commit
4f5124d6c8
@ -0,0 +1,2 @@
|
||||
SOURCES/container-selinux.tgz
|
||||
SOURCES/selinux-policy-6112821.tar.gz
|
@ -0,0 +1,2 @@
|
||||
af02e18349519dd577a4cc9bef8a3a78b26923f9 SOURCES/container-selinux.tgz
|
||||
c39699459cb607824f45fae42aa452e6f84fbc68 SOURCES/selinux-policy-6112821.tar.gz
|
@ -0,0 +1,22 @@
|
||||
# installation paths
|
||||
SHAREDIR := /usr/share/selinux
|
||||
|
||||
AWK ?= gawk
|
||||
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
|
||||
|
||||
ifeq ($(MLSENABLED),)
|
||||
MLSENABLED := 1
|
||||
endif
|
||||
|
||||
ifeq ($(MLSENABLED),1)
|
||||
NTYPE = mcs
|
||||
endif
|
||||
|
||||
ifeq ($(NAME),mls)
|
||||
NTYPE = mls
|
||||
endif
|
||||
|
||||
TYPE ?= $(NTYPE)
|
||||
|
||||
HEADERDIR := $(SHAREDIR)/devel/include
|
||||
include $(HEADERDIR)/Makefile
|
@ -0,0 +1,248 @@
|
||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||
#
|
||||
allow_execmem = false
|
||||
|
||||
# Allow making a modified private filemapping executable (text relocation).
|
||||
#
|
||||
allow_execmod = false
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
allow_execstack = true
|
||||
|
||||
# Allow ftpd to read cifs directories.
|
||||
#
|
||||
allow_ftpd_use_cifs = false
|
||||
|
||||
# Allow ftpd to read nfs directories.
|
||||
#
|
||||
allow_ftpd_use_nfs = false
|
||||
|
||||
# Allow ftp servers to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_ftpd_anon_write = false
|
||||
|
||||
# Allow gssd to read temp directory.
|
||||
#
|
||||
allow_gssd_read_tmp = true
|
||||
|
||||
# Allow Apache to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_httpd_anon_write = false
|
||||
|
||||
# Allow Apache to use mod_auth_pam module
|
||||
#
|
||||
allow_httpd_mod_auth_pam = false
|
||||
|
||||
# Allow system to run with kerberos
|
||||
#
|
||||
allow_kerberos = true
|
||||
|
||||
# Allow rsync to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_rsync_anon_write = false
|
||||
|
||||
# Allow sasl to read shadow
|
||||
#
|
||||
allow_saslauthd_read_shadow = false
|
||||
|
||||
# Allow samba to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_smbd_anon_write = false
|
||||
|
||||
# Allow system to run with NIS
|
||||
#
|
||||
allow_ypbind = false
|
||||
|
||||
# Allow zebra to write it own configuration files
|
||||
#
|
||||
allow_zebra_write_config = false
|
||||
|
||||
# Enable extra rules in the cron domainto support fcron.
|
||||
#
|
||||
fcron_crond = false
|
||||
|
||||
#
|
||||
# allow httpd to connect to mysql/posgresql
|
||||
httpd_can_network_connect_db = false
|
||||
|
||||
#
|
||||
# allow httpd to send dbus messages to avahi
|
||||
httpd_dbus_avahi = true
|
||||
|
||||
#
|
||||
# allow httpd to network relay
|
||||
httpd_can_network_relay = false
|
||||
|
||||
# Allow httpd to use built in scripting (usually php)
|
||||
#
|
||||
httpd_builtin_scripting = true
|
||||
|
||||
# Allow http daemon to tcp connect
|
||||
#
|
||||
httpd_can_network_connect = false
|
||||
|
||||
# Allow httpd cgi support
|
||||
#
|
||||
httpd_enable_cgi = true
|
||||
|
||||
# Allow httpd to act as a FTP server bylistening on the ftp port.
|
||||
#
|
||||
httpd_enable_ftp_server = false
|
||||
|
||||
# Allow httpd to read home directories
|
||||
#
|
||||
httpd_enable_homedirs = false
|
||||
|
||||
# Run SSI execs in system CGI script domain.
|
||||
#
|
||||
httpd_ssi_exec = false
|
||||
|
||||
# Allow http daemon to communicate with the TTY
|
||||
#
|
||||
httpd_tty_comm = false
|
||||
|
||||
# Run CGI in the main httpd domain
|
||||
#
|
||||
httpd_unified = false
|
||||
|
||||
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
||||
#
|
||||
named_write_master_zones = false
|
||||
|
||||
# Allow nfs to be exported read/write.
|
||||
#
|
||||
nfs_export_all_rw = true
|
||||
|
||||
# Allow nfs to be exported read only
|
||||
#
|
||||
nfs_export_all_ro = true
|
||||
|
||||
# Allow pppd to load kernel modules for certain modems
|
||||
#
|
||||
pppd_can_insmod = false
|
||||
|
||||
# Allow reading of default_t files.
|
||||
#
|
||||
read_default_t = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_enable_home_dirs = false
|
||||
|
||||
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
|
||||
#
|
||||
squid_connect_any = false
|
||||
|
||||
# Support NFS home directories
|
||||
#
|
||||
use_nfs_home_dirs = true
|
||||
|
||||
# Support SAMBA home directories
|
||||
#
|
||||
use_samba_home_dirs = false
|
||||
|
||||
# Control users use of ping and traceroute
|
||||
#
|
||||
user_ping = false
|
||||
|
||||
# allow host key based authentication
|
||||
#
|
||||
allow_ssh_keysign = false
|
||||
|
||||
# Allow pppd to be run for a regular user
|
||||
#
|
||||
pppd_for_user = false
|
||||
|
||||
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
|
||||
#
|
||||
read_untrusted_content = false
|
||||
|
||||
# Allow spamd to write to users homedirs
|
||||
#
|
||||
spamd_enable_home_dirs = false
|
||||
|
||||
# Allow regular users direct mouse access
|
||||
#
|
||||
user_direct_mouse = false
|
||||
|
||||
# Allow users to read system messages.
|
||||
#
|
||||
user_dmesg = false
|
||||
|
||||
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||
#
|
||||
user_rw_noexattrfile = false
|
||||
|
||||
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
|
||||
#
|
||||
user_tcp_server = false
|
||||
|
||||
# Allow w to display everyone
|
||||
#
|
||||
user_ttyfile_stat = false
|
||||
|
||||
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
|
||||
#
|
||||
write_untrusted_content = false
|
||||
|
||||
# Allow all domains to talk to ttys
|
||||
#
|
||||
allow_daemons_use_tty = false
|
||||
|
||||
# Allow login domains to polyinstatiate directories
|
||||
#
|
||||
allow_polyinstantiation = false
|
||||
|
||||
# Allow all domains to dump core
|
||||
#
|
||||
allow_daemons_dump_core = true
|
||||
|
||||
# Allow samba to act as the domain controller
|
||||
#
|
||||
samba_domain_controller = false
|
||||
|
||||
# Allow samba to export user home directories.
|
||||
#
|
||||
samba_run_unconfined = false
|
||||
|
||||
# Allows XServer to execute writable memory
|
||||
#
|
||||
allow_xserver_execmem = false
|
||||
|
||||
# disallow guest accounts to execute files that they can create
|
||||
#
|
||||
allow_guest_exec_content = false
|
||||
allow_xguest_exec_content = false
|
||||
|
||||
# Only allow browser to use the web
|
||||
#
|
||||
browser_confine_xguest=false
|
||||
|
||||
# Allow postfix locat to write to mail spool
|
||||
#
|
||||
allow_postfix_local_write_mail_spool=false
|
||||
|
||||
# Allow common users to read/write noexattrfile systems
|
||||
#
|
||||
user_rw_noexattrfile=true
|
||||
|
||||
# Allow qemu to connect fully to the network
|
||||
#
|
||||
qemu_full_network=true
|
||||
|
||||
# Allow nsplugin execmem/execstack for bad plugins
|
||||
#
|
||||
allow_nsplugin_execmem=true
|
||||
|
||||
# Allow unconfined domain to transition to confined domain
|
||||
#
|
||||
allow_unconfined_nsplugin_transition=true
|
||||
|
||||
# System uses init upstart program
|
||||
#
|
||||
init_upstart = true
|
||||
|
||||
# Allow mount to mount any file/dir
|
||||
#
|
||||
allow_mount_anyfile = true
|
@ -0,0 +1,6 @@
|
||||
kerberos_enabled = true
|
||||
mount_anyfile = true
|
||||
polyinstantiation_enabled = true
|
||||
ftpd_is_daemon = true
|
||||
selinuxuser_ping = true
|
||||
xserver_object_manager = true
|
@ -0,0 +1,25 @@
|
||||
gssd_read_tmp = true
|
||||
httpd_builtin_scripting = true
|
||||
httpd_enable_cgi = true
|
||||
kerberos_enabled = true
|
||||
mount_anyfile = true
|
||||
nfs_export_all_ro = true
|
||||
nfs_export_all_rw = true
|
||||
nscd_use_shm = true
|
||||
openvpn_enable_homedirs = true
|
||||
postfix_local_write_mail_spool=true
|
||||
pppd_can_insmod = false
|
||||
privoxy_connect_any = true
|
||||
selinuxuser_direct_dri_enabled = true
|
||||
selinuxuser_execmem = true
|
||||
selinuxuser_execmod = true
|
||||
selinuxuser_execstack = true
|
||||
selinuxuser_rw_noexattrfile=true
|
||||
selinuxuser_ping = true
|
||||
squid_connect_any = true
|
||||
telepathy_tcp_connect_generic_network_ports=true
|
||||
unconfined_chrome_sandbox_transition=true
|
||||
unconfined_mozilla_plugin_transition=true
|
||||
xguest_exec_content = true
|
||||
mozilla_plugin_can_network_connect = true
|
||||
use_virtualbox = true
|
@ -0,0 +1,54 @@
|
||||
allow_auditadm_exec_content auditadm_exec_content
|
||||
allow_console_login login_console_enabled
|
||||
allow_cvs_read_shadow cvs_read_shadow
|
||||
allow_daemons_dump_core daemons_dump_core
|
||||
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
|
||||
allow_daemons_use_tty daemons_use_tty
|
||||
allow_domain_fd_use domain_fd_use
|
||||
allow_execheap selinuxuser_execheap
|
||||
allow_execmod selinuxuser_execmod
|
||||
allow_execstack selinuxuser_execstack
|
||||
allow_ftpd_anon_write ftpd_anon_write
|
||||
allow_ftpd_full_access ftpd_full_access
|
||||
allow_ftpd_use_cifs ftpd_use_cifs
|
||||
allow_ftpd_use_nfs ftpd_use_nfs
|
||||
allow_gssd_read_tmp gssd_read_tmp
|
||||
allow_guest_exec_content guest_exec_content
|
||||
allow_httpd_anon_write httpd_anon_write
|
||||
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
|
||||
allow_httpd_mod_auth_pam httpd_mod_auth_pam
|
||||
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
|
||||
allow_kerberos kerberos_enabled
|
||||
allow_mplayer_execstack mplayer_execstack
|
||||
allow_mount_anyfile mount_anyfile
|
||||
allow_nfsd_anon_write nfsd_anon_write
|
||||
allow_polyinstantiation polyinstantiation_enabled
|
||||
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
|
||||
allow_rsync_anon_write rsync_anon_write
|
||||
allow_saslauthd_read_shadow saslauthd_read_shadow
|
||||
allow_secadm_exec_content secadm_exec_content
|
||||
allow_smbd_anon_write smbd_anon_write
|
||||
allow_ssh_keysign ssh_keysign
|
||||
allow_staff_exec_content staff_exec_content
|
||||
allow_sysadm_exec_content sysadm_exec_content
|
||||
allow_user_exec_content user_exec_content
|
||||
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
|
||||
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
|
||||
allow_write_xshm xserver_clients_write_xshm
|
||||
allow_xguest_exec_content xguest_exec_content
|
||||
allow_xserver_execmem xserver_execmem
|
||||
allow_ypbind nis_enabled
|
||||
allow_zebra_write_config zebra_write_config
|
||||
user_direct_dri selinuxuser_direct_dri_enabled
|
||||
user_ping selinuxuser_ping
|
||||
user_share_music selinuxuser_share_music
|
||||
user_tcp_server selinuxuser_tcp_server
|
||||
sepgsql_enable_pitr_implementation postgresql_can_rsync
|
||||
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
|
||||
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
|
||||
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
|
||||
clamd_use_jit antivirus_use_jit
|
||||
amavis_use_jit antivirus_use_jit
|
||||
logwatch_can_sendmail logwatch_can_network_connect_mail
|
||||
puppet_manage_all_files puppetagent_manage_all_files
|
||||
virt_sandbox_use_nfs virt_use_nfs
|
@ -0,0 +1,14 @@
|
||||
container_file_t
|
||||
sandbox_file_t
|
||||
svirt_image_t
|
||||
svirt_home_t
|
||||
svirt_sandbox_file_t
|
||||
virt_content_t
|
||||
httpd_user_htaccess_t
|
||||
httpd_user_script_exec_t
|
||||
httpd_user_rw_content_t
|
||||
httpd_user_ra_content_t
|
||||
httpd_user_content_t
|
||||
git_session_content_t
|
||||
home_bin_t
|
||||
user_tty_device_t
|
@ -0,0 +1,24 @@
|
||||
/var/run /run
|
||||
/var/lock /run/lock
|
||||
/run/systemd/system /usr/lib/systemd/system
|
||||
/run/systemd/generator /usr/lib/systemd/system
|
||||
/run/systemd/generator.early /usr/lib/systemd/system
|
||||
/run/systemd/generator.late /usr/lib/systemd/system
|
||||
/lib /usr/lib
|
||||
/lib64 /usr/lib
|
||||
/usr/lib64 /usr/lib
|
||||
/usr/local/lib64 /usr/lib
|
||||
/usr/local/lib32 /usr/lib
|
||||
/etc/systemd/system /usr/lib/systemd/system
|
||||
/var/lib/xguest/home /home
|
||||
/var/named/chroot/usr/lib64 /usr/lib
|
||||
/var/named/chroot/lib64 /usr/lib
|
||||
/var/named/chroot/var /var
|
||||
/home-inst /home
|
||||
/home/home-inst /home
|
||||
/var/roothome /root
|
||||
/sbin /usr/sbin
|
||||
/sysroot/tmp /tmp
|
||||
/var/usrlocal /usr/local
|
||||
/var/mnt /mnt
|
||||
/bin /usr/bin
|
@ -0,0 +1,81 @@
|
||||
#!/bin/bash
|
||||
|
||||
function usage {
|
||||
echo "Usage: $0 [ -c | -t [ -M ] ] <macro>"
|
||||
echo "Options:
|
||||
-c generate CIL output
|
||||
-t generate standard policy source format (.te) allow rules - this is default
|
||||
-M generate complete module .te output
|
||||
"
|
||||
}
|
||||
|
||||
function cleanup {
|
||||
rm -rf $TEMP_STORE
|
||||
}
|
||||
|
||||
while getopts "chMt" opt; do
|
||||
case $opt in
|
||||
c) GENCIL=1
|
||||
;;
|
||||
t) GENTE=1
|
||||
;;
|
||||
M) GENTEMODULE=1
|
||||
;;
|
||||
h) usage
|
||||
exit 0
|
||||
;;
|
||||
\?) usage
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
shift $((OPTIND-1))
|
||||
|
||||
SELINUX_MACRO=$1
|
||||
|
||||
if [ -z "$SELINUX_MACRO" ]
|
||||
then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP_STORE="$(mktemp -d)"
|
||||
cd $TEMP_STORE || exit 1
|
||||
|
||||
IFS="("
|
||||
set $1
|
||||
SELINUX_DOMAIN="${2::-1}"
|
||||
|
||||
echo -e "policy_module(expander, 1.0.0) \n" \
|
||||
"gen_require(\`\n" \
|
||||
"type $SELINUX_DOMAIN ; \n" \
|
||||
"')" > expander.te
|
||||
|
||||
echo "$SELINUX_MACRO" >> expander.te
|
||||
|
||||
make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null
|
||||
|
||||
if [ "x$GENCIL" = "x1" ]; then
|
||||
|
||||
make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null
|
||||
MAKE_RESULT=$?
|
||||
|
||||
if [ $MAKE_RESULT -ne 2 ]
|
||||
then
|
||||
/usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null
|
||||
grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then
|
||||
m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
|
||||
if [ "x$GENTEMODULE" = "x1" ]; then
|
||||
# sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
|
||||
sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp
|
||||
else
|
||||
grep '^\s*allow' expander.tmp | sed 's/^\s*//'
|
||||
fi
|
||||
fi
|
||||
|
||||
cd - > /dev/null || exit 1
|
||||
cleanup
|
@ -0,0 +1,380 @@
|
||||
# Layer: kernel
|
||||
# Module: bootloader
|
||||
#
|
||||
# Policy for the kernel modules, kernel image, and bootloader.
|
||||
#
|
||||
bootloader = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corenetwork
|
||||
# Required in base
|
||||
#
|
||||
# Policy controlling access to network objects
|
||||
#
|
||||
corenetwork = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: dmesg
|
||||
#
|
||||
# Policy for dmesg.
|
||||
#
|
||||
dmesg = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: netutils
|
||||
#
|
||||
# Network analysis utilities
|
||||
#
|
||||
netutils = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: sudo
|
||||
#
|
||||
# Execute a command with a substitute user
|
||||
#
|
||||
sudo = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: su
|
||||
#
|
||||
# Run shells with substitute user and group
|
||||
#
|
||||
su = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: usermanage
|
||||
#
|
||||
# Policy for managing user accounts.
|
||||
#
|
||||
usermanage = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: seunshare
|
||||
#
|
||||
# seunshare executable
|
||||
#
|
||||
seunshare = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corecommands
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for shells, and generic programs
|
||||
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||
#
|
||||
corecommands = base
|
||||
|
||||
# Module: devices
|
||||
# Required in base
|
||||
#
|
||||
# Device nodes and interfaces for many basic system devices.
|
||||
#
|
||||
devices = base
|
||||
|
||||
# Module: domain
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for domains.
|
||||
#
|
||||
domain = base
|
||||
|
||||
# Layer: system
|
||||
# Module: userdomain
|
||||
#
|
||||
# Policy for user domains
|
||||
#
|
||||
userdomain = module
|
||||
|
||||
# Module: files
|
||||
# Required in base
|
||||
#
|
||||
# Basic filesystem types and interfaces.
|
||||
#
|
||||
files = base
|
||||
|
||||
# Module: filesystem
|
||||
# Required in base
|
||||
#
|
||||
# Policy for filesystems.
|
||||
#
|
||||
filesystem = base
|
||||
|
||||
# Module: kernel
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||
#
|
||||
kernel = base
|
||||
|
||||
# Module: mcs
|
||||
# Required in base
|
||||
#
|
||||
# MultiCategory security policy
|
||||
#
|
||||
mcs = base
|
||||
|
||||
# Module: mls
|
||||
# Required in base
|
||||
#
|
||||
# Multilevel security policy
|
||||
#
|
||||
mls = base
|
||||
|
||||
# Module: selinux
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel security interface, in particular, selinuxfs.
|
||||
#
|
||||
selinux = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: storage
|
||||
#
|
||||
# Policy controlling access to storage devices
|
||||
#
|
||||
storage = base
|
||||
|
||||
# Module: terminal
|
||||
# Required in base
|
||||
#
|
||||
# Policy for terminals.
|
||||
#
|
||||
terminal = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: ubac
|
||||
#
|
||||
#
|
||||
#
|
||||
ubac = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: unlabelednet
|
||||
#
|
||||
# The unlabelednet module.
|
||||
#
|
||||
unlabelednet = module
|
||||
|
||||
# Layer: role
|
||||
# Module: auditadm
|
||||
#
|
||||
# auditadm account on tty logins
|
||||
#
|
||||
auditadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: logadm
|
||||
#
|
||||
# Minimally prived root role for managing logging system
|
||||
#
|
||||
logadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: secadm
|
||||
#
|
||||
# secadm account on tty logins
|
||||
#
|
||||
secadm = module
|
||||
|
||||
# Layer:role
|
||||
# Module: staff
|
||||
#
|
||||
# admin account
|
||||
#
|
||||
staff = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm_secadm
|
||||
#
|
||||
# System Administrator with Security Admin rules
|
||||
#
|
||||
sysadm_secadm = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm
|
||||
#
|
||||
# System Administrator
|
||||
#
|
||||
sysadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: unprivuser
|
||||
#
|
||||
# Minimally privs guest account on tty logins
|
||||
#
|
||||
unprivuser = module
|
||||
|
||||
# Layer: services
|
||||
# Module: postgresql
|
||||
#
|
||||
# PostgreSQL relational database
|
||||
#
|
||||
postgresql = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ssh
|
||||
#
|
||||
# Secure shell client and server policy.
|
||||
#
|
||||
ssh = module
|
||||
|
||||
# Layer: services
|
||||
# Module: xserver
|
||||
#
|
||||
# X windows login display manager
|
||||
#
|
||||
xserver = module
|
||||
|
||||
# Module: application
|
||||
# Required in base
|
||||
#
|
||||
# Defines attributs and interfaces for all user applications
|
||||
#
|
||||
application = module
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
#
|
||||
authlogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: clock
|
||||
#
|
||||
# Policy for reading and setting the hardware clock.
|
||||
#
|
||||
clock = module
|
||||
|
||||
# Layer: system
|
||||
# Module: fstools
|
||||
#
|
||||
# Tools for filesystem management, such as mkfs and fsck.
|
||||
#
|
||||
fstools = module
|
||||
|
||||
# Layer: system
|
||||
# Module: getty
|
||||
#
|
||||
# Policy for getty.
|
||||
#
|
||||
getty = module
|
||||
|
||||
# Layer: system
|
||||
# Module: hostname
|
||||
#
|
||||
# Policy for changing the system host name.
|
||||
#
|
||||
hostname = module
|
||||
|
||||
# Layer: system
|
||||
# Module: init
|
||||
#
|
||||
# System initialization programs (init and init scripts).
|
||||
#
|
||||
init = module
|
||||
|
||||
# Layer: system
|
||||
# Module: ipsec
|
||||
#
|
||||
# TCP/IP encryption
|
||||
#
|
||||
ipsec = module
|
||||
|
||||
# Layer: system
|
||||
# Module: iptables
|
||||
#
|
||||
# Policy for iptables.
|
||||
#
|
||||
iptables = module
|
||||
|
||||
# Layer: system
|
||||
# Module: libraries
|
||||
#
|
||||
# Policy for system libraries.
|
||||
#
|
||||
libraries = module
|
||||
|
||||
# Layer: system
|
||||
# Module: locallogin
|
||||
#
|
||||
# Policy for local logins.
|
||||
#
|
||||
locallogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: logging
|
||||
#
|
||||
# Policy for the kernel message logger and system logging daemon.
|
||||
#
|
||||
logging = module
|
||||
|
||||
# Layer: system
|
||||
# Module: lvm
|
||||
#
|
||||
# Policy for logical volume management programs.
|
||||
#
|
||||
lvm = module
|
||||
|
||||
# Layer: system
|
||||
# Module: miscfiles
|
||||
#
|
||||
# Miscelaneous files.
|
||||
#
|
||||
miscfiles = module
|
||||
|
||||
# Layer: system
|
||||
# Module: modutils
|
||||
#
|
||||
# Policy for kernel module utilities
|
||||
#
|
||||
modutils = module
|
||||
|
||||
# Layer: system
|
||||
# Module: mount
|
||||
#
|
||||
# Policy for mount.
|
||||
#
|
||||
mount = module
|
||||
|
||||
# Layer: system
|
||||
# Module: netlabel
|
||||
#
|
||||
# Basic netlabel types and interfaces.
|
||||
#
|
||||
netlabel = module
|
||||
|
||||
# Layer: system
|
||||
# Module: selinuxutil
|
||||
#
|
||||
# Policy for SELinux policy and userland applications.
|
||||
#
|
||||
selinuxutil = module
|
||||
|
||||
# Module: setrans
|
||||
# Required in base
|
||||
#
|
||||
# Policy for setrans
|
||||
#
|
||||
setrans = module
|
||||
|
||||
# Layer: system
|
||||
# Module: sysnetwork
|
||||
#
|
||||
# Policy for network configuration: ifconfig and dhcp client.
|
||||
#
|
||||
sysnetwork = module
|
||||
|
||||
# Layer: system
|
||||
# Module: systemd
|
||||
#
|
||||
# Policy for systemd components
|
||||
#
|
||||
systemd = module
|
||||
|
||||
# Layer: system
|
||||
# Module: udev
|
||||
#
|
||||
# Policy for udev.
|
||||
#
|
||||
udev = module
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,393 @@
|
||||
# Layer: kernel
|
||||
# Module: bootloader
|
||||
#
|
||||
# Policy for the kernel modules, kernel image, and bootloader.
|
||||
#
|
||||
bootloader = module
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corecommands
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for shells, and generic programs
|
||||
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||
#
|
||||
corecommands = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corenetwork
|
||||
# Required in base
|
||||
#
|
||||
# Policy controlling access to network objects
|
||||
#
|
||||
corenetwork = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: dmesg
|
||||
#
|
||||
# Policy for dmesg.
|
||||
#
|
||||
dmesg = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: netutils
|
||||
#
|
||||
# Network analysis utilities
|
||||
#
|
||||
netutils = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: sudo
|
||||
#
|
||||
# Execute a command with a substitute user
|
||||
#
|
||||
sudo = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: su
|
||||
#
|
||||
# Run shells with substitute user and group
|
||||
#
|
||||
su = module
|
||||
|
||||
# Layer: admin
|
||||
# Module: usermanage
|
||||
#
|
||||
# Policy for managing user accounts.
|
||||
#
|
||||
usermanage = module
|
||||
|
||||
# Layer: apps
|
||||
# Module: seunshare
|
||||
#
|
||||
# seunshare executable
|
||||
#
|
||||
seunshare = module
|
||||
|
||||
# Module: devices
|
||||
# Required in base
|
||||
#
|
||||
# Device nodes and interfaces for many basic system devices.
|
||||
#
|
||||
devices = base
|
||||
|
||||
# Module: domain
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for domains.
|
||||
#
|
||||
domain = base
|
||||
|
||||
# Layer: system
|
||||
# Module: userdomain
|
||||
#
|
||||
# Policy for user domains
|
||||
#
|
||||
userdomain = module
|
||||
|
||||
# Module: files
|
||||
# Required in base
|
||||
#
|
||||
# Basic filesystem types and interfaces.
|
||||
#
|
||||
files = base
|
||||
|
||||
# Layer: system
|
||||
# Module: miscfiles
|
||||
#
|
||||
# Miscelaneous files.
|
||||
#
|
||||
miscfiles = module
|
||||
|
||||
# Module: filesystem
|
||||
# Required in base
|
||||
#
|
||||
# Policy for filesystems.
|
||||
#
|
||||
filesystem = base
|
||||
|
||||
# Module: kernel
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||
#
|
||||
kernel = base
|
||||
|
||||
# Module: mcs
|
||||
# Required in base
|
||||
#
|
||||
# MultiCategory security policy
|
||||
#
|
||||
mcs = base
|
||||
|
||||
# Module: mls
|
||||
# Required in base
|
||||
#
|
||||
# Multilevel security policy
|
||||
#
|
||||
mls = base
|
||||
|
||||
# Module: selinux
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel security interface, in particular, selinuxfs.
|
||||
#
|
||||
selinux = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: storage
|
||||
#
|
||||
# Policy controlling access to storage devices
|
||||
#
|
||||
storage = base
|
||||
|
||||
# Module: terminal
|
||||
# Required in base
|
||||
#
|
||||
# Policy for terminals.
|
||||
#
|
||||
terminal = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: ubac
|
||||
#
|
||||
#
|
||||
#
|
||||
ubac = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: unconfined
|
||||
#
|
||||
# The unlabelednet module.
|
||||
#
|
||||
unlabelednet = module
|
||||
|
||||
# Layer: role
|
||||
# Module: auditadm
|
||||
#
|
||||
# auditadm account on tty logins
|
||||
#
|
||||
auditadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: logadm
|
||||
#
|
||||
# Minimally prived root role for managing logging system
|
||||
#
|
||||
logadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: secadm
|
||||
#
|
||||
# secadm account on tty logins
|
||||
#
|
||||
secadm = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm_secadm
|
||||
#
|
||||
# System Administrator with Security Admin rules
|
||||
#
|
||||
sysadm_secadm = module
|
||||
|
||||
# Module: staff
|
||||
#
|
||||
# admin account
|
||||
#
|
||||
staff = module
|
||||
|
||||
# Layer:role
|
||||
# Module: sysadm
|
||||
#
|
||||
# System Administrator
|
||||
#
|
||||
sysadm = module
|
||||
|
||||
# Layer: role
|
||||
# Module: unconfineduser
|
||||
#
|
||||
# The unconfined user domain.
|
||||
#
|
||||
unconfineduser = module
|
||||
|
||||
# Layer: role
|
||||
# Module: unprivuser
|
||||
#
|
||||
# Minimally privs guest account on tty logins
|
||||
#
|
||||
unprivuser = module
|
||||
|
||||
# Layer: services
|
||||
# Module: postgresql
|
||||
#
|
||||
# PostgreSQL relational database
|
||||
#
|
||||
postgresql = module
|
||||
|
||||
# Layer: services
|
||||
# Module: ssh
|
||||
#
|
||||
# Secure shell client and server policy.
|
||||
#
|
||||
ssh = module
|
||||
|
||||
# Layer: services
|
||||
# Module: xserver
|
||||
#
|
||||
# X windows login display manager
|
||||
#
|
||||
xserver = module
|
||||
|
||||
# Module: application
|
||||
# Required in base
|
||||
#
|
||||
# Defines attributs and interfaces for all user applications
|
||||
#
|
||||
application = module
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
#
|
||||
authlogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: clock
|
||||
#
|
||||
# Policy for reading and setting the hardware clock.
|
||||
#
|
||||
clock = module
|
||||
|
||||
# Layer: system
|
||||
# Module: fstools
|
||||
#
|
||||
# Tools for filesystem management, such as mkfs and fsck.
|
||||
#
|
||||
fstools = module
|
||||
|
||||
# Layer: system
|
||||
# Module: getty
|
||||
#
|
||||
# Policy for getty.
|
||||
#
|
||||
getty = module
|
||||
|
||||
# Layer: system
|
||||
# Module: hostname
|
||||
#
|
||||
# Policy for changing the system host name.
|
||||
#
|
||||
hostname = module
|
||||
|
||||
# Layer: system
|
||||
# Module: init
|
||||
#
|
||||
# System initialization programs (init and init scripts).
|
||||
#
|
||||
init = module
|
||||
|
||||
# Layer: system
|
||||
# Module: ipsec
|
||||
#
|
||||
# TCP/IP encryption
|
||||
#
|
||||
ipsec = module
|
||||
|
||||
# Layer: system
|
||||
# Module: iptables
|
||||
#
|
||||
# Policy for iptables.
|
||||
#
|
||||
iptables = module
|
||||
|
||||
# Layer: system
|
||||
# Module: libraries
|
||||
#
|
||||
# Policy for system libraries.
|
||||
#
|
||||
libraries = module
|
||||
|
||||
# Layer: system
|
||||
# Module: locallogin
|
||||
#
|
||||
# Policy for local logins.
|
||||
#
|
||||
locallogin = module
|
||||
|
||||
# Layer: system
|
||||
# Module: logging
|
||||
#
|
||||
# Policy for the kernel message logger and system logging daemon.
|
||||
#
|
||||
logging = module
|
||||
|
||||
# Layer: system
|
||||
# Module: lvm
|
||||
#
|
||||
# Policy for logical volume management programs.
|
||||
#
|
||||
lvm = module
|
||||
|
||||
# Layer: system
|
||||
# Module: modutils
|
||||
#
|
||||
# Policy for kernel module utilities
|
||||
#
|
||||
modutils = module
|
||||
|
||||
# Layer: system
|
||||
# Module: mount
|
||||
#
|
||||
# Policy for mount.
|
||||
#
|
||||
mount = module
|
||||
|
||||
# Layer: system
|
||||
# Module: netlabel
|
||||
#
|
||||
# Basic netlabel types and interfaces.
|
||||
#
|
||||
netlabel = module
|
||||
|
||||
# Layer: system
|
||||
# Module: selinuxutil
|
||||
#
|
||||
# Policy for SELinux policy and userland applications.
|
||||
#
|
||||
selinuxutil = module
|
||||
|
||||
# Module: setrans
|
||||
# Required in base
|
||||
#
|
||||
# Policy for setrans
|
||||
#
|
||||
setrans = module
|
||||
|
||||
# Layer: system
|
||||
# Module: sysnetwork
|
||||
#
|
||||
# Policy for network configuration: ifconfig and dhcp client.
|
||||
#
|
||||
sysnetwork = module
|
||||
|
||||
# Layer: system
|
||||
# Module: systemd
|
||||
#
|
||||
# Policy for systemd components
|
||||
#
|
||||
systemd = module
|
||||
|
||||
# Layer: system
|
||||
# Module: udev
|
||||
#
|
||||
# Policy for udev.
|
||||
#
|
||||
udev = module
|
||||
|
||||
# Layer: system
|
||||
# Module: unconfined
|
||||
#
|
||||
# The unconfined domain.
|
||||
#
|
||||
unconfined = module
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,2 @@
|
||||
(roleattributeset cil_gen_require system_r)
|
||||
|
@ -0,0 +1,186 @@
|
||||
# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# Author: Petr Lautrbach <plautrba@redhat.com>
|
||||
# Author: Lukáš Vrabec <lvrabec@redhat.com>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 2
|
||||
# of the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# RPM macros for packages installing SELinux modules
|
||||
|
||||
%_selinux_policy_version SELINUXPOLICYVERSION
|
||||
|
||||
%_selinux_store_path SELINUXSTOREPATH
|
||||
%_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
|
||||
|
||||
%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
|
||||
%_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
|
||||
|
||||
%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
|
||||
%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
|
||||
|
||||
# %selinux_requires
|
||||
%selinux_requires \
|
||||
Requires: selinux-policy >= %{_selinux_policy_version} \
|
||||
BuildRequires: pkgconfig(systemd) \
|
||||
BuildRequires: selinux-policy \
|
||||
BuildRequires: selinux-policy-devel \
|
||||
Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
|
||||
Requires(post): libselinux-utils \
|
||||
Requires(post): policycoreutils \
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7\
|
||||
Requires(post): policycoreutils-python-utils \
|
||||
%else \
|
||||
Requires(post): policycoreutils-python \
|
||||
%endif \
|
||||
%{nil}
|
||||
|
||||
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
|
||||
%selinux_modules_install("s:p:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
%{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
|
||||
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
|
||||
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
|
||||
%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
|
||||
%selinux_modules_uninstall("s:p:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ $1 -eq 0 ]; then \
|
||||
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
%{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
|
||||
%{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
|
||||
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
|
||||
%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
# %selinux_relabel_pre [-s <policytype>]
|
||||
%selinux_relabel_pre("s:") \
|
||||
if %{_sbindir}/selinuxenabled; then \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
|
||||
# %selinux_relabel_post [-s <policytype>]
|
||||
%selinux_relabel_post("s:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
if [ -f %{_file_context_file_pre} ]; then \
|
||||
%{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
|
||||
rm -f %{_file_context_file_pre} \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
|
||||
%selinux_set_booleans("s:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ -d "%{_selinux_store_policy_path}" ]; then \
|
||||
LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
|
||||
if [ ! -f %_file_custom_defined_booleans ]; then \
|
||||
/bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
|
||||
fi \
|
||||
semanage_import='' \
|
||||
for boolean in %*; do \
|
||||
boolean_name=${boolean%=*} \
|
||||
boolean_value=${boolean#*=} \
|
||||
boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
|
||||
if [ -n "$boolean_local_string" ]; then \
|
||||
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
|
||||
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
|
||||
if [ -n "$boolean_customized_string" ]; then \
|
||||
/bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
|
||||
else \
|
||||
/bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
|
||||
fi \
|
||||
else \
|
||||
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
|
||||
boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
|
||||
/bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
|
||||
fi \
|
||||
done; \
|
||||
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
|
||||
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
|
||||
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
||||
|
||||
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
|
||||
%selinux_unset_booleans("s:") \
|
||||
if [ -e /etc/selinux/config ]; then \
|
||||
. /etc/selinux/config \
|
||||
fi \
|
||||
_policytype=%{-s*} \
|
||||
if [ -z "${_policytype}" ]; then \
|
||||
_policytype="targeted" \
|
||||
fi \
|
||||
if [ -d "%{_selinux_store_policy_path}" ]; then \
|
||||
semanage_import='' \
|
||||
for boolean in %*; do \
|
||||
boolean_name=${boolean%=*} \
|
||||
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
|
||||
if [ -n "$boolean_customized_string" ]; then \
|
||||
awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
|
||||
if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
|
||||
semanage_import="${semanage_import}\\n${boolean_customized_string}" \
|
||||
fi \
|
||||
fi \
|
||||
done; \
|
||||
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
|
||||
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
|
||||
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
|
||||
fi \
|
||||
fi \
|
||||
%{nil}
|
@ -0,0 +1,4 @@
|
||||
console_device_t
|
||||
sysadm_tty_device_t
|
||||
user_tty_device_t
|
||||
staff_tty_device_t
|
@ -0,0 +1,6 @@
|
||||
console_device_t
|
||||
sysadm_tty_device_t
|
||||
user_tty_device_t
|
||||
staff_tty_device_t
|
||||
auditadm_tty_device_t
|
||||
secureadm_tty_device_t
|
@ -0,0 +1,4 @@
|
||||
console_device_t
|
||||
sysadm_tty_device_t
|
||||
user_tty_device_t
|
||||
staff_tty_device_t
|
@ -0,0 +1,15 @@
|
||||
[Unit]
|
||||
Description=Check that SELinux is not disabled the unsafe way
|
||||
ConditionKernelCommandLine=!selinux=0
|
||||
After=sysinit.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
EnvironmentFile=/etc/selinux/config
|
||||
ExecCondition=test "$SELINUX" = disabled
|
||||
ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
|
||||
StandardOutput=journal+console
|
||||
SyslogLevel=warning
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -0,0 +1,4 @@
|
||||
z /sys/devices/system/cpu/online - - -
|
||||
Z /sys/class/net - - -
|
||||
z /sys/kernel/uevent_helper - - -
|
||||
w /sys/fs/selinux/checkreqprot - - - - 0
|
@ -0,0 +1,19 @@
|
||||
#
|
||||
# Multi-Category Security translation table for SELinux
|
||||
#
|
||||
# Uncomment the following to disable translation libary
|
||||
# disable=1
|
||||
#
|
||||
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||
# Objects can be in more than one category at a time.
|
||||
# Categories are stored in the system as c0-c1023. Users can use this
|
||||
# table to translate the categories into a more meaningful output.
|
||||
# Examples:
|
||||
# s0:c0=CompanyConfidential
|
||||
# s0:c1=PatientRecord
|
||||
# s0:c2=Unclassified
|
||||
# s0:c3=TopSecret
|
||||
# s0:c1,c3=CompanyConfidentialRedHat
|
||||
s0=SystemLow
|
||||
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||
s0:c0.c1023=SystemHigh
|
@ -0,0 +1,52 @@
|
||||
#
|
||||
# Multi-Level Security translation table for SELinux
|
||||
#
|
||||
# Uncomment the following to disable translation libary
|
||||
# disable=1
|
||||
#
|
||||
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
|
||||
# categories defined by the admin.
|
||||
# Objects can be in more than one category at a time.
|
||||
# Users can modify this table to translate the MLS labels for different purpose.
|
||||
#
|
||||
# Assumptions: using below MLS labels.
|
||||
# SystemLow
|
||||
# SystemHigh
|
||||
# Unclassified
|
||||
# Secret with compartments A and B.
|
||||
#
|
||||
# SystemLow and SystemHigh
|
||||
s0=SystemLow
|
||||
s15:c0.c1023=SystemHigh
|
||||
s0-s15:c0.c1023=SystemLow-SystemHigh
|
||||
|
||||
# Unclassified level
|
||||
s1=Unclassified
|
||||
|
||||
# Secret level with compartments
|
||||
s2=Secret
|
||||
s2:c0=A
|
||||
s2:c1=B
|
||||
|
||||
# ranges for Unclassified
|
||||
s0-s1=SystemLow-Unclassified
|
||||
s1-s2=Unclassified-Secret
|
||||
s1-s15:c0.c1023=Unclassified-SystemHigh
|
||||
|
||||
# ranges for Secret with compartments
|
||||
s0-s2=SystemLow-Secret
|
||||
s0-s2:c0=SystemLow-Secret:A
|
||||
s0-s2:c1=SystemLow-Secret:B
|
||||
s0-s2:c0,c1=SystemLow-Secret:AB
|
||||
s1-s2:c0=Unclassified-Secret:A
|
||||
s1-s2:c1=Unclassified-Secret:B
|
||||
s1-s2:c0,c1=Unclassified-Secret:AB
|
||||
s2-s2:c0=Secret-Secret:A
|
||||
s2-s2:c1=Secret-Secret:B
|
||||
s2-s2:c0,c1=Secret-Secret:AB
|
||||
s2-s15:c0.c1023=Secret-SystemHigh
|
||||
s2:c0-s2:c0,c1=Secret:A-Secret:AB
|
||||
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
|
||||
s2:c1-s2:c0,c1=Secret:B-Secret:AB
|
||||
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
|
||||
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
|
@ -0,0 +1,19 @@
|
||||
#
|
||||
# Multi-Category Security translation table for SELinux
|
||||
#
|
||||
# Uncomment the following to disable translation libary
|
||||
# disable=1
|
||||
#
|
||||
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||
# Objects can be in more than one category at a time.
|
||||
# Categories are stored in the system as c0-c1023. Users can use this
|
||||
# table to translate the categories into a more meaningful output.
|
||||
# Examples:
|
||||
# s0:c0=CompanyConfidential
|
||||
# s0:c1=PatientRecord
|
||||
# s0:c2=Unclassified
|
||||
# s0:c3=TopSecret
|
||||
# s0:c1,c3=CompanyConfidentialRedHat
|
||||
s0=SystemLow
|
||||
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||
s0:c0.c1023=SystemHigh
|
@ -0,0 +1,39 @@
|
||||
##################################
|
||||
#
|
||||
# Core User configuration.
|
||||
#
|
||||
|
||||
#
|
||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||
#
|
||||
# Note: Identities without a prefix wil not be listed
|
||||
# in the users_extra file used by genhomedircon.
|
||||
|
||||
#
|
||||
# system_u is the user identity for system processes and objects.
|
||||
# There should be no corresponding Unix user identity for system,
|
||||
# and a user process should never be assigned the system user
|
||||
# identity.
|
||||
#
|
||||
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# user_u is a generic user identity for Linux users who have no
|
||||
# SELinux user identity defined. The modified daemons will use
|
||||
# this user identity in the security context if there is no matching
|
||||
# SELinux user identity for a Linux user. If you do not want to
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
# These identities are typically assigned as the user attribute
|
||||
# when login starts the user shell. Users with access to the sysadm_r
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
@ -0,0 +1,40 @@
|
||||
##################################
|
||||
#
|
||||
# Core User configuration.
|
||||
#
|
||||
|
||||
#
|
||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||
#
|
||||
# Note: Identities without a prefix wil not be listed
|
||||
# in the users_extra file used by genhomedircon.
|
||||
|
||||
#
|
||||
# system_u is the user identity for system processes and objects.
|
||||
# There should be no corresponding Unix user identity for system,
|
||||
# and a user process should never be assigned the system user
|
||||
# identity.
|
||||
#
|
||||
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# user_u is a generic user identity for Linux users who have no
|
||||
# SELinux user identity defined. The modified daemons will use
|
||||
# this user identity in the security context if there is no matching
|
||||
# SELinux user identity for a Linux user. If you do not want to
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
# These identities are typically assigned as the user attribute
|
||||
# when login starts the user shell. Users with access to the sysadm_r
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(guest_u, user, guest_r, s0, s0)
|
||||
gen_user(xguest_u, user, xguest_r, s0, s0)
|
@ -0,0 +1,41 @@
|
||||
##################################
|
||||
#
|
||||
# Core User configuration.
|
||||
#
|
||||
|
||||
#
|
||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||
#
|
||||
# Note: Identities without a prefix wil not be listed
|
||||
# in the users_extra file used by genhomedircon.
|
||||
|
||||
#
|
||||
# system_u is the user identity for system processes and objects.
|
||||
# There should be no corresponding Unix user identity for system,
|
||||
# and a user process should never be assigned the system user
|
||||
# identity.
|
||||
#
|
||||
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# user_u is a generic user identity for Linux users who have no
|
||||
# SELinux user identity defined. The modified daemons will use
|
||||
# this user identity in the security context if there is no matching
|
||||
# SELinux user identity for a Linux user. If you do not want to
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
# These identities are typically assigned as the user attribute
|
||||
# when login starts the user shell. Users with access to the sysadm_r
|
||||
# role should use the staff_r role instead of the user_r role when
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
gen_user(guest_u, user, guest_r, s0, s0)
|
||||
gen_user(xguest_u, user, xguest_r, s0, s0)
|
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
### varrun-convert.sh
|
||||
### convert legacy filecontext entries containing /var/run to /run
|
||||
### and load an extra selinux module with the new content
|
||||
### the script takes a policy name as an argument
|
||||
|
||||
# Set DEBUG=yes before running the script to get more verbose output
|
||||
if [ "${DEBUG}" = "yes" ]; then
|
||||
set -x
|
||||
fi
|
||||
|
||||
# Look for working files and log in OUTPUTDIR
|
||||
OUTPUTDIR="/run/selinux-policy"
|
||||
LOG="$OUTPUTDIR/log"
|
||||
mkdir -p ${OUTPUTDIR}
|
||||
|
||||
if [ -z ${1} ]; then
|
||||
[ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
|
||||
exit
|
||||
fi
|
||||
|
||||
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
|
||||
if [ ! -f ${FILE_CONTEXTS} ]; then
|
||||
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
|
||||
exit
|
||||
fi
|
||||
|
||||
SEMODULEOPT="-s ${1}"
|
||||
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
|
||||
|
||||
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
|
||||
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
|
||||
exit
|
||||
fi
|
||||
|
||||
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
|
||||
EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"
|
||||
|
||||
# Print only /var/run entries
|
||||
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Unify whitespace separators
|
||||
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Change /var/run to /run
|
||||
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Exception handling: packages with already duplicate entries
|
||||
sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Change format to cil
|
||||
sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
|
||||
sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Handle entries with <<none>> which do not match previous regexps
|
||||
sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
|
||||
|
||||
# Wrap each line with an optional block
|
||||
i=1
|
||||
while read line
|
||||
do
|
||||
echo "(optional extra_var_run_${i}"
|
||||
echo " $line"
|
||||
echo ")"
|
||||
((i++))
|
||||
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
|
||||
|
||||
# Load module
|
||||
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
|
||||
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue