pool/selinux-policy
SHA256
11
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main pool:devel
..
compare: pool:slfo-main
Branches Tags
pool:slfo-1.2 pool:slfo-main pool:factory pool:devel

1 Commits
factory ... slfo-main

Author SHA256 Message Date
Adrian Schröter
ffea25ac5c Sync changes to SLFO-1.2 branch 2025-08-20 17:59:08 +02:00
36 changed files with 1148 additions and 9560 deletions
Expand all files Collapse all files

6
_service
View File

@@ -1,11 +1,13 @@
<services>
<service name="tar_scm" mode="manual">
<param name="version">1</param>
<param name="versionformat">%cd</param>
<param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param>
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
<param name="scm">git</param>
<param name="changesgenerate">enable</param>
<param name="revision">factory</param>
<param name="match-tag">release-20250627</param>
<param name="versionrewrite-pattern">release-(.*)</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service name="recompress" mode="manual">
<param name="compression">xz</param>

8
_servicedata
View File

@@ -1,10 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
<param name="changesrevision">6e8cf2b0a771eddc3ae1bee3be0042bd3d9d8ba1</param></service><service name="tar_scm">
<param name="url">https://github.com/containers/container-selinux.git</param>
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
<param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
<param name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service><service name="tar_scm">
<param name="url">https://gitlab.suse.de/cahu/selinux-policy.git</param>
<param name="changesrevision">dd1ff3c6a1e2c1f22ddd13039191ea458d7fcc8d</param></service></servicedata>
<param name="changesrevision">15675827ab60cadbfa09c9c74505ad34032ffe33</param></service></servicedata>

232
booleans-minimum.conf
View File

@@ -1,232 +0,0 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

232
booleans-mls.conf
View File

@@ -1,232 +0,0 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = false
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = false

232
booleans-targeted.conf
View File

@@ -1,232 +0,0 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = true
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

54
booleans.subs_dist
View File

@@ -1,54 +0,0 @@
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
allow_daemons_use_tty daemons_use_tty
allow_domain_fd_use domain_fd_use
allow_execheap selinuxuser_execheap
allow_execmod selinuxuser_execmod
allow_execstack selinuxuser_execstack
allow_ftpd_anon_write ftpd_anon_write
allow_ftpd_full_access ftpd_full_access
allow_ftpd_use_cifs ftpd_use_cifs
allow_ftpd_use_nfs ftpd_use_nfs
allow_gssd_read_tmp gssd_read_tmp
allow_guest_exec_content guest_exec_content
allow_httpd_anon_write httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam httpd_mod_auth_pam
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
allow_kerberos kerberos_enabled
allow_mplayer_execstack mplayer_execstack
allow_mount_anyfile mount_anyfile
allow_nfsd_anon_write nfsd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
allow_rsync_anon_write rsync_anon_write
allow_saslauthd_read_shadow saslauthd_read_shadow
allow_secadm_exec_content secadm_exec_content
allow_smbd_anon_write smbd_anon_write
allow_ssh_keysign ssh_keysign
allow_staff_exec_content staff_exec_content
allow_sysadm_exec_content sysadm_exec_content
allow_user_exec_content user_exec_content
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
allow_write_xshm xserver_clients_write_xshm
allow_xguest_exec_content xguest_exec_content
allow_xserver_execmem xserver_execmem
allow_ypbind nis_enabled
allow_zebra_write_config zebra_write_config
user_direct_dri selinuxuser_direct_dri_enabled
user_ping selinuxuser_ping
user_share_music selinuxuser_share_music
user_tcp_server selinuxuser_tcp_server
sepgsql_enable_pitr_implementation postgresql_can_rsync
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
clamd_use_jit antivirus_use_jit
amavis_use_jit antivirus_use_jit
logwatch_can_sendmail logwatch_can_network_connect_mail
puppet_manage_all_files puppetagent_manage_all_files
virt_sandbox_use_nfs virt_use_nfs

7
container.fc
View File

@@ -92,6 +92,8 @@
# Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
/var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/ramalama(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/artifacts(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -109,6 +111,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/atomic(/.*)? <<none>>
/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
/var/lib/containers/storage/artifacts(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -131,7 +134,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet/pod-resources(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0)
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
@@ -142,6 +145,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/crio(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
@@ -162,6 +166,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)

4
container.if
View File

@@ -512,6 +512,7 @@ interface(`container_filetrans_named_content',`
files_pid_filetrans($1, container_var_run_t, dir, "containers")
files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
logging_log_filetrans($1, container_log_t, dir, "lxc")
files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
files_var_lib_filetrans($1, container_file_t, dir, "origin")
@@ -536,6 +537,7 @@ interface(`container_filetrans_named_content',`
# workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work)
filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "artifacts")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
@@ -561,6 +563,8 @@ interface(`container_filetrans_named_content',`
# Third-party snapshotters
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "artifacts")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")

35
container.te
View File

@@ -1,7 +1,8 @@
policy_module(container, 2.232.1)
policy_module(container, 2.238.0)
gen_require(`
class passwd rootok;
type system_conf_t;
')
########################################
@@ -757,6 +758,7 @@ tunable_policy(`container_connect_any',`
#
allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
role system_r types spc_t;
dontaudit spc_t self:memprotect mmap_zero;
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
@@ -807,6 +809,10 @@ optional_policy(`
allow daemon spc_t:dbus send_msg;
')
optional_policy(`
rtkit_scheduled(spc_t)
')
optional_policy(`
virt_transition_svirt_sandbox(spc_t, system_r)
virt_sandbox_entrypoint(spc_t)
@@ -979,6 +985,7 @@ allow container_domain container_runtime_domain:socket_class_set { accept append
kernel_getattr_proc(container_domain)
kernel_list_all_proc(container_domain)
kernel_mounton_all_proc(container_domain)
kernel_read_all_sysctls(container_domain)
kernel_dontaudit_write_kernel_sysctl(container_domain)
kernel_read_network_state(container_domain)
@@ -1252,6 +1259,7 @@ logging_read_all_logs(container_logreader_t)
allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
logging_read_audit_log(container_logreader_t)
logging_list_logs(container_logreader_t)
allow container_logreader_t container_log_t:file watch;
# Container Logwriter
container_domain_template(container_logwriter, container)
@@ -1261,6 +1269,7 @@ manage_files_pattern(container_logwriter_t, logfile, logfile)
manage_dirs_pattern(container_logwriter_t, logfile, logfile)
manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
logging_manage_audit_log(container_logwriter_t)
allow container_logwriter_t container_log_t:file watch;
optional_policy(`
gen_require(`
@@ -1450,11 +1459,14 @@ allow container_engine_t sysctl_t:{dir file} mounton;
allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
allow container_engine_t fusefs_t:file relabelto;
allow container_engine_t kernel_t:system module_request;
allow container_engine_t null_device_t:chr_file mounton;
allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
allow container_engine_t random_device_t:chr_file mounton;
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
allow container_engine_t urandom_device_t:chr_file mounton;
allow container_engine_t zero_device_t:chr_file mounton;
allow container_engine_t container_file_t:sock_file mounton;
allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
allow container_engine_t devpts_t:chr_file setattr;
manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
@@ -1483,6 +1495,17 @@ application_executable_file(kubelet_exec_t)
can_exec(container_runtime_t, kubelet_exec_t)
allow kubelet_t kubelet_exec_t:file entrypoint;
type kubelet_var_lib_t;
files_type(kubelet_var_lib_t)
manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")
ifdef(`enable_mcs',`
init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
')
@@ -1516,10 +1539,12 @@ allow container_device_t device_node:chr_file rw_chr_file_perms;
# Standard container which needs to be allowed to use any device and
# communicate with kubelet
container_domain_template(container_device_plugin, container)
typeattribute container_device_plugin_t container_net_domain;
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_t)
kernel_read_debugfs(container_device_plugin_t)
container_kubelet_stream_connect(container_device_plugin_t)
stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t)
# Standard container which needs to be allowed to use any device and
# modify kubelet configuration
@@ -1592,6 +1617,8 @@ allow container_domain container_ro_file_t:file { entrypoint execmod execute exe
allow container_domain container_var_lib_t:file entrypoint;
allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
allow install_t container_runtime_t:process2 { nnp_transition nosuid_transition };
corecmd_entrypoint_all_executables(container_kvm_t)
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain mountpoint:file entrypoint;
@@ -1600,3 +1627,7 @@ tunable_policy(`deny_ptrace',`',`
allow container_domain self:process ptrace;
allow spc_t self:process ptrace;
')
# netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it.
# https://issues.redhat.com/browse/RHEL-91380
files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d")

13
customizable_types
View File

@@ -1,13 +0,0 @@
sandbox_file_t
svirt_image_t
svirt_home_t
svirt_lxc_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_rw_content_t
httpd_user_ra_content_t
httpd_user_content_t
git_session_content_t
home_bin_t
user_tty_device_t

2
debug-build.sh
View File

@@ -23,7 +23,7 @@ VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)
# Create tar file with name like selinux-policy-<current-version>.tar.xz
TAR_NAME=$REPO_NAME-$VERSION.tar.xz
echo "Creating tar file: $TAR_NAME"
tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
tar --exclude-vcs -cJhf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
# Some helpful prompts
if test $? -eq 0; then

22
file_contexts.subs_dist
View File

@@ -1,22 +0,0 @@
/var/run /run
/var/lock /run/lock
/var/run/lock /var/lock
/lib /usr/lib
/lib64 /usr/lib
/usr/lib64 /usr/lib
/usr/local /usr
/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/etc/systemd/system /usr/lib/systemd/system
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/run/systemd/generator.early /usr/lib/systemd/system
/run/systemd/generator.late /usr/lib/systemd/system
/var/lib/xguest/home /home
/var/run/netconfig /etc
/var/adm/netconfig/md5/etc /etc
/var/adm/netconfig/md5/var /var
/usr/etc /etc
/bin /usr/bin
/sbin /usr/bin
/usr/sbin /usr/bin

10
macros.selinux-policy
View File

@@ -117,9 +117,13 @@ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
if [ -f %{_file_context_file_pre} ] && [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
%{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
rm -f %{_file_context_file_pre} \
if [ -f %{_file_context_file_pre} ]; then \
if [ -z "${TRANSACTIONAL_UPDATE}" ]; then \
%{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
rm -f %{_file_context_file_pre} \
else \
touch /etc/selinux/.autorelabel \
fi \
fi \
fi \
%{nil}

414
modules-minimum-base.conf
View File

@@ -1,414 +0,0 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
#
unconfineduser = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: admin
# Module: rpm
#
# Policy for the RPM package manager.
#
rpm = module
# Layer: contrib
# Module: packagekit
#
# Temporary permissive module for packagekit
#
packagekit = module
# Layer: services
# Module: nscd
#
# Name service cache daemon
#
nscd = module

2609
modules-minimum-contrib.conf
View File

File diff suppressed because it is too large Load Diff

1
modules-minimum-disable.lst
View File

@@ -1 +0,0 @@
abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs

52
modules-minimum.lst Normal file
View File

@@ -0,0 +1,52 @@
apache
application
auditadm
authlogin
base
bootloader
clock
dbus
dmesg
fstools
getty
hostname
inetd
init
ipsec
iptables
kerberos
libraries
locallogin
logadm
logging
lvm
miscfiles
modutils
mount
mta
netlabel
netutils
nis
postgresql
rpm
secadm
selinuxutil
setrans
seunshare
snapper
ssh
staff
su
sudo
sysadm
sysadm_secadm
sysnetwork
systemd
udev
unconfined
unconfineduser
unlabelednet
unprivuser
userdomain
usermanage
xserver

380
modules-mls-base.conf
View File

@@ -1,380 +0,0 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module

1581
modules-mls-contrib.conf
View File

File diff suppressed because it is too large Load Diff

421
modules-targeted-base.conf
View File

@@ -1,421 +0,0 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
#
unconfineduser = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: contrib
# Module: packagekit
#
# Temporary permissive module for packagekit
#
packagekit = module
# Layer: contrib
# Module: rtorrent
#
# Policy for rtorrent
#
rtorrent = module
# Layer: contrib
# Module: wicked
#
# Policy for wicked
#
wicked = module
# Layer: system
# Module: rebootmgr
#
# Policy for rebootmgr
#
rebootmgr = module

2699
modules-targeted-contrib.conf
View File

File diff suppressed because it is too large Load Diff

4
securetty_types-minimum
View File

@@ -1,4 +0,0 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

6
securetty_types-mls
View File

@@ -1,6 +0,0 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t

4
securetty_types-targeted
View File

@@ -1,4 +0,0 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

3
selinux-policy-20241105.tar.xz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e5ea1d19388cfee6c2d8b7c95a17bf541872cec56ca3d761f501ef1487ecc5b9
size 775060

BIN
selinux-policy-20250627+git66.15675827a.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

9
selinux-policy-rpmlintrc
View File

@@ -1,9 +0,0 @@
addFilter("W: non-conffile-in-etc.*")
addFilter("W: zero-length /etc/selinux/.*")
addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
addFilter("W: files-duplicate")
addFilter("E: files-duplicated-waste")
addFilter("W: zero-length")

1139
selinux-policy.changes
View File

File diff suppressed because it is too large Load Diff

14
selinux-policy.rpmlintrc Normal file
View File

@@ -0,0 +1,14 @@
# SELinux policy packaging places a lot of files under /etc. This is by
# necessity at the moment, might get improved in the future.
addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* W: non-conffile-in-etc.*")
# Zero length files
addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* zero-length /etc/selinux/.*")
addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* zero-length /var/lib/selinux/.*")
# Hidden sha512 file
addFilter("selinux-policy-(targeted|minimum|mls|sandbox).* hidden-file-or-dir /etc/selinux/(targeted|minimum|mls|sandbox)/.policy.sha512")
# No check section needed
addFilter("W: no-%check-section")

302
selinux-policy.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package selinux-policy
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -36,51 +36,25 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
Version: 20241105
Version: 20250627+git66.15675827a
Release: 0
Source0: %{name}-%{version}.tar.xz
Source1: container.fc
Source2: container.te
Source3: container.if
Source4: selinux-policy-rpmlintrc
Source4: selinux-policy.rpmlintrc
Source5: README.Update
Source6: update.sh
Source7: debug-build.sh
Source10: modules-targeted-base.conf
Source11: modules-targeted-contrib.conf
Source12: modules-mls-base.conf
Source13: modules-mls-contrib.conf
Source14: modules-minimum-base.conf
Source15: modules-minimum-contrib.conf
Source18: modules-minimum-disable.lst
Source20: booleans-targeted.conf
Source21: booleans-mls.conf
Source22: booleans-minimum.conf
Source23: booleans.subs_dist
Source30: setrans-targeted.conf
Source31: setrans-mls.conf
Source32: setrans-minimum.conf
Source40: securetty_types-targeted
Source41: securetty_types-mls
Source42: securetty_types-minimum
Source50: users-targeted
Source51: users-mls
Source52: users-minimum
Source18: modules-minimum.lst
Source60: selinux-policy.conf
Source91: Makefile.devel
Source92: customizable_types
#Source93: config.tgz
Source94: file_contexts.subs_dist
Source95: macros.selinux-policy
URL: https://github.com/fedora-selinux/selinux-policy.git
URL: https://github.com/openSUSE/selinux-policy
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%if 0%{?suse_version} < 1600
@@ -92,6 +66,7 @@ BuildRequires: %primary_python
BuildRequires: %{python_module policycoreutils}
%endif
BuildRequires: checkpolicy
BuildRequires: fdupes
BuildRequires: gawk
BuildRequires: libxml2-tools
BuildRequires: m4
@@ -116,17 +91,11 @@ Recommends: selinux-autorelabel
%define makeCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \
install -p -m0644 ./dist/%1/users ./policy/users \
%define makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
if [ %3 == "contrib" ];then \
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \
install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \
%define installCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
@@ -137,14 +106,13 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
install -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
install -p -m0644 ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
@@ -207,8 +175,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%dir %{_datadir}/selinux/%1 \
%dir %{_datadir}/selinux/packages/%1 \
%{_datadir}/selinux/%1/base.lst \
%{_datadir}/selinux/%1/modules-base.lst \
%{_datadir}/selinux/%1/modules-contrib.lst \
%{_datadir}/selinux/%1/modules.lst \
%{_datadir}/selinux/%1/nonbasemodules.lst \
%dir %{_sharedstatedir}/selinux/%1 \
%{_sharedstatedir}/selinux/%1/active/commit_num \
@@ -228,42 +195,40 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if selinuxenabled; then \
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
if [ $? = 0 ] && [ "${SELINUXTYPE}" = %1 ] && [ -f ${FILE_CONTEXT}.pre ]; then \
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
if /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null;then \
continue; \
fi; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null; \
fi;
%define preInstall() \
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi; \
touch %{_sysconfdir}/selinux/%1/.rebuild; \
if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
if [ "$sha512" == "$checksha512" ] ; then \
rm %{_sysconfdir}/selinux/%1/.rebuild; \
fi; \
fi; \
if [ "$1" -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" = %1 ] && [ -f ${FILE_CONTEXT} ]; then \
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi; \
touch %{_sysconfdir}/selinux/%1/.rebuild; \
if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
POLICY_FILE=$(ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1); \
sha512=$(sha512sum "$POLICY_FILE" | cut -d ' ' -f 1); \
checksha512=$(cat %{_sysconfdir}/selinux/%1/.policy.sha512); \
if [ "$sha512" = "$checksha512" ] ; then \
rm %{_sysconfdir}/selinux/%1/.rebuild; \
fi; \
fi; \
fi;
%define postInstall() \
. %{_sysconfdir}/selinux/config; \
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
rm %{_sysconfdir}/selinux/%2/.rebuild; \
/usr/sbin/semodule -B -n -s %2; \
/usr/sbin/semodule -B -n -s %2 2> /dev/null; \
fi; \
if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \
touch /etc/selinux/.autorelabel \
else \
touch /etc/selinux/.autorelabel ; \
else \
if [ "${SELINUXTYPE}" = "%2" ]; then \
if selinuxenabled; then \
load_policy; \
@@ -276,28 +241,24 @@ else \
if [ %1 -eq 1 ]; then \
/sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
else \
%relabel %2 \
%relabel %2 ; \
fi; \
else \
# run fixfiles on next boot \
touch /.autorelabel \
touch /.autorelabel ; \
fi; \
fi;
%define modulesList() \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
fi;
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
%define nonBaseModulesList() \
contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
for i in $contrib_modules $base_modules; do \
if [ $i != "sandbox" ];then \
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
fi; \
modules=$(cat %{buildroot}%{_datadir}/selinux/%1/modules.lst); \
for i in $modules; do \
if [ "$i" != "sandbox" ]; then \
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst ; \
fi; \
done;
%description
@@ -328,18 +289,18 @@ SELinux sandbox policy used for the policycoreutils-sandbox package
%post sandbox
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
%{_sbindir}/load_policy
fi;
exit 0
%preun sandbox
if [ $1 -eq 0 ] ; then
%{_sbindir}/semodule -n -d sandbox 2>/dev/null
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
fi;
if [ "$1" -eq 0 ] ; then
%{_sbindir}/semodule -n -d sandbox 2>/dev/null
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
fi;
fi;
exit 0
@@ -375,15 +336,10 @@ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
mkdir selinux_config
for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
cp $i selinux_config
done
make clean
%if %{BUILD_TARGETED}
%makeCmds targeted mcs allow
%makeModulesConf targeted base contrib
%makeModulesConf targeted
%installCmds targeted mcs allow
# recreate sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
@@ -395,19 +351,19 @@ mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
%if %{BUILD_MINIMUM}
%makeCmds minimum mcs allow
%makeModulesConf targeted base contrib
%makeModulesConf targeted
%installCmds minimum mcs allow
install -m0644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst
# Sandbox is only targeted
rm -f %{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
install -p -m 644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
%modulesList minimum
%nonBaseModulesList minimum
%endif
%if %{BUILD_MLS}
%makeCmds mls mls deny
%makeModulesConf mls base contrib
%makeModulesConf mls
%installCmds mls mls deny
%modulesList mls
%nonBaseModulesList mls
@@ -420,7 +376,7 @@ make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot}
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
mkdir %{buildroot}%{_datadir}/selinux/devel/
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 %{SOURCE91} %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
@@ -429,62 +385,87 @@ mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
rm %{buildroot}%{_mandir}/man8/container_selinux.8*
rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if
%fdupes -s %{buildroot}%{_mandir}
%post
if [ ! -s %{_sysconfdir}/selinux/config ]; then
# new install, use old sysconfig file if that exists,
# else create new one.
if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then
mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
else
echo "
# new install, use old sysconfig file if that exists,
# else create new one.
if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then
mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
else
echo "
# This file controls the state of SELinux on the system.
# SELinux can be completly disabled with the \"selinux=0\" kernel
# commandline option.
#
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# SELINUX= can take one of these two values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
SELINUX=permissive
# Previously SELinux could be disabled by changing the value to
# 'disabled'. This is deprecated and should not be used anymore.
# If you want to disable linux add 'selinux=0' to the kernel
# command line. For details see
# https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
" > %{_sysconfdir}/selinux/config
fi
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
fi
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
fi
%tmpfiles_create %_tmpfilesdir/selinux-policy.conf
if [ $1 -eq 1 ]; then
if [ "$1" -eq 1 ]; then
pam-config -a --selinux
fi
%if 0%{?is_opensuse}
# 2025-04-07 cahu:
# Extremely ugly Workaround for t-u module removal issue
# (see bsc#1221342 bsc#1238062 bsc#1230643 bsc#1230938)
# This removes empty module folders in /var/lib/selinux that
# are created by microOS' create-dirs-from-rpmdb on rollback when the
# current policy has dropped the module that was still contained in an older
# snapshot. That means the removed module will also NOT be contained
# in previous snapshots. Also this can cause warnings during install due to rpmdb
# still containing the path that was deleted, which should go away in the subsequent
# installations.
# Can be dropped once PED-12491 is implemented.
if [ -n "${TRANSACTIONAL_UPDATE}" ]; then
for p in targeted minimum mls; do
if [ -d %{_sharedstatedir}/selinux/$p/active/modules/100 ]; then
find %{_sharedstatedir}/selinux/$p/active/modules/100 -type d -empty -delete -print
fi
done
fi
%endif
exit 0
%define post_un() \
# disable selinux if we uninstall a policy and it's the used one \
if [ $1 -eq 0 ]; then \
if [ "$1" -eq 0 ]; then \
if [ -s %{_sysconfdir}/selinux/config ]; then \
source %{_sysconfdir}/selinux/config &> /dev/null || true \
fi \
. %{_sysconfdir}/selinux/config > /dev/null 2>&1 || true ; \
fi; \
if [ "$SELINUXTYPE" = "$2" ]; then \
%{_sbindir}/setenforce 0 2> /dev/null \
%{_sbindir}/setenforce 0 2> /dev/null ; \
if [ -s %{_sysconfdir}/selinux/config ]; then \
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \
fi \
fi \
pam-config -d --selinux \
fi \
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config ; \
fi; \
fi; \
pam-config -d --selinux ; \
fi; \
exit 0
%postun
if [ $1 = 0 ]; then
%{_sbindir}/setenforce 0 2> /dev/null
if [ -s %{_sysconfdir}/selinux/config ]; then
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
fi
if [ "$1" = 0 ]; then
%{_sbindir}/setenforce 0 2> /dev/null
if [ -s %{_sysconfdir}/selinux/config ]; then
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
fi
fi
exit 0
@@ -495,14 +476,13 @@ Requires(pre): selinux-policy = %{version}-%{release}
Requires: /usr/bin/make
Requires: checkpolicy >= %{CHECKPOLICYVER}
Requires: m4
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
%description devel
SELinux policy development and man page package
SELinux policy development package
%files devel
%defattr(-,root,root,-)
%doc %{_datadir}/man/ru/man8/*
%doc %{_datadir}/man/man8/*
%dir %{_datadir}/selinux/devel
%dir %{_datadir}/selinux/devel/html/
%doc %{_datadir}/selinux/devel/html/*
@@ -510,6 +490,11 @@ SELinux policy development and man page package
%{_datadir}/selinux/devel/include/*
%{_datadir}/selinux/devel/Makefile
%{_datadir}/selinux/devel/example.*
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
%post devel
%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
exit 0
%package doc
Summary: SELinux policy documentation
@@ -518,11 +503,13 @@ Requires(pre): selinux-policy = %{version}-%{release}
Requires: /usr/bin/xdg-open
%description doc
SELinux policy documentation package
SELinux policy documentation and man page package
%files doc
%defattr(-,root,root,-)
%doc %{_datadir}/doc/%{name}
%doc %{_datadir}/man/ru/man8/*
%doc %{_datadir}/man/man8/*
%{_datadir}/selinux/devel/policy.*
%if %{BUILD_TARGETED}
@@ -548,7 +535,7 @@ exit 0
%post_un $1 targeted
%triggerin -- libpcre2-8-0
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null
exit 0
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
@@ -574,37 +561,38 @@ SELinux policy minimum base module.
%pre minimum
%preInstall minimum
if [ $1 -ne 1 ]; then
%{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
if [ "$1" -ne 1 ]; then
%{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
fi
%post minimum
contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null
if [ $1 -eq 1 ]; then
for p in $contribpackages; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
%{_sbindir}/semanage import -S minimum -f - << __eof
modules=$(cat %{_datadir}/selinux/minimum/modules.lst)
basemodules=$(cat %{_datadir}/selinux/minimum/base.lst)
enabledmodules=$(cat %{_datadir}/selinux/minimum/modules-enabled.lst)
mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled
if [ "$1" -eq 1 ]; then
for p in $modules; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
done
for p in $basemodules $enabledmodules; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
done
%{_sbindir}/semanage import -S minimum -f - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
%{_sbindir}/semodule -B -s minimum
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
%{_sbindir}/semodule -B -s minimum 2> /dev/null
else
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $instpackages snapper dbus kerberos nscd rtkit; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
%{_sbindir}/semodule -B -s minimum
%relabel minimum
instpackages=$(cat %{_datadir}/selinux/minimum/instmodules.lst)
for p in $modules; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
done
for p in $instpackages snapper dbus kerberos nscd rtkit; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/"$p"
done
%{_sbindir}/semodule -B -s minimum 2> /dev/null
%relabel minimum
fi
exit 0
@@ -614,7 +602,7 @@ exit 0
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
%{_datadir}/selinux/minimum/modules-minimum-disable.lst
%{_datadir}/selinux/minimum/modules-enabled.lst
%fileList minimum
%endif

19
setrans-minimum.conf
View File

@@ -1,19 +0,0 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

52
setrans-mls.conf
View File

@@ -1,52 +0,0 @@
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
#
# Assumptions: using below MLS labels.
# SystemLow
# SystemHigh
# Unclassified
# Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

19
setrans-targeted.conf
View File

@@ -1,19 +0,0 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

39
users-minimum
View File

@@ -1,39 +0,0 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

40
users-mls
View File

@@ -1,40 +0,0 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

41
users-targeted
View File

@@ -1,41 +0,0 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)