + +# set up selinux-policy +%autosetup -n %{name}-%{version} -p1 + +# dirty hack for container-selinux, because selinux-policy won't build without it +# upstream does not want to include it in main policy tree: +# see discussion in https://github.com/containers/container-selinux/issues/186 +for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do + cp $i policy/modules/services/ +done + +%build + +%install +mkdir -p %{buildroot}%{_sysconfdir}/selinux +touch %{buildroot}%{_sysconfdir}/selinux/config +mkdir -p %{buildroot}%{_tmpfilesdir} +cp %{SOURCE60} %{buildroot}%{_tmpfilesdir} + +# Adjust and install RPM macro file +mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d +install -m 644 %{SOURCE95} %{buildroot}%{_rpmconfigdir}/macros.d/ +sed -i 's|SELINUXPOLICYVERSION|%{version}-%{release}|' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy +sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy + +# Always create policy module package directories +mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ +mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ + +mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/ + +mkdir selinux_config +for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do + cp $i selinux_config +done + +mkdir -p %{buildroot}%{_libexecdir}/selinux +install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux + +make clean +%if %{BUILD_TARGETED} +%makeCmds targeted mcs allow +%makeModulesConf targeted base contrib +%installCmds targeted mcs allow +# recreate sandbox.pp +rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox +%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp +mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp +%modulesList targeted +%nonBaseModulesList targeted +%endif + +%if %{BUILD_MINIMUM} +%makeCmds minimum mcs allow +%makeModulesConf targeted base contrib +%installCmds minimum mcs allow +install -m0644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst +# Sandbox is only targeted +rm -f %{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp +rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox +%modulesList minimum +%nonBaseModulesList minimum +%endif + +%if %{BUILD_MLS} +%makeCmds mls mls deny +%makeModulesConf mls base contrib +%installCmds mls mls deny +%modulesList mls +%nonBaseModulesList mls +%endif + +# Install devel +mkdir -p %{buildroot}%{_mandir} +cp -R man/* %{buildroot}%{_mandir} +make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs +make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers +mkdir %{buildroot}%{_datadir}/selinux/devel/ +mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include +install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile +install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ +install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ +%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} +mkdir %{buildroot}%{_datadir}/selinux/devel/html +mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html +mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html +rm %{buildroot}%{_mandir}/man8/container_selinux.8* +rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if + +%post +if [ ! -s %{_sysconfdir}/selinux/config ]; then + # new install, use old sysconfig file if that exists, + # else create new one. + if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then + mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config + else + echo " +# This file controls the state of SELinux on the system. +# SELinux can be completly disabled with the \"selinux=0\" kernel +# commandline option. +# +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +SELINUX=permissive +# SELINUXTYPE= can take one of these three values: +# targeted - Targeted processes are protected, +# minimum - Modification of targeted policy. Only selected processes are protected. +# mls - Multi Level Security protection. +SELINUXTYPE=targeted + +" > %{_sysconfdir}/selinux/config + fi + ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy + %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : +fi +%tmpfiles_create %_tmpfilesdir/selinux-policy.conf +if [ $1 -eq 1 ]; then + pam-config -a --selinux +fi +exit 0 + +%define post_un() \ +# disable selinux if we uninstall a policy and it's the used one \ +if [ $1 -eq 0 ]; then \ + if [ -s %{_sysconfdir}/selinux/config ]; then \ + source %{_sysconfdir}/selinux/config &> /dev/null || true \ + fi \ + if [ "$SELINUXTYPE" = "$2" ]; then \ + %{_sbindir}/setenforce 0 2> /dev/null \ + if [ -s %{_sysconfdir}/selinux/config ]; then \ + sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \ + fi \ + fi \ + pam-config -d --selinux \ +fi \ +exit 0 + +%postun +if [ $1 = 0 ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ -s %{_sysconfdir}/selinux/config ]; then + sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config + fi +fi +exit 0 + +%package devel +Summary: SELinux policy devel +Group: System/Management +Requires(pre): selinux-policy = %{version}-%{release} +Requires: /usr/bin/make +Requires: checkpolicy >= %{CHECKPOLICYVER} +Requires: m4 + +%description devel +SELinux policy development and man page package + +%files devel +%defattr(-,root,root,-) +%doc %{_datadir}/man/ru/man8/* +%doc %{_datadir}/man/man8/* +%dir %{_datadir}/selinux/devel +%dir %{_datadir}/selinux/devel/html/ +%doc %{_datadir}/selinux/devel/html/* +%dir %{_datadir}/selinux/devel/include +%{_datadir}/selinux/devel/include/* +%{_datadir}/selinux/devel/Makefile +%{_datadir}/selinux/devel/example.* + +%package doc +Summary: SELinux policy documentation +Group: System/Management +Requires(pre): selinux-policy = %{version}-%{release} +Requires: /usr/bin/xdg-open + +%description doc +SELinux policy documentation package + +%files doc +%defattr(-,root,root,-) +%doc %{_datadir}/doc/%{name} +%{_datadir}/selinux/devel/policy.* + +%if %{BUILD_TARGETED} +%package targeted +Summary: SELinux targeted base policy +Group: System/Management +Provides: selinux-policy-base = %{version}-%{release} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} + +%description targeted +SELinux policy targeted base module. + +%pre targeted +%preInstall targeted + +%posttrans targeted +%postInstall $1 targeted +exit 0 + +%postun targeted +%post_un $1 targeted + +%triggerin -- libpcre2-8-0 +%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB +exit 0 + +%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u +%fileList targeted +%endif + +%if %{BUILD_MINIMUM} +%package minimum +Summary: SELinux minimum base policy +Group: System/Management +Provides: selinux-policy-base = %{version}-%{release} +Requires(post): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): /usr/bin/awk +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} + +%description minimum +SELinux policy minimum base module. + +%pre minimum +%preInstall minimum +if [ $1 -ne 1 ]; then + %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst +fi + +%post minimum +contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst` +basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst` +mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null +if [ $1 -eq 1 ]; then + for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + done + for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + done + %{_sbindir}/semanage import -S minimum -f - << __eof +login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ +login -m -s unconfined_u -r s0-s0:c0.c1023 root +__eof + /sbin/restorecon -R /root /var/log /var/run 2> /dev/null + %{_sbindir}/semodule -B -s minimum +else + instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst` + for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + done + for p in $instpackages snapper dbus kerberos nscd rtkit; do + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + done + %{_sbindir}/semodule -B -s minimum + %relabel minimum +fi +exit 0 + +%postun minimum +%post_un $1 minimum + +%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u +%{_datadir}/selinux/minimum/modules-minimum-disable.lst +%fileList minimum +%endif + +%if %{BUILD_MLS} +%package mls +Summary: SELinux mls base policy +Group: System/Management +Provides: selinux-policy-base = %{version}-%{release} +Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} +Requires: setransd +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} + +%description mls +SELinux policy mls base module. + +%pre mls +%preInstall mls + +%posttrans mls +%postInstall $1 mls + +%postun mls +%post_un $1 mls + +%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u +%fileList mls +%endif + +%changelog diff --git a/setrans-minimum.conf b/setrans-minimum.conf new file mode 100644 index 0000000..77c700c --- /dev/null +++ b/setrans-minimum.conf @@ -0,0 +1,19 @@ +# +# Multi-Category Security translation table for SELinux +# +# Uncomment the following to disable translation libary +# disable=1 +# +# Objects can be categorized with 0-1023 categories defined by the admin. +# Objects can be in more than one category at a time. +# Categories are stored in the system as c0-c1023. Users can use this +# table to translate the categories into a more meaningful output. +# Examples: +# s0:c0=CompanyConfidential +# s0:c1=PatientRecord +# s0:c2=Unclassified +# s0:c3=TopSecret +# s0:c1,c3=CompanyConfidentialRedHat +s0=SystemLow +s0-s0:c0.c1023=SystemLow-SystemHigh +s0:c0.c1023=SystemHigh diff --git a/setrans-mls.conf b/setrans-mls.conf new file mode 100644 index 0000000..57e7e3d --- /dev/null +++ b/setrans-mls.conf @@ -0,0 +1,52 @@ +# +# Multi-Level Security translation table for SELinux +# +# Uncomment the following to disable translation libary +# disable=1 +# +# Objects can be labeled with one of 16 levels and be categorized with 0-1023 +# categories defined by the admin. +# Objects can be in more than one category at a time. +# Users can modify this table to translate the MLS labels for different purpose. +# +# Assumptions: using below MLS labels. +# SystemLow +# SystemHigh +# Unclassified +# Secret with compartments A and B. +# +# SystemLow and SystemHigh +s0=SystemLow +s15:c0.c1023=SystemHigh +s0-s15:c0.c1023=SystemLow-SystemHigh + +# Unclassified level +s1=Unclassified + +# Secret level with compartments +s2=Secret +s2:c0=A +s2:c1=B + +# ranges for Unclassified +s0-s1=SystemLow-Unclassified +s1-s2=Unclassified-Secret +s1-s15:c0.c1023=Unclassified-SystemHigh + +# ranges for Secret with compartments +s0-s2=SystemLow-Secret +s0-s2:c0=SystemLow-Secret:A +s0-s2:c1=SystemLow-Secret:B +s0-s2:c0,c1=SystemLow-Secret:AB +s1-s2:c0=Unclassified-Secret:A +s1-s2:c1=Unclassified-Secret:B +s1-s2:c0,c1=Unclassified-Secret:AB +s2-s2:c0=Secret-Secret:A +s2-s2:c1=Secret-Secret:B +s2-s2:c0,c1=Secret-Secret:AB +s2-s15:c0.c1023=Secret-SystemHigh +s2:c0-s2:c0,c1=Secret:A-Secret:AB +s2:c0-s15:c0.c1023=Secret:A-SystemHigh +s2:c1-s2:c0,c1=Secret:B-Secret:AB +s2:c1-s15:c0.c1023=Secret:B-SystemHigh +s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh diff --git a/setrans-targeted.conf b/setrans-targeted.conf new file mode 100644 index 0000000..77c700c --- /dev/null +++ b/setrans-targeted.conf @@ -0,0 +1,19 @@ +# +# Multi-Category Security translation table for SELinux +# +# Uncomment the following to disable translation libary +# disable=1 +# +# Objects can be categorized with 0-1023 categories defined by the admin. +# Objects can be in more than one category at a time. +# Categories are stored in the system as c0-c1023. Users can use this +# table to translate the categories into a more meaningful output. +# Examples: +# s0:c0=CompanyConfidential +# s0:c1=PatientRecord +# s0:c2=Unclassified +# s0:c3=TopSecret +# s0:c1,c3=CompanyConfidentialRedHat +s0=SystemLow +s0-s0:c0.c1023=SystemLow-SystemHigh +s0:c0.c1023=SystemHigh diff --git a/update.sh b/update.sh new file mode 100644 index 0000000..056b1ea --- /dev/null +++ b/update.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +date=$(date '+%Y%m%d') +base_name_pattern='selinux-policy-*.tar.xz' +echo Update to $date + +old_tar_file=$(ls -1 $base_name_pattern) + +osc service manualrun + +if [ "$1" = "full" ]; then + echo doing full update including container-selinux + rm -rf container-selinux + git clone --depth 1 https://github.com/containers/container-selinux.git + rm -f container.* + mv container-selinux/container.* . + rm -rf container-selinux +fi + +# delete old files. Might need a better sanity check +tar_cnt=$(ls -1 $base_name_pattern | wc -l) +if [ $tar_cnt -gt 1 ]; then + echo delte old file $old_tar_file + rm "$old_tar_file" + osc addremove +fi + +osc status diff --git a/users-minimum b/users-minimum new file mode 100644 index 0000000..8ccacae --- /dev/null +++ b/users-minimum @@ -0,0 +1,39 @@ +################################## +# +# Core User configuration. +# + +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# +# Note: Identities without a prefix wil not be listed +# in the users_extra file used by genhomedircon. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/users-mls b/users-mls new file mode 100644 index 0000000..167ba7c --- /dev/null +++ b/users-mls @@ -0,0 +1,40 @@ +################################## +# +# Core User configuration. +# + +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# +# Note: Identities without a prefix wil not be listed +# in the users_extra file used by genhomedircon. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(guest_u, user, guest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/users-targeted b/users-targeted new file mode 100644 index 0000000..e943336 --- /dev/null +++ b/users-targeted @@ -0,0 +1,41 @@ +################################## +# +# Core User configuration. +# + +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# +# Note: Identities without a prefix wil not be listed +# in the users_extra file used by genhomedircon. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(guest_u, user, guest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/varrun-convert.sh b/varrun-convert.sh new file mode 100644 index 0000000..270ce1e --- /dev/null +++ b/varrun-convert.sh @@ -0,0 +1,105 @@ +#!/bin/bash +### varrun-convert.sh +### convert legacy filecontext entries containing /var/run to /run +### and load an extra selinux module with the new content +### the script takes a policy name as an argument + +# Set DEBUG=yes before running the script to get more verbose output +# on the terminal and to the $LOG file +if [ "${DEBUG}" = "yes" ]; then + set -x +fi + +# Auxiliary and log files will be created in OUTPUTDIR +OUTPUTDIR="/run/selinux-policy" +LOG="$OUTPUTDIR/log" +mkdir -p ${OUTPUTDIR} + +if [ -z ${1} ]; then + [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG + exit +fi + +SEMODULEOPT="-s ${1}" +[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}" + +# Take current file_contexts and unify whitespace separators +FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts" +FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified" +if [ ! -f ${FILE_CONTEXTS} ]; then + [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG + exit +fi + +if ! grep -q ^/var/run ${FILE_CONTEXTS}; then + [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG + exit 0 +fi + +EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt" +EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp" +EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt" +EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil" + +# Print only /var/run entries +grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP} + +# Unify whitespace separators +sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP} +sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED} + +rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP +touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP +# Deduplicate already existing /var/run=/run entries +while read line +do + subline="${line#/var}" + if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then + # check for overal duplicate entries + subline2=$(echo $line | sed -E -e 's/ \S+$//') + if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then + echo "$line" + echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP + else + >&2 echo "DUP: $line" + fi + fi +done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES} + +# Change /var/run to /run +sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES} + +# Exception handling: packages with already duplicate entries +sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES} +sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES} +sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES} + +# Change format to cil +sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES} + +# Handle entries with <> which do not match previous regexps +sed -i s'/ <>$/ ())/' ${EXTRA_VARRUN_ENTRIES} + +# Wrap each line with an optional block +i=1 +while read line +do + echo "(optional extra_var_run_${i}" + echo " $line" + echo ")" + ((i++)) +done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL} + +# Load module +[ -s ${EXTRA_VARRUN_CIL} ] && +/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL} +