forked from pool/selinux-policy
Accepting request 1184825 from home:cahu:branches:security:SELinux
- Update to version 20240702: * Allow manage dosfs_t files to snapperd * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records * Add auth_rw_wtmpdb_login_records to modules * Allow xdm_t to read-write to wtmpdb (bsc#1225984) * Introduce types for wtmpdb and rw interface * Introduce wtmp_file_type attribute * Revert "Add policy for wtmpdb (bsc#1210717)" OBS-URL: https://build.opensuse.org/request/show/1184825 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=230
This commit is contained in:
commit
290de72460
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
.osc
|
22
Makefile.devel
Normal file
22
Makefile.devel
Normal file
@ -0,0 +1,22 @@
|
||||
# installation paths
|
||||
SHAREDIR := /usr/share/selinux
|
||||
|
||||
AWK ?= gawk
|
||||
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
|
||||
|
||||
ifeq ($(MLSENABLED),)
|
||||
MLSENABLED := 1
|
||||
endif
|
||||
|
||||
ifeq ($(MLSENABLED),1)
|
||||
NTYPE = mcs
|
||||
endif
|
||||
|
||||
ifeq ($(NAME),mls)
|
||||
NTYPE = mls
|
||||
endif
|
||||
|
||||
TYPE ?= $(NTYPE)
|
||||
|
||||
HEADERDIR := $(SHAREDIR)/devel/include
|
||||
include $(HEADERDIR)/Makefile
|
19
README.Update
Normal file
19
README.Update
Normal file
@ -0,0 +1,19 @@
|
||||
# How to update this project
|
||||
|
||||
This project is updated using obs services.
|
||||
The obs services pull from git repositories, which are specified in the `_service` file.
|
||||
Please contribute all changes to the upstream git repositories listed there.
|
||||
|
||||
To update this project to the upstream versions, please make sure you installed these obs services locally:
|
||||
```
|
||||
sudo zypper in obs-service-tar_scm obs-service-recompress obs-service-set_version obs-service-download_files
|
||||
```
|
||||
|
||||
Then, generate new tarballs, changelog and version number for this repository by running this command:
|
||||
```
|
||||
sh update.sh
|
||||
```
|
||||
|
||||
Afterwards, please check your local project state and remove old tarballs if necessary.
|
||||
Then proceed as usual with check-in and build.
|
||||
|
18
_service
Normal file
18
_service
Normal file
@ -0,0 +1,18 @@
|
||||
<services>
|
||||
<service name="tar_scm" mode="manual">
|
||||
<param name="version">1</param>
|
||||
<param name="versionformat">%cd</param>
|
||||
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="changesgenerate">enable</param>
|
||||
<param name="revision">factory</param>
|
||||
</service>
|
||||
<service name="recompress" mode="manual">
|
||||
<param name="compression">xz</param>
|
||||
<param name="file">*.tar</param>
|
||||
</service>
|
||||
<service name="set_version" mode="manual" >
|
||||
<param name="file">selinux-policy.spec</param>
|
||||
</service>
|
||||
</services>
|
||||
|
10
_servicedata
Normal file
10
_servicedata
Normal file
@ -0,0 +1,10 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
||||
<param name="changesrevision">174046c04175d806c0ea28d37f7b5ff8ac5afc8e</param></service><service name="tar_scm">
|
||||
<param name="url">https://github.com/containers/container-selinux.git</param>
|
||||
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
|
||||
<param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
|
||||
<param name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service><service name="tar_scm">
|
||||
<param name="url">https://gitlab.suse.de/cahu/selinux-policy.git</param>
|
||||
<param name="changesrevision">dd1ff3c6a1e2c1f22ddd13039191ea458d7fcc8d</param></service></servicedata>
|
232
booleans-minimum.conf
Normal file
232
booleans-minimum.conf
Normal file
@ -0,0 +1,232 @@
|
||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||
#
|
||||
allow_execmem = false
|
||||
|
||||
# Allow making a modified private filemapping executable (text relocation).
|
||||
#
|
||||
selinuxuser_execmod = false
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
selinuxuser_execstack = false
|
||||
|
||||
# Allow ftpd to read cifs directories.
|
||||
#
|
||||
ftpd_use_cifs = false
|
||||
|
||||
# Allow ftpd to read nfs directories.
|
||||
#
|
||||
ftpd_use_nfs = false
|
||||
|
||||
# Allow ftp servers to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_ftpd_anon_write = false
|
||||
|
||||
# Allow gssd to read temp directory.
|
||||
#
|
||||
gssd_read_tmp = true
|
||||
|
||||
# Allow Apache to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_httpd_anon_write = false
|
||||
|
||||
# Allow Apache to use mod_auth_pam module
|
||||
#
|
||||
httpd_mod_auth_pam = false
|
||||
|
||||
# Allow system to run with kerberos
|
||||
#
|
||||
allow_kerberos = true
|
||||
|
||||
# Allow rsync to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_rsync_anon_write = false
|
||||
|
||||
# Allow sasl to read shadow
|
||||
#
|
||||
saslauthd_read_shadow = false
|
||||
|
||||
# Allow samba to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_smbd_anon_write = false
|
||||
|
||||
# Allow system to run with NIS
|
||||
#
|
||||
allow_ypbind = false
|
||||
|
||||
# Allow zebra to write it own configuration files
|
||||
#
|
||||
zebra_write_config = false
|
||||
|
||||
# Enable extra rules in the cron domainto support fcron.
|
||||
#
|
||||
fcron_crond = false
|
||||
|
||||
#
|
||||
# allow httpd to connect to mysql/posgresql
|
||||
httpd_can_network_connect_db = false
|
||||
|
||||
#
|
||||
# allow httpd to send dbus messages to avahi
|
||||
httpd_dbus_avahi = true
|
||||
|
||||
#
|
||||
# allow httpd to network relay
|
||||
httpd_can_network_relay = false
|
||||
|
||||
# Allow httpd to use built in scripting (usually php)
|
||||
#
|
||||
httpd_builtin_scripting = true
|
||||
|
||||
# Allow http daemon to tcp connect
|
||||
#
|
||||
httpd_can_network_connect = false
|
||||
|
||||
# Allow httpd cgi support
|
||||
#
|
||||
httpd_enable_cgi = true
|
||||
|
||||
# Allow httpd to act as a FTP server bylistening on the ftp port.
|
||||
#
|
||||
httpd_enable_ftp_server = false
|
||||
|
||||
# Allow httpd to read home directories
|
||||
#
|
||||
httpd_enable_homedirs = false
|
||||
|
||||
# Run SSI execs in system CGI script domain.
|
||||
#
|
||||
httpd_ssi_exec = false
|
||||
|
||||
# Allow http daemon to communicate with the TTY
|
||||
#
|
||||
httpd_tty_comm = false
|
||||
|
||||
# Run CGI in the main httpd domain
|
||||
#
|
||||
httpd_unified = false
|
||||
|
||||
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
||||
#
|
||||
named_write_master_zones = false
|
||||
|
||||
# Allow nfs to be exported read/write.
|
||||
#
|
||||
nfs_export_all_rw = true
|
||||
|
||||
# Allow nfs to be exported read only
|
||||
#
|
||||
nfs_export_all_ro = true
|
||||
|
||||
# Allow pppd to load kernel modules for certain modems
|
||||
#
|
||||
pppd_can_insmod = false
|
||||
|
||||
# Allow reading of default_t files.
|
||||
#
|
||||
read_default_t = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_enable_home_dirs = false
|
||||
|
||||
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
|
||||
#
|
||||
squid_connect_any = false
|
||||
|
||||
# Support NFS home directories
|
||||
#
|
||||
use_nfs_home_dirs = true
|
||||
|
||||
# Support SAMBA home directories
|
||||
#
|
||||
use_samba_home_dirs = false
|
||||
|
||||
# Control users use of ping and traceroute
|
||||
#
|
||||
user_ping = false
|
||||
|
||||
# allow host key based authentication
|
||||
#
|
||||
ssh_keysign = false
|
||||
|
||||
# Allow pppd to be run for a regular user
|
||||
#
|
||||
pppd_for_user = false
|
||||
|
||||
# Allow spamd to write to users homedirs
|
||||
#
|
||||
spamd_enable_home_dirs = false
|
||||
|
||||
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||
#
|
||||
user_rw_noexattrfile = true
|
||||
|
||||
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
|
||||
#
|
||||
user_tcp_server = false
|
||||
|
||||
# Allow all domains to talk to ttys
|
||||
#
|
||||
daemons_use_tty = false
|
||||
|
||||
# Allow login domains to polyinstatiate directories
|
||||
#
|
||||
polyinstantiation_enabled = false
|
||||
|
||||
# Allow all domains to dump core
|
||||
#
|
||||
daemons_dump_core = true
|
||||
|
||||
# Allow samba to act as the domain controller
|
||||
#
|
||||
samba_domain_controller = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_run_unconfined = false
|
||||
|
||||
# Allows XServer to execute writable memory
|
||||
#
|
||||
xserver_execmem = false
|
||||
|
||||
# disallow guest accounts to execute files that they can create
|
||||
#
|
||||
guest_exec_content = false
|
||||
xguest_exec_content = false
|
||||
|
||||
# Allow postfix locat to write to mail spool
|
||||
#
|
||||
postfix_local_write_mail_spool = false
|
||||
|
||||
# Allow common users to read/write noexattrfile systems
|
||||
#
|
||||
user_rw_noexattrfile = true
|
||||
|
||||
# Allow qemu to connect fully to the network
|
||||
#
|
||||
qemu_full_network = true
|
||||
|
||||
# System uses init upstart program
|
||||
#
|
||||
init_upstart = true
|
||||
|
||||
# Allow mount to mount any file/dir
|
||||
#
|
||||
mount_anyfile = true
|
||||
|
||||
# Allow all domains to mmap files
|
||||
#
|
||||
domain_can_mmap_files = true
|
||||
|
||||
# Allow confined applications to use nscd shared memory
|
||||
#
|
||||
nscd_use_shm = true
|
||||
|
||||
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
|
||||
#
|
||||
unconfined_chrome_sandbox_transition = true
|
||||
|
||||
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
|
||||
#
|
||||
unconfined_mozilla_plugin_transition = true
|
232
booleans-mls.conf
Normal file
232
booleans-mls.conf
Normal file
@ -0,0 +1,232 @@
|
||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||
#
|
||||
allow_execmem = false
|
||||
|
||||
# Allow making a modified private filemapping executable (text relocation).
|
||||
#
|
||||
selinuxuser_execmod = false
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
selinuxuser_execstack = false
|
||||
|
||||
# Allow ftpd to read cifs directories.
|
||||
#
|
||||
ftpd_use_cifs = false
|
||||
|
||||
# Allow ftpd to read nfs directories.
|
||||
#
|
||||
ftpd_use_nfs = false
|
||||
|
||||
# Allow ftp servers to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_ftpd_anon_write = false
|
||||
|
||||
# Allow gssd to read temp directory.
|
||||
#
|
||||
gssd_read_tmp = true
|
||||
|
||||
# Allow Apache to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_httpd_anon_write = false
|
||||
|
||||
# Allow Apache to use mod_auth_pam module
|
||||
#
|
||||
httpd_mod_auth_pam = false
|
||||
|
||||
# Allow system to run with kerberos
|
||||
#
|
||||
allow_kerberos = true
|
||||
|
||||
# Allow rsync to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_rsync_anon_write = false
|
||||
|
||||
# Allow sasl to read shadow
|
||||
#
|
||||
saslauthd_read_shadow = false
|
||||
|
||||
# Allow samba to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_smbd_anon_write = false
|
||||
|
||||
# Allow system to run with NIS
|
||||
#
|
||||
allow_ypbind = false
|
||||
|
||||
# Allow zebra to write it own configuration files
|
||||
#
|
||||
zebra_write_config = false
|
||||
|
||||
# Enable extra rules in the cron domainto support fcron.
|
||||
#
|
||||
fcron_crond = false
|
||||
|
||||
#
|
||||
# allow httpd to connect to mysql/posgresql
|
||||
httpd_can_network_connect_db = false
|
||||
|
||||
#
|
||||
# allow httpd to send dbus messages to avahi
|
||||
httpd_dbus_avahi = true
|
||||
|
||||
#
|
||||
# allow httpd to network relay
|
||||
httpd_can_network_relay = false
|
||||
|
||||
# Allow httpd to use built in scripting (usually php)
|
||||
#
|
||||
httpd_builtin_scripting = true
|
||||
|
||||
# Allow http daemon to tcp connect
|
||||
#
|
||||
httpd_can_network_connect = false
|
||||
|
||||
# Allow httpd cgi support
|
||||
#
|
||||
httpd_enable_cgi = true
|
||||
|
||||
# Allow httpd to act as a FTP server bylistening on the ftp port.
|
||||
#
|
||||
httpd_enable_ftp_server = false
|
||||
|
||||
# Allow httpd to read home directories
|
||||
#
|
||||
httpd_enable_homedirs = false
|
||||
|
||||
# Run SSI execs in system CGI script domain.
|
||||
#
|
||||
httpd_ssi_exec = false
|
||||
|
||||
# Allow http daemon to communicate with the TTY
|
||||
#
|
||||
httpd_tty_comm = false
|
||||
|
||||
# Run CGI in the main httpd domain
|
||||
#
|
||||
httpd_unified = false
|
||||
|
||||
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
||||
#
|
||||
named_write_master_zones = false
|
||||
|
||||
# Allow nfs to be exported read/write.
|
||||
#
|
||||
nfs_export_all_rw = true
|
||||
|
||||
# Allow nfs to be exported read only
|
||||
#
|
||||
nfs_export_all_ro = true
|
||||
|
||||
# Allow pppd to load kernel modules for certain modems
|
||||
#
|
||||
pppd_can_insmod = false
|
||||
|
||||
# Allow reading of default_t files.
|
||||
#
|
||||
read_default_t = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_enable_home_dirs = false
|
||||
|
||||
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
|
||||
#
|
||||
squid_connect_any = false
|
||||
|
||||
# Support NFS home directories
|
||||
#
|
||||
use_nfs_home_dirs = true
|
||||
|
||||
# Support SAMBA home directories
|
||||
#
|
||||
use_samba_home_dirs = false
|
||||
|
||||
# Control users use of ping and traceroute
|
||||
#
|
||||
user_ping = false
|
||||
|
||||
# allow host key based authentication
|
||||
#
|
||||
ssh_keysign = false
|
||||
|
||||
# Allow pppd to be run for a regular user
|
||||
#
|
||||
pppd_for_user = false
|
||||
|
||||
# Allow spamd to write to users homedirs
|
||||
#
|
||||
spamd_enable_home_dirs = false
|
||||
|
||||
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||
#
|
||||
user_rw_noexattrfile = true
|
||||
|
||||
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
|
||||
#
|
||||
user_tcp_server = false
|
||||
|
||||
# Allow all domains to talk to ttys
|
||||
#
|
||||
daemons_use_tty = false
|
||||
|
||||
# Allow login domains to polyinstatiate directories
|
||||
#
|
||||
polyinstantiation_enabled = false
|
||||
|
||||
# Allow all domains to dump core
|
||||
#
|
||||
daemons_dump_core = true
|
||||
|
||||
# Allow samba to act as the domain controller
|
||||
#
|
||||
samba_domain_controller = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_run_unconfined = false
|
||||
|
||||
# Allows XServer to execute writable memory
|
||||
#
|
||||
xserver_execmem = false
|
||||
|
||||
# disallow guest accounts to execute files that they can create
|
||||
#
|
||||
guest_exec_content = false
|
||||
xguest_exec_content = false
|
||||
|
||||
# Allow postfix locat to write to mail spool
|
||||
#
|
||||
postfix_local_write_mail_spool = false
|
||||
|
||||
# Allow common users to read/write noexattrfile systems
|
||||
#
|
||||
user_rw_noexattrfile = true
|
||||
|
||||
# Allow qemu to connect fully to the network
|
||||
#
|
||||
qemu_full_network = true
|
||||
|
||||
# System uses init upstart program
|
||||
#
|
||||
init_upstart = true
|
||||
|
||||
# Allow mount to mount any file/dir
|
||||
#
|
||||
mount_anyfile = true
|
||||
|
||||
# Allow all domains to mmap files
|
||||
#
|
||||
domain_can_mmap_files = true
|
||||
|
||||
# Allow confined applications to use nscd shared memory
|
||||
#
|
||||
nscd_use_shm = true
|
||||
|
||||
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
|
||||
#
|
||||
unconfined_chrome_sandbox_transition = false
|
||||
|
||||
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
|
||||
#
|
||||
unconfined_mozilla_plugin_transition = false
|
232
booleans-targeted.conf
Normal file
232
booleans-targeted.conf
Normal file
@ -0,0 +1,232 @@
|
||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||
#
|
||||
allow_execmem = false
|
||||
|
||||
# Allow making a modified private filemapping executable (text relocation).
|
||||
#
|
||||
selinuxuser_execmod = false
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
selinuxuser_execstack = false
|
||||
|
||||
# Allow ftpd to read cifs directories.
|
||||
#
|
||||
ftpd_use_cifs = false
|
||||
|
||||
# Allow ftpd to read nfs directories.
|
||||
#
|
||||
ftpd_use_nfs = false
|
||||
|
||||
# Allow ftp servers to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_ftpd_anon_write = false
|
||||
|
||||
# Allow gssd to read temp directory.
|
||||
#
|
||||
gssd_read_tmp = true
|
||||
|
||||
# Allow Apache to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_httpd_anon_write = false
|
||||
|
||||
# Allow Apache to use mod_auth_pam module
|
||||
#
|
||||
httpd_mod_auth_pam = false
|
||||
|
||||
# Allow system to run with kerberos
|
||||
#
|
||||
allow_kerberos = true
|
||||
|
||||
# Allow rsync to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_rsync_anon_write = false
|
||||
|
||||
# Allow sasl to read shadow
|
||||
#
|
||||
saslauthd_read_shadow = false
|
||||
|
||||
# Allow samba to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_smbd_anon_write = false
|
||||
|
||||
# Allow system to run with NIS
|
||||
#
|
||||
allow_ypbind = false
|
||||
|
||||
# Allow zebra to write it own configuration files
|
||||
#
|
||||
zebra_write_config = false
|
||||
|
||||
# Enable extra rules in the cron domainto support fcron.
|
||||
#
|
||||
fcron_crond = false
|
||||
|
||||
#
|
||||
# allow httpd to connect to mysql/posgresql
|
||||
httpd_can_network_connect_db = false
|
||||
|
||||
#
|
||||
# allow httpd to send dbus messages to avahi
|
||||
httpd_dbus_avahi = true
|
||||
|
||||
#
|
||||
# allow httpd to network relay
|
||||
httpd_can_network_relay = false
|
||||
|
||||
# Allow httpd to use built in scripting (usually php)
|
||||
#
|
||||
httpd_builtin_scripting = true
|
||||
|
||||
# Allow http daemon to tcp connect
|
||||
#
|
||||
httpd_can_network_connect = false
|
||||
|
||||
# Allow httpd cgi support
|
||||
#
|
||||
httpd_enable_cgi = true
|
||||
|
||||
# Allow httpd to act as a FTP server bylistening on the ftp port.
|
||||
#
|
||||
httpd_enable_ftp_server = false
|
||||
|
||||
# Allow httpd to read home directories
|
||||
#
|
||||
httpd_enable_homedirs = false
|
||||
|
||||
# Run SSI execs in system CGI script domain.
|
||||
#
|
||||
httpd_ssi_exec = false
|
||||
|
||||
# Allow http daemon to communicate with the TTY
|
||||
#
|
||||
httpd_tty_comm = false
|
||||
|
||||
# Run CGI in the main httpd domain
|
||||
#
|
||||
httpd_unified = false
|
||||
|
||||
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
||||
#
|
||||
named_write_master_zones = false
|
||||
|
||||
# Allow nfs to be exported read/write.
|
||||
#
|
||||
nfs_export_all_rw = true
|
||||
|
||||
# Allow nfs to be exported read only
|
||||
#
|
||||
nfs_export_all_ro = true
|
||||
|
||||
# Allow pppd to load kernel modules for certain modems
|
||||
#
|
||||
pppd_can_insmod = false
|
||||
|
||||
# Allow reading of default_t files.
|
||||
#
|
||||
read_default_t = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_enable_home_dirs = false
|
||||
|
||||
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
|
||||
#
|
||||
squid_connect_any = false
|
||||
|
||||
# Support NFS home directories
|
||||
#
|
||||
use_nfs_home_dirs = true
|
||||
|
||||
# Support SAMBA home directories
|
||||
#
|
||||
use_samba_home_dirs = false
|
||||
|
||||
# Control users use of ping and traceroute
|
||||
#
|
||||
user_ping = false
|
||||
|
||||
# allow host key based authentication
|
||||
#
|
||||
ssh_keysign = false
|
||||
|
||||
# Allow pppd to be run for a regular user
|
||||
#
|
||||
pppd_for_user = false
|
||||
|
||||
# Allow spamd to write to users homedirs
|
||||
#
|
||||
spamd_enable_home_dirs = false
|
||||
|
||||
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||
#
|
||||
user_rw_noexattrfile = true
|
||||
|
||||
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
|
||||
#
|
||||
user_tcp_server = false
|
||||
|
||||
# Allow all domains to talk to ttys
|
||||
#
|
||||
daemons_use_tty = false
|
||||
|
||||
# Allow login domains to polyinstatiate directories
|
||||
#
|
||||
polyinstantiation_enabled = false
|
||||
|
||||
# Allow all domains to dump core
|
||||
#
|
||||
daemons_dump_core = true
|
||||
|
||||
# Allow samba to act as the domain controller
|
||||
#
|
||||
samba_domain_controller = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_run_unconfined = false
|
||||
|
||||
# Allows XServer to execute writable memory
|
||||
#
|
||||
xserver_execmem = false
|
||||
|
||||
# disallow guest accounts to execute files that they can create
|
||||
#
|
||||
guest_exec_content = false
|
||||
xguest_exec_content = false
|
||||
|
||||
# Allow postfix locat to write to mail spool
|
||||
#
|
||||
postfix_local_write_mail_spool = false
|
||||
|
||||
# Allow common users to read/write noexattrfile systems
|
||||
#
|
||||
user_rw_noexattrfile = true
|
||||
|
||||
# Allow qemu to connect fully to the network
|
||||
#
|
||||
qemu_full_network = true
|
||||
|
||||
# System uses init upstart program
|
||||
#
|
||||
init_upstart = true
|
||||
|
||||
# Allow mount to mount any file/dir
|
||||
#
|
||||
mount_anyfile = true
|
||||
|
||||
# Allow all domains to mmap files
|
||||
#
|
||||
domain_can_mmap_files = true
|
||||
|
||||
# Allow confined applications to use nscd shared memory
|
||||
#
|
||||
nscd_use_shm = true
|
||||
|
||||
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
|
||||
#
|
||||
unconfined_chrome_sandbox_transition = true
|
||||
|
||||
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
|
||||
#
|
||||
unconfined_mozilla_plugin_transition = true
|
54
booleans.subs_dist
Normal file
54
booleans.subs_dist
Normal file
@ -0,0 +1,54 @@
|
||||
allow_auditadm_exec_content auditadm_exec_content
|
||||
allow_console_login login_console_enabled
|
||||
allow_cvs_read_shadow cvs_read_shadow
|
||||
allow_daemons_dump_core daemons_dump_core
|
||||
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
|
||||
allow_daemons_use_tty daemons_use_tty
|
||||
allow_domain_fd_use domain_fd_use
|
||||
allow_execheap selinuxuser_execheap
|
||||
allow_execmod selinuxuser_execmod
|
||||
allow_execstack selinuxuser_execstack
|
||||
allow_ftpd_anon_write ftpd_anon_write
|
||||
allow_ftpd_full_access ftpd_full_access
|
||||
allow_ftpd_use_cifs ftpd_use_cifs
|
||||
allow_ftpd_use_nfs ftpd_use_nfs
|
||||
allow_gssd_read_tmp gssd_read_tmp
|
||||
allow_guest_exec_content guest_exec_content
|
||||
allow_httpd_anon_write httpd_anon_write
|
||||
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
|
||||
allow_httpd_mod_auth_pam httpd_mod_auth_pam
|
||||
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
|
||||
allow_kerberos kerberos_enabled
|
||||
allow_mplayer_execstack mplayer_execstack
|
||||
allow_mount_anyfile mount_anyfile
|
||||
allow_nfsd_anon_write nfsd_anon_write
|
||||
allow_polyinstantiation polyinstantiation_enabled
|
||||
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
|
||||
allow_rsync_anon_write rsync_anon_write
|
||||
allow_saslauthd_read_shadow saslauthd_read_shadow
|
||||
allow_secadm_exec_content secadm_exec_content
|
||||
allow_smbd_anon_write smbd_anon_write
|
||||
allow_ssh_keysign ssh_keysign
|
||||
allow_staff_exec_content staff_exec_content
|
||||
allow_sysadm_exec_content sysadm_exec_content
|
||||
allow_user_exec_content user_exec_content
|
||||
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
|
||||
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
|
||||
allow_write_xshm xserver_clients_write_xshm
|
||||
allow_xguest_exec_content xguest_exec_content
|
||||
allow_xserver_execmem xserver_execmem
|
||||
allow_ypbind nis_enabled
|
||||
allow_zebra_write_config zebra_write_config
|
||||
user_direct_dri selinuxuser_direct_dri_enabled
|
||||
user_ping selinuxuser_ping
|
||||
user_share_music selinuxuser_share_music
|
||||
user_tcp_server selinuxuser_tcp_server
|
||||
sepgsql_enable_pitr_implementation postgresql_can_rsync
|
||||
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
|
||||
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
|
||||
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
|
||||
clamd_use_jit antivirus_use_jit
|
||||
amavis_use_jit antivirus_use_jit
|
||||
logwatch_can_sendmail logwatch_can_network_connect_mail
|
||||
puppet_manage_all_files puppetagent_manage_all_files
|
||||
virt_sandbox_use_nfs virt_use_nfs
|
167
container.fc
Normal file
167
container.fc
Normal file
@ -0,0 +1,167 @@
|
||||
/root/\.docker gen_context(system_u:object_r:container_home_t,s0)
|
||||
|
||||
/usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/buildah -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
|
||||
/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
|
||||
/usr/local/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
|
||||
/usr/local/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/bin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
|
||||
/usr/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/s?bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
|
||||
/usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
/usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
|
||||
/usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
|
||||
/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
|
||||
/usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
|
||||
|
||||
/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
||||
/etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
||||
/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
||||
/etc/buildkit(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
||||
/etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
||||
/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
|
||||
/var/lib/shared(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
|
||||
/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
|
||||
/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
|
||||
/var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/nerdctl/[^/]*/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
|
||||
/var/lib/buildkit(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/buildkit/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
# "/var/lib/buildkit/runc-<SNAPSHOTTER>/executor" contains "resolv.conf" and "hosts.<RANDOM>", for OCI (runc) worker mode.
|
||||
/var/lib/buildkit/runc-.*/executor(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
# "/var/lib/buildkit/containerd-<SNAPSHOTTER>" contains resolv.conf and hosts.<RANDOM>, for containerd worker mode.
|
||||
# Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
|
||||
/var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
|
||||
HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
|
||||
|
||||
/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/atomic(/.*)? <<none>>
|
||||
/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
|
||||
/var/cache/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
|
||||
/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
|
||||
|
||||
/var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
|
||||
/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
|
||||
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
|
||||
/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
|
||||
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
|
||||
/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
|
||||
/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||
/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
|
||||
|
||||
/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
|
||||
/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
|
||||
|
||||
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)
|
1044
container.if
Normal file
1044
container.if
Normal file
File diff suppressed because it is too large
Load Diff
1569
container.te
Normal file
1569
container.te
Normal file
File diff suppressed because it is too large
Load Diff
13
customizable_types
Normal file
13
customizable_types
Normal file
@ -0,0 +1,13 @@
|
||||
sandbox_file_t
|
||||
svirt_image_t
|
||||
svirt_home_t
|
||||
svirt_lxc_file_t
|
||||
virt_content_t
|
||||
httpd_user_htaccess_t
|
||||
httpd_user_script_exec_t
|
||||
httpd_user_rw_content_t
|
||||
httpd_user_ra_content_t
|
||||
httpd_user_content_t
|
||||
git_session_content_t
|
||||
home_bin_t
|
||||
user_tty_device_t
|
34
debug-build.sh
Normal file
34
debug-build.sh
Normal file
@ -0,0 +1,34 @@
|
||||
# This script creates a debugging and testing environment when working on the policy
|
||||
# Basically a fancy wrapper for "tar --exclude-vcs -cJf selinux-policy-20230321.tar.xz --transform 's,^,selinux-policy-20230321/,' -C selinux-policy ."
|
||||
#
|
||||
# 1. Get the git repository with 'osc service manualrun' or './update.sh'
|
||||
# 2. Do your changes in the selinux-policy repository, test around
|
||||
# 1. When you want to build locally to debug, call this script. It will create a .tar.xz with your current selinux-policy working directory.
|
||||
# 2. Build locally: e.g. with osc build
|
||||
# 3. Test your rpms that contain your changes and repeat
|
||||
# 3. When finished, commit your changes in the selinux-policy repository and push to git
|
||||
# 4. Run './update.sh' and checkin the changes to OBS
|
||||
|
||||
REPO_NAME=selinux-policy
|
||||
|
||||
# Check if git repository exists, if not ask the user to fetch the latest version
|
||||
if ! test -d "$REPO_NAME"; then
|
||||
echo "-$REPO_NAME does not exist. Please run 'osc service manualrun' or './update.sh' first."
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
# Get current version: Parse "Version: <current-version>" from specfile
|
||||
VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)
|
||||
|
||||
# Create tar file with name like selinux-policy-<current-version>.tar.xz
|
||||
TAR_NAME=$REPO_NAME-$VERSION.tar.xz
|
||||
echo "Creating tar file: $TAR_NAME"
|
||||
tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
|
||||
|
||||
# Some helpful prompts
|
||||
if test $? -eq 0; then
|
||||
echo "Success! Now you can run your local build command, e.g. 'osc build'. It will take the archive that contains your changes."
|
||||
echo "You can also inspect the created archive with: 'tar tvf $REPO_NAME-$VERSION.tar.xz'"
|
||||
else
|
||||
echo "Error, creating archive failed"
|
||||
fi
|
19
file_contexts.subs_dist
Normal file
19
file_contexts.subs_dist
Normal file
@ -0,0 +1,19 @@
|
||||
/var/run /run
|
||||
/var/lock /run/lock
|
||||
/var/run/lock /var/lock
|
||||
/lib /usr/lib
|
||||
/lib64 /usr/lib
|
||||
/usr/lib64 /usr/lib
|
||||
/usr/local /usr
|
||||
/usr/local/lib64 /usr/lib
|
||||
/usr/local/lib32 /usr/lib
|
||||
/etc/systemd/system /usr/lib/systemd/system
|
||||
/run/systemd/system /usr/lib/systemd/system
|
||||
/run/systemd/generator /usr/lib/systemd/system
|
||||
/run/systemd/generator.early /usr/lib/systemd/system
|
||||
/run/systemd/generator.late /usr/lib/systemd/system
|
||||
/var/lib/xguest/home /home
|
||||
/var/run/netconfig /etc
|
||||
/var/adm/netconfig/md5/etc /etc
|
||||
/var/adm/netconfig/md5/var /var
|
||||
/usr/etc /etc
|
187
macros.selinux-policy
Normal file
187
macros.selinux-policy
Normal file
@ -0,0 +1,187 @@
|
||||
# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# Author: Petr Lautrbach <plautrba@redhat.com>
|
||||
# Author: Lukáš Vrabec <lvrabec@redhat.com>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 2
|
||||
# of the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
## Changes done for openSUSE/SUSE:
|
||||
## - move /var/lib/rpm-state to /run/rpm-state and create that directory
|
||||
##
|
||||
|
||||
# RPM macros for packages installing SELinux modules
|
||||
|
||||
%_selinux_policy_version SELINUXPOLICYVERSION
|
||||
|
||||
%_selinux_store_path SELINUXSTOREPATH
|
||||
%_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
|
||||
|
||||
%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
|
||||
%_file_context_file_pre /var/adm/update-scripts/file_contexts.pre
|
||||
|
||||
%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
|
||||
%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
|
||||
|
||||
# %selinux_requires
|
||||
%selinux_requires \
|
||||
Requires: selinux-policy >= %{_selinux_policy_version} \
|
||||
BuildRequires: pkgconfig(systemd) \
|
||||
BuildRequires: selinux-policy \
|
||||
BuildRequires: selinux-policy-devel \
|
||||
Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
|
||||
Requires(post): libselinux-utils \
|
||||
Requires(post): policycoreutils \
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7 || 0%{suse_version} > 1500\
|
||||
Requires(post): policycoreutils-python-utils \
|
||||
%else \
|
||||
Requires(post): policycoreutils-python \
|
||||
%endif \
|
||||
%{nil}
|
||||
|
||||
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
|
||||
%selinux_modules_install("s:p:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
|
||||
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
|
||||
%selinux_modules_uninstall("s:p:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ $1 -eq 0 ]; then \
|
||||
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
%{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
|
||||
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
# %selinux_relabel_pre [-s <policytype>]
|
||||
%selinux_relabel_pre("s:") \
|
||||
if %{_sbindir}/selinuxenabled; then \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
mkdir -p $(dirname %{_file_context_file_pre}) \
|
||||
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
|
||||
# %selinux_relabel_post [-s <policytype>]
|
||||
%selinux_relabel_post("s:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
if [ -f %{_file_context_file_pre} ]; then \
|
||||
%{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
|
||||
rm -f %{_file_context_file_pre} \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
|
||||
%selinux_set_booleans("s:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ -d "%{_selinux_store_policy_path}" ]; then \
|
||||
LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
|
||||
if [ ! -f %_file_custom_defined_booleans ]; then \
|
||||
/bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
|
||||
fi \
|
||||
semanage_import='' \
|
||||
for boolean in %*; do \
|
||||
boolean_name=${boolean%=*} \
|
||||
boolean_value=${boolean#*=} \
|
||||
boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
|
||||
if [ -n "$boolean_local_string" ]; then \
|
||||
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
|
||||
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
|
||||
if [ -n "$boolean_customized_string" ]; then \
|
||||
/bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
|
||||
else \
|
||||
/bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
|
||||
fi \
|
||||
else \
|
||||
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
|
||||
boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
|
||||
/bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
|
||||
fi \
|
||||
done; \
|
||||
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
|
||||
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
|
||||
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
|
||||
%selinux_unset_booleans("s:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ -d "%{_selinux_store_policy_path}" ]; then \
|
||||
semanage_import='' \
|
||||
for boolean in %*; do \
|
||||
boolean_name=${boolean%=*} \
|
||||
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
|
||||
if [ -n "$boolean_customized_string" ]; then \
|
||||
awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
|
||||
if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
|
||||
semanage_import="${semanage_import}\\n${boolean_customized_string}" \
|
||||
fi \
|
||||
fi \
|
||||
done; \
|
||||
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
|
||||
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
|
||||
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
414
modules-minimum-base.conf
Normal file
414
modules-minimum-base.conf
Normal file
@ -0,0 +1,414 @@
|
||||
# Layer: kernel
|
||||
# Module: bootloader
|
||||
#
|
||||
# Policy for the kernel modules, kernel image, and bootloader.
|
||||
#
|
||||
bootloader = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corecommands
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for shells, and generic programs
|
||||
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||
#
|
||||
corecommands = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corenetwork
|
||||
# Required in base
|
||||
#
|
||||
# Policy controlling access to network objects
|
||||
#
|
||||
corenetwork = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: dmesg
|
||||
#
|
||||
# Policy for dmesg.
|
||||
#
|
||||
dmesg = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: netutils
|
||||
#
|
||||
# Network analysis utilities
|
||||
#
|
||||
netutils = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: sudo
|
||||
#
|
||||
# Execute a command with a substitute user
|
||||
#
|
||||
sudo = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: su
|
||||
#
|
||||
# Run shells with substitute user and group
|
||||
#
|
||||
su = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: usermanage
|
||||
#
|
||||
# Policy for managing user accounts.
|
||||
#
|
||||
usermanage = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: seunshare
|
||||
#
|
||||
# seunshare executable
|
||||
#
|
||||
seunshare = module
|
||||
|
||||
# Module: devices
|
||||
# Required in base
|
||||
#
|
||||
# Device nodes and interfaces for many basic system devices.
|
||||
#
|
||||
devices = base
|
||||
|
||||
# Module: domain
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for domains.
|
||||
#
|
||||
domain = base
|
||||
|
||||
# Layer: system
|
||||
# Module: userdomain
|
||||
#
|
||||
# Policy for user domains
|
||||
#
|
||||
userdomain = module
|
||||
|
||||
# Module: files
|
||||
# Required in base
|
||||
#
|
||||
# Basic filesystem types and interfaces.
|
||||
#
|
||||
files = base
|
||||
|
||||
# Layer: system
|
||||
# Module: miscfiles
|
||||
#
|
||||
# Miscelaneous files.
|
||||
#
|
||||
miscfiles = module
|
||||
|
||||
# Module: filesystem
|
||||
# Required in base
|
||||
#
|
||||
# Policy for filesystems.
|
||||
#
|
||||
filesystem = base
|
||||
|
||||
# Module: kernel
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||
#
|
||||
kernel = base
|
||||
|
||||
# Module: mcs
|
||||
# Required in base
|
||||
#
|
||||
# MultiCategory security policy
|
||||
#
|
||||
mcs = base
|
||||
|
||||
# Module: mls
|
||||
# Required in base
|
||||
#
|
||||
# Multilevel security policy
|
||||
#
|
||||
mls = base
|
||||
|
||||
# Module: selinux
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel security interface, in particular, selinuxfs.
|
||||
#
|
||||
selinux = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: storage
|
||||
#
|
||||
# Policy controlling access to storage devices
|
||||
#
|
||||
storage = base
|
||||
|
||||
# Module: terminal
|
||||
# Required in base
|
||||
#
|
||||
# Policy for terminals.
|
||||
#
|
||||
terminal = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: ubac
|
||||
#
|
||||
#
|
||||
#
|
||||
ubac = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: unconfined
|
||||
#
|
||||
# The unlabelednet module.
|
||||
#
|
||||
unlabelednet = module
|
||||
|
||||
# Layer: role
|
||||
# Module: auditadm
|
||||
#
|
||||
# auditadm account on tty logins
|
||||
#
|
||||
auditadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: logadm
|
||||
#
|
||||
# Minimally prived root role for managing logging system
|
||||
#
|
||||
logadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: secadm
|
||||
#
|
||||
# secadm account on tty logins
|
||||
#
|
||||
secadm = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm_secadm
|
||||
#
|
||||
# System Administrator with Security Admin rules
|
||||
#
|
||||
sysadm_secadm = module
|
||||
|
||||
# Module: staff
|
||||
#
|
||||
# admin account
|
||||
#
|
||||
staff = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm
|
||||
#
|
||||
# System Administrator
|
||||
#
|
||||
sysadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: unconfineduser
|
||||
#
|
||||
# The unconfined user domain.
|
||||
#
|
||||
unconfineduser = module
|
||||
|
||||
# Layer: role
|
||||
# Module: unprivuser
|
||||
#
|
||||
# Minimally privs guest account on tty logins
|
||||
#
|
||||
unprivuser = module
|
||||
|
||||
# Layer: services
|
||||
# Module: postgresql
|
||||
#
|
||||
# PostgreSQL relational database
|
||||
#
|
||||
postgresql = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ssh
|
||||
#
|
||||
# Secure shell client and server policy.
|
||||
#
|
||||
ssh = module
|
||||
|
||||
# Layer: services
|
||||
# Module: xserver
|
||||
#
|
||||
# X windows login display manager
|
||||
#
|
||||
xserver = module
|
||||
|
||||
# Module: application
|
||||
# Required in base
|
||||
#
|
||||
# Defines attributs and interfaces for all user applications
|
||||
#
|
||||
application = module
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
#
|
||||
authlogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: clock
|
||||
#
|
||||
# Policy for reading and setting the hardware clock.
|
||||
#
|
||||
clock = module
|
||||
|
||||
# Layer: system
|
||||
# Module: fstools
|
||||
#
|
||||
# Tools for filesystem management, such as mkfs and fsck.
|
||||
#
|
||||
fstools = module
|
||||
|
||||
# Layer: system
|
||||
# Module: getty
|
||||
#
|
||||
# Policy for getty.
|
||||
#
|
||||
getty = module
|
||||
|
||||
# Layer: system
|
||||
# Module: hostname
|
||||
#
|
||||
# Policy for changing the system host name.
|
||||
#
|
||||
hostname = module
|
||||
|
||||
# Layer: system
|
||||
# Module: init
|
||||
#
|
||||
# System initialization programs (init and init scripts).
|
||||
#
|
||||
init = module
|
||||
|
||||
# Layer: system
|
||||
# Module: ipsec
|
||||
#
|
||||
# TCP/IP encryption
|
||||
#
|
||||
ipsec = module
|
||||
|
||||
# Layer: system
|
||||
# Module: iptables
|
||||
#
|
||||
# Policy for iptables.
|
||||
#
|
||||
iptables = module
|
||||
|
||||
# Layer: system
|
||||
# Module: libraries
|
||||
#
|
||||
# Policy for system libraries.
|
||||
#
|
||||
libraries = module
|
||||
|
||||
# Layer: system
|
||||
# Module: locallogin
|
||||
#
|
||||
# Policy for local logins.
|
||||
#
|
||||
locallogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: logging
|
||||
#
|
||||
# Policy for the kernel message logger and system logging daemon.
|
||||
#
|
||||
logging = module
|
||||
|
||||
# Layer: system
|
||||
# Module: lvm
|
||||
#
|
||||
# Policy for logical volume management programs.
|
||||
#
|
||||
lvm = module
|
||||
|
||||
# Layer: system
|
||||
# Module: modutils
|
||||
#
|
||||
# Policy for kernel module utilities
|
||||
#
|
||||
modutils = module
|
||||
|
||||
# Layer: system
|
||||
# Module: mount
|
||||
#
|
||||
# Policy for mount.
|
||||
#
|
||||
mount = module
|
||||
|
||||
# Layer: system
|
||||
# Module: netlabel
|
||||
#
|
||||
# Basic netlabel types and interfaces.
|
||||
#
|
||||
netlabel = module
|
||||
|
||||
# Layer: system
|
||||
# Module: selinuxutil
|
||||
#
|
||||
# Policy for SELinux policy and userland applications.
|
||||
#
|
||||
selinuxutil = module
|
||||
|
||||
# Module: setrans
|
||||
# Required in base
|
||||
#
|
||||
# Policy for setrans
|
||||
#
|
||||
setrans = module
|
||||
|
||||
# Layer: system
|
||||
# Module: sysnetwork
|
||||
#
|
||||
# Policy for network configuration: ifconfig and dhcp client.
|
||||
#
|
||||
sysnetwork = module
|
||||
|
||||
# Layer: system
|
||||
# Module: systemd
|
||||
#
|
||||
# Policy for systemd components
|
||||
#
|
||||
systemd = module
|
||||
|
||||
# Layer: system
|
||||
# Module: udev
|
||||
#
|
||||
# Policy for udev.
|
||||
#
|
||||
udev = module
|
||||
|
||||
# Layer: system
|
||||
# Module: unconfined
|
||||
#
|
||||
# The unconfined domain.
|
||||
#
|
||||
unconfined = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: rpm
|
||||
#
|
||||
# Policy for the RPM package manager.
|
||||
#
|
||||
rpm = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: packagekit
|
||||
#
|
||||
# Temporary permissive module for packagekit
|
||||
#
|
||||
packagekit = module
|
||||
|
||||
# Layer: services
|
||||
# Module: nscd
|
||||
#
|
||||
# Name service cache daemon
|
||||
#
|
||||
nscd = module
|
2616
modules-minimum-contrib.conf
Normal file
2616
modules-minimum-contrib.conf
Normal file
File diff suppressed because it is too large
Load Diff
1
modules-minimum-disable.lst
Normal file
1
modules-minimum-disable.lst
Normal file
@ -0,0 +1 @@
|
||||
abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs
|
380
modules-mls-base.conf
Normal file
380
modules-mls-base.conf
Normal file
@ -0,0 +1,380 @@
|
||||
# Layer: kernel
|
||||
# Module: bootloader
|
||||
#
|
||||
# Policy for the kernel modules, kernel image, and bootloader.
|
||||
#
|
||||
bootloader = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corenetwork
|
||||
# Required in base
|
||||
#
|
||||
# Policy controlling access to network objects
|
||||
#
|
||||
corenetwork = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: dmesg
|
||||
#
|
||||
# Policy for dmesg.
|
||||
#
|
||||
dmesg = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: netutils
|
||||
#
|
||||
# Network analysis utilities
|
||||
#
|
||||
netutils = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: sudo
|
||||
#
|
||||
# Execute a command with a substitute user
|
||||
#
|
||||
sudo = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: su
|
||||
#
|
||||
# Run shells with substitute user and group
|
||||
#
|
||||
su = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: usermanage
|
||||
#
|
||||
# Policy for managing user accounts.
|
||||
#
|
||||
usermanage = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: seunshare
|
||||
#
|
||||
# seunshare executable
|
||||
#
|
||||
seunshare = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corecommands
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for shells, and generic programs
|
||||
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||
#
|
||||
corecommands = base
|
||||
|
||||
# Module: devices
|
||||
# Required in base
|
||||
#
|
||||
# Device nodes and interfaces for many basic system devices.
|
||||
#
|
||||
devices = base
|
||||
|
||||
# Module: domain
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for domains.
|
||||
#
|
||||
domain = base
|
||||
|
||||
# Layer: system
|
||||
# Module: userdomain
|
||||
#
|
||||
# Policy for user domains
|
||||
#
|
||||
userdomain = module
|
||||
|
||||
# Module: files
|
||||
# Required in base
|
||||
#
|
||||
# Basic filesystem types and interfaces.
|
||||
#
|
||||
files = base
|
||||
|
||||
# Module: filesystem
|
||||
# Required in base
|
||||
#
|
||||
# Policy for filesystems.
|
||||
#
|
||||
filesystem = base
|
||||
|
||||
# Module: kernel
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||
#
|
||||
kernel = base
|
||||
|
||||
# Module: mcs
|
||||
# Required in base
|
||||
#
|
||||
# MultiCategory security policy
|
||||
#
|
||||
mcs = base
|
||||
|
||||
# Module: mls
|
||||
# Required in base
|
||||
#
|
||||
# Multilevel security policy
|
||||
#
|
||||
mls = base
|
||||
|
||||
# Module: selinux
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel security interface, in particular, selinuxfs.
|
||||
#
|
||||
selinux = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: storage
|
||||
#
|
||||
# Policy controlling access to storage devices
|
||||
#
|
||||
storage = base
|
||||
|
||||
# Module: terminal
|
||||
# Required in base
|
||||
#
|
||||
# Policy for terminals.
|
||||
#
|
||||
terminal = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: ubac
|
||||
#
|
||||
#
|
||||
#
|
||||
ubac = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: unlabelednet
|
||||
#
|
||||
# The unlabelednet module.
|
||||
#
|
||||
unlabelednet = module
|
||||
|
||||
# Layer: role
|
||||
# Module: auditadm
|
||||
#
|
||||
# auditadm account on tty logins
|
||||
#
|
||||
auditadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: logadm
|
||||
#
|
||||
# Minimally prived root role for managing logging system
|
||||
#
|
||||
logadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: secadm
|
||||
#
|
||||
# secadm account on tty logins
|
||||
#
|
||||
secadm = module
|
||||
|
||||
# Layer:role
|
||||
# Module: staff
|
||||
#
|
||||
# admin account
|
||||
#
|
||||
staff = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm_secadm
|
||||
#
|
||||
# System Administrator with Security Admin rules
|
||||
#
|
||||
sysadm_secadm = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm
|
||||
#
|
||||
# System Administrator
|
||||
#
|
||||
sysadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: unprivuser
|
||||
#
|
||||
# Minimally privs guest account on tty logins
|
||||
#
|
||||
unprivuser = module
|
||||
|
||||
# Layer: services
|
||||
# Module: postgresql
|
||||
#
|
||||
# PostgreSQL relational database
|
||||
#
|
||||
postgresql = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ssh
|
||||
#
|
||||
# Secure shell client and server policy.
|
||||
#
|
||||
ssh = module
|
||||
|
||||
# Layer: services
|
||||
# Module: xserver
|
||||
#
|
||||
# X windows login display manager
|
||||
#
|
||||
xserver = module
|
||||
|
||||
# Module: application
|
||||
# Required in base
|
||||
#
|
||||
# Defines attributs and interfaces for all user applications
|
||||
#
|
||||
application = module
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
#
|
||||
authlogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: clock
|
||||
#
|
||||
# Policy for reading and setting the hardware clock.
|
||||
#
|
||||
clock = module
|
||||
|
||||
# Layer: system
|
||||
# Module: fstools
|
||||
#
|
||||
# Tools for filesystem management, such as mkfs and fsck.
|
||||
#
|
||||
fstools = module
|
||||
|
||||
# Layer: system
|
||||
# Module: getty
|
||||
#
|
||||
# Policy for getty.
|
||||
#
|
||||
getty = module
|
||||
|
||||
# Layer: system
|
||||
# Module: hostname
|
||||
#
|
||||
# Policy for changing the system host name.
|
||||
#
|
||||
hostname = module
|
||||
|
||||
# Layer: system
|
||||
# Module: init
|
||||
#
|
||||
# System initialization programs (init and init scripts).
|
||||
#
|
||||
init = module
|
||||
|
||||
# Layer: system
|
||||
# Module: ipsec
|
||||
#
|
||||
# TCP/IP encryption
|
||||
#
|
||||
ipsec = module
|
||||
|
||||
# Layer: system
|
||||
# Module: iptables
|
||||
#
|
||||
# Policy for iptables.
|
||||
#
|
||||
iptables = module
|
||||
|
||||
# Layer: system
|
||||
# Module: libraries
|
||||
#
|
||||
# Policy for system libraries.
|
||||
#
|
||||
libraries = module
|
||||
|
||||
# Layer: system
|
||||
# Module: locallogin
|
||||
#
|
||||
# Policy for local logins.
|
||||
#
|
||||
locallogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: logging
|
||||
#
|
||||
# Policy for the kernel message logger and system logging daemon.
|
||||
#
|
||||
logging = module
|
||||
|
||||
# Layer: system
|
||||
# Module: lvm
|
||||
#
|
||||
# Policy for logical volume management programs.
|
||||
#
|
||||
lvm = module
|
||||
|
||||
# Layer: system
|
||||
# Module: miscfiles
|
||||
#
|
||||
# Miscelaneous files.
|
||||
#
|
||||
miscfiles = module
|
||||
|
||||
# Layer: system
|
||||
# Module: modutils
|
||||
#
|
||||
# Policy for kernel module utilities
|
||||
#
|
||||
modutils = module
|
||||
|
||||
# Layer: system
|
||||
# Module: mount
|
||||
#
|
||||
# Policy for mount.
|
||||
#
|
||||
mount = module
|
||||
|
||||
# Layer: system
|
||||
# Module: netlabel
|
||||
#
|
||||
# Basic netlabel types and interfaces.
|
||||
#
|
||||
netlabel = module
|
||||
|
||||
# Layer: system
|
||||
# Module: selinuxutil
|
||||
#
|
||||
# Policy for SELinux policy and userland applications.
|
||||
#
|
||||
selinuxutil = module
|
||||
|
||||
# Module: setrans
|
||||
# Required in base
|
||||
#
|
||||
# Policy for setrans
|
||||
#
|
||||
setrans = module
|
||||
|
||||
# Layer: system
|
||||
# Module: sysnetwork
|
||||
#
|
||||
# Policy for network configuration: ifconfig and dhcp client.
|
||||
#
|
||||
sysnetwork = module
|
||||
|
||||
# Layer: system
|
||||
# Module: systemd
|
||||
#
|
||||
# Policy for systemd components
|
||||
#
|
||||
systemd = module
|
||||
|
||||
# Layer: system
|
||||
# Module: udev
|
||||
#
|
||||
# Policy for udev.
|
||||
#
|
||||
udev = module
|
1588
modules-mls-contrib.conf
Normal file
1588
modules-mls-contrib.conf
Normal file
File diff suppressed because it is too large
Load Diff
421
modules-targeted-base.conf
Normal file
421
modules-targeted-base.conf
Normal file
@ -0,0 +1,421 @@
|
||||
# Layer: kernel
|
||||
# Module: bootloader
|
||||
#
|
||||
# Policy for the kernel modules, kernel image, and bootloader.
|
||||
#
|
||||
bootloader = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corecommands
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for shells, and generic programs
|
||||
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||
#
|
||||
corecommands = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corenetwork
|
||||
# Required in base
|
||||
#
|
||||
# Policy controlling access to network objects
|
||||
#
|
||||
corenetwork = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: dmesg
|
||||
#
|
||||
# Policy for dmesg.
|
||||
#
|
||||
dmesg = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: netutils
|
||||
#
|
||||
# Network analysis utilities
|
||||
#
|
||||
netutils = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: sudo
|
||||
#
|
||||
# Execute a command with a substitute user
|
||||
#
|
||||
sudo = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: su
|
||||
#
|
||||
# Run shells with substitute user and group
|
||||
#
|
||||
su = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: usermanage
|
||||
#
|
||||
# Policy for managing user accounts.
|
||||
#
|
||||
usermanage = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: seunshare
|
||||
#
|
||||
# seunshare executable
|
||||
#
|
||||
seunshare = module
|
||||
|
||||
# Module: devices
|
||||
# Required in base
|
||||
#
|
||||
# Device nodes and interfaces for many basic system devices.
|
||||
#
|
||||
devices = base
|
||||
|
||||
# Module: domain
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for domains.
|
||||
#
|
||||
domain = base
|
||||
|
||||
# Layer: system
|
||||
# Module: userdomain
|
||||
#
|
||||
# Policy for user domains
|
||||
#
|
||||
userdomain = module
|
||||
|
||||
# Module: files
|
||||
# Required in base
|
||||
#
|
||||
# Basic filesystem types and interfaces.
|
||||
#
|
||||
files = base
|
||||
|
||||
# Layer: system
|
||||
# Module: miscfiles
|
||||
#
|
||||
# Miscelaneous files.
|
||||
#
|
||||
miscfiles = module
|
||||
|
||||
# Module: filesystem
|
||||
# Required in base
|
||||
#
|
||||
# Policy for filesystems.
|
||||
#
|
||||
filesystem = base
|
||||
|
||||
# Module: kernel
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||
#
|
||||
kernel = base
|
||||
|
||||
# Module: mcs
|
||||
# Required in base
|
||||
#
|
||||
# MultiCategory security policy
|
||||
#
|
||||
mcs = base
|
||||
|
||||
# Module: mls
|
||||
# Required in base
|
||||
#
|
||||
# Multilevel security policy
|
||||
#
|
||||
mls = base
|
||||
|
||||
# Module: selinux
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel security interface, in particular, selinuxfs.
|
||||
#
|
||||
selinux = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: storage
|
||||
#
|
||||
# Policy controlling access to storage devices
|
||||
#
|
||||
storage = base
|
||||
|
||||
# Module: terminal
|
||||
# Required in base
|
||||
#
|
||||
# Policy for terminals.
|
||||
#
|
||||
terminal = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: ubac
|
||||
#
|
||||
#
|
||||
#
|
||||
ubac = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: unconfined
|
||||
#
|
||||
# The unlabelednet module.
|
||||
#
|
||||
unlabelednet = module
|
||||
|
||||
# Layer: role
|
||||
# Module: auditadm
|
||||
#
|
||||
# auditadm account on tty logins
|
||||
#
|
||||
auditadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: logadm
|
||||
#
|
||||
# Minimally prived root role for managing logging system
|
||||
#
|
||||
logadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: secadm
|
||||
#
|
||||
# secadm account on tty logins
|
||||
#
|
||||
secadm = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm_secadm
|
||||
#
|
||||
# System Administrator with Security Admin rules
|
||||
#
|
||||
sysadm_secadm = module
|
||||
|
||||
# Module: staff
|
||||
#
|
||||
# admin account
|
||||
#
|
||||
staff = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm
|
||||
#
|
||||
# System Administrator
|
||||
#
|
||||
sysadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: unconfineduser
|
||||
#
|
||||
# The unconfined user domain.
|
||||
#
|
||||
unconfineduser = module
|
||||
|
||||
# Layer: role
|
||||
# Module: unprivuser
|
||||
#
|
||||
# Minimally privs guest account on tty logins
|
||||
#
|
||||
unprivuser = module
|
||||
|
||||
# Layer: services
|
||||
# Module: postgresql
|
||||
#
|
||||
# PostgreSQL relational database
|
||||
#
|
||||
postgresql = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ssh
|
||||
#
|
||||
# Secure shell client and server policy.
|
||||
#
|
||||
ssh = module
|
||||
|
||||
# Layer: services
|
||||
# Module: xserver
|
||||
#
|
||||
# X windows login display manager
|
||||
#
|
||||
xserver = module
|
||||
|
||||
# Module: application
|
||||
# Required in base
|
||||
#
|
||||
# Defines attributs and interfaces for all user applications
|
||||
#
|
||||
application = module
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
#
|
||||
authlogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: clock
|
||||
#
|
||||
# Policy for reading and setting the hardware clock.
|
||||
#
|
||||
clock = module
|
||||
|
||||
# Layer: system
|
||||
# Module: fstools
|
||||
#
|
||||
# Tools for filesystem management, such as mkfs and fsck.
|
||||
#
|
||||
fstools = module
|
||||
|
||||
# Layer: system
|
||||
# Module: getty
|
||||
#
|
||||
# Policy for getty.
|
||||
#
|
||||
getty = module
|
||||
|
||||
# Layer: system
|
||||
# Module: hostname
|
||||
#
|
||||
# Policy for changing the system host name.
|
||||
#
|
||||
hostname = module
|
||||
|
||||
# Layer: system
|
||||
# Module: init
|
||||
#
|
||||
# System initialization programs (init and init scripts).
|
||||
#
|
||||
init = module
|
||||
|
||||
# Layer: system
|
||||
# Module: ipsec
|
||||
#
|
||||
# TCP/IP encryption
|
||||
#
|
||||
ipsec = module
|
||||
|
||||
# Layer: system
|
||||
# Module: iptables
|
||||
#
|
||||
# Policy for iptables.
|
||||
#
|
||||
iptables = module
|
||||
|
||||
# Layer: system
|
||||
# Module: libraries
|
||||
#
|
||||
# Policy for system libraries.
|
||||
#
|
||||
libraries = module
|
||||
|
||||
# Layer: system
|
||||
# Module: locallogin
|
||||
#
|
||||
# Policy for local logins.
|
||||
#
|
||||
locallogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: logging
|
||||
#
|
||||
# Policy for the kernel message logger and system logging daemon.
|
||||
#
|
||||
logging = module
|
||||
|
||||
# Layer: system
|
||||
# Module: lvm
|
||||
#
|
||||
# Policy for logical volume management programs.
|
||||
#
|
||||
lvm = module
|
||||
|
||||
# Layer: system
|
||||
# Module: modutils
|
||||
#
|
||||
# Policy for kernel module utilities
|
||||
#
|
||||
modutils = module
|
||||
|
||||
# Layer: system
|
||||
# Module: mount
|
||||
#
|
||||
# Policy for mount.
|
||||
#
|
||||
mount = module
|
||||
|
||||
# Layer: system
|
||||
# Module: netlabel
|
||||
#
|
||||
# Basic netlabel types and interfaces.
|
||||
#
|
||||
netlabel = module
|
||||
|
||||
# Layer: system
|
||||
# Module: selinuxutil
|
||||
#
|
||||
# Policy for SELinux policy and userland applications.
|
||||
#
|
||||
selinuxutil = module
|
||||
|
||||
# Module: setrans
|
||||
# Required in base
|
||||
#
|
||||
# Policy for setrans
|
||||
#
|
||||
setrans = module
|
||||
|
||||
# Layer: system
|
||||
# Module: sysnetwork
|
||||
#
|
||||
# Policy for network configuration: ifconfig and dhcp client.
|
||||
#
|
||||
sysnetwork = module
|
||||
|
||||
# Layer: system
|
||||
# Module: systemd
|
||||
#
|
||||
# Policy for systemd components
|
||||
#
|
||||
systemd = module
|
||||
|
||||
# Layer: system
|
||||
# Module: udev
|
||||
#
|
||||
# Policy for udev.
|
||||
#
|
||||
udev = module
|
||||
|
||||
# Layer: system
|
||||
# Module: unconfined
|
||||
#
|
||||
# The unconfined domain.
|
||||
#
|
||||
unconfined = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: packagekit
|
||||
#
|
||||
# Temporary permissive module for packagekit
|
||||
#
|
||||
packagekit = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: rtorrent
|
||||
#
|
||||
# Policy for rtorrent
|
||||
#
|
||||
rtorrent = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: wicked
|
||||
#
|
||||
# Policy for wicked
|
||||
#
|
||||
wicked = module
|
||||
|
||||
# Layer: system
|
||||
# Module: rebootmgr
|
||||
#
|
||||
# Policy for rebootmgr
|
||||
#
|
||||
rebootmgr = module
|
2777
modules-targeted-contrib.conf
Normal file
2777
modules-targeted-contrib.conf
Normal file
File diff suppressed because it is too large
Load Diff
4
securetty_types-minimum
Normal file
4
securetty_types-minimum
Normal file
@ -0,0 +1,4 @@
|
||||
console_device_t
|
||||
sysadm_tty_device_t
|
||||
user_tty_device_t
|
||||
staff_tty_device_t
|
6
securetty_types-mls
Normal file
6
securetty_types-mls
Normal file
@ -0,0 +1,6 @@
|
||||
console_device_t
|
||||
sysadm_tty_device_t
|
||||
user_tty_device_t
|
||||
staff_tty_device_t
|
||||
auditadm_tty_device_t
|
||||
secureadm_tty_device_t
|
4
securetty_types-targeted
Normal file
4
securetty_types-targeted
Normal file
@ -0,0 +1,4 @@
|
||||
console_device_t
|
||||
sysadm_tty_device_t
|
||||
user_tty_device_t
|
||||
staff_tty_device_t
|
3
selinux-policy-20240702.tar.xz
Normal file
3
selinux-policy-20240702.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:bb5f624faac88d42e90be711332ebb9d3afa927a10203a349b09662d8dd7b9fd
|
||||
size 770784
|
9
selinux-policy-rpmlintrc
Normal file
9
selinux-policy-rpmlintrc
Normal file
@ -0,0 +1,9 @@
|
||||
addFilter("W: non-conffile-in-etc.*")
|
||||
addFilter("W: zero-length /etc/selinux/.*")
|
||||
addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
|
||||
addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
|
||||
addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
|
||||
addFilter("W: files-duplicate")
|
||||
addFilter("E: files-duplicated-waste")
|
||||
addFilter("W: zero-length")
|
||||
|
1948
selinux-policy.changes
Normal file
1948
selinux-policy.changes
Normal file
File diff suppressed because it is too large
Load Diff
3
selinux-policy.conf
Normal file
3
selinux-policy.conf
Normal file
@ -0,0 +1,3 @@
|
||||
z /sys/devices/system/cpu/online - - -
|
||||
Z /sys/class/net - - -
|
||||
z /sys/kernel/uevent_helper - - -
|
656
selinux-policy.spec
Normal file
656
selinux-policy.spec
Normal file
@ -0,0 +1,656 @@
|
||||
#
|
||||
# spec file for package selinux-policy
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
# There are almost no SUSE specific modifications available in the policy, so we utilize the
|
||||
# ones used by redhat and include also the SUSE specific ones (distro_suse_to_distro_redhat.patch)
|
||||
%define distro redhat
|
||||
%define ubac n
|
||||
%define polyinstatiate n
|
||||
%define monolithic n
|
||||
%define BUILD_TARGETED 1
|
||||
%define BUILD_MINIMUM 1
|
||||
%define BUILD_MLS 1
|
||||
|
||||
%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
|
||||
%define CHECKPOLICYVER %POLICYCOREUTILSVER
|
||||
|
||||
Summary: SELinux policy configuration
|
||||
License: GPL-2.0-or-later
|
||||
Group: System/Management
|
||||
Name: selinux-policy
|
||||
Version: 20240702
|
||||
Release: 0
|
||||
Source0: %{name}-%{version}.tar.xz
|
||||
Source1: container.fc
|
||||
Source2: container.te
|
||||
Source3: container.if
|
||||
Source4: selinux-policy-rpmlintrc
|
||||
Source5: README.Update
|
||||
Source6: update.sh
|
||||
Source7: debug-build.sh
|
||||
|
||||
Source10: modules-targeted-base.conf
|
||||
Source11: modules-targeted-contrib.conf
|
||||
Source12: modules-mls-base.conf
|
||||
Source13: modules-mls-contrib.conf
|
||||
Source14: modules-minimum-base.conf
|
||||
Source15: modules-minimum-contrib.conf
|
||||
Source18: modules-minimum-disable.lst
|
||||
|
||||
Source20: booleans-targeted.conf
|
||||
Source21: booleans-mls.conf
|
||||
Source22: booleans-minimum.conf
|
||||
Source23: booleans.subs_dist
|
||||
|
||||
Source30: setrans-targeted.conf
|
||||
Source31: setrans-mls.conf
|
||||
Source32: setrans-minimum.conf
|
||||
|
||||
# Script to convert /var/run file context entries to /run
|
||||
Source37: varrun-convert.sh
|
||||
|
||||
Source40: securetty_types-targeted
|
||||
Source41: securetty_types-mls
|
||||
Source42: securetty_types-minimum
|
||||
|
||||
Source50: users-targeted
|
||||
Source51: users-mls
|
||||
Source52: users-minimum
|
||||
|
||||
Source60: selinux-policy.conf
|
||||
|
||||
Source91: Makefile.devel
|
||||
Source92: customizable_types
|
||||
#Source93: config.tgz
|
||||
Source94: file_contexts.subs_dist
|
||||
Source95: macros.selinux-policy
|
||||
|
||||
URL: https://github.com/fedora-selinux/selinux-policy.git
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildArch: noarch
|
||||
%if 0%{?suse_version} < 1600
|
||||
%define python_for_executables python311
|
||||
BuildRequires: %{python_for_executables}
|
||||
BuildRequires: %{python_for_executables}-policycoreutils
|
||||
%else
|
||||
BuildRequires: %primary_python
|
||||
BuildRequires: %{python_module policycoreutils}
|
||||
%endif
|
||||
BuildRequires: checkpolicy
|
||||
BuildRequires: gawk
|
||||
BuildRequires: libxml2-tools
|
||||
BuildRequires: m4
|
||||
BuildRequires: policycoreutils
|
||||
BuildRequires: policycoreutils-devel
|
||||
# we need selinuxenabled
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): pam-config
|
||||
Requires(posttrans): pam-config
|
||||
Requires(posttrans): selinux-tools
|
||||
Requires(posttrans): /usr/bin/sha512sum
|
||||
Recommends: audit
|
||||
Recommends: selinux-tools
|
||||
# for audit2allow
|
||||
Recommends: python3-policycoreutils
|
||||
Recommends: container-selinux
|
||||
Recommends: policycoreutils-python-utils
|
||||
Recommends: selinux-autorelabel
|
||||
|
||||
%define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
|
||||
|
||||
%define makeCmds() \
|
||||
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
|
||||
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
|
||||
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
|
||||
cp -f selinux_config/users-%1 ./policy/users \
|
||||
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
|
||||
|
||||
%define makeModulesConf() \
|
||||
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
|
||||
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
|
||||
if [ %3 == "contrib" ];then \
|
||||
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
|
||||
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
|
||||
fi; \
|
||||
|
||||
%define installCmds() \
|
||||
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
|
||||
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
|
||||
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
|
||||
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
|
||||
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
|
||||
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
|
||||
%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
||||
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
||||
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
|
||||
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
|
||||
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
|
||||
cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
|
||||
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
|
||||
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
||||
rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
|
||||
%nil
|
||||
|
||||
%define fileList() \
|
||||
%defattr(-,root,root) \
|
||||
%dir %{_sysconfdir}/selinux/%1 \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
||||
%dir %{_sysconfdir}/selinux/%1/logins \
|
||||
%dir %{_sharedstatedir}/selinux/%1/active \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
|
||||
%dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \
|
||||
%dir %{_sharedstatedir}/selinux/%1/active/modules/100 \
|
||||
%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \
|
||||
%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
|
||||
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \
|
||||
%{_sysconfdir}/selinux/%1/.policy.sha512 \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts/files \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
|
||||
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
|
||||
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
||||
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
||||
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
|
||||
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts/users \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
|
||||
%dir %{_datadir}/selinux/%1 \
|
||||
%dir %{_datadir}/selinux/packages/%1 \
|
||||
%{_datadir}/selinux/%1/base.lst \
|
||||
%{_datadir}/selinux/%1/modules-base.lst \
|
||||
%{_datadir}/selinux/%1/modules-contrib.lst \
|
||||
%{_datadir}/selinux/%1/nonbasemodules.lst \
|
||||
%dir %{_sharedstatedir}/selinux/%1 \
|
||||
%{_sharedstatedir}/selinux/%1/active/commit_num \
|
||||
%{_sharedstatedir}/selinux/%1/active/users_extra \
|
||||
%{_sharedstatedir}/selinux/%1/active/homedir_template \
|
||||
%{_sharedstatedir}/selinux/%1/active/seusers \
|
||||
%{_sharedstatedir}/selinux/%1/active/file_contexts \
|
||||
%{_sharedstatedir}/selinux/%1/active/policy.kern \
|
||||
%{_sharedstatedir}/selinux/%1/active/modules_checksum \
|
||||
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
|
||||
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
|
||||
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
|
||||
%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
|
||||
%nil
|
||||
|
||||
%define relabel() \
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
||||
if selinuxenabled; then \
|
||||
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
||||
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
|
||||
rm -f ${FILE_CONTEXT}.pre; \
|
||||
fi; \
|
||||
if /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null;then \
|
||||
continue; \
|
||||
fi; \
|
||||
fi;
|
||||
|
||||
%define preInstall() \
|
||||
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
||||
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
|
||||
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
||||
fi; \
|
||||
touch %{_sysconfdir}/selinux/%1/.rebuild; \
|
||||
if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
|
||||
POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
|
||||
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
|
||||
checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
|
||||
if [ "$sha512" == "$checksha512" ] ; then \
|
||||
rm %{_sysconfdir}/selinux/%1/.rebuild; \
|
||||
fi; \
|
||||
fi; \
|
||||
fi;
|
||||
|
||||
%define postInstall() \
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
%{_libexecdir}/selinux/varrun-convert.sh %2; \
|
||||
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
|
||||
rm %{_sysconfdir}/selinux/%2/.rebuild; \
|
||||
/usr/sbin/semodule -B -n -s %2; \
|
||||
fi; \
|
||||
if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \
|
||||
touch /etc/selinux/.autorelabel \
|
||||
else \
|
||||
if [ "${SELINUXTYPE}" = "%2" ]; then \
|
||||
if selinuxenabled; then \
|
||||
load_policy; \
|
||||
else \
|
||||
# probably a first install of the policy \
|
||||
true; \
|
||||
fi; \
|
||||
fi; \
|
||||
if selinuxenabled; then \
|
||||
if [ %1 -eq 1 ]; then \
|
||||
/sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
|
||||
else \
|
||||
%relabel %2 \
|
||||
fi; \
|
||||
else \
|
||||
# run fixfiles on next boot \
|
||||
touch /.autorelabel \
|
||||
fi; \
|
||||
fi;
|
||||
|
||||
%define modulesList() \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
|
||||
if [ -e ./policy/modules-contrib.conf ];then \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
|
||||
fi;
|
||||
|
||||
%define nonBaseModulesList() \
|
||||
contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
|
||||
base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
|
||||
for i in $contrib_modules $base_modules; do \
|
||||
if [ $i != "sandbox" ];then \
|
||||
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
|
||||
fi; \
|
||||
done;
|
||||
|
||||
%description
|
||||
A complete SELinux policy that can be used as the system policy for a variety
|
||||
of systems and used as the basis for creating other policies.
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,-)
|
||||
%license COPYING
|
||||
%dir %{_datadir}/selinux
|
||||
%dir %{_datadir}/selinux/packages
|
||||
%dir %{_sysconfdir}/selinux
|
||||
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
||||
%{_tmpfilesdir}/selinux-policy.conf
|
||||
%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
%{_libexecdir}/selinux/varrun-convert.sh
|
||||
|
||||
%package sandbox
|
||||
Summary: SELinux policy sandbox
|
||||
Group: System/Management
|
||||
Requires(pre): selinux-policy-targeted = %{version}-%{release}
|
||||
|
||||
%description sandbox
|
||||
SELinux sandbox policy used for the policycoreutils-sandbox package
|
||||
|
||||
%files sandbox
|
||||
%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp
|
||||
|
||||
%post sandbox
|
||||
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
|
||||
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
|
||||
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
|
||||
if %{_sbindir}/selinuxenabled ; then
|
||||
%{_sbindir}/load_policy
|
||||
fi;
|
||||
exit 0
|
||||
|
||||
%preun sandbox
|
||||
if [ $1 -eq 0 ] ; then
|
||||
%{_sbindir}/semodule -n -d sandbox 2>/dev/null
|
||||
if %{_sbindir}/selinuxenabled ; then
|
||||
%{_sbindir}/load_policy
|
||||
fi;
|
||||
fi;
|
||||
exit 0
|
||||
|
||||
%prep
|
||||
|
||||
# set up selinux-policy
|
||||
%autosetup -n %{name}-%{version} -p1
|
||||
|
||||
# dirty hack for container-selinux, because selinux-policy won't build without it
|
||||
# upstream does not want to include it in main policy tree:
|
||||
# see discussion in https://github.com/containers/container-selinux/issues/186
|
||||
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do
|
||||
cp $i policy/modules/services/
|
||||
done
|
||||
|
||||
%build
|
||||
|
||||
%install
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/config
|
||||
mkdir -p %{buildroot}%{_tmpfilesdir}
|
||||
cp %{SOURCE60} %{buildroot}%{_tmpfilesdir}
|
||||
|
||||
# Adjust and install RPM macro file
|
||||
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
||||
install -m 644 %{SOURCE95} %{buildroot}%{_rpmconfigdir}/macros.d/
|
||||
sed -i 's|SELINUXPOLICYVERSION|%{version}-%{release}|' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
|
||||
# Always create policy module package directories
|
||||
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
|
||||
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
|
||||
|
||||
mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
|
||||
|
||||
mkdir selinux_config
|
||||
for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
|
||||
cp $i selinux_config
|
||||
done
|
||||
|
||||
mkdir -p %{buildroot}%{_libexecdir}/selinux
|
||||
install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
|
||||
|
||||
make clean
|
||||
%if %{BUILD_TARGETED}
|
||||
%makeCmds targeted mcs allow
|
||||
%makeModulesConf targeted base contrib
|
||||
%installCmds targeted mcs allow
|
||||
# recreate sandbox.pp
|
||||
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
|
||||
%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
|
||||
mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
|
||||
%modulesList targeted
|
||||
%nonBaseModulesList targeted
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MINIMUM}
|
||||
%makeCmds minimum mcs allow
|
||||
%makeModulesConf targeted base contrib
|
||||
%installCmds minimum mcs allow
|
||||
install -m0644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst
|
||||
# Sandbox is only targeted
|
||||
rm -f %{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
|
||||
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
|
||||
%modulesList minimum
|
||||
%nonBaseModulesList minimum
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MLS}
|
||||
%makeCmds mls mls deny
|
||||
%makeModulesConf mls base contrib
|
||||
%installCmds mls mls deny
|
||||
%modulesList mls
|
||||
%nonBaseModulesList mls
|
||||
%endif
|
||||
|
||||
# Install devel
|
||||
mkdir -p %{buildroot}%{_mandir}
|
||||
cp -R man/* %{buildroot}%{_mandir}
|
||||
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
|
||||
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
|
||||
mkdir %{buildroot}%{_datadir}/selinux/devel/
|
||||
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
|
||||
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
|
||||
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
|
||||
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
|
||||
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
|
||||
mkdir %{buildroot}%{_datadir}/selinux/devel/html
|
||||
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
|
||||
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
|
||||
rm %{buildroot}%{_mandir}/man8/container_selinux.8*
|
||||
rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if
|
||||
|
||||
%post
|
||||
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
||||
# new install, use old sysconfig file if that exists,
|
||||
# else create new one.
|
||||
if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then
|
||||
mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
|
||||
else
|
||||
echo "
|
||||
# This file controls the state of SELinux on the system.
|
||||
# SELinux can be completly disabled with the \"selinux=0\" kernel
|
||||
# commandline option.
|
||||
#
|
||||
# SELINUX= can take one of these three values:
|
||||
# enforcing - SELinux security policy is enforced.
|
||||
# permissive - SELinux prints warnings instead of enforcing.
|
||||
SELINUX=permissive
|
||||
# SELINUXTYPE= can take one of these three values:
|
||||
# targeted - Targeted processes are protected,
|
||||
# minimum - Modification of targeted policy. Only selected processes are protected.
|
||||
# mls - Multi Level Security protection.
|
||||
SELINUXTYPE=targeted
|
||||
|
||||
" > %{_sysconfdir}/selinux/config
|
||||
fi
|
||||
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy
|
||||
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
|
||||
fi
|
||||
%tmpfiles_create %_tmpfilesdir/selinux-policy.conf
|
||||
if [ $1 -eq 1 ]; then
|
||||
pam-config -a --selinux
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%define post_un() \
|
||||
# disable selinux if we uninstall a policy and it's the used one \
|
||||
if [ $1 -eq 0 ]; then \
|
||||
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
||||
source %{_sysconfdir}/selinux/config &> /dev/null || true \
|
||||
fi \
|
||||
if [ "$SELINUXTYPE" = "$2" ]; then \
|
||||
%{_sbindir}/setenforce 0 2> /dev/null \
|
||||
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
||||
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \
|
||||
fi \
|
||||
fi \
|
||||
pam-config -d --selinux \
|
||||
fi \
|
||||
exit 0
|
||||
|
||||
%postun
|
||||
if [ $1 = 0 ]; then
|
||||
%{_sbindir}/setenforce 0 2> /dev/null
|
||||
if [ -s %{_sysconfdir}/selinux/config ]; then
|
||||
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
|
||||
fi
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%package devel
|
||||
Summary: SELinux policy devel
|
||||
Group: System/Management
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: /usr/bin/make
|
||||
Requires: checkpolicy >= %{CHECKPOLICYVER}
|
||||
Requires: m4
|
||||
|
||||
%description devel
|
||||
SELinux policy development and man page package
|
||||
|
||||
%files devel
|
||||
%defattr(-,root,root,-)
|
||||
%doc %{_datadir}/man/ru/man8/*
|
||||
%doc %{_datadir}/man/man8/*
|
||||
%dir %{_datadir}/selinux/devel
|
||||
%dir %{_datadir}/selinux/devel/html/
|
||||
%doc %{_datadir}/selinux/devel/html/*
|
||||
%dir %{_datadir}/selinux/devel/include
|
||||
%{_datadir}/selinux/devel/include/*
|
||||
%{_datadir}/selinux/devel/Makefile
|
||||
%{_datadir}/selinux/devel/example.*
|
||||
|
||||
%package doc
|
||||
Summary: SELinux policy documentation
|
||||
Group: System/Management
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: /usr/bin/xdg-open
|
||||
|
||||
%description doc
|
||||
SELinux policy documentation package
|
||||
|
||||
%files doc
|
||||
%defattr(-,root,root,-)
|
||||
%doc %{_datadir}/doc/%{name}
|
||||
%{_datadir}/selinux/devel/policy.*
|
||||
|
||||
%if %{BUILD_TARGETED}
|
||||
%package targeted
|
||||
Summary: SELinux targeted base policy
|
||||
Group: System/Management
|
||||
Provides: selinux-policy-base = %{version}-%{release}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: selinux-policy = %{version}-%{release}
|
||||
|
||||
%description targeted
|
||||
SELinux policy targeted base module.
|
||||
|
||||
%pre targeted
|
||||
%preInstall targeted
|
||||
|
||||
%posttrans targeted
|
||||
%postInstall $1 targeted
|
||||
exit 0
|
||||
|
||||
%postun targeted
|
||||
%post_un $1 targeted
|
||||
|
||||
%triggerin -- libpcre2-8-0
|
||||
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
|
||||
exit 0
|
||||
|
||||
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
|
||||
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
|
||||
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
|
||||
%fileList targeted
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MINIMUM}
|
||||
%package minimum
|
||||
Summary: SELinux minimum base policy
|
||||
Group: System/Management
|
||||
Provides: selinux-policy-base = %{version}-%{release}
|
||||
Requires(post): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): /usr/bin/awk
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: selinux-policy = %{version}-%{release}
|
||||
|
||||
%description minimum
|
||||
SELinux policy minimum base module.
|
||||
|
||||
%pre minimum
|
||||
%preInstall minimum
|
||||
if [ $1 -ne 1 ]; then
|
||||
%{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
|
||||
fi
|
||||
|
||||
%post minimum
|
||||
contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
|
||||
basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
|
||||
mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null
|
||||
if [ $1 -eq 1 ]; then
|
||||
for p in $contribpackages; do
|
||||
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
||||
done
|
||||
for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do
|
||||
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
||||
done
|
||||
%{_sbindir}/semanage import -S minimum -f - << __eof
|
||||
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
|
||||
login -m -s unconfined_u -r s0-s0:c0.c1023 root
|
||||
__eof
|
||||
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
%{_sbindir}/semodule -B -s minimum
|
||||
else
|
||||
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
|
||||
for p in $contribpackages; do
|
||||
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
||||
done
|
||||
for p in $instpackages snapper dbus kerberos nscd rtkit; do
|
||||
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
||||
done
|
||||
%{_sbindir}/semodule -B -s minimum
|
||||
%relabel minimum
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%postun minimum
|
||||
%post_un $1 minimum
|
||||
|
||||
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
|
||||
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
|
||||
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
|
||||
%{_datadir}/selinux/minimum/modules-minimum-disable.lst
|
||||
%fileList minimum
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MLS}
|
||||
%package mls
|
||||
Summary: SELinux mls base policy
|
||||
Group: System/Management
|
||||
Provides: selinux-policy-base = %{version}-%{release}
|
||||
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER}
|
||||
Requires: setransd
|
||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||
Requires(pre): coreutils
|
||||
Requires(pre): selinux-policy = %{version}-%{release}
|
||||
Requires: selinux-policy = %{version}-%{release}
|
||||
|
||||
%description mls
|
||||
SELinux policy mls base module.
|
||||
|
||||
%pre mls
|
||||
%preInstall mls
|
||||
|
||||
%posttrans mls
|
||||
%postInstall $1 mls
|
||||
|
||||
%postun mls
|
||||
%post_un $1 mls
|
||||
|
||||
%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
|
||||
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
|
||||
%fileList mls
|
||||
%endif
|
||||
|
||||
%changelog
|
19
setrans-minimum.conf
Normal file
19
setrans-minimum.conf
Normal file
@ -0,0 +1,19 @@
|
||||
#
|
||||
# Multi-Category Security translation table for SELinux
|
||||
#
|
||||
# Uncomment the following to disable translation libary
|
||||
# disable=1
|
||||
#
|
||||
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||
# Objects can be in more than one category at a time.
|
||||
# Categories are stored in the system as c0-c1023. Users can use this
|
||||
# table to translate the categories into a more meaningful output.
|
||||
# Examples:
|
||||
# s0:c0=CompanyConfidential
|
||||
# s0:c1=PatientRecord
|
||||
# s0:c2=Unclassified
|
||||
# s0:c3=TopSecret
|
||||
# s0:c1,c3=CompanyConfidentialRedHat
|
||||
s0=SystemLow
|
||||
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||
s0:c0.c1023=SystemHigh
|
52
setrans-mls.conf
Normal file
52
setrans-mls.conf
Normal file
@ -0,0 +1,52 @@
|
||||
#
|
||||
# Multi-Level Security translation table for SELinux
|
||||
#
|
||||
# Uncomment the following to disable translation libary
|
||||
# disable=1
|
||||
#
|
||||
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
|
||||
# categories defined by the admin.
|
||||
# Objects can be in more than one category at a time.
|
||||
# Users can modify this table to translate the MLS labels for different purpose.
|
||||
#
|
||||
# Assumptions: using below MLS labels.
|
||||
# SystemLow
|
||||
# SystemHigh
|
||||
# Unclassified
|
||||
# Secret with compartments A and B.
|
||||
#
|
||||
# SystemLow and SystemHigh
|
||||
s0=SystemLow
|
||||
s15:c0.c1023=SystemHigh
|
||||
s0-s15:c0.c1023=SystemLow-SystemHigh
|
||||
|
||||
# Unclassified level
|
||||
s1=Unclassified
|
||||
|
||||
# Secret level with compartments
|
||||
s2=Secret
|
||||
s2:c0=A
|
||||
s2:c1=B
|
||||
|
||||
# ranges for Unclassified
|
||||
s0-s1=SystemLow-Unclassified
|
||||
s1-s2=Unclassified-Secret
|
||||
s1-s15:c0.c1023=Unclassified-SystemHigh
|
||||
|
||||
# ranges for Secret with compartments
|
||||
s0-s2=SystemLow-Secret
|
||||
s0-s2:c0=SystemLow-Secret:A
|
||||
s0-s2:c1=SystemLow-Secret:B
|
||||
s0-s2:c0,c1=SystemLow-Secret:AB
|
||||
s1-s2:c0=Unclassified-Secret:A
|
||||
s1-s2:c1=Unclassified-Secret:B
|
||||
s1-s2:c0,c1=Unclassified-Secret:AB
|
||||
s2-s2:c0=Secret-Secret:A
|
||||
s2-s2:c1=Secret-Secret:B
|
||||
s2-s2:c0,c1=Secret-Secret:AB
|
||||
s2-s15:c0.c1023=Secret-SystemHigh
|
||||
s2:c0-s2:c0,c1=Secret:A-Secret:AB
|
||||
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
|
||||
s2:c1-s2:c0,c1=Secret:B-Secret:AB
|
||||
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
|
||||
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
|
19
setrans-targeted.conf
Normal file
19
setrans-targeted.conf
Normal file
@ -0,0 +1,19 @@
|
||||
#
|
||||
# Multi-Category Security translation table for SELinux
|
||||
#
|
||||
# Uncomment the following to disable translation libary
|
||||
# disable=1
|
||||
#
|
||||
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||
# Objects can be in more than one category at a time.
|
||||
# Categories are stored in the system as c0-c1023. Users can use this
|
||||
# table to translate the categories into a more meaningful output.
|
||||
# Examples:
|
||||
# s0:c0=CompanyConfidential
|
||||
# s0:c1=PatientRecord
|
||||
# s0:c2=Unclassified
|
||||
# s0:c3=TopSecret
|
||||
# s0:c1,c3=CompanyConfidentialRedHat
|
||||
s0=SystemLow
|
||||
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||
s0:c0.c1023=SystemHigh
|
28
update.sh
Normal file
28
update.sh
Normal file
@ -0,0 +1,28 @@
|
||||
#!/bin/sh
|
||||
|
||||
date=$(date '+%Y%m%d')
|
||||
base_name_pattern='selinux-policy-*.tar.xz'
|
||||
echo Update to $date
|
||||
|
||||
old_tar_file=$(ls -1 $base_name_pattern)
|
||||
|
||||
osc service manualrun
|
||||
|
||||
if [ "$1" = "full" ]; then
|
||||
echo doing full update including container-selinux
|
||||
rm -rf container-selinux
|
||||
git clone --depth 1 https://github.com/containers/container-selinux.git
|
||||
rm -f container.*
|
||||
mv container-selinux/container.* .
|
||||
rm -rf container-selinux
|
||||
fi
|
||||
|
||||
# delete old files. Might need a better sanity check
|
||||
tar_cnt=$(ls -1 $base_name_pattern | wc -l)
|
||||
if [ $tar_cnt -gt 1 ]; then
|
||||
echo delte old file $old_tar_file
|
||||
rm "$old_tar_file"
|
||||
osc addremove
|
||||
fi
|
||||
|
||||
osc status
|
39
users-minimum
Normal file
39
users-minimum
Normal file
@ -0,0 +1,39 @@
|
||||
##################################
|
||||
#
|
||||
# Core User configuration.
|
||||
#
|
||||
|
||||
#
|
||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||
#
|
||||
# Note: Identities without a prefix wil not be listed
|
||||
# in the users_extra file used by genhomedircon.
|
||||
|
||||
#
|
||||
# system_u is the user identity for system processes and objects.
|
||||
# There should be no corresponding Unix user identity for system,
|
||||
# and a user process should never be assigned the system user
|
||||
# identity.
|
||||
#
|
||||
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# user_u is a generic user identity for Linux users who have no
|
||||
# SELinux user identity defined. The modified daemons will use
|
||||
# this user identity in the security context if there is no matching
|
||||
# SELinux user identity for a Linux user. If you do not want to
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
# These identities are typically assigned as the user attribute
|
||||
# when login starts the user shell. Users with access to the sysadm_r
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
40
users-mls
Normal file
40
users-mls
Normal file
@ -0,0 +1,40 @@
|
||||
##################################
|
||||
#
|
||||
# Core User configuration.
|
||||
#
|
||||
|
||||
#
|
||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||
#
|
||||
# Note: Identities without a prefix wil not be listed
|
||||
# in the users_extra file used by genhomedircon.
|
||||
|
||||
#
|
||||
# system_u is the user identity for system processes and objects.
|
||||
# There should be no corresponding Unix user identity for system,
|
||||
# and a user process should never be assigned the system user
|
||||
# identity.
|
||||
#
|
||||
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# user_u is a generic user identity for Linux users who have no
|
||||
# SELinux user identity defined. The modified daemons will use
|
||||
# this user identity in the security context if there is no matching
|
||||
# SELinux user identity for a Linux user. If you do not want to
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
# These identities are typically assigned as the user attribute
|
||||
# when login starts the user shell. Users with access to the sysadm_r
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(guest_u, user, guest_r, s0, s0)
|
||||
gen_user(xguest_u, user, xguest_r, s0, s0)
|
41
users-targeted
Normal file
41
users-targeted
Normal file
@ -0,0 +1,41 @@
|
||||
##################################
|
||||
#
|
||||
# Core User configuration.
|
||||
#
|
||||
|
||||
#
|
||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||
#
|
||||
# Note: Identities without a prefix wil not be listed
|
||||
# in the users_extra file used by genhomedircon.
|
||||
|
||||
#
|
||||
# system_u is the user identity for system processes and objects.
|
||||
# There should be no corresponding Unix user identity for system,
|
||||
# and a user process should never be assigned the system user
|
||||
# identity.
|
||||
#
|
||||
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# user_u is a generic user identity for Linux users who have no
|
||||
# SELinux user identity defined. The modified daemons will use
|
||||
# this user identity in the security context if there is no matching
|
||||
# SELinux user identity for a Linux user. If you do not want to
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
# These identities are typically assigned as the user attribute
|
||||
# when login starts the user shell. Users with access to the sysadm_r
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(guest_u, user, guest_r, s0, s0)
|
||||
gen_user(xguest_u, user, xguest_r, s0, s0)
|
105
varrun-convert.sh
Normal file
105
varrun-convert.sh
Normal file
@ -0,0 +1,105 @@
|
||||
#!/bin/bash
|
||||
### varrun-convert.sh
|
||||
### convert legacy filecontext entries containing /var/run to /run
|
||||
### and load an extra selinux module with the new content
|
||||
### the script takes a policy name as an argument
|
||||
|
||||
# Set DEBUG=yes before running the script to get more verbose output
|
||||
# on the terminal and to the $LOG file
|
||||
if [ "${DEBUG}" = "yes" ]; then
|
||||
set -x
|
||||
fi
|
||||
|
||||
# Auxiliary and log files will be created in OUTPUTDIR
|
||||
OUTPUTDIR="/run/selinux-policy"
|
||||
LOG="$OUTPUTDIR/log"
|
||||
mkdir -p ${OUTPUTDIR}
|
||||
|
||||
if [ -z ${1} ]; then
|
||||
[ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
|
||||
exit
|
||||
fi
|
||||
|
||||
SEMODULEOPT="-s ${1}"
|
||||
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
|
||||
|
||||
# Take current file_contexts and unify whitespace separators
|
||||
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
|
||||
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
|
||||
if [ ! -f ${FILE_CONTEXTS} ]; then
|
||||
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
|
||||
exit
|
||||
fi
|
||||
|
||||
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
|
||||
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
|
||||
exit 0
|
||||
fi
|
||||
|
||||
EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
|
||||
EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp"
|
||||
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
|
||||
EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
|
||||
|
||||
# Print only /var/run entries
|
||||
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
|
||||
|
||||
# Unify whitespace separators
|
||||
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
|
||||
sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
|
||||
|
||||
rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
|
||||
touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
|
||||
# Deduplicate already existing /var/run=/run entries
|
||||
while read line
|
||||
do
|
||||
subline="${line#/var}"
|
||||
if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
|
||||
# check for overal duplicate entries
|
||||
subline2=$(echo $line | sed -E -e 's/ \S+$//')
|
||||
if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then
|
||||
echo "$line"
|
||||
echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
|
||||
else
|
||||
>&2 echo "DUP: $line"
|
||||
fi
|
||||
fi
|
||||
done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Change /var/run to /run
|
||||
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Exception handling: packages with already duplicate entries
|
||||
sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Change format to cil
|
||||
sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Handle entries with <<none>> which do not match previous regexps
|
||||
sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Wrap each line with an optional block
|
||||
i=1
|
||||
while read line
|
||||
do
|
||||
echo "(optional extra_var_run_${i}"
|
||||
echo " $line"
|
||||
echo ")"
|
||||
((i++))
|
||||
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
|
||||
|
||||
# Load module
|
||||
[ -s ${EXTRA_VARRUN_CIL} ] &&
|
||||
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
|
||||
|
Loading…
Reference in New Issue
Block a user