commit 680b1d591d610924e147347173e93c39260fce44
Author: MSVSphere Packaging Team
Date: Fri Apr 14 16:05:02 2023 +0300
import selinux-policy-38.1.8-1.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8fc26dc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/container-selinux.tgz
+SOURCES/selinux-policy-c918655.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
new file mode 100644
index 0000000..ed55b12
--- /dev/null
+++ b/.selinux-policy.metadata
@@ -0,0 +1,2 @@
+f8c84201555bcfb72477285b591f65fa9afc97eb SOURCES/container-selinux.tgz
+63939f054fb0b450d87ce3de2cd349e54b51be54 SOURCES/selinux-policy-c918655.tar.gz
diff --git a/SOURCES/Makefile.devel b/SOURCES/Makefile.devel
new file mode 100644
index 0000000..b1c6bfe
--- /dev/null
+++ b/SOURCES/Makefile.devel
@@ -0,0 +1,22 @@
+# installation paths
+SHAREDIR := /usr/share/selinux
+
+AWK ?= gawk
+NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
+
+ifeq ($(MLSENABLED),)
+ MLSENABLED := 1
+endif
+
+ifeq ($(MLSENABLED),1)
+ NTYPE = mcs
+endif
+
+ifeq ($(NAME),mls)
+ NTYPE = mls
+endif
+
+TYPE ?= $(NTYPE)
+
+HEADERDIR := $(SHAREDIR)/devel/include
+include $(HEADERDIR)/Makefile
diff --git a/SOURCES/booleans-minimum.conf b/SOURCES/booleans-minimum.conf
new file mode 100644
index 0000000..59dac1f
--- /dev/null
+++ b/SOURCES/booleans-minimum.conf
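Review bot: `NAME ?= $(strip $(shell $(AWK) … /etc/selinux/config))` in the Makefile.devel hunk gives NAME the recursive flavour, so the awk process is re-run on every expansion of NAME (including the `ifeq ($(NAME),mls)` test and whatever the included devel Makefile does with it) instead of once at parse time. The default can be kept while expanding once: `ifndef NAME` / `NAME := $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))` / `endif`. The awk's stderr is not redirected, so on a host without /etc/selinux/config the build prints the error and NAME is empty, which makes TYPE fall back to NTYPE (mcs when MLSENABLED is 1) with no indication that the configured policy type was not read; either a `2>/dev/null` on the shell call with a comment stating that fallback is intended, or an `$(error …)` when NAME is empty, would make the behaviour explicit.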
@@ -0,0 +1,248 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+#
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+#
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+#
+allow_execstack = true
+
+# Allow ftpd to read cifs directories.
+#
+allow_ftpd_use_cifs = false
+
+# Allow ftpd to read nfs directories.
+#
+allow_ftpd_use_nfs = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+#
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+#
+allow_gssd_read_tmp = true
+
+# Allow Apache to modify public filesused for public file transfer services.
+#
+allow_httpd_anon_write = false
+
+# Allow Apache to use mod_auth_pam module
+#
+allow_httpd_mod_auth_pam = false
+
+# Allow system to run with kerberos
+#
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+#
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+#
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+#
+allow_smbd_anon_write = false
+
+# Allow system to run with NIS
+#
+allow_ypbind = false
+
+# Allow zebra to write it own configuration files
+#
+allow_zebra_write_config = false
+
+# Enable extra rules in the cron domainto support fcron.
+#
+fcron_crond = false
+
+#
+# allow httpd to connect to mysql/posgresql
+httpd_can_network_connect_db = false
+
+#
+# allow httpd to send dbus messages to avahi
+httpd_dbus_avahi = true
+
+#
+# allow httpd to network relay
+httpd_can_network_relay = false
+
+# Allow httpd to use built in scripting (usually php)
+#
+httpd_builtin_scripting = true
+
+# Allow http daemon to tcp connect
+#
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+#
+httpd_enable_cgi = true
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+#
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+#
+httpd_enable_homedirs = false
+
+# Run SSI execs in system CGI script domain.
+#
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+#
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+#
+httpd_unified = false
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+#
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+#
+nfs_export_all_rw = true
+
+# Allow nfs to be exported read only
+#
+nfs_export_all_ro = true
+
+# Allow pppd to load kernel modules for certain modems
+#
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+#
+read_default_t = false
+
+# Allow samba to export user home directories.
+#
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+#
+squid_connect_any = false
+
+# Support NFS home directories
+#
+use_nfs_home_dirs = true
+
+# Support SAMBA home directories
+#
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+#
+user_ping = false
+
+# allow host key based authentication
+#
+allow_ssh_keysign = false
+
+# Allow pppd to be run for a regular user
+#
+pppd_for_user = false
+
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+#
+read_untrusted_content = false
+
+# Allow spamd to write to users homedirs
+#
+spamd_enable_home_dirs = false
+
+# Allow regular users direct mouse access
+#
+user_direct_mouse = false
+
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+#
+user_rw_noexattrfile = false
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
+#
+user_tcp_server = false
+
+# Allow w to display everyone
+#
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+#
+write_untrusted_content = false
+
+# Allow all domains to talk to ttys
+#
+allow_daemons_use_tty = false
+
+# Allow login domains to polyinstatiate directories
+#
+allow_polyinstantiation = false
+
+# Allow all domains to dump core
+#
+allow_daemons_dump_core = true
+
+# Allow samba to act as the domain controller
+#
+samba_domain_controller = false
+
+# Allow samba to export user home directories.
+#
+samba_run_unconfined = false
+
+# Allows XServer to execute writable memory
+#
+allow_xserver_execmem = false
+
+# disallow guest accounts to execute files that they can create
+#
+allow_guest_exec_content = false
+allow_xguest_exec_content = false
+
+# Only allow browser to use the web
+#
+browser_confine_xguest=false
+
+# Allow postfix locat to write to mail spool
+#
+allow_postfix_local_write_mail_spool=false
+
+# Allow common users to read/write noexattrfile systems
+#
+user_rw_noexattrfile=true
+
+# Allow qemu to connect fully to the network
+#
+qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+#
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+#
+allow_unconfined_nsplugin_transition=true
+
+# System uses init upstart program
+#
+init_upstart = true
+
+# Allow mount to mount any file/dir
+#
+allow_mount_anyfile = true
diff --git a/SOURCES/booleans-mls.conf b/SOURCES/booleans-mls.conf
new file mode 100644
index 0000000..65ccfa4
--- /dev/null
+++ b/SOURCES/booleans-mls.conf
@@ -0,0 +1,6 @@
+kerberos_enabled = true
+mount_anyfile = true
+polyinstantiation_enabled = true
+ftpd_is_daemon = true
+selinuxuser_ping = true
+xserver_object_manager = true
diff --git a/SOURCES/booleans-targeted.conf b/SOURCES/booleans-targeted.conf
new file mode 100644
index 0000000..b62755a
--- /dev/null
+++ b/SOURCES/booleans-targeted.conf
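Review bot: `user_rw_noexattrfile` is assigned twice in booleans-minimum.conf — `user_rw_noexattrfile = false` under "Allow user to r/w files on filesystems that do not have extended attributes" and later `user_rw_noexattrfile=true` under "Allow common users to read/write noexattrfile systems" — so the effective default depends on which assignment the consumer applies last; one of the two should be dropped so the file states a single default. The comment above `samba_run_unconfined = false` ("Allow samba to export user home directories.") is copied from the `samba_enable_home_dirs` entry and describes the wrong boolean; a comment that matches the name, e.g. `# Allow the samba domains to run unconfined`, would be accurate. Several keys here use the legacy `allow_*` names that booleans.subs_dist in this same commit maps onto the current names, but `allow_execmem` has no entry in that file as far as this commit shows (only allow_execheap, allow_execmod and allow_execstack do), so its default here may never be applied — worth confirming against the policy's boolean names.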
@@ -0,0 +1,24 @@
+gssd_read_tmp = true
+httpd_builtin_scripting = true
+httpd_enable_cgi = true
+kerberos_enabled = true
+mount_anyfile = true
+nfs_export_all_ro = true
+nfs_export_all_rw = true
+nscd_use_shm = true
+openvpn_enable_homedirs = true
+postfix_local_write_mail_spool=true
+pppd_can_insmod = false
+privoxy_connect_any = true
+selinuxuser_direct_dri_enabled = true
+selinuxuser_execmem = true
+selinuxuser_execstack = true
+selinuxuser_rw_noexattrfile=true
+selinuxuser_ping = true
+squid_connect_any = true
+telepathy_tcp_connect_generic_network_ports=true
+unconfined_chrome_sandbox_transition=true
+unconfined_mozilla_plugin_transition=true
+xguest_exec_content = true
+mozilla_plugin_can_network_connect = true
+use_virtualbox = true
diff --git a/SOURCES/booleans.subs_dist b/SOURCES/booleans.subs_dist
new file mode 100644
index 0000000..fed7d8c
--- /dev/null
+++ b/SOURCES/booleans.subs_dist
@@ -0,0 +1,54 @@
+allow_auditadm_exec_content auditadm_exec_content
+allow_console_login login_console_enabled
+allow_cvs_read_shadow cvs_read_shadow
+allow_daemons_dump_core daemons_dump_core
+allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
+allow_daemons_use_tty daemons_use_tty
+allow_domain_fd_use domain_fd_use
+allow_execheap selinuxuser_execheap
+allow_execmod selinuxuser_execmod
+allow_execstack selinuxuser_execstack
+allow_ftpd_anon_write ftpd_anon_write
+allow_ftpd_full_access ftpd_full_access
+allow_ftpd_use_cifs ftpd_use_cifs
+allow_ftpd_use_nfs ftpd_use_nfs
+allow_gssd_read_tmp gssd_read_tmp
+allow_guest_exec_content guest_exec_content
+allow_httpd_anon_write httpd_anon_write
+allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
+allow_httpd_mod_auth_pam httpd_mod_auth_pam
+allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
+allow_kerberos kerberos_enabled
+allow_mplayer_execstack mplayer_execstack
+allow_mount_anyfile mount_anyfile
+allow_nfsd_anon_write nfsd_anon_write
+allow_polyinstantiation polyinstantiation_enabled
+allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
+allow_rsync_anon_write rsync_anon_write
+allow_saslauthd_read_shadow saslauthd_read_shadow
+allow_secadm_exec_content secadm_exec_content
+allow_smbd_anon_write smbd_anon_write
+allow_ssh_keysign ssh_keysign
+allow_staff_exec_content staff_exec_content
+allow_sysadm_exec_content sysadm_exec_content
+allow_user_exec_content user_exec_content
+allow_user_mysql_connect selinuxuser_mysql_connect_enabled
+allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
+allow_write_xshm xserver_clients_write_xshm
+allow_xguest_exec_content xguest_exec_content
+allow_xserver_execmem xserver_execmem
+allow_ypbind nis_enabled
+allow_zebra_write_config zebra_write_config
+user_direct_dri selinuxuser_direct_dri_enabled
+user_ping selinuxuser_ping
+user_share_music selinuxuser_share_music
+user_tcp_server selinuxuser_tcp_server
+sepgsql_enable_pitr_implementation postgresql_can_rsync
+sepgsql_enable_users_ddl postgresql_selinux_users_ddl
+sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
+sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
+clamd_use_jit antivirus_use_jit
+amavis_use_jit antivirus_use_jit
+logwatch_can_sendmail logwatch_can_network_connect_mail
+puppet_manage_all_files puppetagent_manage_all_files
+virt_sandbox_use_nfs virt_use_nfs
diff --git a/SOURCES/customizable_types b/SOURCES/customizable_types
new file mode 100644
index 0000000..b3f6cb0
--- /dev/null
+++ b/SOURCES/customizable_types
@@ -0,0 +1,14 @@
+container_file_t
+sandbox_file_t
+svirt_image_t
+svirt_home_t
+svirt_sandbox_file_t
+virt_content_t
+httpd_user_htaccess_t
+httpd_user_script_exec_t
+httpd_user_rw_content_t
+httpd_user_ra_content_t
+httpd_user_content_t
+git_session_content_t
+home_bin_t
+user_tty_device_t
diff --git a/SOURCES/file_contexts.subs_dist b/SOURCES/file_contexts.subs_dist
new file mode 100644
index 0000000..1bf4710
--- /dev/null
+++ b/SOURCES/file_contexts.subs_dist
@@ -0,0 +1,22 @@
+/run /var/run
+/run/lock /var/lock
+/run/systemd/system /usr/lib/systemd/system
+/run/systemd/generator /usr/lib/systemd/system
+/run/systemd/generator.late /usr/lib/systemd/system
+/lib /usr/lib
+/lib64 /usr/lib
+/usr/lib64 /usr/lib
+/usr/local/lib64 /usr/lib
+/usr/local/lib32 /usr/lib
+/etc/systemd/system /usr/lib/systemd/system
+/var/lib/xguest/home /home
+/var/named/chroot/usr/lib64 /usr/lib
+/var/named/chroot/lib64 /usr/lib
+/var/named/chroot/var /var
+/home-inst /home
+/home/home-inst /home
+/var/roothome /root
+/sbin /usr/sbin
+/sysroot/tmp /tmp
+/var/usrlocal /usr/local
+/var/mnt /mnt
diff --git a/SOURCES/macro-expander b/SOURCES/macro-expander
new file mode 100644
index 0000000..2670b61
--- /dev/null
+++ b/SOURCES/macro-expander
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+function usage {
+ echo "Usage: $0 [ -c | -t [ -M ] ] "
+ echo "Options:
+ -c generate CIL output
+ -t generate standard policy source format (.te) allow rules - this is default
+ -M generate complete module .te output
+"
+}
+
+function cleanup {
+ rm -rf $TEMP_STORE
+}
+
+while getopts "chMt" opt; do
+ case $opt in
+ c) GENCIL=1
+ ;;
+ t) GENTE=1
+ ;;
+ M) GENTEMODULE=1
+ ;;
+ h) usage
+ exit 0
+ ;;
+ \?) usage
+ exit 1
+ ;;
+ esac
+done
+
+shift $((OPTIND-1))
+
+SELINUX_MACRO=$1
+
+if [ -z "$SELINUX_MACRO" ]
+then
+ exit 1
+fi
+
+TEMP_STORE="$(mktemp -d)"
+cd $TEMP_STORE || exit 1
+
+IFS="("
+set $1
+SELINUX_DOMAIN="${2::-1}"
+
+echo -e "policy_module(expander, 1.0.0) \n" \
+ "gen_require(\`\n" \
+ "type $SELINUX_DOMAIN ; \n" \
+ "')" > expander.te
+
+echo "$SELINUX_MACRO" >> expander.te
+
+make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null
+
+if [ "x$GENCIL" = "x1" ]; then
+
+ make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null
+ MAKE_RESULT=$?
+
+ if [ $MAKE_RESULT -ne 2 ]
+ then
+ /usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null
+ grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u
+ fi
+fi
+
+if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then
+ m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
+ if [ "x$GENTEMODULE" = "x1" ]; then
+ # sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
+ sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp
+ else
+ grep '^\s*allow' expander.tmp | sed 's/^\s*//'
+ fi
+fi
+
+cd - > /dev/null || exit 1
+cleanup
diff --git a/SOURCES/modules-mls-base.conf b/SOURCES/modules-mls-base.conf
new file mode 100644
index 0000000..5b21a3e
--- /dev/null
+++ b/SOURCES/modules-mls-base.conf
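Review bot: `set $1` after `IFS="("` hands the user-supplied macro text to `set` as positional options, so an argument that begins with `-` is interpreted as shell options rather than being split into SELINUX_DOMAIN; it should be `set -- $1`. The temporary directory is used unquoted in `cd $TEMP_STORE || exit 1`, in the two `$TEMP_STORE/expander.*` redirections and in cleanup's `rm -rf $TEMP_STORE`, so if `mktemp -d` fails and leaves TEMP_STORE empty the `cd` becomes a bare `cd` into $HOME and the rest of the script writes expander.te and the build tree there; quoting as `cd "$TEMP_STORE" || exit 1` (and `rm -rf "$TEMP_STORE"`) makes the failure an error instead. cleanup is only reached on the normal path — an early `exit 1`, a failing `cd -` or an interrupt leaves the directory behind — so `trap cleanup EXIT` placed right after the `mktemp -d` line would cover every exit. Note also that IFS stays set to `(` for the remainder of the script, which is harmless for the visible expansions but worth a comment or a reset after the `set`.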
@@ -0,0 +1,380 @@ +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = module + +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. 
+# +selinux = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# Layer: kernel +# Module: unlabelednet +# +# The unlabelednet module. +# +unlabelednet = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + +# Layer: role +# Module: logadm +# +# Minimally prived root role for managing logging system +# +logadm = module + +# Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Layer:role +# Module: staff +# +# admin account +# +staff = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + +# Layer:role +# Module: sysadm +# +# System Administrator +# +sysadm = module + +# Layer: role +# Module: unprivuser +# +# Minimally privs guest account on tty logins +# +unprivuser = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = module + +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: system +# Module: getty +# +# Policy for getty. 
+# +getty = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: system +# Module: netlabel +# +# Basic netlabel types and interfaces. +# +netlabel = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Module: setrans +# Required in base +# +# Policy for setrans +# +setrans = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: systemd +# +# Policy for systemd components +# +systemd = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module diff --git a/SOURCES/modules-mls-contrib.conf b/SOURCES/modules-mls-contrib.conf new file mode 100644 index 0000000..bfa841f --- /dev/null +++ b/SOURCES/modules-mls-contrib.conf 
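Review bot: `application = module` and `setrans = module` in modules-mls-base.conf sit under headers that say `# Required in base`, so either the comment or the value is stale for those two entries; the other `# Required in base` entries in this file are all `= base`. Conversely `storage = base` and `ubac = base` carry no `# Required in base` line, and the `ubac` header has an empty description where every other entry has one — a one-line description such as `# User-based access control constraints` (presumably what the module provides; confirm against the module's .te) would keep the file self-describing. The "Layer:role" headers for staff, sysadm_secadm and sysadm are missing the space after the colon that the other headers use.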
@@ -0,0 +1,1581 @@ +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: contrib +# Module: antivirus +# +# Anti-virus +# +antivirus = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: modules +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. 
+# +bluetooth = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: cmirrord +# +# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster +# +cmirrord = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. 
+# +comsat = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. +# +dcc = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. 
+# +dmidecode = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. 
+# +games = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for Mozilla and related web browsers +# +gpg = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Module: gssproxy +# +# A proxy for GSSAPI credential handling +# +# +gssproxy = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: admin +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: 
lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. +# +lircd = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: lsm +# +# lsm policy +# +lsm = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: admin +# Module: mcelog +# +# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines. +# +mcelog = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# +# +milter = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. +# +modemmanager = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. 
+# +mta = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. 
+#
+openct = off
+
+# Layer: service
+# Module: openct
+#
+# Middleware framework for smart card terminals
+#
+openct = module
+
+# Layer: services
+# Module: openvpn
+#
+# Policy for OPENVPN full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: contrib
+# Module: prelude
+#
+# SELinux policy for prelude
+#
+prelude = module
+
+# Layer: contrib
+# Module: prosody
+#
+# SELinux policy for prosody flexible communications server for Jabber/XMPP
+#
+prosody = module
+
+# Layer: services
+# Module: pads
+#
+pads = module
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = module
+
+
+# Layer: services
+# Module: pingd
+#
+#
+pingd = module
+
+# Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: services
+# Module: plymouthd
+#
+# Plymouth
+#
+plymouthd = module
+
+# Layer: apps
+# Module: podsleuth
+#
+# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
+#
+podsleuth = module
+
+# Layer: services
+# Module: policykit
+#
+# Hardware abstraction layer
+#
+policykit = module
+
+# Layer: services
+# Module: polipo
+#
+# polipo
+#
+polipo = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: portreserve
+#
+# reserve ports to prevent portmap mapping them
+#
+portreserve = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+o# Layer: services
+# Module: postgrey
+#
+# email scanner
+#
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: admin
+# Module: prelink
+#
+# Manage temporary directory sizes and file ages
+#
+prelink = module
+
+unprivuser = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+#
+procmail = module
+
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+#
+psad = module
+
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+#
+ptchown = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: apps
+# Module: pulseaudio
+#
+# The PulseAudio Sound System
+#
+pulseaudio = module
+
+# Layer: services
+# Module: qmail
+#
+# Policy for qmail
+#
+qmail = module
+
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpid = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: services
+# Module: rhcs
+#
+# RHCS - Red Hat Cluster Suite
+#
+rhcs = module
+
+# Layer: services
+# Module: rhgb
+#
+# X windows login display manager
+#
+rhgb = module
+
+# Layer: services
+# Module: ricci
+#
+# policy for ricci
+#
+ricci = module
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpcbind
+#
+# universal addresses to RPC program number mapper
+#
+rpcbind = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: services
+# Module: rtkit
+#
+# Real Time Kit Daemon
+#
+rtkit = module
+
+# Layer: services
+# Module: rwho
+#
+# who is logged in on local machines
+#
+rwho = module
+
+# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+sambagui = module
+
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = module
+
+# Layer: admin
+# Module: shorewall
+#
+# Policy for shorewall
+#
+shorewall = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = off
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: admin
+# Module: sosreport
+#
+# sosreport debuggin information generator
+#
+sosreport = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: tcsd
+#
+# tcsd - daemon that manages Trusted Computing resources
+#
+tcsd = module
+
+# Layer: apps
+# Module: telepathy
+#
+# telepathy - Policy for Telepathy framework
+#
+telepathy = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: tgtd
+#
+# Linux Target Framework Daemon.
+#
+tgtd = module
+
+# Layer: apps
+# Module: thumb
+#
+# Thumbnailer confinement
+#
+thumb = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = off
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: services
+# Module: ksmtuned
+#
+# Kernel Samepage Merging (KSM) Tuning Daemon
+#
+ksmtuned = module
+
+# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: services
+# Module: ulogd
+#
+#
+#
+ulogd = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = module
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: apps
+# Module: userhelper
+#
+# A helper interface to pam.
+#
+userhelper = module
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: contrib
+# Module: openvswitch
+#
+# SELinux policy for openvswitch programs
+#
+openvswitch = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: services
+# Module: w3c
+#
+# w3c
+#
+w3c = module
+
+# Layer: role
+# Module: webadm
+#
+# Minimally prived root role for managing apache
+#
+webadm = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# wine executable
+#
+wine = module
+
+# Layer: apps
+# Module: wireshark
+#
+# wireshark executable
+#
+wireshark = module
+
+# Layer: apps
+# Module: wm
+#
+# X windows window manager
+#
+wm = module
+
+# Layer: system
+# Module: xen
+#
+# virtualization software
+#
+xen = module
+
+# Layer: role
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: services
+# Module: zabbix
+#
+# Open-source monitoring solution for your IT infrastructure
+#
+zabbix = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: services
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
+# Layer: contrib
+# Module: mandb
+#
+# Policy for mandb
+#
+mandb = module
diff --git a/SOURCES/modules-targeted-base.conf b/SOURCES/modules-targeted-base.conf
new file mode 100644
index 0000000..e7456ef
--- /dev/null
+++ b/SOURCES/modules-targeted-base.conf
@@ -0,0 +1,393 @@
+# Layer: kernel
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+#
+seunshare = module
+
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+#
+kernel = base
+
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+#
+mcs = base
+
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+#
+#
+#
+ubac = base
+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+#
+auditadm = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+#
+logadm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+#
+secadm = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm_secadm = module
+
+# Module: staff
+#
+# admin account
+#
+staff = module
+
+# Layer:role
+# Module: sysadm
+#
+# System Administrator
+#
+sysadm = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfineduser = module
+
+# Layer: role
+# Module: unprivuser
+#
+# Minimally privs guest account on tty logins
+#
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+#
+xserver = module
+
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+#
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+#
+systemd = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
new file mode 100644
index 0000000..e6fcca7
--- /dev/null
+++ b/SOURCES/modules-targeted-contrib.conf
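Review bot: Several header comments in the modules-targeted-base.conf hunk disagree with the value they annotate: `application` and `setrans` carry `# Required in base` yet are set to `module`, and the block headed `# Module: unconfined` actually defines `unlabelednet = module`. Since `base` versus `module` presumably decides whether a policy module is compiled into the base policy or built as a separately loadable module, a stale `# Required in base` line invites the next editor to change the wrong side. Either drop those two `# Required in base` lines or change the values to `base`, whichever the build really expects, and correct the header to `# Module: unlabelednet`. The `ubac = base` entry also has an empty description and `storage = base` lacks the `# Required in base` marker the other base entries carry; a one-line purpose for `ubac` and a consistent marker would make the base set auditable at a glance.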
@@ -0,0 +1,2700 @@
+# Layer: services
+# Module: abrt
+#
+# Automatic bug detection and reporting tool
+#
+abrt = module
+
+# Layer: services
+# Module: accountsd
+#
+# An application to view and modify user accounts information
+#
+accountsd = module
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = module
+
+# Layer: services
+# Module: afs
+#
+# Andrew Filesystem server
+#
+afs = module
+
+# Layer: services
+# Module: aiccu
+#
+# SixXS Automatic IPv6 Connectivity Client Utility
+#
+aiccu = module
+
+# Layer: services
+# Module: aide
+#
+# Policy for aide
+#
+aide = module
+
+# Layer: services
+# Module: ajaxterm
+#
+# Web Based Terminal
+#
+ajaxterm = module
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+#
+amanda = module
+
+# Layer: admin
+# Module: amtu
+#
+# Abstract Machine Test Utility (AMTU)
+#
+amtu = module
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = module
+
+# Layer: contrib
+# Module: antivirus
+#
+# SELinux policy for antivirus programs
+#
+antivirus = module
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Layer: services
+# Module: apcupsd
+#
+# daemon for most APC’s UPS for Linux
+#
+apcupsd = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+#
+apm = module
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = module
+
+# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: contrib
+# Module: authconfig
+#
+# Authorization configuration tool
+#
+authconfig = module
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+#
+avahi = module
+
+# Layer: module
+# Module: awstats
+#
+# awstats executable
+#
+awstats = module
+
+# Layer: services
+# Module: bcfg2
+#
+# Configuration management server
+#
+bcfg2 = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+#
+bind = module
+
+# Layer: contrib
+# Module: rngd
+#
+# Daemon used to feed random data from hardware device to kernel random device
+#
+rngd = module
+
+# Layer: services
+# Module: bitlbee
+#
+# An IRC to other chat networks gateway
+#
+bitlbee = module
+
+# Layer: services
+# Module: blueman
+#
+# Blueman tools and system services.
+#
+blueman = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Layer: services
+# Module: boinc
+#
+# Berkeley Open Infrastructure for Network Computing
+#
+boinc = module
+
+# Layer: system
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+#
+brctl = module
+
+# Layer: services
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: services
+# Module: bumblebee
+#
+# Support NVIDIA Optimus technology under Linux
+#
+bumblebee = module
+
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+#
+cachefilesd = module
+
+# Module: calamaris
+#
+#
+# Squid log analysis
+#
+calamaris = module
+
+# Layer: services
+# Module: callweaver
+#
+# callweaver telephony sever
+#
+callweaver = module
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# policy for ccs
+#
+ccs = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+#
+cdrecord = module
+
+# Layer: admin
+# Module: certmaster
+#
+# Digital Certificate master
+#
+certmaster = module
+
+# Layer: services
+# Module: certmonger
+#
+# Certificate status monitor and PKI enrollment client
+#
+certmonger = module
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+#
+certwatch = module
+
+# Layer: services
+# Module: cfengine
+#
+# cfengine
+#
+cfengine = module
+
+# Layer: services
+# Module: cgroup
+#
+# Tools and libraries to control and monitor control groups
+#
+cgroup = module
+
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+#
+chrome = module
+
+# Layer: services
+# Module: chronyd
+#
+# Daemon for maintaining clock time
+#
+chronyd = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+#
+cipe = module
+
+
+# Layer: services
+# Module: clogd
+#
+# clogd - clustered mirror log server
+#
+clogd = module
+
+# Layer: services
+# Module: cloudform
+#
+# cloudform daemons
+#
+cloudform = module
+
+# Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
+# Module: cobbler
+#
+# cobbler
+#
+cobbler = module
+
+# Layer: services
+# Module: collectd
+#
+# Statistics collection daemon for filling RRD files
+#
+collectd = module
+
+# Layer: services
+# Module: colord
+#
+# color device daemon
+#
+colord = module
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = module
+
+# Layer: services
+# Module: condor
+#
+# policy for condor
+#
+condor = module
+
+# Layer: services
+# Module: conman
+#
+# Conman is a program for connecting to remote consoles being managed by conmand
+#
+conman = module
+
+# Layer: services
+# Module: consolekit
+#
+# ConsoleKit is a system daemon for tracking what users are logged
+#
+consolekit = module
+
+# Layer: services
+# Module: couchdb
+#
+# Apache CouchDB database server
+#
+couchdb = module
+
+# Layer: services
+# Module: courier
+#
+# IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = module
+
+# Layer: apps
+# Module: cpufreqselector
+#
+# cpufreqselector executable
+#
+cpufreqselector = module
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = module
+
+# Layer: services
+# Module: ctdbd
+#
+# Cluster Daemon
+#
+ctdb = module
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+#
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = module
+
+# Layer: services
+# Module: cyphesis
+#
+# cyphesis game server
+#
+cyphesis = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+#
+cyrus = module
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: role
+# Module: dbadm
+#
+# Minimally prived root role for managing databases
+#
+dbadm = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = module
+
+# Layer: services
+# Module: dcc
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+dcc = module
+
+# Layer: services
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org
+#
+ddclient = module
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = off
+
+# Layer: services
+# Module: denyhosts
+#
+# script to help thwart ssh server attacks
+#
+denyhosts = module
+
+# Layer: services
+# Module: devicekit
+#
+# devicekit-daemon
+#
+devicekit = module
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+#
+dictd = module
+
+# Layer: services
+# Module: dirsrv-admin
+#
+# An 309 directory admin server
+#
+dirsrv-admin = module
+
+# Layer: services
+# Module: dirsrv
+#
+# An 309 directory server
+#
+dirsrv = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = off
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# A lightweight DHCP and caching DNS server.
+#
+dnsmasq = module
+
+# Layer: services
+# Module: dnssec
+#
+# A dnssec server application
+#
+dnssec = module
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+#
+dovecot = module
+
+# Layer: services
+# Module: drbd
+#
+# DRBD mirrors a block device over the network to another machine.
+#
+drbd = module
+
+# Layer: services
+# Module: dspam
+#
+# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering
+#
+dspam = module
+
+# Layer: services
+# Module: entropy
+#
+# Generate entropy from audio input
+#
+entropyd = module
+
+# Layer: services
+# Module: exim
+#
+# exim mail server
+#
+exim = module
+
+# Layer: services
+# Module: fail2ban
+#
+# daiemon that bans IP that makes too many password failures
+#
+fail2ban = module
+
+# Layer: services
+# Module: fcoe
+#
+# fcoe
+#
+fcoe = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = module
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+#
+finger = module
+
+# Layer: services
+# Module: firewalld
+#
+# firewalld is firewall service daemon that provides dynamic customizable
+#
+firewalld = module
+
+# Layer: apps
+# Module: firewallgui
+#
+# policy for system-config-firewall
+#
+firewallgui = module
+
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+#
+firstboot = module
+
+# Layer: services
+# Module: fprintd
+#
+# finger print server
+#
+fprintd = module
+
+# Layer: services
+# Module: freqset
+#
+# Utility for CPU frequency scaling
+#
+freqset = module
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+#
+ftp = module
+
+# Layer: apps
+# Module: games
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+games = module
+
+# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+#
+gitosis = module
+
+# Layer: services
+# Module: git
+#
+# Policy for the stupid content tracker
+#
+git = module
+
+# Layer: services
+# Module: glance
+#
+# Policy for glance
+#
+glance = module
+
+# Layer: contrib
+# Module: glusterd
+#
+# policy for glusterd service
+#
+glusterd = module
+
+# Layer: apps
+# Module: gnome
+#
+# gnome session and gconf
+#
+gnome = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = module
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+#
+gpm = module
+
+# Module: gpsd
+#
+# gpsd monitor daemon
+#
+#
+gpsd = module
+
+# Module: gssproxy
+#
+# A proxy for GSSAPI credential handling
+#
+#
+gssproxy = module
+
+# Layer: role
+# Module: guest
+#
+# Minimally privs guest account on tty logins
+#
+guest = module
+
+# Layer: role
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: services
+# Module: hddtemp
+#
+# hddtemp hard disk temperature tool running as a daemon
+#
+hddtemp = module
+
+# Layer: services
+# Module: hostapd
+#
+# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
+#
+hostapd = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = off
+
+# Layer: services
+# Module: icecast
+#
+# ShoutCast compatible streaming media server
+#
+icecast = module
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = module
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+#
+inn = module
+
+# Layer: services
+# Module: lircd
+#
+# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
+#
+lircd = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+#
+irc = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = module
+
+# Layer: system
+# Module: iscsi
+#
+# Open-iSCSI daemon
+#
+iscsi = module
+
+# Layer: system
+# Module: isnsd
+#
+#
+#
+isns = module
+
+# Layer: services
+# Module: jabber
+#
+# Jabber instant messaging server
+#
+jabber = module
+
+# Layer: services
+# Module: jetty
+#
+# Java based http server
+#
+jetty = module
+
+# Layer: apps
+# Module: jockey
+#
+# policy for jockey-backend
+#
+jockey = module
+
+# Layer: apps
+# Module: kdumpgui
+#
+# system-config-kdump policy
+#
+kdumpgui = module
+
+# Layer: admin
+# Module: kdump
+#
+# kdump is kernel crash dumping mechanism
+#
+kdump = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Layer: services
+# Module: keepalived
+#
+# keepalived - load-balancing and high-availability service
+#
+keepalived = module
+
+# Module: keyboardd
+#
+# system-setup-keyboard is a keyboard layout daemon that monitors
+# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
+#
+keyboardd = module
+
+# Layer: services
+# Module: keystone
+#
+# openstack-keystone
+#
+keystone = module
+
+# Layer: services
+# Module: kismet
+#
+# Wireless sniffing and monitoring
+#
+kismet = module
+
+# Layer: services
+# Module: ksmtuned
+#
+# Kernel Samepage Merging (KSM) Tuning Daemon
+#
+ksmtuned = module
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+#
+ktalk = module
+
+# Layer: services
+# Module: l2ltpd
+#
+# Layer 2 Tunnelling Protocol Daemon
+#
+l2tp = module
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: services
+# Module: likewise
+#
+# Likewise Active Directory support for UNIX
+#
+likewise = module
+
+# Layer: apps
+# Module: livecd
+#
+# livecd creator
+#
+livecd = module
+
+# Layer: services
+# Module: lldpad
+#
+# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon
+#
+lldpad = module
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = module
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+#
+lockdev = module
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = module
+
+# Layer: services
+# Module: logwatch
+#
+# logwatch executable
+#
+logwatch = module
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+#
+mailman = module
+
+# Layer: services
+# Module: mailman
+#
+# Policy for mailscanner
+#
+mailscanner = module
+
+# Layer: apps
+# Module: man2html
+#
+# policy for man2html apps
+#
+man2html = module
+
+# Layer: admin
+# Module: mcelog
+#
+# Policy for mcelog.
+#
+mcelog = module
+
+# Layer: apps
+# Module: mediawiki
+#
+# mediawiki
+#
+mediawiki = module
+
+# Layer: services
+# Module: memcached
+#
+# high-performance memory object caching system
+#
+memcached = module
+
+# Layer: services
+# Module: milter
+#
+#
+#
+milter = module
+
+# Layer: services
+# Module: mip6d
+#
+# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation
+#
+mip6d = module
+
+# Layer: services
+# Module: mock
+#
+# Policy for mock rpm builder
+#
+mock = module
+
+# Layer: services
+# Module: modemmanager
+#
+# Manager for dynamically switching between modems.
+#
+modemmanager = module
+
+# Layer: services
+# Module: mojomojo
+#
+# Wiki server
+#
+mojomojo = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
+
+# Layer: services
+# Module: mpd
+#
+# mpd - daemon for playing music
+#
+mpd = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Policy for Mozilla and related web browsers
+#
+mplayer = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+#
+mrtg = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = module
+
+# Layer: services
+# Module: munin
+#
+# Munin
+#
+munin = module
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = module
+
+# Layer: contrib
+# Module: mythtv
+#
+# Policy for Mythtv (Web Server)
+#
+mythtv = module
+
+# Layer: services
+# Module: nagios
+#
+# policy for nagios Host/service/network monitoring program
+#
+nagios = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
+
+# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = module
+
+# Layer: services
+# Module: ninfod
+#
+# Respond to IPv6 Node Information Queries
+#
+ninfod = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+# Layer: services
+# Module: nova
+#
+# openstack-nova
+#
+nova = module
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = module
+
+# Layer: services
+# Module: nslcd
+#
+# Policy for nslcd
+#
+nslcd = module
+
+# Layer: services
+# Module: ntop
+#
+# Policy for ntop
+#
+ntop = module
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: services
+# Module: numad
+#
+# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
+#
+numad = module
+
+# Layer: services
+# Module: nut
+#
+# nut - Network UPS Tools
+#
+nut = module
+
+# Layer: services
+# Module: nx
+#
+# NX Remote Desktop
+#
+nx = module
+
+# Layer: services
+# Module: obex
+#
+# policy for obex-data-server
+#
+obex = module
+
+# Layer: services
+# Module: oddjob
+#
+# policy for oddjob
+#
+oddjob = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = off
+
+# Layer: service
+# Module: openct
+#
+# Middleware framework for smart card terminals
+#
+openct = module
+
+# Layer: contrib
+# Module: openshift-origin
+#
+# Origin version of openshift policy
+#
+openshift-origin = module
+# Layer: contrib
+# Module: openshift
+#
+# Core openshift policy
+#
+openshift = module
+
+# Layer: services
+# Module: opensm
+#
+# InfiniBand subnet manager and administration (SM/SA)
+#
+opensm = module
+
+# Layer: services
+# Module: openvpn
+#
+# Policy for OPENVPN full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: contrib
+# Module: openvswitch
+#
+# SELinux policy for openvswitch programs
+#
+openvswitch = module
+
+# Layer: services
+# Module: openwsman
+#
+# WS-Management Server
+#
+openwsman = module
+
+# Layer: services
+# Module: osad
+#
+# Client-side service written in Python that responds to pings
+#
+osad = module
+
+# Layer: contrib
+# Module: prelude
+#
+# SELinux policy for prelude
+#
+prelude = module
+
+# Layer: contrib
+# Module: prosody
+#
+# SELinux policy for prosody flexible communications server for Jabber/XMPP
+#
+prosody = module
+
+# Layer: services
+# Module: pads
+#
+pads = module
+
+# Layer: services
+# Module: passenger
+#
+# Passenger
+#
+passenger = module
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
+
+# Layer: services
+# Module: pdns
+#
+# PowerDNS DNS server
+#
+pdns = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = module
+
+# Layer: services
+# Module: pingd
+#
+#
+pingd = module
+
+# Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: contrib
+# Module: pkcs
+#
+# daemon manages PKCS#11 objects between PKCS#11-enabled applications
+#
+pkcs = module
+
+# Layer: services
+# Module: plymouthd
+#
+# Plymouth
+#
+plymouthd = module
+
+# Layer: apps
+# Module: podsleuth
+#
+# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
+#
+podsleuth = module
+
+# Layer: services
+# Module: policykit
+#
+# Hardware abstraction layer
+#
+policykit = module
+
+# Layer: services
+# Module: polipo
+#
+# polipo
+#
+polipo = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: portreserve
+#
+# reserve ports to prevent portmap mapping them
+#
+portreserve = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+# Layer: services
+# Module: postgrey
+#
+# email scanner
+#
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: admin
+# Module: prelink
+#
+# Manage temporary directory sizes and file ages
+#
+prelink = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+#
+procmail = module
+
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+#
+psad = module
+
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+#
+ptchown = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: apps
+# Module: pulseaudio
+#
+# The PulseAudio Sound System
+#
+pulseaudio = module
+
+# Layer: services
+# Module: puppet
+#
+# A network tool for managing many disparate systems
+#
+puppet = module
+
+# Layer: apps
+# Module: pwauth
+#
+# External plugin for mod_authnz_external authenticator
+#
+pwauth = module
+
+# Layer: services
+# Module: qmail
+#
+# Policy for qmail
+#
+qmail = module
+
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpid = module
+
+# Layer: services
+# Module: quantum
+#
+# Quantum is a virtual network service for Openstack
+#
+quantum = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: services
+# Module: rabbitmq
+#
+# rabbitmq daemons
+#
+rabbitmq = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: services
+# Module: rasdaemon
+#
+# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing
+#
+rasdaemon = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: contrib
+# Module: stapserver
+#
+# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
+#
+realmd = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: services
+# Module: rhcs
+#
+# RHCS - Red Hat Cluster Suite
+#
+rhcs = module
+
+# Layer: services
+# Module: rhev
+#
+# rhev policy module contains policies for rhev apps
+#
+rhev = module
+
+# Layer: services
+# Module: rhgb
+#
+# X windows login display manager
+#
+rhgb = module
+
+# Layer: services
+# Module: rhsmcertd
+#
+# Subscription Management Certificate Daemon policy
+#
+rhsmcertd = module
+
+# Layer: services
+# Module: ricci
+#
+# policy for ricci
+#
+ricci = module
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpcbind
+#
+# universal addresses to RPC program number mapper
+#
+rpcbind = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+#
+rssh = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: services
+# Module: rtkit
+#
+# Real Time Kit Daemon
+#
+rtkit = module
+
+# Layer: services
+# Module: rwho
+#
+# who is logged in on local machines
+#
+rwho = module
+
+# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+sambagui = module
+
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: apps
+# Module: sandbox
+#
+# Policy for running apps within a sandbox
+#
+sandbox = module
+
+# Layer: apps
+# Module: sandbox
+#
+# Policy for running apps within a X sandbox
+#
+sandboxX = module
+
+# Layer: services
+# Module: sanlock
+#
+# sanlock policy
+#
+sanlock = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: services
+# Module: sblim
+#
+# sblim
+#
+sblim = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: admin
+# Module: sectoolm
+#
+# Policy for sectool-mechanism
+#
+sectoolm = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: contrib
+# Module: sensord
+#
+# Sensor information logging daemon
+#
+sensord = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = module
+
+# Layer: services
+# Module: sge
+#
+# policy for grindengine MPI jobs
+#
+sge = module
+
+# Layer: admin
+# Module: shorewall
+#
+# Policy for shorewall
+#
+shorewall = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: contrib
+# Module: slpd
+#
+# OpenSLP server daemon to dynamically register services
+#
+slpd = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = off
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: smokeping
+#
+# Latency Logging and Graphing System
+#
+smokeping = module
+
+# Layer: admin
+# Module: smoltclient
+#
+#The Fedora hardware profiler client
+#
+smoltclient = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: admin
+# Module: sosreport
+#
+# sosreport debuggin information generator
+#
+sosreport = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: speech-dispatcher
+#
+# speech-dispatcher - server process managing speech requests in Speech Dispatcher
+#
+speech-dispatcher = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: services
+# Module: sslh
+#
+# Applicative protocol(SSL/SSH) multiplexer
+#
+sslh = module
+
+# Layer: contrib
+# Module: stapserver
+#
+# Instrumentation System Server
+#
+stapserver = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: services
+# Module: svnserve
+#
+# policy for subversion service
+#
+svnserve = module
+
+# Layer: services
+# Module: swift
+#
+# openstack-swift
+#
+swift = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: tcsd
+#
+# tcsd - daemon that manages Trusted Computing resources
+#
+tcsd = module
+
+# Layer: apps
+# Module: telepathy
+#
+# telepathy - Policy for Telepathy framework
+#
+telepathy = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: tgtd
+#
+# Linux Target Framework Daemon.
+#
+tgtd = module
+
+# Layer: apps
+# Module: thumb
+#
+# Thumbnailer confinement
+#
+thumb = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = off
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: contrib
+# Module: glusterd
+#
+# policy for tomcat service
+#
+tomcat = module
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: services
+# Module: ulogd
+#
+# netfilter/iptables ULOG daemon
+#
+ulogd = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = module
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: services
+# Module: usbmuxd
+#
+# Daemon for communicating with Apple's iPod Touch and iPhone
+#
+usbmuxd = module
+
+# Layer: apps
+# Module: userhelper
+#
+# A helper interface to pam.
+#
+userhelper = module
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: uuidd
+#
+# UUID generation daemon
+#
+uuidd = module
+
+# Layer: services
+# Module: varnishd
+#
+# Varnishd http accelerator daemon
+#
+varnishd = module
+
+# Layer: services
+# Module: vdagent
+#
+# vdagent
+#
+vdagent = module
+
+# Layer: services
+# Module: vhostmd
+#
+# vhostmd - spice guest agent daemon.
+#
+vhostmd = module
+
+# Layer: services
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = module
+
+# Layer: apps
+# Module: vhostmd
+#
+# vlock - Virtual Console lock program
+#
+vlock = module
+
+# Layer: services
+# Module: vmtools
+#
+# VMware Tools daemon
+#
+vmtools = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: services
+# Module: vnstatd
+#
+# Network traffic Monitor
+#
+vnstatd = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: services
+# Module: w3c
+#
+# w3c
+#
+w3c = module
+
+# Layer: services
+# Module: wdmd
+#
+# wdmd policy
+#
+wdmd = module
+
+# Layer: role
+# Module: webadm
+#
+# Minimally prived root role for managing apache
+#
+webadm = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# wine executable
+#
+wine = module
+
+# Layer: apps
+# Module: wireshark
+#
+# wireshark executable
+#
+wireshark = module
+
+# Layer: system
+# Module: xen
+#
+# virtualization software
+#
+xen = module
+
+# Layer: services
+# Module: zabbix
+#
+# Open-source monitoring solution for your IT infrastructure
+#
+zabbix = module
+
+# Layer: services
+# Module: zarafa
+#
+# Zarafa Collaboration Platform
+#
+zarafa = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: services
+# Module: zoneminder
+#
+# Zoneminder Camera Security Surveillance Solution
+#
+zoneminder = module
+
+# Layer: services
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
+# Layer: contrib
+# Module: thin
+#
+# Policy for thin
+#
+thin = module
+
+# Layer: contrib
+# Module: mandb
+#
+# Policy for mandb
+#
+mandb = module
+
+# Layer: services
+# Module: pki
+#
+# policy for pki
+#
+pki = module
+
+# Layer: services
+# Module: smsd
+#
+# policy for smsd
+#
+smsd = module
+
+# Layer: contrib
+# Module: pesign
+#
+# policy for pesign
+#
+pesign = module
+
+# Layer: contrib
+# Module: nsd
+#
+# Fast and lean authoritative DNS Name Server
+#
+nsd = module
+
+# Layer: contrib
+# Module: iodine
+#
+# Fast and lean authoritative DNS Name Server
+#
+iodine = module
+
+# Layer: contrib
+# Module: openhpid
+#
+# OpenHPI daemon runs as a background process and accepts connecti
+#
+openhpid = module
+
+# Layer: contrib
+# Module: watchdog
+#
+# Watchdog policy
+#
+watchdog = module
+
+# Layer: contrib
+# Module: oracleasm
+#
+# oracleasm policy
+#
+oracleasm = module
+
+# Layer: contrib
+# Module: redis
+#
+# redis policy
+#
+redis = module
+
+# Layer: contrib
+# Module: hypervkvp
+#
+# hypervkvp policy
+#
+hypervkvp = module
+
+# Layer: contrib
+# Module: lsm
+#
+# lsm policy
+#
+lsm = module
+
+# Layer: contrib
+# Module: motion
+#
+# Daemon for detect motion using a video4linux device
+motion = module
+
+# Layer: contrib
+# Module: rtas
+#
+# rtas policy
+#
+rtas = module
+
+# Layer: contrib
+# Module: journalctl
+#
+# journalctl policy
+#
+journalctl = module
+
+# Layer: contrib
+# Module: gdomap
+#
+# gdomap policy
+#
+gdomap = module
+
+# Layer: contrib
+# Module: minidlna
+#
+# minidlna policy
+#
+minidlna = module
+
+# Layer: contrib
+# Module: minissdpd
+#
+# minissdpd policy
+#
+minissdpd = module
+
+# Layer: contrib
+# Module: freeipmi
+#
+# Remote-Console (out-of-band) and System Management Software (in-band)
+# based on IntelligentPlatform Management Interface specification
+#
+freeipmi = module
+
+# Layer: contrib
+# Module: mirrormanager
+#
+# mirrormanager policy
+#
+mirrormanager = module
+
+# Layer: contrib
+# Module: snapper
+#
+# snapper policy
+#
+snapper = module
+
+# Layer: contrib
+# Module: pcp
+#
+# pcp policy
+#
+pcp = module
+
+# Layer: contrib
+# Module: geoclue
+#
+# Add policy for Geoclue.
Geoclue is a D-Bus service that provides location information
+#
+geoclue = module
+
+# Layer: contrib
+# Module: rkhunter
+#
+# rkhunter policy for /var/lib/rkhunter
+#
+rkhunter = module
+
+# Layer: contrib
+# Module: bacula
+#
+# bacula policy
+#
+bacula = module
+
+# Layer: contrib
+# Module: rhnsd
+#
+# rhnsd policy
+#
+rhnsd = module
+
+# Layer: contrib
+# Module: mongodb
+#
+# mongodb policy
+#
+
+mongodb = module
+
+# Layer: contrib
+# Module: iotop
+#
+# iotop policy
+#
+
+iotop = module
+
+# Layer: contrib
+# Module: kmscon
+#
+# kmscon policy
+#
+
+kmscon = module
+
+# Layer: contrib
+# Module: naemon
+#
+# naemon policy
+#
+naemon = module
+
+# Layer: contrib
+# Module: brltty
+#
+# brltty policy
+#
+brltty = module
+
+# Layer: contrib
+# Module: cpuplug
+#
+# cpuplug policy
+#
+cpuplug = module
+
+# Layer: contrib
+# Module: mon_statd
+#
+# mon_statd policy
+#
+mon_statd = module
+
+# Layer: contrib
+# Module: cinder
+#
+# openstack-cinder policy
+#
+cinder = module
+
+# Layer: contrib
+# Module: linuxptp
+#
+# linuxptp policy
+#
+linuxptp = module
+
+# Layer: contrib
+# Module: rolekit
+#
+# rolekit policy
+#
+rolekit = module
+
+# Layer: contrib
+# Module: targetd
+#
+# targetd policy
+#
+targetd = module
+
+# Layer: contrib
+# Module: hsqldb
+#
+# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.
+#
+hsqldb = module
+
+# Layer: contrib
+# Module: blkmapd
+#
+# The blkmapd daemon performs device discovery and mapping for pNFS block layout client.
+#
+blkmapd = module
+
+# Layer: contrib
+# Module: pkcs11proxyd
+#
+# pkcs11proxyd policy
+#
+pkcs11proxyd = module
+
+# Layer: contrib
+# Module: ipmievd
+#
+# IPMI event daemon for sending events to syslog
+#
+ipmievd = module
+
+# Layer: contrib
+# Module: openfortivpn
+#
+# Fortinet compatible SSL VPN daemons.
+#
+openfortivpn = module
+
+# Layer: contrib
+# Module: fwupd
+#
+# fwupd is a daemon to allow session software to update device firmware.
+#
+fwupd = module
+
+# Layer: contrib
+# Module: lttng-tools
+#
+# LTTng 2.x central tracing registry session daemon.
+#
+lttng-tools = module
+
+# Layer: contrib
+# Module: rkt
+#
+# CLI for running app containers
+#
+rkt = module
+
+# Layer: contrib
+# Module: opendnssec
+#
+# opendnssec
+#
+opendnssec = module
+
+# Layer: contrib
+# Module: hwloc
+#
+# hwloc
+#
+hwloc = module
+
+# Layer: contrib
+# Module: sbd
+#
+# sbd
+#
+sbd = module
+
+# Layer: contrib
+# Module: tlp
+#
+# tlp
+#
+tlp = module
+
+# Layer: contrib
+# Module: conntrackd
+#
+# conntrackd
+#
+conntrackd = module
+
+# Layer: contrib
+# Module: tangd
+#
+# tangd
+#
+tangd = module
+
+# Layer: contrib
+# Module: ibacm
+#
+# ibacm
+#
+ibacm = module
+
+# Layer: contrib
+# Module: opafm
+#
+# opafm
+#
+opafm = module
+
+# Layer: contrib
+# Module: boltd
+#
+# boltd
+#
+boltd = module
+
+# Layer: contrib
+# Module: kpatch
+#
+# kpatch
+#
+kpatch = module
+
+# Layer: contrib
+# Module: timedatex
+#
+# timedatex
+#
+timedatex = module
+
+# Layer: contrib
+# Module: rrdcached
+#
+# rrdcached
+#
+rrdcached = module
+
+# Layer: contrib
+# Module: stratisd
+#
+# stratisd
+#
+stratisd = module
+
+# Layer: contrib
+# Module: ica
+#
+# ica
+#
+ica = module
+
+# Layer: contrib
+# Module: insights_client
+#
+# insights_client
+#
+insights_client = module
+
+# Layer: contrib
+# Module: stalld
+#
+# stalld
+#
+stalld = module
+
+# Layer: contrib
+# Module: rhcd
+#
+# rhcd
+#
+rhcd = module
+
+# Layer: contrib
+# Module: wireguard
+#
+# wireguard
+#
+wireguard = module
+
+# Layer: contrib
+# Module: mptcpd
+#
+# mptcpd
+#
+mptcpd = module
+
+# Layer: contrib
+# Module: rshim
+#
+# rshim
+#
+rshim = module
diff --git a/SOURCES/permissivedomains.cil b/SOURCES/permissivedomains.cil
new file mode 100644
index 0000000..400bcf6
--- /dev/null
+++ b/SOURCES/permissivedomains.cil
@@ -0,0 +1,2 @@
+(roleattributeset cil_gen_require system_r)
+
diff --git a/SOURCES/rpm.macros b/SOURCES/rpm.macros
new file mode 100644
index 0000000..f63f5fe
--- /dev/null
+++ b/SOURCES/rpm.macros
@@ -0,0 +1,182 @@
+# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
+#
+# Author: Petr Lautrbach
+# Author: Lukáš Vrabec
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# RPM macros for packages installing SELinux modules
+
+%_selinux_policy_version SELINUXPOLICYVERSION
+
+%_selinux_store_path SELINUXSTOREPATH
+%_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
+
+%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
+%_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
+
+%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
+%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
+
+# %selinux_requires
+%selinux_requires \
+Requires: selinux-policy >= %{_selinux_policy_version} \
+BuildRequires: pkgconfig(systemd) \
+BuildRequires: selinux-policy \
+BuildRequires: selinux-policy-devel \
+Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
+Requires(post): libselinux-utils \
+Requires(post): policycoreutils \
+%if 0%{?fedora} || 0%{?rhel} > 7\
+Requires(post): policycoreutils-python-utils \
+%else \
+Requires(post): policycoreutils-python \
+%endif \
+%{nil}
+
+# %selinux_modules_install [-s ] [-p ] module [module]...
+%selinux_modules_install("s:p:") \
+if [ -e /etc/selinux/config ]; then \
+ .
/etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
+ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+fi \
+%{nil}
+
+# %selinux_modules_uninstall [-s ] [-p ] module [module]...
+%selinux_modules_uninstall("s:p:") \
+if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if [ $1 -eq 0 ]; then \
+ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
+ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+ fi \
+fi \
+%{nil}
+
+# %selinux_relabel_pre [-s ]
+%selinux_relabel_pre("s:") \
+if %{_sbindir}/selinuxenabled; then \
+ if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+ fi \
+ _policytype=%{-s*} \
+ if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+ fi \
+ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+ fi \
+fi \
+%{nil}
+
+
+# %selinux_relabel_post [-s ]
+%selinux_relabel_post("s:") \
+if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ if [ -f %{_file_context_file_pre} ]; then \
+ %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
+ rm -f %{_file_context_file_pre} \
+ fi \
+fi \
+%{nil}
+
+# %selinux_set_booleans [-s ] boolean [boolean]...
+%selinux_set_booleans("s:") \
+if [ -e /etc/selinux/config ]; then \
+ .
/etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if [ -d "%{_selinux_store_policy_path}" ]; then \
+ LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
+ if [ ! -f %_file_custom_defined_booleans ]; then \
+ /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
+ fi \
+ semanage_import='' \
+ for boolean in %*; do \
+ boolean_name=${boolean%=*} \
+ boolean_value=${boolean#*=} \
+ boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
+ if [ -n "$boolean_local_string" ]; then \
+ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+ boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+ if [ -n "$boolean_customized_string" ]; then \
+ /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+ else \
+ /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+ fi \
+ else \
+ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+ boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+ /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+ fi \
+ done; \
+ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+ elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+ fi \
+fi \
+%{nil}
+
+# %selinux_unset_booleans [-s ] boolean [boolean]...
+%selinux_unset_booleans("s:") \
+if [ -e /etc/selinux/config ]; then \
+ .
/etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if [ -d "%{_selinux_store_policy_path}" ]; then \
+ semanage_import='' \
+ for boolean in %*; do \
+ boolean_name=${boolean%=*} \
+ boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+ if [ -n "$boolean_customized_string" ]; then \
+ awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
+ if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
+ semanage_import="${semanage_import}\\n${boolean_customized_string}" \
+ fi \
+ fi \
+ done; \
+ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+ elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+ fi \
+fi \
+%{nil}
diff --git a/SOURCES/securetty_types-minimum b/SOURCES/securetty_types-minimum
new file mode 100644
index 0000000..7055096
--- /dev/null
+++ b/SOURCES/securetty_types-minimum
@@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t
diff --git a/SOURCES/securetty_types-mls b/SOURCES/securetty_types-mls
new file mode 100644
index 0000000..89bf54d
--- /dev/null
+++ b/SOURCES/securetty_types-mls
@@ -0,0 +1,6 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t
+auditadm_tty_device_t
+secureadm_tty_device_t
diff --git a/SOURCES/securetty_types-targeted b/SOURCES/securetty_types-targeted
new file mode 100644
index 0000000..7055096
--- /dev/null
+++ b/SOURCES/securetty_types-targeted
@@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t
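Review bot: In both %selinux_set_booleans and %selinux_unset_booleans the fallback `elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then` applies -d to a path named like a file, so if base.lst is a regular file (as its name suggests) that branch can never be taken and the `semanage import ... -N` path for a store that is installed but not the active policy is dead code. Changing it to `elif test -f /usr/share/selinux/"${_policytype}"/base.lst; then` in both macros makes the no-reload import reachable. Separately, `grep "$boolean_name\$"` is anchored only at the end, so a boolean whose name is a suffix of another boolean's name can pick up the wrong line from the `semanage boolean -E` output and from rpmbooleans.custom; if those lines have the `boolean -m -<value> <name>` shape the code itself writes, `grep " $boolean_name\$"` narrows the match to the intended entry. The same unanchored grep also feeds the awk regex in %selinux_unset_booleans, so the fix should be applied at all three grep sites.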
diff --git a/SOURCES/selinux-check-proper-disable.service b/SOURCES/selinux-check-proper-disable.service
new file mode 100644
index 0000000..8f3b4da
--- /dev/null
+++ b/SOURCES/selinux-check-proper-disable.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Check that SELinux is not disabled the unsafe way
+ConditionKernelCommandLine=!selinux=0
+After=sysinit.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/selinux/config
+ExecCondition=test "$SELINUX" = disabled
+ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
+StandardOutput=journal+console
+SyslogLevel=warning
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/selinux-policy.conf b/SOURCES/selinux-policy.conf
new file mode 100644
index 0000000..f2f1ced
--- /dev/null
+++ b/SOURCES/selinux-policy.conf
@@ -0,0 +1,4 @@
+z /sys/devices/system/cpu/online - - -
+Z /sys/class/net - - -
+z /sys/kernel/uevent_helper - - -
+w /sys/fs/selinux/checkreqprot - - - - 0
diff --git a/SOURCES/setrans-minimum.conf b/SOURCES/setrans-minimum.conf
new file mode 100644
index 0000000..09a6ce3
--- /dev/null
+++ b/SOURCES/setrans-minimum.conf
@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
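Review bot: `EnvironmentFile=/etc/selinux/config` has no leading `-`, so on a host where that file is absent the unit fails to start and shows up as a failed service instead of being skipped. With `EnvironmentFile=-/etc/selinux/config` a missing file is treated as empty, `ExecCondition=test "$SELINUX" = disabled` then fails cleanly, and no warning is printed, which is the intended outcome when there is nothing to check. A one-line unit comment such as `# Warn when the config says disabled but the kernel was not booted with selinux=0` above [Unit] would also make the purpose of the ConditionKernelCommandLine/ExecCondition pair obvious without reading the echo text.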
diff --git a/SOURCES/setrans-mls.conf b/SOURCES/setrans-mls.conf
new file mode 100644
index 0000000..eb181d2
--- /dev/null
+++ b/SOURCES/setrans-mls.conf
@@ -0,0 +1,52 @@
+#
+# Multi-Level Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be labeled with one of 16 levels and be categorized with 0-1023
+# categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Users can modify this table to translate the MLS labels for different purpose.
+#
+# Assumptions: using below MLS labels.
+# SystemLow
+# SystemHigh
+# Unclassified
+# Secret with compartments A and B.
+#
+# SystemLow and SystemHigh
+s0=SystemLow
+s15:c0.c1023=SystemHigh
+s0-s15:c0.c1023=SystemLow-SystemHigh
+
+# Unclassified level
+s1=Unclassified
+
+# Secret level with compartments
+s2=Secret
+s2:c0=A
+s2:c1=B
+
+# ranges for Unclassified
+s0-s1=SystemLow-Unclassified
+s1-s2=Unclassified-Secret
+s1-s15:c0.c1023=Unclassified-SystemHigh
+
+# ranges for Secret with compartments
+s0-s2=SystemLow-Secret
+s0-s2:c0=SystemLow-Secret:A
+s0-s2:c1=SystemLow-Secret:B
+s0-s2:c0,c1=SystemLow-Secret:AB
+s1-s2:c0=Unclassified-Secret:A
+s1-s2:c1=Unclassified-Secret:B
+s1-s2:c0,c1=Unclassified-Secret:AB
+s2-s2:c0=Secret-Secret:A
+s2-s2:c1=Secret-Secret:B
+s2-s2:c0,c1=Secret-Secret:AB
+s2-s15:c0.c1023=Secret-SystemHigh
+s2:c0-s2:c0,c1=Secret:A-Secret:AB
+s2:c0-s15:c0.c1023=Secret:A-SystemHigh
+s2:c1-s2:c0,c1=Secret:B-Secret:AB
+s2:c1-s15:c0.c1023=Secret:B-SystemHigh
+s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
diff --git a/SOURCES/setrans-targeted.conf b/SOURCES/setrans-targeted.conf
new file mode 100644
index 0000000..09a6ce3
--- /dev/null
+++ b/SOURCES/setrans-targeted.conf
@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
diff --git a/SOURCES/users-minimum b/SOURCES/users-minimum
new file mode 100644
index 0000000..66af860
--- /dev/null
+++ b/SOURCES/users-minimum
@@ -0,0 +1,39 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/SOURCES/users-mls b/SOURCES/users-mls
new file mode 100644
index 0000000..8fad9ea
--- /dev/null
+++ b/SOURCES/users-mls
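Review bot: The header comment carries two typos that are copied verbatim into users-mls and users-targeted in this commit: `[mcs_catetories]` should read `[mcs_categories]` and `Identities without a prefix wil not be listed` should read `will not be listed`. Because the three files share this identical preamble, fixing all three together (or generating the preamble from one place) keeps them from drifting further apart. It would also help a reader to have a one-line comment above `gen_user(system_u,, system_r unconfined_r, ...)` noting that the minimum and targeted files give system_u `unconfined_r` while users-mls deliberately does not.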
@@ -0,0 +1,40 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/SOURCES/users-targeted b/SOURCES/users-targeted
new file mode 100644
index 0000000..a875306
--- /dev/null
+++ b/SOURCES/users-targeted
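Review bot: `gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, ...)` and the `staff_u` line give a single identity `sysadm_r`, `secadm_r` and `auditadm_r` at once, which is exactly the role split an MLS configuration is usually deployed to enforce (system, security and audit administration held by different people). If collapsing them onto root and staff_u is the intended default for this distribution, a comment above those two lines saying so, e.g. `# root and staff_u hold all admin roles by default; define separate secadm/auditadm identities for a strict separation-of-duties deployment`, would stop the next maintainer from reading it as an oversight. Note that this file, unlike users-minimum and users-targeted, keeps `system_u` on `system_r` only, which is the stricter choice and is worth a sentence in the system_u comment.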
@@ -0,0 +1,41 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
new file mode 100644
index 0000000..d200ca4
--- /dev/null
+++ b/SPECS/selinux-policy.spec
@@ -0,0 +1,1801 @@
+# github repo with selinux-policy sources
+%global giturl https://github.com/fedora-selinux/selinux-policy
+%global commit c918655b6a1a2d56e13349b2de3d5ea4f01b2caa
+%global shortcommit %(c=%{commit}; echo ${c:0:7})
+
+%define distro redhat
+%define polyinstatiate n
+%define monolithic n
+%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
+%define BUILD_DOC 1
+%endif
+%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
+%define BUILD_TARGETED 1
+%endif
+%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
+%define BUILD_MINIMUM 1
+%endif
+%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
+%define BUILD_MLS 1
+%endif
+%define POLICYVER 33
+%define POLICYCOREUTILSVER 3.4-1
+%define CHECKPOLICYVER 3.2
+Summary: SELinux policy configuration
+Name: selinux-policy
+Version: 38.1.8
+Release: 1%{?dist}
+License: GPLv2+
+Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
+Source1: modules-targeted-base.conf
+Source31: modules-targeted-contrib.conf
+Source2: booleans-targeted.conf
+Source3: Makefile.devel
+Source4: setrans-targeted.conf
+Source5: modules-mls-base.conf
+Source32: modules-mls-contrib.conf
+Source6: booleans-mls.conf
+Source8: setrans-mls.conf
+Source14: securetty_types-targeted
+Source15: securetty_types-mls
+#Source16: modules-minimum.conf
+Source17: booleans-minimum.conf
+Source18: setrans-minimum.conf
+Source19: securetty_types-minimum
+Source20: customizable_types
+Source22: users-mls
+Source23: users-targeted
+Source25: users-minimum
+Source26: file_contexts.subs_dist
+Source27: selinux-policy.conf
+Source28: permissivedomains.cil
+Source30: booleans.subs_dist
+
+# Tool helps during policy development, to expand system m4 macros to raw allow rules
+# Git repo: https://github.com/fedora-selinux/macro-expander.git
+Source33: macro-expander
+
+# Include SELinux policy for container from separate container-selinux repo
+# Git repo: https://github.com/containers/container-selinux.git
+Source35: container-selinux.tgz
+
+Source36: selinux-check-proper-disable.service
+
+# 
Provide rpm macros for packages installing SELinux modules
+Source102: rpm.macros
+
+Url: %{giturl}
+BuildArch: noarch
+BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
+BuildRequires: make
+BuildRequires: systemd-rpm-macros
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(post): /bin/awk /usr/bin/sha512sum
+Requires(meta): rpm-plugin-selinux
+Requires: selinux-policy-any = %{version}-%{release}
+Provides: selinux-policy-base = %{version}-%{release}
+Suggests: selinux-policy-targeted
+
+%description
+SELinux core policy package.
+Originally based off of reference policy,
+the policy has been adjusted to provide support for Fedora.
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%dir %{_datadir}/selinux
+%dir %{_datadir}/selinux/packages
+%dir %{_sysconfdir}/selinux
+%ghost %config(noreplace) %{_sysconfdir}/selinux/config
+%ghost %{_sysconfdir}/sysconfig/selinux
+%{_usr}/lib/tmpfiles.d/selinux-policy.conf
+%{_rpmconfigdir}/macros.d/macros.selinux-policy
+%{_unitdir}/selinux-check-proper-disable.service
+
+%package sandbox
+Summary: SELinux sandbox policy
+Requires(pre): selinux-policy-base = %{version}-%{release}
+Requires(pre): selinux-policy-targeted = %{version}-%{release}
+
+%description sandbox
+SELinux sandbox policy for use with the sandbox utility.
+
+%files sandbox
+%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp
+
+%post sandbox
+rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
+rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
+%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
+if %{_sbindir}/selinuxenabled ; then
+ %{_sbindir}/load_policy
+fi;
+exit 0
+
+%preun sandbox
+if [ $1 -eq 0 ] ; then
+ %{_sbindir}/semodule -n -d sandbox 2>/dev/null
+ if %{_sbindir}/selinuxenabled ; then
+ %{_sbindir}/load_policy
+ fi;
+fi;
+exit 0
+
+%package devel
+Summary: SELinux policy development files
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
+Requires: /usr/bin/make
+Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
+
+%description devel
+SELinux policy development package.
+This package contains:
+- interfaces, macros, and patterns for policy development
+- a policy example
+- the macro-expander utility
+and some additional files.
+
+%files devel
+%{_bindir}/macro-expander
+%dir %{_datadir}/selinux/devel
+%dir %{_datadir}/selinux/devel/include
+%{_datadir}/selinux/devel/include/*
+%exclude %{_datadir}/selinux/devel/include/contrib/container.if
+%dir %{_datadir}/selinux/devel/html
+%{_datadir}/selinux/devel/html/*html
+%{_datadir}/selinux/devel/html/*css
+%{_datadir}/selinux/devel/Makefile
+%{_datadir}/selinux/devel/example.*
+%{_datadir}/selinux/devel/policy.*
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
+
+%post devel
+%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
+exit 0
+
+%package doc
+Summary: SELinux policy documentation
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+
+%description doc
+SELinux policy documentation package.
+This package contains manual pages and documentation of the policy modules.
+
+%files doc
+%{_mandir}/man*/*
+%{_mandir}/ru/*/*
+%doc %{_datadir}/doc/%{name}
+
+%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
+
+%define makeCmds() \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
+cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
+cp -f selinux_config/users-%1 ./policy/users \
+#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
+
+%define makeModulesConf() \
+cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
+cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
+if [ %3 == "contrib" ];then \
+ cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
+ cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
+fi; \
+
+%define installCmds() \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
+%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
+make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
+make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
+make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
+%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
+install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
+install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
+install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
+install -m0644 selinux_config/customizable_types 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
+cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
+rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
+%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
+rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
+rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
+rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
+%nil
+
+%define fileList() \
+%defattr(-,root,root) \
+%dir %{_sysconfdir}/selinux/%1 \
+%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
+%dir %{_sysconfdir}/selinux/%1/logins \
+%dir %{_sharedstatedir}/selinux/%1/active \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
+%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
+%dir %{_sysconfdir}/selinux/%1/policy/ \
+%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
+%{_sysconfdir}/selinux/%1/.policy.sha512 \
+%dir %{_sysconfdir}/selinux/%1/contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
+%config 
%{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
+%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
+%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
+%dir %{_sysconfdir}/selinux/%1/contexts/files \
+%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
+%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
+%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
+%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
+%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
+%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
+%{_sysconfdir}/selinux/%1/booleans.subs_dist \
+%config %{_sysconfdir}/selinux/%1/contexts/files/media \
+%dir %{_sysconfdir}/selinux/%1/contexts/users \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
+%dir %{_datadir}/selinux/%1 \
+%{_datadir}/selinux/%1/base.lst \
+%{_datadir}/selinux/%1/modules-base.lst \
+%{_datadir}/selinux/%1/modules-contrib.lst \
+%{_datadir}/selinux/%1/nonbasemodules.lst \
+%dir %{_sharedstatedir}/selinux/%1 \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
+%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
+%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
+%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
+%nil
+
+%define relabel() \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config &> /dev/null || true; \
+fi; \
+FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
+ %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
+ rm -f ${FILE_CONTEXT}.pre; \
+fi; \
+if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
+ continue; \
+fi;
+
+%define preInstall() \
+if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
+ for MOD_NAME in ganesha ipa_custodia kdbus; do \
+ if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
+ %{_sbindir}/semodule -n -d $MOD_NAME; \
+ fi; \
+ done; \
+ . 
%{_sysconfdir}/selinux/config; \
+ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
+ if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
+ [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
+ fi; \
+ touch %{_sysconfdir}/selinux/%1/.rebuild; \
+ if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
+ POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
+ sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
+ checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
+ if [ "$sha512" == "$checksha512" ] ; then \
+ rm %{_sysconfdir}/selinux/%1/.rebuild; \
+ fi; \
+ fi; \
+fi;
+
+%define postInstall() \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config &> /dev/null || true; \
+fi; \
+if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
+ rm %{_sysconfdir}/selinux/%2/.rebuild; \
+fi; \
+%{_sbindir}/semodule -B -n -s %2; \
+[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \
+if [ %1 -eq 1 ]; then \
+ %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
+else \
+%relabel %2 \
+fi;
+
+%define modulesList() \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
+if [ -e ./policy/modules-contrib.conf ];then \
+ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
+fi;
+
+%define nonBaseModulesList() \
+contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
+base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
+for i in $contrib_modules $base_modules; do \
+ if [ $i != "sandbox" ];then \
+ 
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
+ fi; \
+done;
+
+# Make sure the config is consistent with what packages are installed in the system
+# this covers cases when system is installed with selinux-policy-{mls,minimal}
+# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
+# been rebooted yet.
+# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
+# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
+# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
+# Steps:
+# * load values from config and its backup
+# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
+# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
+# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
+%define checkConfigConsistency() \
+if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
+ . %{_sysconfdir}/selinux/.config_backup; \
+else \
+ BACKUP_SELINUXTYPE=targeted; \
+fi; \
+if [ -s %{_sysconfdir}/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config; \
+ if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
+ if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
+ sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
+ fi; \
+ elif [ "%1" = "targeted" ]; then \
+ if [ "%1" != "$SELINUXTYPE" ]; then \
+ sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
+ fi; \
+ elif ! 
ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
+ if [ "%1" != "$SELINUXTYPE" ]; then \
+ sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
+ fi; \
+ fi; \
+fi;
+
+# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
+# of variables inside so that they are easy to use later
+# This should be done in "pretrans" because config content can change during RPM operations
+# The macro has to be used in a script slot with "-p "
+%define backupConfigLua() \
+local sysconfdir = rpm.expand("%{_sysconfdir}") \
+local config_file = sysconfdir .. "/selinux/config" \
+local config_backup = sysconfdir .. "/selinux/.config_backup" \
+os.remove(config_backup) \
+if posix.stat(config_file) then \
+ local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
+ local content = f:read("*all") \
+ f:close() \
+ local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
+ local bf = assert(io.open(config_backup, "w"), "Failed to open " .. 
config_backup) \
+ bf:write(backup) \
+ bf:close() \
+end
+
+%build
+
+%prep
+%setup -n %{name}-%{commit} -q
+tar -C policy/modules/contrib -xf %{SOURCE35}
+
+mkdir selinux_config
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
+ cp $i selinux_config
+done
+
+%install
+# Build targeted policy
+%{__rm} -fR %{buildroot}
+mkdir -p %{buildroot}%{_sysconfdir}/selinux
+mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
+touch %{buildroot}%{_sysconfdir}/selinux/config
+touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
+mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
+cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
+mkdir -p %{buildroot}%{_bindir}
+install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/
+
+# Always create policy module package directories
+mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
+mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
+
+mkdir -p %{buildroot}%{_datadir}/selinux/packages
+
+# Install devel
+make clean
+%if %{BUILD_TARGETED}
+# Build targeted policy
+%makeCmds targeted mcs allow
+%makeModulesConf targeted base contrib
+%installCmds targeted mcs allow
+# install permissivedomains.cil
+%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
+# recreate sandbox.pp
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
+%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
+mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
+%modulesList targeted
+%nonBaseModulesList targeted
+%endif
+
+%if %{BUILD_MINIMUM}
+# Build minimum policy
+%makeCmds minimum mcs allow
+%makeModulesConf targeted base contrib
+%installCmds minimum mcs allow
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
+%modulesList minimum
+%nonBaseModulesList minimum
+%endif
+
+%if %{BUILD_MLS}
+# Build mls policy
+%makeCmds mls mls deny
+%makeModulesConf mls base contrib
+%installCmds mls mls deny
+%modulesList mls
+%nonBaseModulesList mls
+%endif
+
+# remove leftovers when save-previous=true (semanage.conf) is used
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
+
+mkdir -p %{buildroot}%{_mandir}
+cp -R man/* %{buildroot}%{_mandir}
+make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
+make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
+mkdir %{buildroot}%{_datadir}/selinux/devel/
+mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
+install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
+install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
+install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
+%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
+mkdir %{buildroot}%{_datadir}/selinux/devel/html
+mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
+mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
+
+mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
+install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
+
+rm -rf selinux_config
+
+%post
+%systemd_post selinux-check-proper-disable.service
+if [ ! 
-s %{_sysconfdir}/selinux/config ]; then
+#
+# New install so we will default to targeted policy
+#
+echo "
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+# See also:
+# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
+#
+# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
+# fully disable SELinux during boot. If you need a system with SELinux
+# fully disabled instead of SELinux running with no policy loaded, you
+# need to pass selinux=0 to the kernel command line. You can use grubby
+# to persistently set the bootloader to boot with selinux=0:
+#
+# grubby --update-kernel ALL --args selinux=0
+#
+# To revert back to SELinux enabled:
+#
+# grubby --update-kernel ALL --remove-args selinux
+#
+SELINUX=enforcing
+# SELINUXTYPE= can take one of these three values:
+# targeted - Targeted processes are protected,
+# minimum - Modification of targeted policy. Only selected processes are protected.
+# mls - Multi Level Security protection.
+SELINUXTYPE=targeted
+
+" > %{_sysconfdir}/selinux/config
+
+ ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
+ %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
+else
+ . %{_sysconfdir}/selinux/config
+fi
+exit 0
+
+%preun
+%systemd_preun selinux-check-proper-disable.service
+
+%postun
+%systemd_postun selinux-check-proper-disable.service
+if [ $1 = 0 ]; then
+ %{_sbindir}/setenforce 0 2> /dev/null
+ if [ ! 
-s %{_sysconfdir}/selinux/config ]; then
+ echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+ else
+ sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
+ fi
+fi
+exit 0
+
+%if %{BUILD_TARGETED}
+%package targeted
+Summary: SELinux targeted policy
+Provides: selinux-policy-any = %{version}-%{release}
+Obsoletes: selinux-policy-targeted-sources < 2
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Conflicts: audispd-plugins <= 1.7.7-1
+Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
+Obsoletes: cachefilesd-selinux <= 0.10-1
+Conflicts: seedit
+Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
+Conflicts: container-selinux < 2:1.12.1-22
+
+%description targeted
+SELinux targeted policy package.
+
+%pretrans targeted -p
+%backupConfigLua
+
+%pre targeted
+%preInstall targeted
+
+%post targeted
+%checkConfigConsistency targeted
+%postInstall $1 targeted
+exit 0
+
+%posttrans targeted
+%checkConfigConsistency targeted
+
+%postun targeted
+if [ $1 = 0 ]; then
+ if [ -s %{_sysconfdir}/selinux/config ]; then
+ source %{_sysconfdir}/selinux/config &> /dev/null || true
+ fi
+ if [ "$SELINUXTYPE" = "targeted" ]; then
+ %{_sbindir}/setenforce 0 2> /dev/null
+ if [ ! 
-s %{_sysconfdir}/selinux/config ]; then
+ echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+ else
+ sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
+ fi
+ fi
+fi
+exit 0
+
+
+%triggerin -- pcre2
+%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
+exit 0
+
+%triggerpostun -- selinux-policy-targeted < 3.12.1-74
+rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
+exit 0
+
+%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
+CR=$'\n'
+INPUT=""
+for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do
+ module=`basename $i | sed 's/.pp.disabled//'`
+ if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then
+ touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p
+ fi
+done
+for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do
+ INPUT="${INPUT}${CR}module -N -a $i"
+done
+for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do
+ cp $i %{_sharedstatedir}/selinux/targeted/active
+done
+echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
+if %{_sbindir}/selinuxenabled ; then
+ %{_sbindir}/load_policy
+fi
+exit 0
+
+%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
+%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
+%fileList targeted
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
+%endif
+
+%if %{BUILD_MINIMUM}
+%package minimum
+Summary: SELinux minimum policy
+Provides: selinux-policy-any = %{version}-%{release}
+Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Conflicts: seedit
+Conflicts: container-selinux <= 
1.9.0-9 + +%description minimum +SELinux minimum policy package. + +%pretrans minimum -p +%backupConfigLua + +%pre minimum +%preInstall minimum +if [ $1 -ne 1 ]; then + %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst +fi + +%post minimum +%checkConfigConsistency minimum +contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst` +basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst` +if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then + mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled +fi +if [ $1 -eq 1 ]; then +for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +done +for p in $basepackages apache dbus inetd kerberos mta nis; do + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +done +%{_sbindir}/semanage import -S minimum -f - << __eof +login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ +login -m -s unconfined_u -r s0-s0:c0.c1023 root +__eof +%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null +%{_sbindir}/semodule -B -s minimum +else +instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst` +for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +done +for p in $instpackages apache dbus inetd kerberos mta nis; do + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +done +%{_sbindir}/semodule -B -s minimum +%relabel minimum +fi +exit 0 + +%posttrans minimum +%checkConfigConsistency minimum + +%postun minimum +if [ $1 = 0 ]; then + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "minimum" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! 
-s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi +fi +exit 0 + +%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138 +if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/* +fi +CR=$'\n' +INPUT="" +for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do + module=`basename $i | sed 's/.pp.disabled//'` + if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + fi +done +for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do + INPUT="${INPUT}${CR}module -N -a $i" +done +echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy +fi +exit 0 + +%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u +%fileList minimum +%endif + +%if %{BUILD_MLS} +%package mls +Summary: SELinux MLS policy +Provides: selinux-policy-any = %{version}-%{release} +Obsoletes: selinux-policy-mls-sources < 2 +Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: seedit +Conflicts: container-selinux <= 1.9.0-9 + +%description mls +SELinux MLS (Multi Level Security) policy package. 
+ +%pretrans mls -p +%backupConfigLua + +%pre mls +%preInstall mls + +%post mls +%checkConfigConsistency mls +%postInstall $1 mls +exit 0 + +%posttrans mls +%checkConfigConsistency mls + +%postun mls +if [ $1 = 0 ]; then + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "mls" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi +fi +exit 0 + +%triggerpostun mls -- selinux-policy-mls < 3.13.1-138 +CR=$'\n' +INPUT="" +for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do + module=`basename $i | sed 's/.pp.disabled//'` + if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then + touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p + fi +done +for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do + INPUT="${INPUT}${CR}module -N -a $i" +done +echo "$INPUT" | %{_sbindir}/semanage import -S mls -N +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy +fi +exit 0 + + +%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u +%fileList mls +%endif + +%changelog +* Fri Apr 14 2023 MSVSphere Packaging Team - 38.1.8-1 +- Rebuilt for MSVSphere 9.2 beta + +* Thu Feb 16 2023 Nikola Knazekova - 38.1.8-1 +- Allow svirt to map svirt_image_t char files +Resolves: rhbz#2170482 +- Fix opencryptoki file names in /dev/shm +Resolves: rhbz#2166283 + +* Wed Feb 15 2023 Nikola Knazekova - 38.1.7-1 +- Allow staff_t getattr init pid chr & blk files and read krb5 +Resolves: rhbz#2112729 +- Allow firewalld to rw z90crypt device +Resolves: rhbz#2166877 +- Allow httpd work with tokens in /dev/shm +Resolves: rhbz#2166283 + +* Thu Feb 09 
2023 Nikola Knazekova - 38.1.6-1 +- Allow modemmanager create hardware state information files +Resolves: rhbz#2149560 +- Dontaudit ftpd the execmem permission +Resolves: rhbz#2164434 +- Allow nm-dispatcher plugins read generic files in /proc +Resolves: rhbz#2164845 +- Label systemd-journald feature LogNamespace +Resolves: rhbz#2124797 +- Boolean: allow qemu-ga read ssh home directory +Resolves: rhbz#1917024 + +* Thu Jan 26 2023 Nikola Knazekova - 38.1.5-1 +- Reuse tmpfs_t also for the ramfs filesystem +Resolves: rhbz#2160391 +- Allow systemd-resolved watch tmpfs directories +Resolves: rhbz#2160391 +- Allow hostname_t to read network sysctls. +Resolves: rhbz#2161958 +- Allow ModemManager all permissions for netlink route socket +Resolves: rhbz#2149560 +- Allow unconfined user filetransition for sudo log files +Resolves: rhbz#2160388 +- Allow sudodomain use sudo.log as a logfile +Resolves: rhbz#2160388 +- Allow nm-cloud-setup dispatcher plugin restart nm services +Resolves: rhbz#2154414 +- Allow wg to send msg to kernel, write to syslog and dbus connections +Resolves: rhbz#2149452 +- Allow rshim bpf cap2 and read sssd public files +Resolves: rhbz#2080439 +- Allow svirt request the kernel to load a module +Resolves: rhbz#2144735 +- Rebase selinux-policy to the latest one in rawhide +Resolves: rhbz#2014606 + +* Thu Jan 12 2023 Nikola Knazekova - 38.1.4-1 +- Add lpr_roles to system_r roles +Resolves: rhbz#2152150 +- Allow insights client work with gluster and pcp +Resolves: rhbz#2152150 +- Add interfaces in domain, files, and unconfined modules +Resolves: rhbz#2152150 +- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t +Resolves: rhbz#2152150 +- Add insights additional capabilities +Resolves: rhbz#2152150 +- Revert "Allow insights-client run lpr and allow the proper role" +Resolves: rhbz#2152150 +- Allow prosody manage its runtime socket files +Resolves: rhbz#2157891 +- Allow syslogd read network sysctls +Resolves: rhbz#2156068 +- Allow NetworkManager and 
wpa_supplicant the bpf capability +Resolves: rhbz#2137085 +- Allow sysadm_t read/write ipmi devices +Resolves: rhbz#2158419 +- Allow wireguard to create udp sockets and read net_conf +Resolves: rhbz#2149452 +- Allow systemd-rfkill the bpf capability +Resolves: rhbz#2149390 +- Allow load_policy_t write to unallocated ttys +Resolves: rhbz#2145181 +- Allow winbind-rpcd manage samba_share_t files and dirs +Resolves: rhbz#2150680 + +* Thu Dec 15 2022 Nikola Knazekova - 38.1.3-1 +- Allow stalld to read /sys/kernel/security/lockdown file +Resolves: rhbz#2140673 +- Allow syslog the setpcap capability +Resolves: rhbz#2151841 +- Allow pulseaudio to write to session_dbusd tmp socket files +Resolves: rhbz#2132942 +- Allow keepalived to set resource limits +Resolves: rhbz#2151212 +- Add policy for mptcpd +Resolves: bz#1972222 +- Add policy for rshim +Resolves: rhbz#2080439 +- Allow insights-client dbus chat with abrt +Resolves: rhbz#2152166 +- Allow insights-client work with pcp and manage user config files +Resolves: rhbz#2152150 +- Allow insights-client run lpr and allow the proper role +Resolves: rhbz#2152150 +- Allow insights-client tcp connect to various ports +Resolves: rhbz#2152150 +- Allow insights-client dbus chat with various services +Resolves: rhbz#2152150 +- Allow journalctl relabel with var_log_t and syslogd_var_run_t files +Resolves: rhbz#2152823 + +* Wed Nov 30 2022 Zdenek Pytela - 38.1.2-1 +- Allow insights client communicate with cupsd, mysqld, openvswitch, redis +Resolves: rhbz#2124549 +- Allow insights client read raw memory devices +Resolves: rhbz#2124549 +- Allow networkmanager_dispatcher_plugin work with nscd +Resolves: rhbz#2149317 +- Allow ipsec_t only read tpm devices +Resolves: rhbz#2147380 +- Watch_sb all file type directories. 
+Resolves: rhbz#2139363 +- Add watch and watch_sb dosfs interface +Resolves: rhbz#2139363 +- Revert "define lockdown class and access" +Resolves: rhbz#2145266 +- Allow postfix/smtpd read kerberos key table +Resolves: rhbz#2145266 +- Remove the lockdown class from the policy +Resolves: rhbz#2145266 +- Remove label for /usr/sbin/bgpd +Resolves: rhbz#2145266 +- Revert "refpolicy: drop unused socket security classes" +Resolves: rhbz#2145266 + +* Mon Nov 21 2022 Zdenek Pytela - 38.1.1-1 +- Rebase selinux-policy to the latest one in rawhide +Resolves: rhbz#2082524 + +* Wed Nov 16 2022 Zdenek Pytela - 34.1.47-1 +- Add domain_unix_read_all_semaphores() interface +Resolves: rhbz#2123358 +- Allow chronyd talk with unconfined user over unix domain dgram socket +Resolves: rhbz#2141255 +- Allow unbound connectto unix_stream_socket +Resolves: rhbz#2141236 +- added policy for systemd-socket-proxyd +Resolves: rhbz#2141606 +- Allow samba-dcerpcd use NSCD services over a unix stream socket +Resolves: rhbz#2121729 +- Allow insights-client unix_read all domain semaphores +Resolves: rhbz#2123358 +- Allow insights-client manage generic locks +Resolves: rhbz#2123358 +- Allow insights-client create gluster log dir with a transition +Resolves: rhbz#2123358 +- Allow insights-client domain transition on semanage execution +Resolves: rhbz#2123358 +- Disable rpm verification on interface_info +Resolves: rhbz#2134515 + +* Fri Nov 04 2022 Nikola Knazekova - 34.1.46-1 +- new version +Resolves: rhbz#2134827 + +* Thu Nov 03 2022 Nikola Knazekova - 34.1.45-1 +- Add watch_sb interfaces +Resolves: rhbz#2139363 +- Add watch interfaces +Resolves: rhbz#2139363 +- Allow dhcpd bpf capability to run bpf programs +Resolves: rhbz#2134827 +- Allow netutils and traceroute bpf capability to run bpf programs +Resolves: rhbz#2134827 +- Allow pkcs_slotd_t bpf capability to run bpf programs +Resolves: rhbz#2134827 +- Allow xdm bpf capability to run bpf programs +Resolves: rhbz#2134827 +- Allow pcscd bpf capability 
to run bpf programs +Resolves: rhbz#2134827 +- Allow lldpad bpf capability to run bpf programs +Resolves: rhbz#2134827 +- Allow keepalived bpf capability to run bpf programs +Resolves: rhbz#2134827 +- Allow ipsec bpf capability to run bpf programs +Resolves: rhbz#2134827 +- Allow fprintd bpf capability to run bpf programs +Resolves: rhbz#2134827 +- Allow iptables list cgroup directories +Resolves: rhbz#2134829 +- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files +Resolves: rhbz#2042515 +- Dontaudit dirsrv search filesystem sysctl directories +Resolves: rhbz#2134726 + +* Thu Oct 13 2022 Nikola Knazekova - 34.1.44-1 +- Allow insights-client domtrans on unix_chkpwd execution +Resolves: rhbz#2126091 +- Allow insights-client connect to postgresql with a unix socket +Resolves: rhbz#2126091 +- Allow insights-client send null signal to rpm and system cronjob +Resolves: rhbz#2126091 +- Allow insights-client manage samba var dirs +Resolves: rhbz#2126091 +- Allow rhcd compute selinux access vector +Resolves: rhbz#2126091 +- Add file context entries for insights-client and rhc +Resolves: rhbz#2126161 +- Allow pulseaudio create gnome content (~/.config) +Resolves: rhbz#2132942 +- Allow rhsmcertd execute gpg +Resolves: rhbz#2130204 +- Label ports 10161-10162 tcp/udp with snmp +Resolves: rhbz#2133221 +- Allow lldpad send to unconfined_t over a unix dgram socket +Resolves: rhbz#2112044 +- Label port 15354/tcp and 15354/udp with opendnssec +Resolves: rhbz#2057501 +- Allow aide to connect to systemd_machined with a unix socket. 
+Resolves: bz#2062936 +- Allow ftpd map ftpd_var_run files +Resolves: bz#2124943 +- Allow ptp4l respond to pmc +Resolves: rhbz#2131689 +- Allow radiusd connect to the radacct port +Resolves: rhbz#2132424 +- Allow xdm execute gnome-atspi services +Resolves: rhbz#2132244 +- Allow ptp4l_t name_bind ptp_event_port_t +Resolves: rhbz#2130170 +- Allow targetclid to manage tmp files +Resolves: rhbz#2127408 +- Allow sbd the sys_ptrace capability +Resolves: rhbz#2124695 + +* Thu Sep 08 2022 Zdenek Pytela - 34.1.43-1 +- Update rhcd policy for executing additional commands 5 +Resolves: rhbz#2119351 +- Update rhcd policy for executing additional commands 4 +Resolves: rhbz#2119351 +- Allow rhcd create rpm hawkey logs with correct label +Resolves: rhbz#2119351 +- Update rhcd policy for executing additional commands 3 +Resolves: rhbz#2119351 +- Allow sssd to set samba setting +Resolves: rhbz#2121125 +- Allow journalctl read rhcd fifo files +Resolves: rhbz#2119351 +- Update insights-client policy for additional commands execution 5 +Resolves: rhbz#2121125 +- Confine insights-client systemd unit +Resolves: rhbz#2121125 +- Update insights-client policy for additional commands execution 4 +Resolves: rhbz#2121125 +- Update insights-client policy for additional commands execution 3 +Resolves: rhbz#2121125 +- Allow rhcd execute all executables +Resolves: rhbz#2119351 +- Update rhcd policy for executing additional commands 2 +Resolves: rhbz#2119351 +- Update insights-client policy for additional commands execution 2 +Resolves: rhbz#2121125 + +* Mon Aug 29 2022 Zdenek Pytela - 34.1.42-1 +- Label /var/log/rhc-worker-playbook with rhcd_var_log_t +Resolves: rhbz#2119351 +- Update insights-client policy (auditctl, gpg, journal) +Resolves: rhbz#2107363 + +* Thu Aug 25 2022 Nikola Knazekova - 34.1.41-1 +- Allow unconfined domains to bpf all other domains +Resolves: RHBZ#2112014 +- Allow stalld get and set scheduling policy of all domains. 
+Resolves: rhbz#2105038 +- Allow unconfined_t transition to targetclid_home_t +Resolves: RHBZ#2106360 +- Allow samba-bgqd to read a printer list +Resolves: rhbz#2118977 +- Allow system_dbusd ioctl kernel with a unix stream sockets +Resolves: rhbz#2085392 +- Allow chronyd bind UDP sockets to ptp_event ports. +Resolves: RHBZ#2118631 +- Update tor_bind_all_unreserved_ports interface +Resolves: RHBZ#2089486 +- Remove permissive domain for rhcd_t +Resolves: rhbz#2119351 +- Allow unconfined and sysadm users transition for /root/.gnupg +Resolves: rhbz#2121125 +- Add gpg_filetrans_admin_home_content() interface +Resolves: rhbz#2121125 +- Update rhcd policy for executing additional commands +Resolves: rhbz#2119351 +- Update insights-client policy for additional commands execution +Resolves: rhbz#2119507 +- Add rpm setattr db files macro +Resolves: rhbz#2119507 +- Add userdom_view_all_users_keys() interface +Resolves: rhbz#2119507 +- Allow gpg read and write generic pty type +Resolves: rhbz#2119507 +- Allow chronyc read and write generic pty type +Resolves: rhbz#2119507 + +* Wed Aug 10 2022 Nikola Knazekova - 34.1.40-1 +- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd +Resolves: RHBZ#2088257 +- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t +Resolves: RHBZ#1976684 +- Allow samba-bgqd get a printer list +Resolves: rhbz#2112395 +- Allow networkmanager to signal unconfined process +Resolves: RHBZ#2074414 +- Update NetworkManager-dispatcher policy +Resolves: RHBZ#2101910 +- Allow openvswitch search tracefs dirs +Resolves: rhbz#1988164 +- Allow openvswitch use its private tmpfs files and dirs +Resolves: rhbz#1988164 +- Allow openvswitch fsetid capability +Resolves: rhbz#1988164 + +* Tue Aug 02 2022 Nikola Knazekova - 34.1.39-1 +- Add support for systemd-network-generator +Resolves: RHBZ#2111069 +- Allow systemd work with install_t unix stream sockets +Resolves: rhbz#2111206 +- Allow sa-update to get init status and start systemd files 
+Resolves: RHBZ#2061844 + +* Fri Jul 15 2022 Nikola Knazekova - 34.1.38-1 +- Allow some domains use sd_notify() +Resolves: rhbz#2056565 +- Revert "Allow rabbitmq to use systemd notify" +Resolves: rhbz#2056565 +- Update winbind_rpcd_t +Resolves: rhbz#2102084 +- Update chronyd_pid_filetrans() to allow create dirs +Resolves: rhbz#2101910 +- Allow keepalived read the contents of the sysfs filesystem +Resolves: rhbz#2098130 +- Define LIBSEPOL version 3.4-1 +Resolves: rhbz#2095688 + +* Wed Jun 29 2022 Zdenek Pytela - 34.1.37-1 +- Allow targetclid read /var/target files +Resolves: rhbz#2020169 +- Update samba-dcerpcd policy for kerberos usage 2 +Resolves: rhbz#2096521 +- Allow samba-dcerpcd work with sssd +Resolves: rhbz#2096521 +- Allow stalld set scheduling policy of kernel threads +Resolves: rhbz#2102224 + +* Tue Jun 28 2022 Zdenek Pytela - 34.1.36-1 +- Allow targetclid read generic SSL certificates (fixed) +Resolves: rhbz#2020169 +- Fix file context pattern for /var/target +Resolves: rhbz#2020169 +- Use insights_client_etc_t in insights_search_config() +Resolves: rhbz#1965013 + +* Fri Jun 24 2022 Zdenek Pytela - 34.1.35-1 +-Add the corecmd_watch_bin_dirs() interface +Resolves: rhbz#1965013 +- Update rhcd policy +Resolves: rhbz#1965013 +- Allow rhcd search insights configuration directories +Resolves: rhbz#1965013 +- Add the kernel_read_proc_files() interface +Resolves: rhbz#1965013 +- Update insights_client_filetrans_named_content() +Resolves: rhbz#2081425 +- Allow transition to insights_client named content +Resolves: rhbz#2081425 +- Add the insights_client_filetrans_named_content() interface +Resolves: rhbz#2081425 +- Update policy for insights-client to run additional commands 3 +Resolves: rhbz#2081425 +- Allow insights-client execute its private memfd: objects +Resolves: rhbz#2081425 +- Update policy for insights-client to run additional commands 2 +Resolves: rhbz#2081425 +- Use insights_client_tmp_t instead of insights_client_var_tmp_t +Resolves: rhbz#2081425 +- 
Change space indentation to tab in insights-client +Resolves: rhbz#2081425 +- Use socket permissions sets in insights-client +Resolves: rhbz#2081425 +- Update policy for insights-client to run additional commands +Resolves: rhbz#2081425 +- Allow init_t to rw insights_client unnamed pipe +Resolves: rhbz#2081425 +- Fix insights client +Resolves: rhbz#2081425 +- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling +Resolves: rhbz#2081425 +- Do not let system_cronjob_t create redhat-access-insights.log with var_log_t +Resolves: rhbz#2081425 +- Allow stalld get scheduling policy of kernel threads +Resolves: rhbz#2096776 +- Update samba-dcerpcd policy for kerberos usage +Resolves: rhbz#2096521 +- Allow winbind_rpcd_t connect to self over a unix_stream_socket +Resolves: rhbz#2096255 +- Allow dlm_controld send a null signal to a cluster daemon +Resolves: rhbz#2095884 +- Allow dhclient manage pid files used by chronyd +The chronyd_manage_pid_files() interface was added. +- Resolves: rhbz#2094155 +Allow install_t nnp_domtrans to setfiles_mac_t +- Resolves: rhbz#2073010 +- Allow rabbitmq to use systemd notify +Resolves: rhbz#2056565 +- Allow ksmctl create hardware state information files +Resolves: rhbz#2021131 +- Label /var/target with targetd_var_t +Resolves: rhbz#2020169 +- Allow targetclid read generic SSL certificates +Resolves: rhbz#2020169 + +* Thu Jun 09 2022 Zdenek Pytela - 34.1.34-1 +- Allow stalld setsched and sys_nice +Resolves: rhbz#2092864 +- Allow rhsmcertd to create cache file in /var/cache/cloud-what +Resolves: rhbz#2092333 +- Update policy for samba-dcerpcd +Resolves: rhbz#2083509 +- Add support for samba-dcerpcd +Resolves: rhbz#2083509 +- Allow rabbitmq to access its private memfd: objects +Resolves: rhbz#2056565 +- Confine targetcli +Resolves: rhbz#2020169 +- Add policy for wireguard +Resolves: 1964862 +- Label /var/cache/insights with insights_client_cache_t +Resolves: rhbz#2062136 +- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket +Resolves: 
rhbz#2094489 +- Allow auditd_t noatsecure for a transition to audisp_remote_t +Resolves: rhbz#2081907 + +* Fri May 27 2022 Zdenek Pytela - 34.1.33-1 +- Allow insights-client manage gpg admin home content +Resolves: rhbz#2062136 +- Add the gpg_manage_admin_home_content() interface +Resolves: rhbz#2062136 +- Add rhcd policy +Resolves: bz#1965013 +- Allow svirt connectto virtlogd +Resolves: rhbz#2000881 +- Add ksm service to ksmtuned +Resolves: rhbz#2021131 +- Allow nm-privhelper setsched permission and send system logs +Resolves: rhbz#2053639 +- Update the policy for systemd-journal-upload +Resolves: rhbz#2085369 +- Allow systemd-journal-upload watch logs and journal +Resolves: rhbz#2085369 +- Create a policy for systemd-journal-upload +Resolves: rhbz#2085369 +- Allow insights-client create and use unix_dgram_socket +Resolves: rhbz#2087765 +- Allow insights-client search gconf homedir +Resolves: rhbz#2087765 + +* Wed May 11 2022 Zdenek Pytela - 34.1.32-1 +- Dontaudit guest attempts to dbus chat with systemd domains +Resolves: rhbz#2062740 +- Dontaudit guest attempts to dbus chat with system bus types +Resolves: rhbz#2062740 +- Fix users for SELinux userspace 3.4 +Resolves: rhbz#2079290 +- Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template +Resolves: rhbz#2076681 +- Allow systemd-sleep get removable devices attributes +Resolves: rhbz#2082404 +- Allow systemd-sleep tlp_filetrans_named_content() +Resolves: rhbz#2082404 +- Allow systemd-sleep execute generic programs +Resolves: rhbz#2082404 +- Allow systemd-sleep execute shell +Resolves: rhbz#2082404 +- Allow systemd-sleep transition to sysstat_t +Resolves: rhbz#2082404 +- Allow systemd-sleep transition to tlp_t +Resolves: rhbz#2082404 +- Allow systemd-sleep transition to unconfined_service_t on bin_t executables +Resolves: rhbz#2082404 +- allow systemd-sleep to set timer for suspend-then-hibernate +Resolves: rhbz#2082404 +- Add default fc specifications for patterns in /opt +Resolves: 
rhbz#2081059 +- Use a named transition in systemd_hwdb_manage_config() +Resolves: rhbz#2061725 + +* Wed May 04 2022 Nikola Knazekova - 34.1.31-2 +- Remove "v" from the package version + +* Mon May 02 2022 Nikola Knazekova - v34.1.31-1 +- Label /var/run/machine-id as machineid_t +Resolves: rhbz#2061680 +- Allow insights-client create_socket_perms for tcp/udp sockets +Resolves: rhbz#2077377 +- Allow insights-client read rhnsd config files +Resolves: rhbz#2077377 +- Allow rngd drop privileges via setuid/setgid/setcap +Resolves: rhbz#2076642 +- Allow tmpreaper the sys_ptrace userns capability +Resolves: rhbz#2062823 +- Add stalld to modules.conf +Resolves: rhbz#2042614 +- New policy for stalld +Resolves: rhbz#2042614 +- Label new utility of NetworkManager nm-priv-helper +Resolves: rhbz#2053639 +- Exclude container.if from selinux-policy-devel +Resolves: rhbz#1861968 + +* Tue Apr 19 2022 Zdenek Pytela - 34.1.30-2 +- Update source branches to build a new package for RHEL 9.1.0 + +* Tue Apr 12 2022 Nikola Knazekova - 34.1.30-1 +- Allow administrative users the bpf capability +Resolves: RHBZ#2070982 +- Allow NetworkManager talk with unconfined user over unix domain dgram socket +Resolves: rhbz#2064688 +- Allow hostapd talk with unconfined user over unix domain dgram socket +Resolves: rhbz#2064688 +- Allow fprintd read and write hardware state information +Resolves: rhbz#2062911 +- Allow fenced read kerberos key tables +Resolves: RHBZ#2060722 +- Allow init watch and watch_reads user ttys +Resolves: rhbz#2060289 +- Allow systemd watch and watch_reads console devices +Resolves: rhbz#2060289 +- Allow nmap create and use rdma socket +Resolves: RHBZ#2059603 + +* Thu Mar 31 2022 Zdenek Pytela - 34.1.29-1 +- Allow qemu-kvm create and use netlink rdma sockets +Resolves: rhbz#2063612 +- Label corosync-cfgtool with cluster_exec_t +Resolves: rhbz#2061277 + +* Thu Mar 24 2022 Zdenek Pytela - 34.1.28-1 +- Allow logrotate a domain transition to cluster administrative domain +Resolves: 
rhbz#2061277 +- Change the selinuxuser_execstack boolean value to true +Resolves: rhbz#2064274 + +* Thu Feb 24 2022 Zdenek Pytela - 34.1.27-1 +- Allow ModemManager connect to the unconfined user domain +Resolves: rhbz#2000196 +- Label /dev/wwan.+ with modem_manager_t +Resolves: rhbz#2000196 +- Allow systemd-coredump userns capabilities and root mounton +Resolves: rhbz#2057435 +- Allow systemd-coredump read and write usermodehelper state +Resolves: rhbz#2057435 +- Allow sysadm_passwd_t to relabel passwd and group files +Resolves: rhbz#2053458 +- Allow systemd-sysctl read the security state information +Resolves: rhbz#2056999 +- Remove unnecessary /etc file transitions for insights-client +Resolves: rhbz#2055823 +- Label all content in /var/lib/insights with insights_client_var_lib_t +Resolves: rhbz#2055823 +- Update insights-client policy +Resolves: rhbz#2055823 +- Update insights-client: fc pattern, motd, writing to etc +Resolves: rhbz#2055823 +- Update specfile to buildrequire policycoreutils-devel >= 3.3-5 +- Add modules_checksum to %files + +* Thu Feb 17 2022 Zdenek Pytela - 34.1.26-1 +- Remove permissive domain for insights_client_t +Resolves: rhbz#2055823 +- New policy for insight-client +Resolves: rhbz#2055823 +- Allow confined sysadmin to use tool vipw +Resolves: rhbz#2053458 +- Allow chage domtrans to sssd +Resolves: rhbz#2054657 +- Remove label for /usr/sbin/bgpd +Resolves: rhbz#2055578 +- Dontaudit pkcsslotd sys_admin capability +Resolves: rhbz#2055639 +- Do not change selinuxuser_execmod and selinuxuser_execstack +Resolves: rhbz#2055822 +- Allow tuned to read rhsmcertd config files +Resolves: rhbz#2055823 + +* Mon Feb 14 2022 Zdenek Pytela - 34.1.25-1 +- Allow systemd watch unallocated ttys +Resolves: rhbz#2054150 +- Allow alsa bind mixer controls to led triggers +Resolves: rhbz#2049732 +- Allow alsactl set group Process ID of a process +Resolves: rhbz#2049732 +- Allow unconfined to run virtd bpf +Resolves: rhbz#2033504 + +* Fri Feb 04 2022 Zdenek Pytela 
- 34.1.24-1 +- Allow tumblerd write to session_dbusd tmp socket files +Resolves: rhbz#2000039 +- Allow login_userdomain write to session_dbusd tmp socket files +Resolves: rhbz#2000039 +- Allow login_userdomain create session_dbusd tmp socket files +Resolves: rhbz#2000039 +- Allow gkeyringd_domain write to session_dbusd tmp socket files +Resolves: rhbz#2000039 +- Allow systemd-logind delete session_dbusd tmp socket files +Resolves: rhbz#2000039 +- Allow gdm-x-session write to session dbus tmp sock files +Resolves: rhbz#2000039 +- Allow sysadm_t nnp_domtrans to systemd_tmpfiles_t +Resolves: rhbz#2039453 +- Label exFAT utilities at /usr/sbin +Resolves: rhbz#1972225 + +* Wed Feb 02 2022 Zdenek Pytela - 34.1.23-1 +- Allow systemd nnp_transition to login_userdomain +Resolves: rhbz#2039453 +- Label /var/run/user/%{USERID}/dbus with session_dbusd_tmp_t +Resolves: rhbz#2000039 +- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling +Resolves: rhbz#2000039 +- Allow scripts to enter LUKS password +Resolves: rhbz#2048521 +- Allow system_mail_t read inherited apache system content rw files +Resolves: rhbz#2049372 +- Add apache_read_inherited_sys_content_rw_files() interface +Related: rhbz#2049372 +- Allow sanlock get attributes of filesystems with extended attributes +Resolves: rhbz#2047811 +- Associate stratisd_data_t with device filesystem +Resolves: rhbz#2039974 +- Allow init read stratis data symlinks +Resolves: rhbz#2039974 +- Label /run/stratisd with stratisd_var_run_t +Resolves: rhbz#2039974 +- Allow domtrans to sssd_t and role access to sssd +Resolves: rhbz#2039757 +- Creating interface sssd_run_sssd() +Resolves: rhbz#2039757 +- Fix badly indented used interfaces +Resolves: rhbz#2039757 +- Allow domain transition to sssd_t +Resolves: rhbz#2039757 +- Label /dev/nvme-fabrics with fixed_disk_device_t +Resolves: rhbz#2039759 +- Allow local_login_t nnp_transition to login_userdomain +Resolves: rhbz#2039453 +- Allow xdm_t nnp_transition to login_userdomain 
+Resolves: rhbz#2039453 +- Make cupsd_lpd_t a daemon +Resolves: rhbz#2039449 +- Label utilities for exFAT filesystems with fsadm_exec_t +Resolves: rhbz#1972225 +- Dontaudit sfcbd sys_ptrace cap_userns +Resolves: rhbz#2040311 + +* Tue Jan 11 2022 Zdenek Pytela - 34.1.22-1 +- Allow sshd read filesystem sysctl files +Resolves: rhbz#2036585 +- Revert "Allow sshd read sysctl files" +Resolves: rhbz#2036585 + +* Mon Jan 10 2022 Zdenek Pytela - 34.1.21-1 +- Remove the lockdown class from the policy +Resolves: rhbz#2017848 +- Revert "define lockdown class and access" +Resolves: rhbz#2017848 +- Allow gssproxy access to various system files. +Resolves: rhbz#2026974 +- Allow gssproxy read, write, and map ica tmpfs files +Resolves: rhbz#2026974 +- Allow gssproxy read and write z90crypt device +Resolves: rhbz#2026974 +- Allow sssd_kcm read and write z90crypt device +Resolves: rhbz#2026974 +- Allow abrt_domain read and write z90crypt device +Resolves: rhbz#2026974 +- Allow NetworkManager read and write z90crypt device +Resolves: rhbz#2026974 +- Allow smbcontrol read the network state information +Resolves: rhbz#2038157 +- Allow virt_domain map vhost devices +Resolves: rhbz#2035702 +- Allow fcoemon request the kernel to load a module +Resolves: rhbz#2034463 +- Allow lldpd connect to snmpd with a unix domain stream socket +Resolves: rhbz#2033315 +- Allow ModemManager create a qipcrtr socket +Resolves: rhbz#2036582 +- Allow ModemManager request to load a kernel module +Resolves: rhbz#2036582 +- Allow sshd read sysctl files +Resolves: rhbz#2036585 + +* Wed Dec 15 2021 Zdenek Pytela - 34.1.20-1 +- Allow dnsmasq watch /etc/dnsmasq.d directories +Resolves: rhbz#2029866 +- Label /usr/lib/pcs/pcs_snmp_agent with cluster_exec_t +Resolves: rhbz#2029316 +- Allow lldpd use an snmp subagent over a tcp socket +Resolves: rhbz#2028561 +- Allow smbcontrol use additional socket types +Resolves: rhbz#2027751 +- Add write permisson to userfaultfd_anon_inode_perms +Resolves: rhbz#2027660 +- Allow 
xdm_t watch generic directories in /lib +Resolves: rhbz#1960010 +- Allow xdm_t watch fonts directories +Resolves: rhbz#1960010 +- Label /dev/ngXnY and /dev/nvme-subsysX with fixed_disk_device_t +Resolves: rhbz#2027994 +- Add hwtracing_device_t type for hardware-level tracing and debugging +Resolves: rhbz#2029392 +- Change dev_getattr_infiniband_dev() to use getattr_chr_files_pattern() +Resolves: rhbz#2028791 +- Allow arpwatch get attributes of infiniband_device_t devices +Resolves: rhbz#2028791 +- Allow tcpdump and nmap get attributes of infiniband_device_t +Resolves: rhbz#2028791 + +* Mon Nov 29 2021 Zdenek Pytela - 34.1.19-1 +- Allow redis get attributes of filesystems with extended attributes +Resolves: rhbz#2014611 +- Allow dirsrv read slapd tmpfs files +Resolves: rhbz#2015928 +- Revert "Label /dev/shm/dirsrv/ with dirsrv_tmpfs_t label" +Resolves: rhbz#2015928 +- Allow login_userdomain open/read/map system journal +Resolves: rhbz#2017838 +- Allow login_userdomain read and map /var/lib/systemd files +Resolves: rhbz#2017838 +- Allow nftables read NetworkManager unnamed pipes +Resolves: rhbz#2023456 +- Allow xdm watch generic directories in /var/lib +Resolves: rhbz#1960010 +- Allow xdm_t watch generic pid directories +Resolves: rhbz#1960010 + +* Mon Nov 01 2021 Zdenek Pytela - 34.1.18-1 +- Allow fetchmail search cgroup directories +Resolves: rhbz#2015118 +- Add the auth_read_passwd_file() interface +Resolves: rhbz#2014611 +- Allow redis-sentinel execute a notification script +Resolves: rhbz#2014611 +- Support new PING_CHECK health checker in keepalived +Resolves: rhbz#2014423 + +* Thu Oct 14 2021 Zdenek Pytela - 34.1.17-1 +- Label /usr/sbin/virtproxyd as virtd_exec_t +Resolves: rhbz#2002143 +- Allow at-spi-bus-launcher read and map xdm pid files +Resolves: rhbz#2011772 +- Remove references to init_watch_path_type attribute +Resolves: rhbz#2007960 +- Remove all redundant watch permissions for systemd +Resolves: rhbz#2007960 +- Allow systemd watch 
non_security_file_type dirs, files, lnk_files
+Resolves: rhbz#2007960
+- Allow systemd-resolved watch /run/systemd
+Resolves: rhbz#1992461
+- Allow sssd watch /run/systemd
+Resolves: rhbz#1992461
+
+* Thu Sep 23 2021 Zdenek Pytela - 34.1.16-1
+- Allow fprintd install a sleep delay inhibitor
+Resolves: rhbz#1999537
+- Update mount_manage_pid_files() to use manage_files_pattern
+Resolves: rhbz#1999997
+- Allow gnome at-spi processes create and use stream sockets
+Resolves: rhbz#2004885
+- Allow haproxy list the sysfs directories content
+Resolves: rhbz#1986823
+- Allow virtlogd_t read process state of user domains
+Resolves: rhbz#1994592
+- Support hitless reloads feature in haproxy
+Resolves: rhbz#1997182
+- Allow firewalld load kernel modules
+Resolves: rhbz#1999152
+- Allow communication between at-spi and gdm processes
+Resolves: rhbz#2003037
+- Remove "ipa = module" from modules-targeted-contrib.conf
+Resolves: rhbz#2006039
+
+* Mon Aug 30 2021 Zdenek Pytela - 34.1.15-1
+- Update ica_filetrans_named_content() with create_file_perms
+Resolves: rhbz#1976180
+- Allow various domains work with ICA crypto accelerator
+Resolves: rhbz#1976180
+- Add ica module
+Resolves: rhbz#1976180
+- Revert "Support using ICA crypto accelerator on s390x arch"
+Resolves: rhbz#1976180
+- Fix the gnome_atspi_domtrans() interface summary
+Resolves: rhbz#1972655
+- Add support for at-spi
+Resolves: rhbz#1972655
+- Add permissions for system dbus processes
+Resolves: rhbz#1972655
+- Allow /tmp file transition for dbus-daemon also for sock_file
+Resolves: rhbz#1972655
+
+* Wed Aug 25 2021 Zdenek Pytela - 34.1.14-1
+- Support using ICA crypto accelerator on s390x arch
+Resolves: rhbz#1976180
+- Allow systemd delete /run/systemd/default-hostname
+Resolves: rhbz#1978507
+- Label /usr/bin/Xwayland with xserver_exec_t
+Resolves: rhbz#1993151
+- Label /usr/libexec/gdm-runtime-config with xdm_exec_t
+Resolves: rhbz#1993151
+- Allow tcpdump read system state information in /proc
+Resolves: 
rhbz#1972577
+- Allow firewalld drop capabilities
+Resolves: rhbz#1989641
+
+* Thu Aug 12 2021 Zdenek Pytela - 34.1.13-1
+- Add "/" at the beginning of dev/shm/var\.lib\.opencryptoki.* regexp
+Resolves: rhbz#1977915
+- Set default file context for /sys/firmware/efi/efivars
+Resolves: rhbz#1972372
+- Allow tcpdump run as a systemd service
+Resolves: rhbz#1972577
+- Allow nmap create and use netlink generic socket
+Resolves: rhbz#1985212
+- Allow nscd watch system db files in /var/db
+Resolves: rhbz#1989416
+- Allow systemd-gpt-auto-generator read udev pid files
+Resolves: rhbz#1992638
+
+* Tue Aug 10 2021 Zdenek Pytela - 34.1.12-1
+- Revert "update libs_filetrans_named_content() to have support for /usr/lib/debug directory"
+Resolves: rhbz#1990813
+- Label /dev/crypto/nx-gzip with accelerator_device_t
+Resolves: rhbz#1973953
+- Label /usr/bin/qemu-storage-daemon with virtd_exec_t
+Resolves: rhbz#1977245
+- Allow systemd-machined stop generic service units
+Resolves: rhbz#1979522
+- Label /.k5identity file allow read of this file to rpc.gssd
+Resolves: rhbz#1980610
+
+* Tue Aug 10 2021 Mohan Boddu - 34.1.11-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Thu Jul 29 2021 Zdenek Pytela - 34.1.11-1
+- Allow hostapd bind UDP sockets to the dhcpd port
+Resolves: rhbz#1979968
+- Allow mdadm read iscsi pid files
+Resolves: rhbz#1976073
+- Unconfined domains should not be confined
+Resolves: rhbz#1977986
+- Allow NetworkManager_t to watch /etc
+Resolves: rhbz#1980000
+- Allow using opencryptoki for ipsec
+Resolves: rhbz#1977915
+
+* Wed Jul 14 2021 Zdenek Pytela - 34.1.10-1
+- Allow bacula get attributes of cgroup filesystems
+Resolves: rhbz#1976917
+- Label /dev/wmi/dell-smbios as acpi_device_t
+Resolves: rhbz#1972382
+- Add the lockdown integrity permission to dev_map_userio_dev()
+Resolves: rhbz#1966758
+- Allow virtlogd_t to create virt_var_lockd_t dir
+Resolves: rhbz#1974875
+
+* Tue Jun 22 2021 Zdenek Pytela - 34.1.9-1
+- Allow 
systemd-coredump getattr nsfs files and net_admin capability
+Resolves: rhbz#1965372
+- Label /run/libvirt/common with virt_common_var_run_t
+Resolves: rhbz#1969209
+- Label /usr/bin/arping plain file with netutils_exec_t
+Resolves: rhbz#1952515
+- Make usbmuxd_t a daemon
+Resolves: rhbz#1965411
+- Allow usbmuxd get attributes of cgroup filesystems
+Resolves: rhbz#1965411
+- Label /dev/dma_heap/* char devices with dma_device_t
+- Revert "Label /dev/dma_heap/* char devices with dma_device_t"
+- Revert "Label /dev/dma_heap with dma_device_dir_t"
+- Revert "Associate dma_device_dir_t with device filesystem"
+Resolves: rhbz#1967818
+- Label /var/lib/kdump with kdump_var_lib_t
+Resolves: rhbz#1965989
+- Allow systemd-timedated watch runtime dir and its parent
+Resolves: rhbz#1970865
+- Label /run/fsck with fsadm_var_run_t
+Resolves: rhbz#1970911
+
+* Thu Jun 10 2021 Zdenek Pytela - 34.1.8-1
+- Associate dma_device_dir_t with device filesystem
+Resolves: rhbz#1954116
+- Add default file context specification for dnf log files
+Resolves: rhbz#1955223
+- Allow using opencryptoki for certmonger
+Resolves: rhbz#1961756
+- Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
+Resolves: rhbz#1961756
+- Allow httpd_sys_script_t read, write, and map hugetlbfs files
+Resolves: rhbz#1964890
+- Dontaudit daemon open and read init_t file
+Resolves: rhbz#1965412
+- Allow sanlock get attributes of cgroup filesystems
+Resolves: rhbz#1965217
+
+* Tue Jun 08 2021 Zdenek Pytela - 34.1.7-1
+- Set default file context for /var/run/systemd instead of /run/systemd
+Resolves: rhbz#1966492
+
+* Mon Jun 07 2021 Zdenek Pytela - 34.1.6-1
+- Label /dev/dma_heap with dma_device_dir_t
+Resolves: rhbz#1954116
+- Allow pkcs-slotd create and use netlink_kobject_uevent_socket
+Resolves: rhbz#1963252
+- Label /run/systemd/default-hostname with hostname_etc_t
+Resolves: rhbz#1966492
+
+* Thu May 27 2021 Zdenek Pytela - 34.1.5-1
+- Label /dev/trng with random_device_t
+Resolves: rhbz#1962260 
+- Label /dev/zram[0-9]+ block device files with fixed_disk_device_t
+Resolves: rhbz#1954116
+- Label /dev/udmabuf character device with dma_device_t
+Resolves: rhbz#1954116
+- Label /dev/dma_heap/* char devices with dma_device_t
+Resolves: rhbz#1954116
+- Label /dev/acpi_thermal_rel char device with acpi_device_t
+Resolves: rhbz#1954116
+- Allow fcoemon create sysfs files
+Resolves: rhbz#1952292
+
+* Wed May 12 2021 Zdenek Pytela - 34.1.4-1
+- Allow sysadm_t dbus chat with tuned
+Resolves: rhbz#1953643
+- Allow tuned write profile files with file transition
+Resolves: rhbz#1953643
+- Allow tuned manage perf_events
+Resolves: rhbz#1953643
+- Make domains use kernel_write_perf_event() and kernel_manage_perf_event()
+Resolves: rhbz#1953643
+- Add kernel_write_perf_event() and kernel_manage_perf_event()
+Resolves: rhbz#1953643
+- Allow syslogd_t watch root and var directories
+Resolves: rhbz#1957792
+- Allow tgtd create and use rdma socket
+Resolves: rhbz#1955559
+- Allow aide connect to init with a unix socket
+Resolves: rhbz#1926343
+
+* Wed Apr 28 2021 Zdenek Pytela - 34.1.3-1
+- Allow domain create anonymous inodes
+Resolves: rhbz#1954145
+- Add anon_inode class to the policy
+Resolves: rhbz#1954145
+- Allow pluto IKEv2 / ESP over TCP
+Resolves: rhbz#1951471
+- Add brltty new permissions required by new upstream version
+Resolves: rhbz#1947842
+- Label /var/lib/brltty with brltty_var_lib_t
+Resolves: rhbz#1947842
+- Allow login_userdomain create cgroup files
+Resolves: rhbz#1951114
+- Allow aide connect to systemd-userdbd with a unix socket
+Resolves: rhbz#1926343
+- Allow cups-lpd read its private runtime socket files
+Resolves: rhbz#1947397
+- Label /etc/redis as redis_conf_t
+Resolves: rhbz#1947874
+- Add file context specification for /usr/libexec/realmd
+Resolves: rhbz#1946495
+
+* Thu Apr 22 2021 Zdenek Pytela - 34.1.2-1
+- Further update make-rhat-patches.sh for RHEL 9.0 beta
+- Add file context specification for /var/tmp/tmp-inst
+Resolves: rhbz#1924656
+
+* Wed Apr 21 2021 Zdenek Pytela - 34.1.1-1
+- Update selinux-policy.spec and make-rhat-patches.sh for RHEL 9.0 beta
+- Allow unconfined_service_t confidentiality and integrity lockdown
+Resolves: rhbz#1950267
+
+* Fri Apr 16 2021 Mohan Boddu - 34-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937