1
0

Accepting request 1184825 from home:cahu:branches:security:SELinux

- Update to version 20240702:
  * Allow manage dosfs_t files to snapperd
  * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records
  * Add auth_rw_wtmpdb_login_records to modules
  * Allow xdm_t to read-write to wtmpdb (bsc#1225984)
  * Introduce types for wtmpdb and rw interface
  * Introduce wtmp_file_type attribute
  * Revert "Add policy for wtmpdb (bsc#1210717)"

OBS-URL: https://build.opensuse.org/request/show/1184825
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=230
This commit is contained in:
Cathy Hu 2024-07-02 10:36:37 +00:00 committed by Git OBS Bridge
commit 290de72460
40 changed files with 15049 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

22
Makefile.devel Normal file
View File

@ -0,0 +1,22 @@
# installation paths
SHAREDIR := /usr/share/selinux
AWK ?= gawk
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
ifeq ($(MLSENABLED),)
MLSENABLED := 1
endif
ifeq ($(MLSENABLED),1)
NTYPE = mcs
endif
ifeq ($(NAME),mls)
NTYPE = mls
endif
TYPE ?= $(NTYPE)
HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile

19
README.Update Normal file
View File

@ -0,0 +1,19 @@
# How to update this project
This project is updated using obs services.
The obs services pull from git repositories, which are specified in the `_service` file.
Please contribute all changes to the upstream git repositories listed there.
To update this project to the upstream versions, please make sure you installed these obs services locally:
```
sudo zypper in obs-service-tar_scm obs-service-recompress obs-service-set_version obs-service-download_files
```
Then, generate new tarballs, changelog and version number for this repository by running this command:
```
sh update.sh
```
Afterwards, please check your local project state and remove old tarballs if necessary.
Then proceed as usual with check-in and build.

18
_service Normal file
View File

@ -0,0 +1,18 @@
<services>
<service name="tar_scm" mode="manual">
<param name="version">1</param>
<param name="versionformat">%cd</param>
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
<param name="scm">git</param>
<param name="changesgenerate">enable</param>
<param name="revision">factory</param>
</service>
<service name="recompress" mode="manual">
<param name="compression">xz</param>
<param name="file">*.tar</param>
</service>
<service name="set_version" mode="manual" >
<param name="file">selinux-policy.spec</param>
</service>
</services>

10
_servicedata Normal file
View File

@ -0,0 +1,10 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
<param name="changesrevision">174046c04175d806c0ea28d37f7b5ff8ac5afc8e</param></service><service name="tar_scm">
<param name="url">https://github.com/containers/container-selinux.git</param>
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
<param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
<param name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service><service name="tar_scm">
<param name="url">https://gitlab.suse.de/cahu/selinux-policy.git</param>
<param name="changesrevision">dd1ff3c6a1e2c1f22ddd13039191ea458d7fcc8d</param></service></servicedata>

232
booleans-minimum.conf Normal file
View File

@ -0,0 +1,232 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

232
booleans-mls.conf Normal file
View File

@ -0,0 +1,232 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = false
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = false

232
booleans-targeted.conf Normal file
View File

@ -0,0 +1,232 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

54
booleans.subs_dist Normal file
View File

@ -0,0 +1,54 @@
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
allow_daemons_use_tty daemons_use_tty
allow_domain_fd_use domain_fd_use
allow_execheap selinuxuser_execheap
allow_execmod selinuxuser_execmod
allow_execstack selinuxuser_execstack
allow_ftpd_anon_write ftpd_anon_write
allow_ftpd_full_access ftpd_full_access
allow_ftpd_use_cifs ftpd_use_cifs
allow_ftpd_use_nfs ftpd_use_nfs
allow_gssd_read_tmp gssd_read_tmp
allow_guest_exec_content guest_exec_content
allow_httpd_anon_write httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam httpd_mod_auth_pam
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
allow_kerberos kerberos_enabled
allow_mplayer_execstack mplayer_execstack
allow_mount_anyfile mount_anyfile
allow_nfsd_anon_write nfsd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
allow_rsync_anon_write rsync_anon_write
allow_saslauthd_read_shadow saslauthd_read_shadow
allow_secadm_exec_content secadm_exec_content
allow_smbd_anon_write smbd_anon_write
allow_ssh_keysign ssh_keysign
allow_staff_exec_content staff_exec_content
allow_sysadm_exec_content sysadm_exec_content
allow_user_exec_content user_exec_content
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
allow_write_xshm xserver_clients_write_xshm
allow_xguest_exec_content xguest_exec_content
allow_xserver_execmem xserver_execmem
allow_ypbind nis_enabled
allow_zebra_write_config zebra_write_config
user_direct_dri selinuxuser_direct_dri_enabled
user_ping selinuxuser_ping
user_share_music selinuxuser_share_music
user_tcp_server selinuxuser_tcp_server
sepgsql_enable_pitr_implementation postgresql_can_rsync
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
clamd_use_jit antivirus_use_jit
amavis_use_jit antivirus_use_jit
logwatch_can_sendmail logwatch_can_network_connect_mail
puppet_manage_all_files puppetagent_manage_all_files
virt_sandbox_use_nfs virt_use_nfs

167
container.fc Normal file
View File

@ -0,0 +1,167 @@
/root/\.docker gen_context(system_u:object_r:container_home_t,s0)
/usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/buildah -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
/usr/local/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
/usr/local/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/bin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
/usr/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
/usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/buildkit(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/shared(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
/var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/nerdctl/[^/]*/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/buildkit(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/buildkit/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
# "/var/lib/buildkit/runc-<SNAPSHOTTER>/executor" contains "resolv.conf" and "hosts.<RANDOM>", for OCI (runc) worker mode.
/var/lib/buildkit/runc-.*/executor(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
# "/var/lib/buildkit/containerd-<SNAPSHOTTER>" contains resolv.conf and hosts.<RANDOM>, for containerd worker mode.
# Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
/var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/atomic(/.*)? <<none>>
/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/cache/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
/var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)

1044
container.if Normal file

File diff suppressed because it is too large Load Diff

1569
container.te Normal file

File diff suppressed because it is too large Load Diff

13
customizable_types Normal file
View File

@ -0,0 +1,13 @@
sandbox_file_t
svirt_image_t
svirt_home_t
svirt_lxc_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_rw_content_t
httpd_user_ra_content_t
httpd_user_content_t
git_session_content_t
home_bin_t
user_tty_device_t

34
debug-build.sh Normal file
View File

@ -0,0 +1,34 @@
# This script creates a debugging and testing environment when working on the policy
# Basically a fancy wrapper for "tar --exclude-vcs -cJf selinux-policy-20230321.tar.xz --transform 's,^,selinux-policy-20230321/,' -C selinux-policy ."
#
# 1. Get the git repository with 'osc service manualrun' or './update.sh'
# 2. Do your changes in the selinux-policy repository, test around
# 1. When you want to build locally to debug, call this script. It will create a .tar.xz with your current selinux-policy working directory.
# 2. Build locally: e.g. with osc build
# 3. Test your rpms that contain your changes and repeat
# 3. When finished, commit your changes in the selinux-policy repository and push to git
# 4. Run './update.sh' and checkin the changes to OBS
REPO_NAME=selinux-policy
# Check if git repository exists, if not ask the user to fetch the latest version
if ! test -d "$REPO_NAME"; then
echo "-$REPO_NAME does not exist. Please run 'osc service manualrun' or './update.sh' first."
exit 1;
fi
# Get current version: Parse "Version: <current-version>" from specfile
VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)
# Create tar file with name like selinux-policy-<current-version>.tar.xz
TAR_NAME=$REPO_NAME-$VERSION.tar.xz
echo "Creating tar file: $TAR_NAME"
tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
# Some helpful prompts
if test $? -eq 0; then
echo "Success! Now you can run your local build command, e.g. 'osc build'. It will take the archive that contains your changes."
echo "You can also inspect the created archive with: 'tar tvf $REPO_NAME-$VERSION.tar.xz'"
else
echo "Error, creating archive failed"
fi

19
file_contexts.subs_dist Normal file
View File

@ -0,0 +1,19 @@
/var/run /run
/var/lock /run/lock
/var/run/lock /var/lock
/lib /usr/lib
/lib64 /usr/lib
/usr/lib64 /usr/lib
/usr/local /usr
/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/etc/systemd/system /usr/lib/systemd/system
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/run/systemd/generator.early /usr/lib/systemd/system
/run/systemd/generator.late /usr/lib/systemd/system
/var/lib/xguest/home /home
/var/run/netconfig /etc
/var/adm/netconfig/md5/etc /etc
/var/adm/netconfig/md5/var /var
/usr/etc /etc

187
macros.selinux-policy Normal file
View File

@ -0,0 +1,187 @@
# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
#
# Author: Petr Lautrbach <plautrba@redhat.com>
# Author: Lukáš Vrabec <lvrabec@redhat.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
## Changes done for openSUSE/SUSE:
## - move /var/lib/rpm-state to /run/rpm-state and create that directory
##
# RPM macros for packages installing SELinux modules
%_selinux_policy_version SELINUXPOLICYVERSION
%_selinux_store_path SELINUXSTOREPATH
%_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
%_file_context_file_pre /var/adm/update-scripts/file_contexts.pre
%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
# %selinux_requires
%selinux_requires \
Requires: selinux-policy >= %{_selinux_policy_version} \
BuildRequires: pkgconfig(systemd) \
BuildRequires: selinux-policy \
BuildRequires: selinux-policy-devel \
Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
Requires(post): libselinux-utils \
Requires(post): policycoreutils \
%if 0%{?fedora} || 0%{?rhel} > 7 || 0%{suse_version} > 1500\
Requires(post): policycoreutils-python-utils \
%else \
Requires(post): policycoreutils-python \
%endif \
%{nil}
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_install("s:p:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
fi \
%{nil}
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_uninstall("s:p:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ $1 -eq 0 ]; then \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
%{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
fi \
fi \
%{nil}
# %selinux_relabel_pre [-s <policytype>]
%selinux_relabel_pre("s:") \
if %{_sbindir}/selinuxenabled; then \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
mkdir -p $(dirname %{_file_context_file_pre}) \
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
fi \
fi \
%{nil}
# %selinux_relabel_post [-s <policytype>]
%selinux_relabel_post("s:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
if [ -f %{_file_context_file_pre} ]; then \
%{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
rm -f %{_file_context_file_pre} \
fi \
fi \
%{nil}
# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
%selinux_set_booleans("s:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ -d "%{_selinux_store_policy_path}" ]; then \
LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
if [ ! -f %_file_custom_defined_booleans ]; then \
/bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
fi \
semanage_import='' \
for boolean in %*; do \
boolean_name=${boolean%=*} \
boolean_value=${boolean#*=} \
boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
if [ -n "$boolean_local_string" ]; then \
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
if [ -n "$boolean_customized_string" ]; then \
/bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
else \
/bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
fi \
else \
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
/bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
fi \
done; \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
fi \
fi \
%{nil}
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
%selinux_unset_booleans("s:") \
if [ -e /etc/selinux/config ]; then \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ -d "%{_selinux_store_policy_path}" ]; then \
semanage_import='' \
for boolean in %*; do \
boolean_name=${boolean%=*} \
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
if [ -n "$boolean_customized_string" ]; then \
awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
semanage_import="${semanage_import}\\n${boolean_customized_string}" \
fi \
fi \
done; \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
fi \
fi \
%{nil}

414
modules-minimum-base.conf Normal file
View File

@ -0,0 +1,414 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
#
unconfineduser = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: admin
# Module: rpm
#
# Policy for the RPM package manager.
#
rpm = module
# Layer: contrib
# Module: packagekit
#
# Temporary permissive module for packagekit
#
packagekit = module
# Layer: services
# Module: nscd
#
# Name service cache daemon
#
nscd = module

2616
modules-minimum-contrib.conf Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1 @@
abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs

380
modules-mls-base.conf Normal file
View File

@ -0,0 +1,380 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module

1588
modules-mls-contrib.conf Normal file

File diff suppressed because it is too large Load Diff

421
modules-targeted-base.conf Normal file
View File

@ -0,0 +1,421 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
#
unconfineduser = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: contrib
# Module: packagekit
#
# Temporary permissive module for packagekit
#
packagekit = module
# Layer: contrib
# Module: rtorrent
#
# Policy for rtorrent
#
rtorrent = module
# Layer: contrib
# Module: wicked
#
# Policy for wicked
#
wicked = module
# Layer: system
# Module: rebootmgr
#
# Policy for rebootmgr
#
rebootmgr = module

File diff suppressed because it is too large Load Diff

4
securetty_types-minimum Normal file
View File

@ -0,0 +1,4 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

6
securetty_types-mls Normal file
View File

@ -0,0 +1,6 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t

4
securetty_types-targeted Normal file
View File

@ -0,0 +1,4 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bb5f624faac88d42e90be711332ebb9d3afa927a10203a349b09662d8dd7b9fd
size 770784

9
selinux-policy-rpmlintrc Normal file
View File

@ -0,0 +1,9 @@
addFilter("W: non-conffile-in-etc.*")
addFilter("W: zero-length /etc/selinux/.*")
addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
addFilter("W: files-duplicate")
addFilter("E: files-duplicated-waste")
addFilter("W: zero-length")

1948
selinux-policy.changes Normal file

File diff suppressed because it is too large Load Diff

3
selinux-policy.conf Normal file
View File

@ -0,0 +1,3 @@
z /sys/devices/system/cpu/online - - -
Z /sys/class/net - - -
z /sys/kernel/uevent_helper - - -

656
selinux-policy.spec Normal file
View File

@ -0,0 +1,656 @@
#
# spec file for package selinux-policy
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# There are almost no SUSE specific modifications available in the policy, so we utilize the
# ones used by redhat and include also the SUSE specific ones (distro_suse_to_distro_redhat.patch)
%define distro redhat
%define ubac n
%define polyinstatiate n
%define monolithic n
%define BUILD_TARGETED 1
%define BUILD_MINIMUM 1
%define BUILD_MLS 1
%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
%define CHECKPOLICYVER %POLICYCOREUTILSVER
Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
Version: 20240702
Release: 0
Source0: %{name}-%{version}.tar.xz
Source1: container.fc
Source2: container.te
Source3: container.if
Source4: selinux-policy-rpmlintrc
Source5: README.Update
Source6: update.sh
Source7: debug-build.sh
Source10: modules-targeted-base.conf
Source11: modules-targeted-contrib.conf
Source12: modules-mls-base.conf
Source13: modules-mls-contrib.conf
Source14: modules-minimum-base.conf
Source15: modules-minimum-contrib.conf
Source18: modules-minimum-disable.lst
Source20: booleans-targeted.conf
Source21: booleans-mls.conf
Source22: booleans-minimum.conf
Source23: booleans.subs_dist
Source30: setrans-targeted.conf
Source31: setrans-mls.conf
Source32: setrans-minimum.conf
# Script to convert /var/run file context entries to /run
Source37: varrun-convert.sh
Source40: securetty_types-targeted
Source41: securetty_types-mls
Source42: securetty_types-minimum
Source50: users-targeted
Source51: users-mls
Source52: users-minimum
Source60: selinux-policy.conf
Source91: Makefile.devel
Source92: customizable_types
#Source93: config.tgz
Source94: file_contexts.subs_dist
Source95: macros.selinux-policy
URL: https://github.com/fedora-selinux/selinux-policy.git
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%if 0%{?suse_version} < 1600
%define python_for_executables python311
BuildRequires: %{python_for_executables}
BuildRequires: %{python_for_executables}-policycoreutils
%else
BuildRequires: %primary_python
BuildRequires: %{python_module policycoreutils}
%endif
BuildRequires: checkpolicy
BuildRequires: gawk
BuildRequires: libxml2-tools
BuildRequires: m4
BuildRequires: policycoreutils
BuildRequires: policycoreutils-devel
# we need selinuxenabled
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): pam-config
Requires(posttrans): pam-config
Requires(posttrans): selinux-tools
Requires(posttrans): /usr/bin/sha512sum
Recommends: audit
Recommends: selinux-tools
# for audit2allow
Recommends: python3-policycoreutils
Recommends: container-selinux
Recommends: policycoreutils-python-utils
Recommends: selinux-autorelabel
%define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
%define makeCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
%define makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
if [ %3 == "contrib" ];then \
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \
%define installCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%nil
%define fileList() \
%defattr(-,root,root) \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/logins \
%dir %{_sharedstatedir}/selinux/%1/active \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
%dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \
%dir %{_sharedstatedir}/selinux/%1/active/modules/100 \
%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \
%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
%dir %{_datadir}/selinux/%1 \
%dir %{_datadir}/selinux/packages/%1 \
%{_datadir}/selinux/%1/base.lst \
%{_datadir}/selinux/%1/modules-base.lst \
%{_datadir}/selinux/%1/modules-contrib.lst \
%{_datadir}/selinux/%1/nonbasemodules.lst \
%dir %{_sharedstatedir}/selinux/%1 \
%{_sharedstatedir}/selinux/%1/active/commit_num \
%{_sharedstatedir}/selinux/%1/active/users_extra \
%{_sharedstatedir}/selinux/%1/active/homedir_template \
%{_sharedstatedir}/selinux/%1/active/seusers \
%{_sharedstatedir}/selinux/%1/active/file_contexts \
%{_sharedstatedir}/selinux/%1/active/policy.kern \
%{_sharedstatedir}/selinux/%1/active/modules_checksum \
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
%nil
%define relabel() \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if selinuxenabled; then \
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
if /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null;then \
continue; \
fi; \
fi;
%define preInstall() \
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi; \
touch %{_sysconfdir}/selinux/%1/.rebuild; \
if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
if [ "$sha512" == "$checksha512" ] ; then \
rm %{_sysconfdir}/selinux/%1/.rebuild; \
fi; \
fi; \
fi;
%define postInstall() \
. %{_sysconfdir}/selinux/config; \
%{_libexecdir}/selinux/varrun-convert.sh %2; \
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
rm %{_sysconfdir}/selinux/%2/.rebuild; \
/usr/sbin/semodule -B -n -s %2; \
fi; \
if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \
touch /etc/selinux/.autorelabel \
else \
if [ "${SELINUXTYPE}" = "%2" ]; then \
if selinuxenabled; then \
load_policy; \
else \
# probably a first install of the policy \
true; \
fi; \
fi; \
if selinuxenabled; then \
if [ %1 -eq 1 ]; then \
/sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
else \
%relabel %2 \
fi; \
else \
# run fixfiles on next boot \
touch /.autorelabel \
fi; \
fi;
%define modulesList() \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
fi;
%define nonBaseModulesList() \
contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
for i in $contrib_modules $base_modules; do \
if [ $i != "sandbox" ];then \
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
fi; \
done;
%description
A complete SELinux policy that can be used as the system policy for a variety
of systems and used as the basis for creating other policies.
%files
%defattr(-,root,root,-)
%license COPYING
%dir %{_datadir}/selinux
%dir %{_datadir}/selinux/packages
%dir %{_sysconfdir}/selinux
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%{_tmpfilesdir}/selinux-policy.conf
%{_rpmconfigdir}/macros.d/macros.selinux-policy
%{_libexecdir}/selinux/varrun-convert.sh
%package sandbox
Summary: SELinux policy sandbox
Group: System/Management
Requires(pre): selinux-policy-targeted = %{version}-%{release}
%description sandbox
SELinux sandbox policy used for the policycoreutils-sandbox package
%files sandbox
%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp
%post sandbox
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
fi;
exit 0
%preun sandbox
if [ $1 -eq 0 ] ; then
%{_sbindir}/semodule -n -d sandbox 2>/dev/null
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
fi;
fi;
exit 0
%prep
# set up selinux-policy
%autosetup -n %{name}-%{version} -p1
# dirty hack for container-selinux, because selinux-policy won't build without it
# upstream does not want to include it in main policy tree:
# see discussion in https://github.com/containers/container-selinux/issues/186
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do
cp $i policy/modules/services/
done
%build
%install
mkdir -p %{buildroot}%{_sysconfdir}/selinux
touch %{buildroot}%{_sysconfdir}/selinux/config
mkdir -p %{buildroot}%{_tmpfilesdir}
cp %{SOURCE60} %{buildroot}%{_tmpfilesdir}
# Adjust and install RPM macro file
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
install -m 644 %{SOURCE95} %{buildroot}%{_rpmconfigdir}/macros.d/
sed -i 's|SELINUXPOLICYVERSION|%{version}-%{release}|' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
# Always create policy module package directories
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
mkdir selinux_config
for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
cp $i selinux_config
done
mkdir -p %{buildroot}%{_libexecdir}/selinux
install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
make clean
%if %{BUILD_TARGETED}
%makeCmds targeted mcs allow
%makeModulesConf targeted base contrib
%installCmds targeted mcs allow
# recreate sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
%modulesList targeted
%nonBaseModulesList targeted
%endif
%if %{BUILD_MINIMUM}
%makeCmds minimum mcs allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs allow
install -m0644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst
# Sandbox is only targeted
rm -f %{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
%modulesList minimum
%nonBaseModulesList minimum
%endif
%if %{BUILD_MLS}
%makeCmds mls mls deny
%makeModulesConf mls base contrib
%installCmds mls mls deny
%modulesList mls
%nonBaseModulesList mls
%endif
# Install devel
mkdir -p %{buildroot}%{_mandir}
cp -R man/* %{buildroot}%{_mandir}
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
mkdir %{buildroot}%{_datadir}/selinux/devel/
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
rm %{buildroot}%{_mandir}/man8/container_selinux.8*
rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if
%post
if [ ! -s %{_sysconfdir}/selinux/config ]; then
# new install, use old sysconfig file if that exists,
# else create new one.
if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then
mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
else
echo "
# This file controls the state of SELinux on the system.
# SELinux can be completly disabled with the \"selinux=0\" kernel
# commandline option.
#
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
" > %{_sysconfdir}/selinux/config
fi
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
fi
%tmpfiles_create %_tmpfilesdir/selinux-policy.conf
if [ $1 -eq 1 ]; then
pam-config -a --selinux
fi
exit 0
%define post_un() \
# disable selinux if we uninstall a policy and it's the used one \
if [ $1 -eq 0 ]; then \
if [ -s %{_sysconfdir}/selinux/config ]; then \
source %{_sysconfdir}/selinux/config &> /dev/null || true \
fi \
if [ "$SELINUXTYPE" = "$2" ]; then \
%{_sbindir}/setenforce 0 2> /dev/null \
if [ -s %{_sysconfdir}/selinux/config ]; then \
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \
fi \
fi \
pam-config -d --selinux \
fi \
exit 0
%postun
if [ $1 = 0 ]; then
%{_sbindir}/setenforce 0 2> /dev/null
if [ -s %{_sysconfdir}/selinux/config ]; then
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config
fi
fi
exit 0
%package devel
Summary: SELinux policy devel
Group: System/Management
Requires(pre): selinux-policy = %{version}-%{release}
Requires: /usr/bin/make
Requires: checkpolicy >= %{CHECKPOLICYVER}
Requires: m4
%description devel
SELinux policy development and man page package
%files devel
%defattr(-,root,root,-)
%doc %{_datadir}/man/ru/man8/*
%doc %{_datadir}/man/man8/*
%dir %{_datadir}/selinux/devel
%dir %{_datadir}/selinux/devel/html/
%doc %{_datadir}/selinux/devel/html/*
%dir %{_datadir}/selinux/devel/include
%{_datadir}/selinux/devel/include/*
%{_datadir}/selinux/devel/Makefile
%{_datadir}/selinux/devel/example.*
%package doc
Summary: SELinux policy documentation
Group: System/Management
Requires(pre): selinux-policy = %{version}-%{release}
Requires: /usr/bin/xdg-open
%description doc
SELinux policy documentation package
%files doc
%defattr(-,root,root,-)
%doc %{_datadir}/doc/%{name}
%{_datadir}/selinux/devel/policy.*
%if %{BUILD_TARGETED}
%package targeted
Summary: SELinux targeted base policy
Group: System/Management
Provides: selinux-policy-base = %{version}-%{release}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
%description targeted
SELinux policy targeted base module.
%pre targeted
%preInstall targeted
%posttrans targeted
%postInstall $1 targeted
exit 0
%postun targeted
%post_un $1 targeted
%triggerin -- libpcre2-8-0
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
exit 0
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
%fileList targeted
%endif
%if %{BUILD_MINIMUM}
%package minimum
Summary: SELinux minimum base policy
Group: System/Management
Provides: selinux-policy-base = %{version}-%{release}
Requires(post): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): /usr/bin/awk
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
%description minimum
SELinux policy minimum base module.
%pre minimum
%preInstall minimum
if [ $1 -ne 1 ]; then
%{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
fi
%post minimum
contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null
if [ $1 -eq 1 ]; then
for p in $contribpackages; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
%{_sbindir}/semanage import -S minimum -f - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
%{_sbindir}/semodule -B -s minimum
else
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
for p in $instpackages snapper dbus kerberos nscd rtkit; do
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
done
%{_sbindir}/semodule -B -s minimum
%relabel minimum
fi
exit 0
%postun minimum
%post_un $1 minimum
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
%{_datadir}/selinux/minimum/modules-minimum-disable.lst
%fileList minimum
%endif
%if %{BUILD_MLS}
%package mls
Summary: SELinux mls base policy
Group: System/Management
Provides: selinux-policy-base = %{version}-%{release}
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER}
Requires: setransd
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
%description mls
SELinux policy mls base module.
%pre mls
%preInstall mls
%posttrans mls
%postInstall $1 mls
%postun mls
%post_un $1 mls
%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
%fileList mls
%endif
%changelog

19
setrans-minimum.conf Normal file
View File

@ -0,0 +1,19 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

52
setrans-mls.conf Normal file
View File

@ -0,0 +1,52 @@
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
#
# Assumptions: using below MLS labels.
# SystemLow
# SystemHigh
# Unclassified
# Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

19
setrans-targeted.conf Normal file
View File

@ -0,0 +1,19 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

28
update.sh Normal file
View File

@ -0,0 +1,28 @@
#!/bin/sh
date=$(date '+%Y%m%d')
base_name_pattern='selinux-policy-*.tar.xz'
echo Update to $date
old_tar_file=$(ls -1 $base_name_pattern)
osc service manualrun
if [ "$1" = "full" ]; then
echo doing full update including container-selinux
rm -rf container-selinux
git clone --depth 1 https://github.com/containers/container-selinux.git
rm -f container.*
mv container-selinux/container.* .
rm -rf container-selinux
fi
# delete old files. Might need a better sanity check
tar_cnt=$(ls -1 $base_name_pattern | wc -l)
if [ $tar_cnt -gt 1 ]; then
echo delte old file $old_tar_file
rm "$old_tar_file"
osc addremove
fi
osc status

39
users-minimum Normal file
View File

@ -0,0 +1,39 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

40
users-mls Normal file
View File

@ -0,0 +1,40 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

41
users-targeted Normal file
View File

@ -0,0 +1,41 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

105
varrun-convert.sh Normal file
View File

@ -0,0 +1,105 @@
#!/bin/bash
### varrun-convert.sh
### convert legacy filecontext entries containing /var/run to /run
### and load an extra selinux module with the new content
### the script takes a policy name as an argument
# Set DEBUG=yes before running the script to get more verbose output
# on the terminal and to the $LOG file
if [ "${DEBUG}" = "yes" ]; then
set -x
fi
# Auxiliary and log files will be created in OUTPUTDIR
OUTPUTDIR="/run/selinux-policy"
LOG="$OUTPUTDIR/log"
mkdir -p ${OUTPUTDIR}
if [ -z ${1} ]; then
[ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
exit
fi
SEMODULEOPT="-s ${1}"
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
# Take current file_contexts and unify whitespace separators
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
if [ ! -f ${FILE_CONTEXTS} ]; then
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
exit
fi
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
exit 0
fi
EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp"
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
# Print only /var/run entries
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
# Unify whitespace separators
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
# Deduplicate already existing /var/run=/run entries
while read line
do
subline="${line#/var}"
if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
# check for overal duplicate entries
subline2=$(echo $line | sed -E -e 's/ \S+$//')
if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then
echo "$line"
echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
else
>&2 echo "DUP: $line"
fi
fi
done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
# Change /var/run to /run
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
# Exception handling: packages with already duplicate entries
sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
# Change format to cil
sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
# Handle entries with <<none>> which do not match previous regexps
sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
# Wrap each line with an optional block
i=1
while read line
do
echo "(optional extra_var_run_${i}"
echo " $line"
echo ")"
((i++))
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
# Load module
[ -s ${EXTRA_VARRUN_CIL} ] &&
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}