rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=68

Browse Source
This commit is contained in:
Johannes Segitz 2018-11-27 09:16:35 +00:00 committed by Git OBS Bridge
parent f9b110e284
commit 50b70e6d39
70 changed files with 171012 additions and 161 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
Makefile.devel Normal file
View File

@ -0,0 +1,22 @@
# installation paths
SHAREDIR := /usr/share/selinux
AWK ?= gawk
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
ifeq ($(MLSENABLED),)
MLSENABLED := 1
endif
ifeq ($(MLSENABLED),1)
NTYPE = mcs
endif
ifeq ($(NAME),mls)
NTYPE = mls
endif
TYPE ?= $(NTYPE)
HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile

22
add-overlayfs-as-xattr-capable.patch Normal file
View File

@ -0,0 +1,22 @@
commit b3a95b4aeb4ecc3ce5125aac2f114224fcead5b9
Author: Jason Zaman <jason@perfinion.com>
Date: Sun Oct 11 18:35:20 2015 +0800
Add overlayfs as an XATTR capable fs
The module is called "overlay" in the kernel
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,7 @@ fs_use_xattr gpfs gen_context(system_u:o
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);

12
allow-local_login_t-read-shadow.patch Normal file
View File

@ -0,0 +1,12 @@
Index: serefpolicy-3.12.1/policy/modules/system/locallogin.te
===================================================================
--- serefpolicy-3.12.1.orig/policy/modules/system/locallogin.te 2013-10-23 11:44:16.815098321 +0200
+++ serefpolicy-3.12.1/policy/modules/system/locallogin.te 2013-10-23 11:44:16.848098676 +0200
@@ -126,6 +126,7 @@ term_setattr_unallocated_ttys(local_logi
term_relabel_all_ptys(local_login_t)
term_setattr_generic_ptys(local_login_t)
+auth_read_shadow(local_login_t)
auth_rw_login_records(local_login_t)
auth_rw_faillog(local_login_t)
auth_manage_pam_console_data(local_login_t)

252
booleans-minimum.conf Normal file
View File

@ -0,0 +1,252 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
allow_execstack = true
# Allow ftpd to read cifs directories.
#
allow_ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
allow_ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
allow_httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
allow_zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
# Allow ftp to read and write files in the user home directories
#
ftp_home_dir = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
allow_ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
#
read_untrusted_content = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow regular users direct mouse access
#
user_direct_mouse = false
# Allow users to read system messages.
#
user_dmesg = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow w to display everyone
#
user_ttyfile_stat = false
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
#
write_untrusted_content = false
# Allow all domains to talk to ttys
#
allow_daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
allow_polyinstantiation = false
# Allow all domains to dump core
#
allow_daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
allow_xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
allow_guest_exec_content = false
allow_xguest_exec_content = false
# Only allow browser to use the web
#
browser_confine_xguest=false
# Allow postfix locat to write to mail spool
#
allow_postfix_local_write_mail_spool=false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile=true
# Allow qemu to connect fully to the network
#
qemu_full_network=true
# Allow nsplugin execmem/execstack for bad plugins
#
allow_nsplugin_execmem=true
# Allow unconfined domain to transition to confined domain
#
allow_unconfined_nsplugin_transition=true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
allow_mount_anyfile = true

6
booleans-mls.conf Normal file
View File

@ -0,0 +1,6 @@
kerberos_enabled = true
mount_anyfile = true
polyinstantiation_enabled = true
ftpd_is_daemon = true
selinuxuser_ping = true
xserver_object_manager = true

24
booleans-targeted.conf Normal file
View File

@ -0,0 +1,24 @@
gssd_read_tmp = true
httpd_builtin_scripting = true
httpd_enable_cgi = true
httpd_graceful_shutdown = true
kerberos_enabled = true
mount_anyfile = true
nfs_export_all_ro = true
nfs_export_all_rw = true
nscd_use_shm = true
openvpn_enable_homedirs = true
postfix_local_write_mail_spool=true
pppd_can_insmod = false
privoxy_connect_any = true
selinuxuser_direct_dri_enabled = true
selinuxuser_execmem = true
selinuxuser_execmod = true
selinuxuser_execstack = true
selinuxuser_rw_noexattrfile=true
selinuxuser_ping = true
squid_connect_any = true
telepathy_tcp_connect_generic_network_ports=true
unconfined_chrome_sandbox_transition=true
unconfined_mozilla_plugin_transition=true
xguest_exec_content = true

49
booleans.subs_dist Normal file
View File

@ -0,0 +1,49 @@
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
allow_daemons_use_tty daemons_use_tty
allow_domain_fd_use domain_fd_use
allow_execheap selinuxuser_execheap
allow_execmod selinuxuser_execmod
allow_execstack selinuxuser_execstack
allow_ftpd_anon_write ftpd_anon_write
allow_ftpd_full_access ftpd_full_access
allow_ftpd_use_cifs ftpd_use_cifs
allow_ftpd_use_nfs ftpd_use_nfs
allow_gssd_read_tmp gssd_read_tmp
allow_guest_exec_content guest_exec_content
allow_httpd_anon_write httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam httpd_mod_auth_pam
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
allow_kerberos kerberos_enabled
allow_mplayer_execstack mplayer_execstack
allow_mount_anyfile mount_anyfile
allow_nfsd_anon_write nfsd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
allow_rsync_anon_write rsync_anon_write
allow_saslauthd_read_shadow saslauthd_read_shadow
allow_secadm_exec_content secadm_exec_content
allow_smbd_anon_write smbd_anon_write
allow_ssh_keysign ssh_keysign
allow_staff_exec_content staff_exec_content
allow_sysadm_exec_content sysadm_exec_content
allow_user_exec_content user_exec_content
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
allow_write_xshm xserver_clients_write_xshm
allow_xguest_exec_content xguest_exec_content
allow_xserver_execmem xserver_execmem
allow_ypbind nis_enabled
allow_zebra_write_config zebra_write_config
user_direct_dri selinuxuser_direct_dri_enabled
user_ping selinuxuser_ping
user_share_music selinuxuser_share_music
user_tcp_server selinuxuser_tcp_server
sepgsql_enable_pitr_implementation postgresql_can_rsync
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm

2
config
View File

@ -1,2 +0,0 @@
SELINUX=permissive
SELINUXTYPE=refpolicy-standard

3
config.tgz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:652101e6cd75232a223d53d498a9190f0c21d513c9587d34956805fd56545ee2
size 3189

13
customizable_types Normal file
View File

@ -0,0 +1,13 @@
sandbox_file_t
svirt_image_t
svirt_home_t
svirt_lxc_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_rw_content_t
httpd_user_ra_content_t
httpd_user_content_t
git_session_content_t
home_bin_t
user_tty_device_t

14
dont_use_xmllint_in_make_conf.patch Normal file
View File

@ -0,0 +1,14 @@
Index: serefpolicy-20140730/Makefile
===================================================================
--- serefpolicy-20140730.orig/Makefile 2014-07-30 16:48:48.379896000 +0200
+++ serefpolicy-20140730/Makefile 2015-02-25 12:37:11.262844720 +0100
@@ -431,9 +431,6 @@ $(polxml): $(layerxml) $(tunxml) $(boolx
$(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
$(verbose) cat $(tunxml) $(boolxml) >> $@
$(verbose) echo '</policy>' >> $@
- $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
- $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
- fi
xml: $(polxml)

13
file_contexts.subs_dist Normal file
View File

@ -0,0 +1,13 @@
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
/lib /usr/lib
/lib64 /usr/lib
/usr/lib64 /usr/lib
/usr/local /usr
/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/etc/systemd/system /usr/lib/systemd/system
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/var/lib/xguest/home /home

12
label_sysconfig.selinux-policy.patch Normal file
View File

@ -0,0 +1,12 @@
Index: serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc
===================================================================
--- serefpolicy-3.12.1.orig/policy/modules/system/selinuxutil.fc 2013-10-23 11:44:16.817098343 +0200
+++ serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc 2013-10-23 11:44:16.836098547 +0200
@@ -4,6 +4,7 @@
# /etc
#
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+/etc/sysconfig/selinux-policy gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)

23
label_var_run_rsyslog.patch Normal file
View File

@ -0,0 +1,23 @@
Index: serefpolicy-20140730/policy/modules/system/logging.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/logging.fc
+++ serefpolicy-20140730/policy/modules/system/logging.fc
@@ -83,6 +83,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
Index: serefpolicy-20140730/policy/modules/system/init.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/init.te
+++ serefpolicy-20140730/policy/modules/system/init.te
@@ -1676,3 +1676,6 @@ optional_policy(`
ccs_read_config(daemon)
')
')
+
+# relabel /var/run/rsyslog
+filetrans_pattern(init_t, var_run_t, syslogd_var_run_t, dir, "rsyslog")

416
modules-mls-base.conf Normal file
View File

@ -0,0 +1,416 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: logadm
#
# logadm account on tty logins
#
logadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: services
# Module: automount
#
# Filesystem automounter service.
#
automount = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module

1644
modules-mls-contrib.conf Normal file
View File

File diff suppressed because it is too large Load Diff

430
modules-targeted-base.conf Normal file
View File

@ -0,0 +1,430 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
#
unconfineduser = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: apps
# Module: rssh
#
# Restricted (scp/sftp) only shell
#
rssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: services
# Module: automount
#
# Filesystem automounter service.
#
automount = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module

2238
modules-targeted-contrib.conf Normal file
View File

File diff suppressed because it is too large Load Diff

52618
policy-rawhide-base.patch Normal file
View File

File diff suppressed because it is too large Load Diff

110647
policy-rawhide-contrib.patch Normal file
View File

File diff suppressed because it is too large Load Diff

3
refpolicy-2.20081210.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2ac9bc01e21541ee8e5e374320e9daeee11d807a7c197142e5c9eea7e096ac77
size 458911

4
securetty_types-minimum Normal file
View File

@ -0,0 +1,4 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

6
securetty_types-mls Normal file
View File

@ -0,0 +1,6 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t

4
securetty_types-targeted Normal file
View File

@ -0,0 +1,4 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

74
selinux-policy-build_conf.patch
View File

@ -1,74 +0,0 @@
--- refpolicy-mcs/build.conf
+++ refpolicy-mcs/build.conf
@@ -12,13 +12,13 @@
# Policy Type
# standard, mls, mcs
-TYPE = standard
+TYPE = mcs
# Policy Name
# If set, this will be used as the policy
# name. Otherwise the policy type will be
# used for the name.
-NAME = refpolicy
+NAME = refpolicy-mcs
# Distribution
# Some distributions have portions of policy
@@ -27,7 +27,7 @@
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = suse
# Unknown Permissions Handling
# The behavior for handling permissions defined in the
--- refpolicy-mls/build.conf
+++ refpolicy-mls/build.conf
@@ -12,13 +12,13 @@
# Policy Type
# standard, mls, mcs
-TYPE = standard
+TYPE = mls
# Policy Name
# If set, this will be used as the policy
# name. Otherwise the policy type will be
# used for the name.
-NAME = refpolicy
+NAME = refpolicy-mls
# Distribution
# Some distributions have portions of policy
@@ -27,7 +27,7 @@
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = suse
# Unknown Permissions Handling
# The behavior for handling permissions defined in the
--- refpolicy-standard/build.conf
+++ refpolicy-standard/build.conf
@@ -18,7 +18,7 @@
# If set, this will be used as the policy
# name. Otherwise the policy type will be
# used for the name.
-NAME = refpolicy
+NAME = refpolicy-standard
# Distribution
# Some distributions have portions of policy
@@ -27,7 +27,7 @@
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = suse
# Unknown Permissions Handling
# The behavior for handling permissions defined in the

18
selinux-policy-rpmlintrc Normal file
View File

@ -0,0 +1,18 @@
addFilter("W: non-conffile-in-etc.*")
addFilter("W: zero-length /etc/selinux/.*")
addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
addFilter("W: files-duplicate /etc/selinux/minimum/seusers /etc/selinux/minimum/modules/active/seusers.final")
addFilter("W: files-duplicate /etc/selinux/minimum/contexts/files/file_contexts /etc/selinux/minimum/modules/active/file_contexts")
addFilter("W: files-duplicate /etc/selinux/minimum/modules/active/file_contexts.homedirs /etc/selinux/minimum/contexts/files/file_contexts.homedirs")
addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/seusers.final /etc/selinux/targeted/seusers")
addFilter("W: files-duplicate /etc/selinux/targeted/modules/active/file_contexts /etc/selinux/targeted/contexts/files/file_contexts")
addFilter("W: files-duplicate /etc/selinux/targeted/contexts/files/file_contexts.homedirs /etc/selinux/targeted/modules/active/file_contexts.homedirs")
addFilter("W: files-duplicate /etc/selinux/mls/modules/active/seusers.final /etc/selinux/mls/seusers")
addFilter("W: files-duplicate /etc/selinux/mls/modules/active/file_contexts /etc/selinux/mls/contexts/files/file_contexts")
addFilter("W: files-duplicate /etc/selinux/mls/contexts/files/file_contexts.homedirs /etc/selinux/mls/modules/active/file_contexts.homedirs")
addFilter("E: files-duplicated-waste")
addFilter("E: files-duplicated-waste")
addFilter("E: files-duplicated-waste")

306
selinux-policy.changes
View File

@ -1,3 +1,309 @@
-------------------------------------------------------------------
Mon Mar 26 13:18:34 UTC 2018 - rgoldwyn@suse.com
- Add overlayfs as xattr capable (bsc#1073741)
* add-overlayfs-as-xattr-capable.patch
-------------------------------------------------------------------
Tue Dec 12 09:07:31 UTC 2017 - jsegitz@suse.com
- Added
* suse_modifications_glusterfs.patch
* suse_modifications_passenger.patch
* suse_modifications_stapserver.patch
to modify module name to make the current tools happy
-------------------------------------------------------------------
Wed Nov 29 13:20:22 UTC 2017 - rbrown@suse.com
- Repair erroneous changes introduced with %_fillupdir macro
-------------------------------------------------------------------
Thu Nov 23 13:53:09 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Wed Mar 15 21:50:32 UTC 2017 - mwilck@suse.com
- POLCYVER depends both on the libsemanage/policycoreutils version
and the kernel. The former is more important for us, kernel seems
to have all necessary features in Leap 42.1 already.
- Replaced = runtime dependencies on checkpolicy/policycoreutils
with "=". 2.5 policy is not supposed to work with 2.3 tools,
The runtime policy tools need to be same the policy was built with.
-------------------------------------------------------------------
Wed Mar 15 15:16:20 UTC 2017 - mwilck@suse.com
- Changes required by policycoreutils update to 2.5
* lots of spec file content needs to be conditional on
policycoreutils version.
- Specific policycoreutils 2.5 related changes:
* modules moved from /etc/selinux to /var/lib/selinux
(https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration)
* module path now includes includes priority. Users override default
policies by setting higher priority. Thus installed policy modules can be
fully verified by RPM.
* Installed modules have a different format and path.
Raw bzip2 doesn't suffice to create them any more, but we can process them
all in a single semodule -i command.
- Policy version depends on kernel / distro version
* do not touch policy.<version>, rather fail if it's not created
- Enabled building mls policy for Leap (not for SLES)
- Other
* Bug: "sandbox.disabled" should be "sandbox.pp.disabled" for old policycoreutils
* Bug: (minimum) additional modules that need to be activated: postfix
(required by apache), plymouthd (required by getty)
* Cleanup: /etc -> %{sysconfdir} etc.
-------------------------------------------------------------------
Thu Aug 13 08:14:34 UTC 2015 - jsegitz@novell.com
- fixed missing role assignment in cron_unconfined_role
-------------------------------------------------------------------
Tue Aug 11 08:36:17 UTC 2015 - jsegitz@novell.com
- Updated suse_modifications_ipsec.patch, removed dontaudits for
ipsec_mgmt_t and granted matching permissions
-------------------------------------------------------------------
Wed Aug 5 11:31:24 UTC 2015 - jsegitz@novell.com
- Added suse_modifications_ipsec.patch to grant additional privileges
to ipsec_mgmt_t
-------------------------------------------------------------------
Tue Jul 21 14:56:07 UTC 2015 - jsegitz@novell.com
- Minor changes for CC evaluation. Allow reading of /dev/random
and ipc_lock for dbus and dhcp
-------------------------------------------------------------------
Wed Jun 24 08:27:30 UTC 2015 - jsegitz@novell.com
- Transition from unconfined user to cron admin type
- Allow systemd_timedated_t to talk to unconfined dbus for minimal
policy (bsc#932826)
- Allow hostnamectl to set the hostname (bsc#933764)
-------------------------------------------------------------------
Wed May 20 14:05:04 UTC 2015 - jsegitz@novell.com
- Removed ability of staff_t and user_t to use svirt. Will reenable
this later on with a policy upgrade
Added suse_modifications_staff.patch
-------------------------------------------------------------------
Wed Feb 25 11:38:44 UTC 2015 - jsegitz@novell.com
- Added dont_use_xmllint_in_make_conf.patch to remove xmllint usage
in make conf. This currently breaks manual builds.
- Added BuildRequires for libxml2-tools to enable xmllint checks
once the issue mentioned above is solved
-------------------------------------------------------------------
Thu Jan 29 09:56:40 UTC 2015 - jsegitz@novell.com
- adjusted suse_modifications_ntp to match SUSE chroot paths
-------------------------------------------------------------------
Wed Jan 28 09:37:06 UTC 2015 - jsegitz@novell.com
- Added
* suse_additions_obs.patch to allow local builds by OBS
* suse_additions_sslh.patch to confine sslh
- Added suse_modifications_cron.patch to adjust crontabs contexts
- Modified suse_modifications_postfix.patch to match SUSE paths
- Modified suse_modifications_ssh.patch to bring boolean
sshd_forward_ports back
- Modified
* suse_modifications_dbus.patch
* suse_modifications_unprivuser.patch
* suse_modifications_xserver.patch
to allow users to be confined
- Added
* suse_modifications_apache.patch
* suse_modifications_ntp.patch
and modified
* suse_modifications_xserver.patch
to fix labels on startup scripts used by systemd
- Removed unused and incorrect interface dev_create_all_dev_nodes
from systemd-tmpfiles.patch
- Removed BuildRequire for selinux-policy-devel
-------------------------------------------------------------------
Fri Jan 23 15:52:02 UTC 2015 - jsegitz@novell.com
- Major cleanup of the spec file
-------------------------------------------------------------------
Fri Jan 23 11:44:52 UTC 2015 - jsegitz@novell.com
- removed suse_minimal_cc.patch and splitted them into
* suse_modifications_dbus.patch
* suse_modifications_policykit.patch
* suse_modifications_postfix.patch
* suse_modifications_rtkit.patch
* suse_modifications_unconfined.patch
* suse_modifications_systemd.patch
* suse_modifications_unconfineduser.patch
* suse_modifications_selinuxutil.patch
* suse_modifications_logging.patch
* suse_modifications_getty.patch
* suse_modifications_authlogin.patch
* suse_modifications_xserver.patch
* suse_modifications_ssh.patch
* suse_modifications_usermanage.patch
- Added suse_modifications_virt.patch to enable svirt on s390x
-------------------------------------------------------------------
Sat Nov 08 19:17:00 UTC 2014 - Led <ledest@gmail.com>
- fix bashism in post script
-------------------------------------------------------------------
Thu Sep 18 09:06:09 UTC 2014 - jsegitz@suse.com
Redid changes done by vcizek@suse.com in SLE12 package
- disable build of MLS policy
- removed outdated description files
* Alan_Rouse-openSUSE_with_SELinux.txt
* Alan_Rouse-Policy_Development_Process.txt
-------------------------------------------------------------------
Mon Sep 8 09:08:19 UTC 2014 - jsegitz@suse.com
- removed remove_duplicate_filetrans_pattern_rules.patch
-------------------------------------------------------------------
Fri Sep 5 11:22:02 UTC 2014 - jsegitz@suse.com
- Updated policy to include everything up until 20140730 (refpolicy and
fedora rawhide improvements). Rebased all patches that are still
necessary
- Removed permissivedomains.pp. Doesn't work with the new policy
- modified spec file so that all modifications for distro=redhat and
distro=suse will be used.
- added selinux-policy-rpmlintrc to suppress some warnings that aren't
valid for this package
- added suse_minimal_cc.patch to create a suse specific module to prevent
errors while using the minimum policy. Will rework them in the proper
places once the minimum policy is reworked to really only confine a
minimal set of domains.
-------------------------------------------------------------------
Tue Sep 2 13:31:58 UTC 2014 - vcizek@suse.com
- removed source files which were not used
* modules-minimum.conf, modules-mls.conf, modules-targeted.conf,
permissivedomains.fc, permissivedomains.if, permissivedomains.te,
seusers, seusers-mls, seusers-targeted, users_extra-mls,
users_extra-targeted
-------------------------------------------------------------------
Mon Jun 2 12:08:40 UTC 2014 - vcizek@suse.com
- remove duplicate filetrans_pattern rules
* fixes build with libsepol-2.3
* added remove_duplicate_filetrans_pattern_rules.patch
-------------------------------------------------------------------
Mon Dec 9 13:57:18 UTC 2013 - vcizek@suse.com
- enable build of mls and targeted policies
- fixes to the minimum policy:
- label /var/run/rsyslog correctly
* label_var_run_rsyslog.patch
- allow systemd-tmpfiles to create devices
* systemd-tmpfiles.patch
- add rules for sysconfig
* correctly label /dev/.sysconfig/network
* added sysconfig_network_scripts.patch
- run restorecon and fixfiles only if if selinux is enabled
- fix console login
* allow-local_login_t-read-shadow.patch
- allow rsyslog to write to xconsole
* xconsole.patch
- useradd needs to call selinux_check_access (via pam_rootok)
* useradd-netlink_selinux_socket.patch
-------------------------------------------------------------------
Mon Aug 12 02:08:15 CEST 2013 - ro@suse.de
- fix build on factory: newer rpm does not allow to mark
non-directories as dir anymore (like symlinks in this case)
-------------------------------------------------------------------
Thu Jul 11 11:00:14 UTC 2013 - coolo@suse.com
- install COPYING
-------------------------------------------------------------------
Fri Mar 22 11:52:43 UTC 2013 - vcizek@suse.com
- switch to Fedora as upstream
- added patches:
* policy-rawhide-base.patch
* policy-rawhide-contrib.patch
* type_transition_file_class.patch
* type_transition_contrib.patch
* label_sysconfig.selinux-policy.patch
-------------------------------------------------------------------
Tue Dec 11 13:40:27 UTC 2012 - vcizek@suse.com
- bump up policy version to 27, due to recent libsepol update
- dropped currently unused policy-rawhide.patch
- fix installing of file_contexts (this enables restorecond to run properly)
- Recommends: audit and setools
-------------------------------------------------------------------
Mon Dec 10 15:47:13 UTC 2012 - meissner@suse.com
- mark included files in source
-------------------------------------------------------------------
Mon Oct 22 18:47:00 UTC 2012 - vcizek@suse.com
- update to 2.20120725
- added selinux-policy-run_sepolgen_during_build.patch
- renamed patch with SUSE-specific policy to selinux-policy-SUSE.patch
- dropped policygentool and OLPC stuff
-------------------------------------------------------------------
Wed May 9 10:01:26 UTC 2012 - coolo@suse.com
- patch license to be in spdx.org format
-------------------------------------------------------------------
Fri May 21 16:05:49 CEST 2010 - prusnak@suse.cz
- use policy created by Alan Rouse
-------------------------------------------------------------------
Sat Apr 10 23:45:17 PDT 2010 - justinmattock@gmail.com
- Adjust selinux-policy.spec so that the policy
source tree is put in /usr/share/doc/packages/selinux-*
so users can build the policy [bnc#582404]
-------------------------------------------------------------------
Wed Apr 7 09:59:43 UTC 2010 - thomas@novell.com
- fixed fileperms of /etc/selinux/config to be 644 to allow
libselinux to read from it (bnc#582399)
this is also the default file mode in fedora 12
-------------------------------------------------------------------
Fri Jun 26 12:19:07 CEST 2009 - thomas@novell.com

2
selinux-policy.conf Normal file
View File

@ -0,0 +1,2 @@
z /sys/devices/system/cpu/online - - -
Z /sys/class/net - - -

767
selinux-policy.spec
View File

@ -1,110 +1,713 @@
#
# spec file for package selinux-policy
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates
%endif
# TODO: This turns on distro-specific policies.
# There are almost no SUSE specific modifications available in the policy, so we utilize the
# ones used by redhat and include also the SUSE specific ones (see sed statement below)
%define distro redhat
%define polyinstatiate n
%define monolithic n
%define BUILD_DOC 1
%define BUILD_TARGETED 1
%define BUILD_MINIMUM 1
%if 0%{suse_version} == 1315 && 0%{is_opensuse} == 0
%define BUILD_MLS 0
%else
%define BUILD_MLS 1
%endif
%if 0%{?suse_version} >= 1330 || ( 0%{?suse_version} == 1315 && 0%{?sle_version} >= 120200 )
%else
%endif
%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
%define CHECKPOLICYVER %POLICYCOREUTILSVER
%define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else print "0" end }
# conditional stuff depending on policycoreutils version
# See https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration
%if %{coreutils_ge 2.5}
# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
# It depends on the kernel, but apparently more so on the libsemanage version.
%define POLICYVER 30
# macros calling module_store have to be defined using global, not define, and
# "lazy" evaluation
%global module_store() %{_localstatedir}/lib/selinux/%%{1}
%global policy_prio 100
%global module_dir active/modules/%{policy_prio}
%global module_disabled() %{module_store %%{1}}/active/modules/disabled/%%{2}
%global install_pp() \
(cd %{buildroot}/%{_usr}/share/selinux/%1/ \
/usr/sbin/semodule -s %%{1} -X %{policy_prio} -n -p %{buildroot} -i *.pp \
rm -f *pp*);
# FixMe 170315: None of these exist any more. Are they necessary?
%global files_base_pp() %nil
%global touch_file_contexts() touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local
%global files_file_contexts() %nil
%global mkdir_other() \
%{__mkdir} -p %{buildroot}%{module_store %%1}/active/modules/disabled
%global files_other() \
%dir %{module_store %%1}/active/modules \
%dir %{module_store %%1}/active/modules/disabled \
%{module_disabled %%1 sandbox}
%global files_dot_bin() %nil
%global rm_selinux_mod() rm -rf %%1
%else
# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
# It depends on the kernel, but apparently more so on the libsemanage version.
%define POLICYVER 29
%global module_store() %{_sysconfdir}/selinux/%%{1}/modules
%global module_dir active/modules
%global module_disabled() %{module_store %%{1}}/active/modules/%%{2}.pp.disabled
# FixMe 170315: Why is bzip2 used here rather than semodule -i?
%global install_pp() \
(cd %{buildroot}/%{_usr}/share/selinux/%%1/ \
bzip2 -c base.pp > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/base.pp \
rm -f base.pp \
for i in *.pp; do \
bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/modules/$i \
done \
rm -f *pp* );
# FixMe 170315:
# Why is base.pp installed in a different path than other modules?
# Requirement of policycoreutils 2.3 ??
%global files_base_pp() %verify(not md5 size mtime) %{module_store %%{1}}/active/base.pp
# FixMe 170315: do we really need these?
%global touch_file_contexts() \
touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.bin;
%global mkdir_other() %nil
# FixMe 170315: do we really need these?
%global files_file_contexts() \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.template
# FixMe 170315: do we really need these?
%global files_other() \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/seusers.final \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/netfilter_contexts
%global files_dot_bin() %ghost %{module_store %%{1}}/active/*.bin
%global rm_selinux_mod() rm -f %%{1}.pp
%endif
Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
Version: 2.20081210
Release: 1
Url: http://oss.tresys.com/projects/refpolicy/
License: GPL v2
Group: System/Base
Summary: SELinux policies
Source: refpolicy-%{version}.tar.bz2
Source1: config
Patch0: %{name}-build_conf.patch
Version: 20140730
Release: 0
Source: serefpolicy-%{version}.tgz
Source1: serefpolicy-contrib-%{version}.tgz
Source10: modules-targeted-base.conf
Source11: modules-targeted-contrib.conf
Source12: modules-mls-base.conf
Source13: modules-mls-contrib.conf
#Source14: modules-minimum.conf
Source20: booleans-targeted.conf
Source21: booleans-mls.conf
Source22: booleans-minimum.conf
Source23: booleans.subs_dist
Source30: setrans-targeted.conf
Source31: setrans-mls.conf
Source32: setrans-minimum.conf
Source40: securetty_types-targeted
Source41: securetty_types-mls
Source42: securetty_types-minimum
Source50: users-targeted
Source51: users-mls
Source52: users-minimum
Source60: selinux-policy.conf
Source61: selinux-policy.sysconfig
Source90: selinux-policy-rpmlintrc
Source91: Makefile.devel
Source92: customizable_types
Source93: config.tgz
Source94: file_contexts.subs_dist
# base policy patches
Patch0001: policy-rawhide-base.patch
# The following two patches are a workaround for 812055
Patch0002: type_transition_file_class.patch
Patch0003: label_sysconfig.selinux-policy.patch
Patch0004: sysconfig_network_scripts.patch
Patch0005: allow-local_login_t-read-shadow.patch
Patch0006: xconsole.patch
Patch0007: useradd-netlink_selinux_socket.patch
Patch0008: systemd-tmpfiles.patch
Patch0009: label_var_run_rsyslog.patch
Patch0010: suse_modifications_unconfined.patch
Patch0011: suse_modifications_systemd.patch
Patch0012: suse_modifications_unconfineduser.patch
Patch0013: suse_modifications_selinuxutil.patch
Patch0014: suse_modifications_logging.patch
Patch0015: suse_modifications_getty.patch
Patch0016: suse_modifications_authlogin.patch
Patch0017: suse_modifications_xserver.patch
Patch0018: suse_modifications_ssh.patch
Patch0019: suse_modifications_usermanage.patch
Patch0020: suse_modifications_unprivuser.patch
Patch0021: dont_use_xmllint_in_make_conf.patch
Patch0022: suse_modifications_staff.patch
Patch0023: suse_modifications_ipsec.patch
Patch0024: add-overlayfs-as-xattr-capable.patch
# contrib patches
Patch1000: policy-rawhide-contrib.patch
Patch1001: type_transition_contrib.patch
Patch1002: suse_modifications_virt.patch
Patch1003: suse_modifications_dbus.patch
Patch1004: suse_modifications_policykit.patch
Patch1005: suse_modifications_postfix.patch
Patch1006: suse_modifications_rtkit.patch
Patch1007: suse_modifications_apache.patch
Patch1008: suse_modifications_ntp.patch
Patch1009: suse_modifications_cron.patch
Patch1010: suse_additions_sslh.patch
Patch1011: suse_additions_obs.patch
Patch1012: suse_modifications_glusterfs.patch
Patch1013: suse_modifications_passenger.patch
Patch1014: suse_modifications_stapserver.patch
Url: http://oss.tresys.com/repos/refpolicy/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: checkpolicy policycoreutils libsepol-devel python python-xml m4
BuildArch: noarch
# default is refpolicy-standard (mentioned in config)
Requires: selinux-policy-refpolicy-standard
BuildRequires: %fillup_prereq
BuildRequires: %insserv_prereq
BuildRequires: bzip2
BuildRequires: checkpolicy
BuildRequires: gawk
BuildRequires: libxml2-tools
BuildRequires: m4
BuildRequires: policycoreutils
BuildRequires: policycoreutils-python
BuildRequires: python
BuildRequires: python-xml
#BuildRequires: selinux-policy-devel
# we need selinuxenabled
Requires(post): selinux-tools
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(post): /bin/awk /usr/bin/sha512sum
Recommends: audit
Recommends: selinux-tools
# for audit2allow
Recommends: policycoreutils-python
%description
SELinux policy
%global makeCmds() \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
%package refpolicy-standard
Group: System/Base
Summary: SELinux policy - Tresys Standard Refpolicy
Requires: selinux-policy
%global makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
if [ "%3" = "contrib" ];then \
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \
%description refpolicy-standard
%global installCmds() \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
make validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
%{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
%{mkdir_other %%1} \
touch %{buildroot}/%{module_store %%{1}}/semanage.read.LOCK \
touch %{buildroot}/%{module_store %%{1}}/semanage.trans.LOCK \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{touch_file_contexts %%1} \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{module_store %%{1}}/active/seusers \
touch %{buildroot}%{module_store %%{1}}/active/nodes.local \
touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \
touch %{buildroot}%{module_store %%{1}}/active/users.local \
cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
%install_pp %%1 \
touch %{buildroot}%{module_disabled %%1 sandbox} \
/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern \
ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{module_store %%{1}}/active/policy.kern \
%nil
SELinux policy - based on reference policy from Tresys - standard
%global fileList() \
%defattr(-,root,root) \
%dir %{_usr}/share/selinux/%1 \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/logins \
%dir %{module_store %%{1}} \
%verify(not md5 size mtime) %{module_store %%{1}}/semanage.read.LOCK \
%verify(not md5 size mtime) %{module_store %%{1}}/semanage.trans.LOCK \
%dir %attr(700,root,root) %dir %{module_store %%{1}}/active \
%dir %{module_store %%{1}}/%{module_dir} \
%verify(not md5 size mtime) %{module_store %%{1}}/active/policy.kern \
%verify(not md5 size mtime) %{module_store %%{1}}/active/commit_num \
%{files_base_pp %%1} \
%verify(not md5 size mtime) %{module_store %%{1}}/active/file_contexts \
%{files_file_contexts %%1} \
%{files_other %%1} \
%config(noreplace) %verify(not md5 size mtime) %{module_store %%{1}}/active/users_extra \
%verify(not md5 size mtime) %{module_store %%{1}}/active/homedir_template \
%{module_store %%{1}}/%{module_dir}/* \
%ghost %{module_store %%{1}}/active/*.local \
%{files_dot_bin %%1} \
%ghost %{module_store %%{1}}/active/seusers \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
%package refpolicy-mcs
Group: System/Base
Summary: SELinux policy - Tresys MCS Refpolicy
Requires: selinux-policy
%define relabel() \
. %{_sysconfdir}/sysconfig/selinux-policy; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if selinuxenabled; then \
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null; \
/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true; \
fi;
%description refpolicy-mcs
%global preInstall() \
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" = %%1 -a -f ${FILE_CONTEXT} ]; then \
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi; \
touch %{_sysconfdir}/selinux/%%1/.rebuild; \
if [ -e %{_sysconfdir}/selinux/%%1/.policy.sha512 ]; then \
sha512=`sha512sum %{module_store %%{1}}/active/policy.kern | cut -d ' ' -f 1`; \
checksha512=`cat %{_sysconfdir}/selinux/%%1/.policy.sha512`; \
if [ "$sha512" = "$checksha512" ] ; then \
rm %{_sysconfdir}/selinux/%%1/.rebuild; \
fi; \
fi; \
fi;
SELinux policy - based on reference policy from Tresys - mcs
%global postInstall() \
. %{_sysconfdir}/selinux/config; \
if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \
rm %{_sysconfdir}/selinux/%%2/.rebuild; \
(cd %{module_store %%2}/%{module_dir}; for _mod in shutdown amavis clamav gnomeclock matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp rgmanager corosync aisexec pacemaker; do %{rm_selinux_mod ${_mod}}; done ) \
/usr/sbin/semodule -B -n -s %%2; \
else \
touch %{module_disabled %%2 sandbox} \
fi; \
if [ "${SELINUXTYPE}" = "%2" ]; then \
if selinuxenabled; then \
load_policy; \
else \
# probably a first install of the policy \
true; \
fi; \
fi; \
if selinuxenabled; then \
if [ %1 -eq 1 ]; then \
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null; \
else \
%relabel %2 \
fi; \
else \
# run fixfiles on next boot \
touch /.autorelabel \
fi;
%package refpolicy-mls
Group: System/Base
Summary: SELinux policy - Tresys MLS Refpolicy
Requires: selinux-policy
%description refpolicy-mls
SELinux policy - based on reference policy from Tresys - mls
%prep
%setup -q -c -n selinux-policy -T
tar xfj %{SOURCE0} && mv refpolicy refpolicy-standard
tar xfj %{SOURCE0} && mv refpolicy refpolicy-mcs
tar xfj %{SOURCE0} && mv refpolicy refpolicy-mls
%patch0
%build
for i in standard mcs mls; do
cd refpolicy-$i
make conf
make policy
cd ..
done
%install
for i in standard mcs mls; do
cd refpolicy-$i
make DESTDIR=$RPM_BUILD_ROOT install
sed -i "s:^# edit $RPM_BUILD_ROOT:# edit :" $RPM_BUILD_ROOT%{_sysconfdir}/selinux/refpolicy-$i/contexts/files/file_contexts.homedirs
cd ..
done
install -m 600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/selinux/
%clean
rm -rf $RPM_BUILD_ROOT
%define modulesList() \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
fi;
%files
%defattr(-,root,root)
%defattr(-,root,root,-)
%doc COPYING
%dir %{_usr}/share/selinux
%dir %{_sysconfdir}/selinux
%{_sysconfdir}/selinux/config
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%{_fillupdir}/sysconfig.%{name}
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
%files refpolicy-standard
%defattr(-,root,root)
%doc refpolicy-standard/COPYING refpolicy-standard/Changelog refpolicy-standard/README
%dir %{_sysconfdir}/selinux/refpolicy-standard
%{_sysconfdir}/selinux/refpolicy-standard/*
%description
SELinux Reference Policy. A complete SELinux policy that can be used as the system policy for a variety of
systems and used as the basis for creating other policies.
%files refpolicy-mcs
%defattr(-,root,root)
%doc refpolicy-mcs/COPYING refpolicy-mcs/Changelog refpolicy-mcs/README
%dir %{_sysconfdir}/selinux/refpolicy-mcs
%{_sysconfdir}/selinux/refpolicy-mcs/*
%prep
# contrib modules
%setup -n serefpolicy-contrib-%{version} -q -b 1
%patch1000 -p1
%patch1001 -p1
%patch1002 -p1
%patch1003 -p1
%patch1004 -p1
%patch1005 -p1
%patch1006 -p1
%patch1007 -p1
%patch1008 -p1
%patch1009 -p1
%patch1010 -p1
%patch1011 -p1
%patch1012 -p1
%patch1013 -p1
%patch1014 -p1
%files refpolicy-mls
%defattr(-,root,root)
%doc refpolicy-mls/COPYING refpolicy-mls/Changelog refpolicy-mls/README
%dir %{_sysconfdir}/selinux/refpolicy-mls
%{_sysconfdir}/selinux/refpolicy-mls/*
# base policy
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
cp COPYING ..
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
%patch0005 -p1
%patch0006 -p0
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
%patch0010 -p1
%patch0011 -p1
%patch0012 -p1
%patch0013 -p1
%patch0014 -p1
%patch0015 -p1
%patch0016 -p1
%patch0017 -p1
%patch0018 -p1
%patch0019 -p1
%patch0020 -p1
%patch0021 -p1
%patch0022 -p1
%patch0023 -p1
%patch0024 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
# we use distro=redhat to get all the redhat modifications but we'll still need everything that is defined for suse
find "$refpolicy_path" -type f -print0 | xargs -0 sed -i -e 's/ifdef(`distro_suse/ifdef(`distro_redhat/g'
%build
%install
mkdir selinux_config
for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do
cp $i selinux_config
done
tar zxvf selinux_config/config.tgz
# Build targeted policy
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/
# Always create policy module package directories
mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
make clean
%if %{BUILD_TARGETED}
# Build targeted policy
mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
%makeCmds targeted mcs n allow
%makeModulesConf targeted base contrib
%installCmds targeted mcs n allow
%modulesList targeted
%endif
%if %{BUILD_MINIMUM}
# Build minimum policy
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
%makeCmds minimum mcs n allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs n allow
%modulesList minimum
%endif
%if %{BUILD_MLS}
# Build mls policy
mkdir -p %{buildroot}%{_usr}/share/selinux/mls
%makeCmds mls mls n deny
%makeModulesConf mls base contrib
%installCmds mls mls n deny
%modulesList mls
%endif
# Install devel
mkdir -p %{buildroot}%{_mandir}
cp -R man/* %{buildroot}%{_mandir}
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
rm -rf selinux_config
# fillup sysconfig
mkdir -p %{buildroot}%{_fillupdir}
cp %{SOURCE61} %{buildroot}%{_fillupdir}/sysconfig.%{name}
%clean
%post
%{fillup_only}
if [ ! -s %{_sysconfdir}/selinux/config ]; then
# new install
ln -sf %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
else
. %{_sysconfdir}/sysconfig/selinux-policy
# if first time update booleans.local needs to be copied to sandbox
[ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local ] && mv %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local %{module_store targeted}/active/
[ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers
fi
exit 0
%postun
if [ $1 = 0 ]; then
setenforce 0 2> /dev/null
if [ -s %{_sysconfdir}/selinux/config ]; then
sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
fi
fi
exit 0
%package devel
Summary: SELinux policy devel
Group: System/Management
Requires(pre): selinux-policy = %{version}-%{release}
Requires: /usr/bin/make
Requires: checkpolicy >= %{CHECKPOLICYVER}
Requires: m4
%description devel
SELinux policy development and man page package
%files devel
%defattr(-,root,root,-)
%{_mandir}/ru/man8/ftpd_selinux.8.gz
%{_mandir}/ru/man8/httpd_selinux.8.gz
%{_mandir}/ru/man8/kerberos_selinux.8.gz
%{_mandir}/ru/man8/named_selinux.8.gz
%{_mandir}/ru/man8/nfs_selinux.8.gz
%{_mandir}/ru/man8/rsync_selinux.8.gz
%{_mandir}/ru/man8/samba_selinux.8.gz
%{_mandir}/ru/man8/ypbind_selinux.8.gz
%dir %{_usr}/share/selinux/devel
%dir %{_usr}/share/selinux/devel/include
%{_usr}/share/selinux/devel/include/*
%{_usr}/share/selinux/devel/Makefile
%{_usr}/share/selinux/devel/example.*
%package doc
Summary: SELinux policy documentation
Group: System/Management
Requires(pre): selinux-policy = %{version}-%{release}
Requires: /usr/bin/xdg-open
%description doc
SELinux policy documentation package
%files doc
%defattr(-,root,root,-)
%doc %{_usr}/share/doc/%{name}-%{version}
%{_usr}/share/selinux/devel/policy.*
%if %{BUILD_TARGETED}
%package targeted
Summary: SELinux targeted base policy
Group: System/Management
Provides: selinux-policy-base = %{version}-%{release}
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
%description targeted
SELinux Reference policy targeted base module.
%pre targeted
%preInstall targeted
%post targeted
%postInstall $1 targeted
exit 0
%files targeted
%defattr(-,root,root,-)
%fileList targeted
%{_usr}/share/selinux/targeted/modules-base.lst
%{_usr}/share/selinux/targeted/modules-contrib.lst
%endif
%if %{BUILD_MINIMUM}
%package minimum
Summary: SELinux minimum base policy
Group: System/Management
Provides: selinux-policy-base = %{version}-%{release}
Requires(post): policycoreutils-python = %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts: seedit
%description minimum
SELinux Reference policy minimum base module.
%pre minimum
%preInstall minimum
if [ $1 -ne 1 ]; then
/usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ if ($3 != "Disabled") print $1; }' > /usr/share/selinux/minimum/instmodules.lst
fi
%post minimum
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
if [ $1 -eq 1 ]; then
for p in $contribpackages; do
touch %{module_disabled minimum $p}
done
# this is temporarily needed to make minimum policy work without errors. Will be included
# into the proper places later on
for p in $basepackages plymouthd postfix apache dbus inetd kerberos mta nis nscd cron; do
rm -f %{module_disabled minimum $p}
done
# those are default anyway
# /usr/sbin/semanage -S minimum -i - << __eof
# login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
# login -m -s unconfined_u -r s0-s0:c0.c1023 root
# __eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
else
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
touch %{module_disabled minimum $p}
done
for p in $instpackages apache dbus inetd kerberos mta nis; do
rm -f %{module_disabled minimum $p}
done
/usr/sbin/semodule -B -s minimum
%relabel minimum
fi
exit 0
%files minimum
%defattr(-,root,root,-)
%fileList minimum
%{_usr}/share/selinux/minimum/modules-base.lst
%{_usr}/share/selinux/minimum/modules-contrib.lst
%endif
%if %{BUILD_MLS}
%package mls
Summary: SELinux mls base policy
Group: System/Management
Provides: selinux-policy-base = %{version}-%{release}
Obsoletes: selinux-policy-mls-sources < 2
Requires: policycoreutils-newrole = %{POLICYCOREUTILSVER}
Requires: setransd
Requires(pre): policycoreutils = %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts: seedit
%description mls
SELinux Reference policy mls base module.
%pre mls
%preInstall mls
%post mls
%postInstall $1 mls
%files mls
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
%fileList mls
%{_usr}/share/selinux/mls/modules-base.lst
%{_usr}/share/selinux/mls/modules-contrib.lst
%endif
%changelog

11
selinux-policy.sysconfig Normal file
View File

@ -0,0 +1,11 @@
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
# minimum - Modification of targeted policy. Only selected processes are protected.
SELINUXTYPE=minimum

3
serefpolicy-20140730.tgz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ef950250ca524c822fff44677af9d061d77e09b02cba2ce6444fb057d35f0dae
size 318859

3
serefpolicy-contrib-20140730.tgz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a717a82690fc2f10de53241471112944cd99eedb1d4ffd05c7c8d6883cf31d11
size 467521

19
setrans-minimum.conf Normal file
View File

@ -0,0 +1,19 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

52
setrans-mls.conf Normal file
View File

@ -0,0 +1,52 @@
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
#
# Assumptions: using below MLS labels.
# SystemLow
# SystemHigh
# Unclassified
# Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

19
setrans-targeted.conf Normal file
View File

@ -0,0 +1,19 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

96
suse_additions_obs.patch Normal file
View File

@ -0,0 +1,96 @@
Index: serefpolicy-contrib-20140730/obs.fc
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/obs.fc
@@ -0,0 +1,63 @@
+/usr/lib/build/Build(/.*)? -- gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/build/Build.pm -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/build/configs(/.*)? -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/baselibs_global.conf -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/baselibs_global-deb.conf -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-pkg -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-pkg-arch -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-pkg-deb -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-pkg-rpm -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-arch -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-dsc -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-kiwi -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-livebuild -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-mock -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-preinstallimage -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-spec -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-ec2 -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-emulator -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-kvm -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-lxc -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-openstack -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-qemu -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-uml -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-xen -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-zvm -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/lxc.conf -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/qemu-reg -- gen_context(system_u:object_r:etc_t,s0)
+
+/usr/lib/build/emulator/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/build -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/changelog2spec -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/common_functions -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/computeblocklists -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createarchdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createdebdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createrepomddeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createrpmdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createyastdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createzyppdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/debtransform -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/debtransformbz2 -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/debtransformzip -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/download -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/expanddeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/extractbuild -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/getbinaryid -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/init_buildsystem -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/killchroot -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/mkbaselibs -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/mkdrpms -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/order -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/queryconfig -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/signdummy -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/spec2changelog -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/spec_add_patch -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/spectool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/substitutedeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/unrpm -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/vc -- gen_context(system_u:object_r:bin_t,s0)
+
Index: serefpolicy-contrib-20140730/obs.if
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/obs.if
@@ -0,0 +1 @@
+#
Index: serefpolicy-contrib-20140730/obs.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/obs.te
@@ -0,0 +1,17 @@
+policy_module(obs, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# work out a real policy later on
+#type obs_t;
+#type obs_exec_t;
+#application_domain(obs_t, obs_exec_t)
+#
+#type obs_conf_t;
+#files_config_file(obs_conf_t)
+#
+#permissive obs_t;
+

149
suse_additions_sslh.patch Normal file
View File

@ -0,0 +1,149 @@
Index: serefpolicy-contrib-20140730/sslh.fc
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.fc
@@ -0,0 +1,9 @@
+/etc/conf.d/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+/etc/default/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+
+/etc/init.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
+/usr/lib/systemd/system/sslh.service -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
+
+#/usr/sbin/rcsslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+
Index: serefpolicy-contrib-20140730/sslh.if
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.if
@@ -0,0 +1,77 @@
+## <summary>sslh Applicative Protocol Multiplexer</summary>
+
+#######################################
+## <summary>
+## Allow a domain to getattr on sslh binary.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sslh_getattr_exec',`
+ gen_require(`
+ type sslh_exec_t;
+ ')
+
+ allow $1 sslh_exec_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Read sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_read_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, sslh_conf_t, sslh_conf_t)
+ read_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+######################################
+## <summary>
+## Write sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_write_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+####################################
+## <summary>
+## Manage sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_manage_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
Index: serefpolicy-contrib-20140730/sslh.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.te
@@ -0,0 +1,48 @@
+policy_module(sslh, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sslh_t;
+type sslh_exec_t;
+init_daemon_domain(sslh_t, sslh_exec_t)
+
+type sslh_initrc_exec_t;
+init_script_file(sslh_initrc_exec_t)
+
+type sslh_conf_t;
+files_config_file(sslh_conf_t)
+
+type sslh_unit_file_t;
+systemd_unit_file(sslh_unit_file_t)
+
+########################################
+#
+# sslh local policy
+#
+
+allow sslh_t self:capability { setuid net_bind_service setgid };
+allow sslh_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow sslh_t self:process { setcap signal };
+allow sslh_t self:tcp_socket { getattr setopt bind create listen accept connect write read };
+
+corenet_tcp_bind_generic_node(sslh_t)
+corenet_tcp_bind_all_ports(sslh_t)
+corenet_tcp_connect_all_ports(sslh_t)
+
+corenet_udp_bind_all_ports(sslh_t)
+corenet_udp_send_generic_if(sslh_t)
+corenet_udp_receive_generic_if(sslh_t)
+
+read_files_pattern(sslh_t, sslh_conf_t, sslh_conf_t)
+
+nscd_shm_use(sslh_t)
+
+allow sslh_t nscd_var_run_t:file read;
+
+# dontaudit?
+#allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
+#allow sshd_t unconfined_t:process { siginh noatsecure };
+

12
suse_modifications_apache.patch Normal file
View File

@ -0,0 +1,12 @@
Index: serefpolicy-contrib-20140730/apache.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/apache.fc
+++ serefpolicy-contrib-20140730/apache.fc
@@ -64,6 +64,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/start_apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)

14
suse_modifications_authlogin.patch Normal file
View File

@ -0,0 +1,14 @@
Index: serefpolicy-20140730/policy/modules/system/authlogin.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/authlogin.te
+++ serefpolicy-20140730/policy/modules/system/authlogin.te
@@ -152,6 +152,9 @@ seutil_dontaudit_use_newrole_fds(chkpwd_
userdom_dontaudit_use_user_ttys(chkpwd_t)
+allow chkpwd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(chkpwd_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(chkpwd_t)

57
suse_modifications_cron.patch Normal file
View File

@ -0,0 +1,57 @@
Index: serefpolicy-contrib-20140730/cron.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/cron.fc 2015-08-13 10:13:01.320203530 +0200
+++ serefpolicy-contrib-20140730/cron.fc 2015-08-13 10:13:01.620208372 +0200
@@ -55,6 +55,8 @@ ifdef(`distro_suse', `
/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/tabs/[^/]* -- gen_context(system_u:object_r:user_cron_spool_t,s0)
')
ifdef(`distro_debian',`
Index: serefpolicy-contrib-20140730/cron.te
===================================================================
--- serefpolicy-contrib-20140730.orig/cron.te 2015-08-13 10:13:01.320203530 +0200
+++ serefpolicy-contrib-20140730/cron.te 2015-08-13 10:13:01.620208372 +0200
@@ -841,3 +841,9 @@ tunable_policy(`cron_userdomain_transiti
optional_policy(`
unconfined_domain(unconfined_cronjob_t)
')
+
+ifdef(`distro_suse',`
+ files_read_default_symlinks(crontab_t)
+ userdom_manage_user_home_dirs(crontab_t)
+ xserver_non_drawing_client(crontab_t)
+')
Index: serefpolicy-contrib-20140730/cron.if
===================================================================
--- serefpolicy-contrib-20140730.orig/cron.if 2015-08-13 10:13:01.320203530 +0200
+++ serefpolicy-contrib-20140730/cron.if 2015-08-13 10:14:06.153249993 +0200
@@ -158,7 +158,7 @@ interface(`cron_role',`
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+ type unconfined_cronjob_t, admin_crontab_t, crontab_t, crontab_exec_t;
type crond_t, user_cron_spool_t;
bool cron_userdomain_transition;
')
@@ -168,14 +168,14 @@ interface(`cron_unconfined_role',`
# Declarations
#
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types { unconfined_cronjob_t admin_crontab_t crontab_t };
##############################
#
# Local policy
#
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };

61
suse_modifications_dbus.patch Normal file
View File

@ -0,0 +1,61 @@
Index: serefpolicy-contrib-20140730/dbus.te
===================================================================
--- serefpolicy-contrib-20140730.orig/dbus.te 2015-07-21 16:39:25.588407411 +0200
+++ serefpolicy-contrib-20140730/dbus.te 2015-07-21 16:41:17.738197485 +0200
@@ -55,7 +55,7 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability2 block_suspend;
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid ipc_lock};
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
@@ -87,6 +87,7 @@ kernel_read_kernel_sysctls(system_dbusd_
kernel_stream_connect(system_dbusd_t)
dev_read_urand(system_dbusd_t)
+dev_read_rand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
dev_rw_inherited_input_dev(system_dbusd_t)
@@ -154,6 +155,8 @@ userdom_dontaudit_search_user_home_dirs(
userdom_home_reader(system_dbusd_t)
+allow system_dbusd_t var_run_t:sock_file write;
+
optional_policy(`
bind_domtrans(system_dbusd_t)
')
Index: serefpolicy-contrib-20140730/dbus.if
===================================================================
--- serefpolicy-contrib-20140730.orig/dbus.if 2015-07-21 16:39:25.588407411 +0200
+++ serefpolicy-contrib-20140730/dbus.if 2015-07-21 16:39:28.964461299 +0200
@@ -111,6 +111,26 @@ template(`dbus_role_template',`
logging_send_syslog_msg($1_dbusd_t)
+ ifdef(`distro_suse',`
+ gen_require(`
+ type config_home_t, xdm_var_run_t;
+ ')
+ allow $1_dbusd_t self:unix_stream_socket connectto;
+
+ # is this firefox mislabeled?
+ #allow $1_dbusd_t lib_t:file execute_no_trans;
+ allow $1_dbusd_t config_home_t:file { rename unlink create read write getattr };
+ allow $1_dbusd_t xdm_var_run_t:file { getattr open read };
+
+ allow $1_dbusd_t $1_t:dbus send_msg;
+
+ auth_login_pgm_domain($1_dbusd_t)
+ xserver_non_drawing_client($1_dbusd_t)
+ gnome_manage_home_config_dirs($1_dbusd_t)
+ gnome_delete_home_config_dirs($1_dbusd_t)
+ corenet_tcp_connect_xserver_port($1_dbusd_t)
+ ')
+
optional_policy(`
mozilla_domtrans_spec($1_dbusd_t, $1_t)
')

15
suse_modifications_getty.patch Normal file
View File

@ -0,0 +1,15 @@
Index: serefpolicy-20140730/policy/modules/system/getty.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/getty.te
+++ serefpolicy-20140730/policy/modules/system/getty.te
@@ -109,6 +109,10 @@ locallogin_domtrans(getty_t)
logging_send_syslog_msg(getty_t)
+allow getty_t var_run_t:sock_file write;
+plymouthd_exec_plymouth(getty_t)
+kernel_stream_connect(getty_t)
+
ifdef(`distro_gentoo',`
# Gentoo default /etc/issue makes agetty
# do a DNS lookup for the hostname

10
suse_modifications_glusterfs.patch Normal file
View File

@ -0,0 +1,10 @@
Index: serefpolicy-contrib-20140730/glusterd.te
===================================================================
--- serefpolicy-contrib-20140730.orig/glusterd.te 2017-12-11 17:38:13.448089663 +0100
+++ serefpolicy-contrib-20140730/glusterd.te 2017-12-11 17:38:52.960730655 +0100
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.1.2)
+policy_module(glusterd, 1.1.2)
## <desc>
## <p>

65
suse_modifications_ipsec.patch Normal file
View File

@ -0,0 +1,65 @@
Index: serefpolicy-20140730/policy/modules/system/ipsec.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/ipsec.te 2015-08-10 12:55:56.098645940 +0200
+++ serefpolicy-20140730/policy/modules/system/ipsec.te 2015-08-10 14:32:28.542764339 +0200
@@ -209,14 +209,18 @@ optional_policy(`
# ipsec_mgmt Local policy
#
-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin net_raw setpcap sys_nice sys_ptrace };
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal setcap };
allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t self:netlink_route_socket nlmsg_write;
+allow ipsec_mgmt_t self:packet_socket { setopt create read write };
+allow ipsec_mgmt_t self:socket { bind create read write };
+allow ipsec_mgmt_t self:netlink_xfrm_socket { nlmsg_write write read bind create };
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -231,6 +235,8 @@ logging_log_filetrans(ipsec_mgmt_t, ipse
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
+# temporary fix until the rules above work
+allow ipsec_mgmt_t var_run_t:sock_file { write unlink };
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -269,6 +275,7 @@ kernel_read_software_raid_state(ipsec_mg
kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
+kernel_request_load_module(ipsec_mgmt_t)
domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
@@ -290,6 +297,10 @@ corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
+corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)
+corenet_udp_bind_isakmp_port(ipsec_mgmt_t)
+corenet_udp_bind_generic_node(ipsec_mgmt_t)
+corenet_udp_bind_ipsecnat_port(ipsec_mgmt_t)
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
@@ -297,10 +308,7 @@ dev_read_urand(ipsec_mgmt_t)
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
-# suppress audit messages about unnecessary socket access
-# cjp: this seems excessive
-domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+# domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)

14
suse_modifications_logging.patch Normal file
View File

@ -0,0 +1,14 @@
Index: serefpolicy-20140730/policy/modules/system/logging.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/logging.te
+++ serefpolicy-20140730/policy/modules/system/logging.te
@@ -565,6 +565,9 @@ userdom_dontaudit_use_unpriv_user_fds(sy
userdom_search_user_home_dirs(syslogd_t)
userdom_rw_inherited_user_tmp_files(syslogd_t)
+allow syslogd_t var_run_t:file { read getattr open };
+allow syslogd_t var_run_t:sock_file write;
+
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
# and high priority messages to /dev/tty12

76
suse_modifications_ntp.patch Normal file
View File

@ -0,0 +1,76 @@
Index: serefpolicy-contrib-20140730/ntp.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/ntp.fc
+++ serefpolicy-contrib-20140730/ntp.fc
@@ -1,25 +1,36 @@
/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-
-/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
-
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-
-/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
-
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-
-/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+# SUSE chroot
+/var/lib/ntp/etc/ntpd?.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/var/lib/ntp/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/var/lib/ntp/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/var/run/ntp(/.*)? gen_context(system_u:object_r:ntpd_var_run_t,s0)
Index: serefpolicy-contrib-20140730/ntp.te
===================================================================
--- serefpolicy-contrib-20140730.orig/ntp.te
+++ serefpolicy-contrib-20140730/ntp.te
@@ -76,7 +76,7 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file lnk_file } )
can_exec(ntpd_t, ntpd_exec_t)

10
suse_modifications_passenger.patch Normal file
View File

@ -0,0 +1,10 @@
Index: serefpolicy-contrib-20140730/passenger.te
===================================================================
--- serefpolicy-contrib-20140730.orig/passenger.te 2017-12-11 17:38:13.276086872 +0100
+++ serefpolicy-contrib-20140730/passenger.te 2017-12-11 17:42:24.592161419 +0100
@@ -1,4 +1,4 @@
-policy_module(passanger, 1.1.1)
+policy_module(passenger, 1.1.1)
########################################
#

14
suse_modifications_policykit.patch Normal file
View File

@ -0,0 +1,14 @@
Index: serefpolicy-contrib-20140730/policykit.te
===================================================================
--- serefpolicy-contrib-20140730.orig/policykit.te
+++ serefpolicy-contrib-20140730/policykit.te
@@ -94,6 +94,9 @@ userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
userdom_dontaudit_search_admin_dir(policykit_t)
+allow policykit_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(policykit_t)
+
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)

49
suse_modifications_postfix.patch Normal file
View File

@ -0,0 +1,49 @@
Index: serefpolicy-contrib-20140730/postfix.te
===================================================================
--- serefpolicy-contrib-20140730.orig/postfix.te
+++ serefpolicy-contrib-20140730/postfix.te
@@ -132,6 +132,9 @@ allow postfix_master_t postfix_map_exec_
allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+allow postfix_master_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(postfix_master_t)
+
manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
Index: serefpolicy-contrib-20140730/postfix.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/postfix.fc
+++ serefpolicy-contrib-20140730/postfix.fc
@@ -1,22 +1,6 @@
# postfix
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
-ifdef(`distro_redhat', `
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-', `
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
@@ -30,7 +14,6 @@ ifdef(`distro_redhat', `
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)

14
suse_modifications_rtkit.patch Normal file
View File

@ -0,0 +1,14 @@
Index: serefpolicy-contrib-20140730/rtkit.te
===================================================================
--- serefpolicy-contrib-20140730.orig/rtkit.te
+++ serefpolicy-contrib-20140730/rtkit.te
@@ -20,6 +20,9 @@ init_script_file(rtkit_daemon_initrc_exe
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+allow rtkit_daemon_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(rtkit_daemon_t)
+
kernel_read_system_state(rtkit_daemon_t)
domain_getsched_all_domains(rtkit_daemon_t)

13
suse_modifications_selinuxutil.patch Normal file
View File

@ -0,0 +1,13 @@
Index: serefpolicy-20140730/policy/modules/system/selinuxutil.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/selinuxutil.te
+++ serefpolicy-20140730/policy/modules/system/selinuxutil.te
@@ -337,6 +337,8 @@ optional_policy(`
xserver_dontaudit_exec_xauth(newrole_t)
')
+allow restorecond_t var_run_t:sock_file write;
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)

43
suse_modifications_ssh.patch Normal file
View File

@ -0,0 +1,43 @@
Index: serefpolicy-20140730/policy/modules/services/ssh.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/ssh.te
+++ serefpolicy-20140730/policy/modules/services/ssh.te
@@ -27,6 +27,16 @@ gen_tunable(ssh_sysadm_login, false)
## </desc>
gen_tunable(ssh_chroot_rw_homedirs, false)
+## <desc>
+## <p>
+## Allow sshd to forward port connections. This should work
+## out-of-the-box according to 11b328b4cfa484d55db01a0f127cbc94fa776f48
+## but it doesn't
+## </p>
+## </desc>
+##
+gen_tunable(sshd_forward_ports, false)
+
attribute ssh_dyntransition_domain;
attribute ssh_server;
attribute ssh_agent_type;
@@ -291,6 +301,11 @@ corenet_tcp_bind_xserver_port(sshd_t)
corenet_tcp_bind_vnc_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+tunable_policy(`sshd_forward_ports',`
+ corenet_tcp_bind_all_unreserved_ports(sshd_t)
+ corenet_tcp_connect_all_ports(sshd_t)
+')
+
auth_exec_login_program(sshd_t)
userdom_read_user_home_content_files(sshd_t)
@@ -300,6 +315,9 @@ userdom_spec_domtrans_unpriv_users(sshd_
userdom_signal_unpriv_users(sshd_t)
userdom_dyntransition_unpriv_users(sshd_t)
+allow sshd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(sshd_t)
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to

23
suse_modifications_staff.patch Normal file
View File

@ -0,0 +1,23 @@
Index: serefpolicy-20140730/policy/modules/roles/staff.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/roles/staff.te 2015-05-20 15:15:49.646097573 +0200
+++ serefpolicy-20140730/policy/modules/roles/staff.te 2015-05-20 15:59:47.483684401 +0200
@@ -388,18 +388,3 @@ ifndef(`distro_redhat',`
tunable_policy(`selinuxuser_execmod',`
userdom_execmod_user_home_files(staff_t)
')
-
-optional_policy(`
- virt_transition_svirt(staff_t, staff_r)
- virt_filetrans_home_content(staff_t)
-')
-
-optional_policy(`
- tunable_policy(`staff_use_svirt',`
- allow staff_t self:fifo_file relabelfrom;
- dev_rw_kvm(staff_t)
- virt_manage_images(staff_t)
- virt_stream_connect_svirt(staff_t)
- virt_exec(staff_t)
- ')
-')

10
suse_modifications_stapserver.patch Normal file
View File

@ -0,0 +1,10 @@
Index: serefpolicy-contrib-20140730/stapserver.te
===================================================================
--- serefpolicy-contrib-20140730.orig/stapserver.te 2017-12-11 17:38:13.312087456 +0100
+++ serefpolicy-contrib-20140730/stapserver.te 2017-12-11 17:46:03.915729618 +0100
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.1.0)
+policy_module(stapserver, 1.1.0)
########################################
#

40
suse_modifications_systemd.patch Normal file
View File

@ -0,0 +1,40 @@
Index: serefpolicy-20140730/policy/modules/system/systemd.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/systemd.te 2015-06-24 14:42:23.931790867 +0200
+++ serefpolicy-20140730/policy/modules/system/systemd.te 2015-06-24 15:34:50.677937166 +0200
@@ -189,6 +189,9 @@ userdom_manage_tmpfs_role(system_r, syst
xserver_dbus_chat(systemd_logind_t)
+allow systemd_logind_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(systemd_logind_t)
+
optional_policy(`
apache_read_tmp_files(systemd_logind_t)
')
@@ -528,9 +531,14 @@ allow systemd_hostnamed_t self:unix_stre
allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
+manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )
files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
+# since we have unpredictable filenames for the link file we can't use a named transition
+create_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
+delete_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
+rename_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
kernel_dgram_send(systemd_hostnamed_t)
@@ -608,6 +616,10 @@ optional_policy(`
')
optional_policy(`
+ unconfined_dbus_send(systemd_timedated_t)
+')
+
+optional_policy(`
gnome_manage_usr_config(systemd_timedated_t)
gnome_manage_home_config(systemd_timedated_t)
gnome_manage_home_config_dirs(systemd_timedated_t)

15
suse_modifications_unconfined.patch Normal file
View File

@ -0,0 +1,15 @@
Index: serefpolicy-20140730/policy/modules/system/unconfined.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/unconfined.te
+++ serefpolicy-20140730/policy/modules/system/unconfined.te
@@ -15,6 +15,10 @@ unconfined_domain(unconfined_service_t)
corecmd_bin_entry_type(unconfined_service_t)
corecmd_shell_entry_type(unconfined_service_t)
+systemd_dbus_chat_localed(unconfined_service_t)
+systemd_dbus_chat_logind(unconfined_service_t)
+unconfined_shell_domtrans(unconfined_service_t)
+
optional_policy(`
rpm_transition_script(unconfined_service_t, system_r)
')

16
suse_modifications_unconfineduser.patch Normal file
View File

@ -0,0 +1,16 @@
Index: serefpolicy-20140730/policy/modules/roles/unconfineduser.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/roles/unconfineduser.te
+++ serefpolicy-20140730/policy/modules/roles/unconfineduser.te
@@ -79,6 +79,11 @@ domain_transition_all(unconfined_t)
usermanage_run_passwd(unconfined_t, unconfined_r)
+# FIXME SUSE
+#allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
+allow unconfined_t init_exec_t:file entrypoint;
+allow init_t unconfined_t:process transition;
+
tunable_policy(`deny_execmem',`',`
allow unconfined_t self:process execmem;
')

26
suse_modifications_unprivuser.patch Normal file
View File

@ -0,0 +1,26 @@
Index: serefpolicy-20140730/policy/modules/roles/unprivuser.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/roles/unprivuser.te 2015-05-20 15:15:49.646097573 +0200
+++ serefpolicy-20140730/policy/modules/roles/unprivuser.te 2015-05-20 16:00:16.212137319 +0200
@@ -259,17 +259,12 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- vmtools_run_helper(user_t, user_r)
+ vmtools_run_helper(user_t, user_r)
')
-optional_policy(`
- virt_transition_svirt(user_t, user_r)
- virt_filetrans_home_content(user_t)
+ifdef(`distro_suse',`
+ xserver_xsession_entry_type(user_t)
+ dbus_system_bus_client(user_t)
')
-optional_policy(`
- tunable_policy(`unprivuser_use_svirt',`
- virt_manage_images(user_t)
- ')
-')

24
suse_modifications_usermanage.patch Normal file
View File

@ -0,0 +1,24 @@
Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
+++ serefpolicy-20140730/policy/modules/admin/usermanage.te
@@ -274,6 +274,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
# for when /root is the cwd
userdom_dontaudit_search_user_home_dirs(groupadd_t)
+allow groupadd_t self:netlink_selinux_socket { create bind };
+allow groupadd_t var_run_t:sock_file write;
+
optional_policy(`
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
@@ -572,6 +575,9 @@ userdom_home_filetrans_user_home_dir(use
userdom_manage_home_role(system_r, useradd_t)
userdom_delete_all_user_home_content(useradd_t)
+allow useradd_t var_run_t:sock_file write;
+selinux_compute_access_vector(useradd_t)
+
optional_policy(`
mta_manage_spool(useradd_t)
')

13
suse_modifications_virt.patch Normal file
View File

@ -0,0 +1,13 @@
Index: serefpolicy-contrib-20140730/virt.te
===================================================================
--- serefpolicy-contrib-20140730.orig/virt.te
+++ serefpolicy-contrib-20140730/virt.te
@@ -280,6 +280,8 @@ corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
+allow svirt_t qemu_exec_t:file execmod;
+
#######################################
#
# svirt_prot_exec local policy

36
suse_modifications_xserver.patch Normal file
View File

@ -0,0 +1,36 @@
Index: serefpolicy-20140730/policy/modules/services/xserver.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/xserver.fc
+++ serefpolicy-20140730/policy/modules/services/xserver.fc
@@ -97,6 +97,9 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
+#/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
Index: serefpolicy-20140730/policy/modules/services/xserver.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/xserver.te
+++ serefpolicy-20140730/policy/modules/services/xserver.te
@@ -810,6 +810,17 @@ ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
+ifndef(`distro_suse',`
+ # this is a neverallow, maybe dontaudit it
+ #allow xdm_t proc_kcore_t:file getattr;
+ allow xdm_t var_run_t:lnk_file create;
+ allow xdm_t var_lib_t:lnk_file read;
+
+ dev_getattr_all_blk_files( xdm_t )
+ dev_getattr_all_chr_files( xdm_t )
+ logging_r_xconsole(xdm_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_exec_nfs_files(xdm_t)
')

70
sysconfig_network_scripts.patch Normal file
View File

@ -0,0 +1,70 @@
Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.fc 2015-07-21 16:52:51.913277147 +0200
+++ serefpolicy-20140730/policy/modules/system/sysnetwork.fc 2015-07-21 16:52:55.461333779 +0200
@@ -11,6 +11,15 @@ ifdef(`distro_debian',`
/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
+# SUSE
+# sysconfig network files are stored in /dev/.sysconfig
+/dev/.sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+# label netconfig files in /var/adm and /var/lib and /var/run
+/var/adm/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/lib/ntp/var(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+
+
#
# /etc
#
@@ -37,6 +46,10 @@ ifdef(`distro_redhat',`
/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/network/scripts/.* gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0)
+
#
# /sbin
#
Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.te 2015-07-21 16:52:51.913277147 +0200
+++ serefpolicy-20140730/policy/modules/system/sysnetwork.te 2015-07-21 16:54:15.998619244 +0200
@@ -60,7 +60,8 @@ ifdef(`distro_debian',`
#
# DHCP client local policy
#
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+# need sys_admin to set hostname/domainname
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config sys_admin ipc_lock };
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@@ -95,6 +96,12 @@ allow dhcpc_t net_conf_t:file relabel_fi
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
+# allow relabel of /dev/.sysconfig
+dev_associate(net_conf_t)
+
+# allow mv /etc/resolv.conf.netconfig
+allow dhcpc_t etc_runtime_t:file unlink;
+
# create temp files
manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
Index: serefpolicy-20140730/policy/modules/kernel/devices.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/kernel/devices.fc 2015-07-21 16:52:51.913277147 +0200
+++ serefpolicy-20140730/policy/modules/kernel/devices.fc 2015-07-21 16:52:55.461333779 +0200
@@ -2,6 +2,7 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
/dev/.* gen_context(system_u:object_r:device_t,s0)
+/dev/.sysconfig(/.*)? -d gen_context(system_u:object_r:net_conf_t,s0)
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)

43
systemd-tmpfiles.patch Normal file
View File

@ -0,0 +1,43 @@
Index: serefpolicy-20140730/policy/modules/system/systemd.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/systemd.te
+++ serefpolicy-20140730/policy/modules/system/systemd.te
@@ -320,6 +320,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
+# allow tmpfiles to create files/dirs in /dev
+systemd_tmpfiles_xconsole_create(systemd_tmpfiles_t)
+dev_getattr_autofs_dev(systemd_tmpfiles_t);
+dev_getattr_lvm_control(systemd_tmpfiles_t);
+dev_create_generic_dirs(systemd_tmpfiles_t);
domain_obj_id_change_exemption(systemd_tmpfiles_t)
# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
Index: serefpolicy-20140730/policy/modules/system/systemd.if
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/systemd.if
+++ serefpolicy-20140730/policy/modules/system/systemd.if
@@ -1458,3 +1458,22 @@ interface(`systemd_dontaudit_dbus_chat',
dontaudit $1 systemd_domain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Allow systemd-tmpfiles to create xconsole_device_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfiles_xconsole_create',`
+ gen_require(`
+ type device_t, xconsole_device_t;
+ ')
+
+ create_fifo_files_pattern($1, device_t, xconsole_device_t);
+')
+

13
type_transition_contrib.patch Normal file
View File

@ -0,0 +1,13 @@
Index: serefpolicy-contrib-20140730/glusterd.te
===================================================================
--- serefpolicy-contrib-20140730.orig/glusterd.te
+++ serefpolicy-contrib-20140730/glusterd.te
@@ -68,7 +68,7 @@ allow glusterd_t self:unix_stream_socket
manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
+files_etc_filetrans(glusterd_t, glusterd_conf_t, file, "glusterfs")
manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)

24
type_transition_file_class.patch Normal file
View File

@ -0,0 +1,24 @@
Index: serefpolicy-20140730/policy/modules/system/miscfiles.if
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/miscfiles.if
+++ serefpolicy-20140730/policy/modules/system/miscfiles.if
@@ -896,7 +896,8 @@ interface(`miscfiles_etc_filetrans_local
')
files_etc_filetrans($1, locale_t, lnk_file)
- files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
+ files_etc_filetrans($1, locale_t, file, "localtime" )
+ files_etc_filetrans($1, locale_t, lnk_file, "localtime" )
files_etc_filetrans($1, locale_t, file, "locale.conf" )
files_etc_filetrans($1, locale_t, file, "timezone" )
files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
@@ -938,7 +939,8 @@ interface(`miscfiles_filetrans_locale_na
type locale_t;
')
- files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
+ files_etc_filetrans($1, locale_t, file, "localtime")
+ files_etc_filetrans($1, locale_t, lnk_file, "localtime")
files_etc_filetrans($1, locale_t, file, "locale.conf")
files_etc_filetrans($1, locale_t, file, "vconsole.conf")
files_etc_filetrans($1, locale_t, file, "locale.conf.new")

12
useradd-netlink_selinux_socket.patch Normal file
View File

@ -0,0 +1,12 @@
Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
+++ serefpolicy-20140730/policy/modules/admin/usermanage.te
@@ -497,6 +497,7 @@ allow useradd_t self:unix_dgram_socket c
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
+allow useradd_t self:netlink_selinux_socket create_socket_perms;
manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)

38
users-minimum Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

38
users-mls Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

38
users-targeted Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

231
xconsole.patch Normal file
View File

@ -0,0 +1,231 @@
Basically, /dev/xconsole is a FIFO written to by syslog, and often is
present even when there is no X. Therefore, this should go into the
logging policy.
Patch attached.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
Nothing prevents happiness like the memory of happiness. --- A. Gide //\
Die einzige Hoffnung auf Freude liegt in den menschlichen V_/_
Beziehungen. --- Antoine de Saint-Exupéry
["xconsole" (xconsole)]
Index: policy/modules/services/xserver.te
===================================================================
--- policy/modules/services/xserver.te.orig
+++ policy/modules/services/xserver.te
@@ -189,13 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
userdom_user_tmp_file(xauth_tmp_t)
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-dev_associate(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
type xdm_unconfined_exec_t;
application_executable_file(xdm_unconfined_exec_t)
@@ -437,7 +430,6 @@ allow xdm_t self:dbus { send_msg acquire
allow xdm_t xauth_home_t:file manage_file_perms;
-allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -663,6 +655,10 @@ libs_exec_lib_files(xdm_t)
libs_exec_ldconfig(xdm_t)
logging_read_generic_logs(xdm_t)
+logging_setattr_xconsole_pipes(xdm_t)
+
+# allow relabel of /dev/xconsole
+dev_associate(xconsole_device_t)
miscfiles_search_man_pages(xdm_t)
miscfiles_read_fonts(xdm_t)
Index: policy/modules/services/xserver.fc
===================================================================
--- policy/modules/services/xserver.fc.orig
+++ policy/modules/services/xserver.fc
@@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
#
-# /dev
-#
-/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
-
-#
# /etc
#
/etc/gdm(3)?/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
Index: policy/modules/system/logging.te
===================================================================
--- policy/modules/system/logging.te.orig
+++ policy/modules/system/logging.te
@@ -110,6 +110,12 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
########################################
#
# Auditctl local policy
@@ -173,6 +179,9 @@ manage_files_pattern(auditd_t, auditd_va
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
+# log to xconsole
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
@@ -631,11 +640,6 @@ optional_policy(`
udev_read_db(syslogd_t)
')
-optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
-')
-
#####################################################
#
# syslog client rules
Index: policy/modules/system/logging.if
===================================================================
--- policy/modules/system/logging.if.orig
+++ policy/modules/system/logging.if
@@ -1431,3 +1431,40 @@ interface(`logging_filetrans_named_conte
logging_log_filetrans($1, var_log_t, dir, "anaconda")
')
+
+########################################
+## <summary>
+## Set the attributes of the xconsole named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_setattr_xconsole_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+## <summary>
+## Read the xconsole named pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_r_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr read };
+')
+
Index: policy/modules/system/init.te
===================================================================
--- policy/modules/system/init.te.orig
+++ policy/modules/system/init.te
@@ -797,6 +797,7 @@ logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
+logging_setattr_xconsole_pipes(initrc_t)
# slapd needs to read cert files from its initscript
miscfiles_manage_generic_cert_files(initrc_t)
@@ -1453,9 +1454,6 @@ optional_policy(`
')
optional_policy(`
- # Set device ownerships/modes.
- xserver_setattr_console_pipes(initrc_t)
-
# init script wants to check if it needs to update windowmanagerlist
xserver_read_xdm_rw_config(initrc_t)
')
Index: policy/modules/system/logging.fc
===================================================================
--- policy/modules/system/logging.fc.orig
+++ policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
Index: policy/modules/services/xserver.if
===================================================================
--- policy/modules/services/xserver.if.orig
+++ policy/modules/services/xserver.if
@@ -635,42 +635,6 @@ interface(`xserver_manage_user_xauth',`
########################################
## <summary>
-## Set the attributes of the X windows console named pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xserver_setattr_console_pipes',`
- gen_require(`
- type xconsole_device_t;
- ')
-
- allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
-')
-
-########################################
-## <summary>
-## Read and write the X windows console named pipe.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xserver_rw_console',`
- gen_require(`
- type xconsole_device_t;
- ')
-
- allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
-')
-
-########################################
-## <summary>
## Read XDM state files.
## </summary>
## <param name="domain">