From b3c16146ebee2e992812dc3356d4ca7c1ea8e15f Mon Sep 17 00:00:00 2001 
From: MSVSphere Packaging Team Date: Wed, 4 Dec 2024 09:46:41 +0300 Subject: [PATCH] import selinux-policy-40.13.16-1.el10 --- .gitignore | 2 +- .selinux-policy.metadata | 4 +- SOURCES/booleans-minimum.conf | 248 --- SOURCES/booleans-mls.conf | 6 - SOURCES/booleans-targeted.conf | 25 - SOURCES/booleans.subs_dist | 54 - SOURCES/customizable_types | 14 - SOURCES/file_contexts.subs_dist | 24 - SOURCES/modules-minimum.lst | 50 + SOURCES/modules-mls-base.conf | 380 ---- SOURCES/modules-mls-contrib.conf | 1581 -------------- SOURCES/modules-targeted-base.conf | 393 ---- SOURCES/modules-targeted-contrib.conf | 2806 ------------------------- SOURCES/permissivedomains.cil | 2 - SOURCES/rpm.macros | 42 +- SOURCES/securetty_types-minimum | 4 - SOURCES/securetty_types-mls | 6 - SOURCES/securetty_types-targeted | 4 - SOURCES/selinux-policy-mls.conf | 1 + SOURCES/selinux-policy-targeted.conf | 1 + SOURCES/setrans-minimum.conf | 19 - SOURCES/setrans-mls.conf | 52 - SOURCES/setrans-targeted.conf | 19 - SOURCES/users-minimum | 39 - SOURCES/users-mls | 40 - SOURCES/users-targeted | 41 - SOURCES/varrun-convert.sh | 31 +- SPECS/selinux-policy.spec | 1087 ++-------- 28 files changed, 235 insertions(+), 6740 deletions(-) delete mode 100644 SOURCES/booleans-minimum.conf delete mode 100644 SOURCES/booleans-mls.conf delete mode 100644 SOURCES/booleans-targeted.conf delete mode 100644 SOURCES/booleans.subs_dist delete mode 100644 SOURCES/customizable_types delete mode 100644 SOURCES/file_contexts.subs_dist create mode 100644 SOURCES/modules-minimum.lst delete mode 100644 SOURCES/modules-mls-base.conf delete mode 100644 SOURCES/modules-mls-contrib.conf delete mode 100644 SOURCES/modules-targeted-base.conf delete mode 100644 SOURCES/modules-targeted-contrib.conf delete mode 100644 SOURCES/permissivedomains.cil delete mode 100644 SOURCES/securetty_types-minimum delete mode 100644 SOURCES/securetty_types-mls delete mode 100644 SOURCES/securetty_types-targeted create mode 100644 
SOURCES/selinux-policy-mls.conf
 create mode 100644 SOURCES/selinux-policy-targeted.conf
 delete mode 100644 SOURCES/setrans-minimum.conf
 delete mode 100644 SOURCES/setrans-mls.conf
 delete mode 100644 SOURCES/setrans-targeted.conf
 delete mode 100644 SOURCES/users-minimum
 delete mode 100644 SOURCES/users-mls
 delete mode 100644 SOURCES/users-targeted
diff --git a/.gitignore b/.gitignore
index 300ba49..c6393c0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-e464c3b.tar.gz
+SOURCES/selinux-policy-3f0002a.tar.gz
diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata
index e9110e2..12d2957 100644
--- a/.selinux-policy.metadata
+++ b/.selinux-policy.metadata
@@ -1,2 +1,2 @@
-a7770e3ebc8e88c6c514ec4a8fe532526e3798ae SOURCES/container-selinux.tgz
-26ce88444772beacbefbd1647e4b89eca510518c SOURCES/selinux-policy-e464c3b.tar.gz
+a93d442e55a089e898204de344ea212302d626d2 SOURCES/container-selinux.tgz
+444104bed47e1d4da78a6e09764a5e42c4f757af SOURCES/selinux-policy-3f0002a.tar.gz
diff --git a/SOURCES/booleans-minimum.conf b/SOURCES/booleans-minimum.conf
deleted file mode 100644
index 59dac1f..0000000
--- a/SOURCES/booleans-minimum.conf
+++ /dev/null
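Review bot: The `.selinux-policy.metadata` hunk re-pins `SOURCES/container-selinux.tgz` by digest only, and unlike `selinux-policy-3f0002a.tar.gz` the tarball name carries no upstream version or commit, so after this import nothing in the repository records which container-selinux revision was vendored. Recording the upstream tag or commit in the commit description, or naming the tarball the way the policy tarball is named, would make the source-integrity record auditable. The digests are 40 hex characters (SHA-1 length); whether the lookaside tooling also checks a stronger hash is not visible from this diff.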
@@ -1,248 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-#
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-#
-allow_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-#
-allow_execstack = true
-
-# Allow ftpd to read cifs directories.
-#
-allow_ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-#
-allow_ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-#
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-#
-allow_gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-#
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-#
-allow_httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-#
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-#
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-#
-allow_saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-#
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-#
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-#
-allow_zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-#
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-#
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-#
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-#
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-#
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-#
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-#
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-#
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-#
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-#
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-#
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-#
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-#
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-#
-read_default_t = false
-
-# Allow samba to export user home directories.
-#
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-#
-squid_connect_any = false
-
-# Support NFS home directories
-#
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-#
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-#
-user_ping = false
-
-# allow host key based authentication
-#
-allow_ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-#
-pppd_for_user = false
-
-# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
-#
-read_untrusted_content = false
-
-# Allow spamd to write to users homedirs
-#
-spamd_enable_home_dirs = false
-
-# Allow regular users direct mouse access
-#
-user_direct_mouse = false
-
-# Allow users to read system messages.
-#
-user_dmesg = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-#
-user_rw_noexattrfile = false
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
-#
-user_tcp_server = false
-
-# Allow w to display everyone
-#
-user_ttyfile_stat = false
-
-# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
-#
-write_untrusted_content = false
-
-# Allow all domains to talk to ttys
-#
-allow_daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-#
-allow_polyinstantiation = false
-
-# Allow all domains to dump core
-#
-allow_daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-#
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-#
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-#
-allow_xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create
-#
-allow_guest_exec_content = false
-allow_xguest_exec_content = false
-
-# Only allow browser to use the web
-#
-browser_confine_xguest=false
-
-# Allow postfix locat to write to mail spool
-#
-allow_postfix_local_write_mail_spool=false
-
-# Allow common users to read/write noexattrfile systems
-#
-user_rw_noexattrfile=true
-
-# Allow qemu to connect fully to the network
-#
-qemu_full_network=true
-
-# Allow nsplugin execmem/execstack for bad plugins
-#
-allow_nsplugin_execmem=true
-
-# Allow unconfined domain to transition to confined domain
-#
-allow_unconfined_nsplugin_transition=true
-
-# System uses init upstart program
-#
-init_upstart = true
-
-# Allow mount to mount any file/dir
-#
-allow_mount_anyfile = true
diff --git a/SOURCES/booleans-mls.conf b/SOURCES/booleans-mls.conf
deleted file mode 100644
index 65ccfa4..0000000
--- a/SOURCES/booleans-mls.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-kerberos_enabled = true
-mount_anyfile = true
-polyinstantiation_enabled = true
-ftpd_is_daemon = true
-selinuxuser_ping = true
-xserver_object_manager = true
diff --git a/SOURCES/booleans-targeted.conf b/SOURCES/booleans-targeted.conf
deleted file mode 100644
index 8789a08..0000000
--- a/SOURCES/booleans-targeted.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-gssd_read_tmp = true
-httpd_builtin_scripting = true
-httpd_enable_cgi = true
-kerberos_enabled = true
-mount_anyfile = true
-nfs_export_all_ro = true
-nfs_export_all_rw = true
-nscd_use_shm = true
-openvpn_enable_homedirs = true
-postfix_local_write_mail_spool=true
-pppd_can_insmod = false
-privoxy_connect_any = true
-selinuxuser_direct_dri_enabled = true
-selinuxuser_execmem = true
-selinuxuser_execmod = true
-selinuxuser_execstack = true
-selinuxuser_rw_noexattrfile=true
-selinuxuser_ping = true
-squid_connect_any = true
-telepathy_tcp_connect_generic_network_ports=true
-unconfined_chrome_sandbox_transition=true
-unconfined_mozilla_plugin_transition=true
-xguest_exec_content = true
-mozilla_plugin_can_network_connect = true
-use_virtualbox = true
diff --git a/SOURCES/booleans.subs_dist b/SOURCES/booleans.subs_dist
deleted file mode 100644
index fed7d8c..0000000
--- a/SOURCES/booleans.subs_dist
+++ /dev/null
@@ -1,54 +0,0 @@
-allow_auditadm_exec_content auditadm_exec_content
-allow_console_login login_console_enabled
-allow_cvs_read_shadow cvs_read_shadow
-allow_daemons_dump_core daemons_dump_core
-allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
-allow_daemons_use_tty daemons_use_tty
-allow_domain_fd_use domain_fd_use
-allow_execheap selinuxuser_execheap
-allow_execmod selinuxuser_execmod
-allow_execstack selinuxuser_execstack
-allow_ftpd_anon_write ftpd_anon_write
-allow_ftpd_full_access ftpd_full_access
-allow_ftpd_use_cifs ftpd_use_cifs
-allow_ftpd_use_nfs ftpd_use_nfs
-allow_gssd_read_tmp gssd_read_tmp
-allow_guest_exec_content guest_exec_content
-allow_httpd_anon_write httpd_anon_write
-allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
-allow_httpd_mod_auth_pam httpd_mod_auth_pam
-allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
-allow_kerberos kerberos_enabled
-allow_mplayer_execstack mplayer_execstack
-allow_mount_anyfile mount_anyfile
-allow_nfsd_anon_write nfsd_anon_write
-allow_polyinstantiation polyinstantiation_enabled
-allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
-allow_rsync_anon_write rsync_anon_write
-allow_saslauthd_read_shadow saslauthd_read_shadow
-allow_secadm_exec_content secadm_exec_content
-allow_smbd_anon_write smbd_anon_write
-allow_ssh_keysign ssh_keysign
-allow_staff_exec_content staff_exec_content
-allow_sysadm_exec_content sysadm_exec_content
-allow_user_exec_content user_exec_content
-allow_user_mysql_connect selinuxuser_mysql_connect_enabled
-allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
-allow_write_xshm xserver_clients_write_xshm
-allow_xguest_exec_content xguest_exec_content
-allow_xserver_execmem xserver_execmem
-allow_ypbind nis_enabled
-allow_zebra_write_config zebra_write_config
-user_direct_dri selinuxuser_direct_dri_enabled
-user_ping selinuxuser_ping
-user_share_music selinuxuser_share_music
-user_tcp_server selinuxuser_tcp_server
-sepgsql_enable_pitr_implementation postgresql_can_rsync
-sepgsql_enable_users_ddl postgresql_selinux_users_ddl
-sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
-sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
-clamd_use_jit antivirus_use_jit
-amavis_use_jit antivirus_use_jit
-logwatch_can_sendmail logwatch_can_network_connect_mail
-puppet_manage_all_files puppetagent_manage_all_files
-virt_sandbox_use_nfs virt_use_nfs
diff --git a/SOURCES/customizable_types b/SOURCES/customizable_types
deleted file mode 100644
index b3f6cb0..0000000
--- a/SOURCES/customizable_types
+++ /dev/null
@@ -1,14 +0,0 @@
-container_file_t
-sandbox_file_t
-svirt_image_t
-svirt_home_t
-svirt_sandbox_file_t
-virt_content_t
-httpd_user_htaccess_t
-httpd_user_script_exec_t
-httpd_user_rw_content_t
-httpd_user_ra_content_t
-httpd_user_content_t
-git_session_content_t
-home_bin_t
-user_tty_device_t
diff --git a/SOURCES/file_contexts.subs_dist b/SOURCES/file_contexts.subs_dist
deleted file mode 100644
index 6afa41b..0000000
--- a/SOURCES/file_contexts.subs_dist
+++ /dev/null
@@ -1,24 +0,0 @@
-/var/run /run
-/var/lock /run/lock
-/run/systemd/system /usr/lib/systemd/system
-/run/systemd/generator /usr/lib/systemd/system
-/run/systemd/generator.early /usr/lib/systemd/system
-/run/systemd/generator.late /usr/lib/systemd/system
-/lib /usr/lib
-/lib64 /usr/lib
-/usr/lib64 /usr/lib
-/usr/local/lib64 /usr/lib
-/usr/local/lib32 /usr/lib
-/etc/systemd/system /usr/lib/systemd/system
-/var/lib/xguest/home /home
-/var/named/chroot/usr/lib64 /usr/lib
-/var/named/chroot/lib64 /usr/lib
-/var/named/chroot/var /var
-/home-inst /home
-/home/home-inst /home
-/var/roothome /root
-/sbin /usr/sbin
-/sysroot/tmp /tmp
-/var/usrlocal /usr/local
-/var/mnt /mnt
-/bin /usr/bin
diff --git a/SOURCES/modules-minimum.lst b/SOURCES/modules-minimum.lst
new file mode 100644
index 0000000..c4252c8
--- /dev/null
+++ b/SOURCES/modules-minimum.lst
@@ -0,0 +1,50 @@
+apache
+application
+auditadm
+authlogin
+base
+bootloader
+clock
+dbus
+dmesg
+fstools
+getty
+hostname
+inetd
+init
+ipsec
+iptables
+kerberos
+libraries
+locallogin
+logadm
+logging
+lvm
+miscfiles
+modutils
+mount
+mta
+netlabel
+netutils
+nis
+postgresql
+secadm
+selinuxutil
+setrans
+seunshare
+ssh
+staff
+su
+sudo
+sysadm
+sysadm_secadm
+sysnetwork
+systemd
+udev
+unconfined
+unconfineduser
+unlabelednet
+unprivuser
+userdomain
+usermanage
+xserver
diff --git a/SOURCES/modules-mls-base.conf b/SOURCES/modules-mls-base.conf
deleted file mode 100644
index 5b21a3e..0000000
--- a/SOURCES/modules-mls-base.conf
+++ /dev/null
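Review bot: The new `SOURCES/modules-minimum.lst` includes `unconfined` and `unconfineduser` next to the base and role modules, so the "minimum" module set still installs the unconfined domains; if that is intended to keep the minimum policy bootable, it deserves a sentence in the commit description, because the list itself appears to have no comment syntax in which to explain it. The file also does not say what consumes it, and the spec change that presumably reads it is outside this chunk. Its format differs from the deleted `modules-*.conf` files (one bare module name per line, no `= module`/`= off` state), so the consumer should document that a module is enabled by presence alone and how a module is disabled.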
@@ -1,380 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-#
-bootloader = module
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-#
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-#
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-#
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-#
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-#
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-#
-seunshare = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-#
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-#
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-#
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-#
-files = base
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-#
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-#
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-#
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-#
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-#
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-#
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-#
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-#
-#
-ubac = base
-
-# Layer: kernel
-# Module: unlabelednet
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-#
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-#
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-#
-secadm = module
-
-# Layer:role
-# Module: staff
-#
-# admin account
-#
-staff = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-#
-sysadm_secadm = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-#
-sysadm = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-#
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-#
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-#
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-#
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-#
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-#
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-#
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-#
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-#
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-#
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-#
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-#
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-#
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-#
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-#
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-#
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-#
-lvm = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-#
-miscfiles = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-#
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-#
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-#
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-#
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-#
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-#
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-#
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-#
-udev = module
diff --git a/SOURCES/modules-mls-contrib.conf b/SOURCES/modules-mls-contrib.conf
deleted file mode 100644
index bfa841f..0000000
--- a/SOURCES/modules-mls-contrib.conf
+++ /dev/null
@@ -1,1581 +0,0 @@
-# Layer: services
-# Module: accountsd
-#
-# An application to view and modify user accounts information
-#
-accountsd = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-#
-acct = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server
-#
-afs = module
-
-# Layer: services
-# Module: aide
-#
-# Policy for aide
-#
-aide = module
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-#
-alsa = module
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-#
-amanda = module
-
-# Layer: contrib
-# Module: antivirus
-#
-# Anti-virus
-#
-antivirus = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-#
-amtu = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-#
-anaconda = module
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-#
-apache = module
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-#
-apm = module
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-#
-arpwatch = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-#
-avahi = module
-
-# Layer: modules
-# Module: awstats
-#
-# awstats executable
-#
-awstats = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-#
-bind = module
-
-# Layer: services
-# Module: bitlbee
-#
-# An IRC to other chat networks gateway
-#
-bitlbee = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-# -bluetooth = module - -# Layer: services -# Module: boinc -# -# Berkeley Open Infrastructure for Network Computing -# -boinc = module - -# Layer: system -# Module: brctl -# -# Utilities for configuring the linux ethernet bridge -# -brctl = module - -# Layer: services -# Module: bugzilla -# -# Bugzilla server -# -bugzilla = module - -# Layer: services -# Module: cachefilesd -# -# CacheFiles userspace management daemon -# -cachefilesd = module - -# Module: calamaris -# -# -# Squid log analysis -# -calamaris = module - -# Layer: services -# Module: canna -# -# Canna - kana-kanji conversion server -# -canna = module - -# Layer: services -# Module: ccs -# -# policy for ccs -# -ccs = module - -# Layer: apps -# Module: cdrecord -# -# Policy for cdrecord -# -cdrecord = module - -# Layer: admin -# Module: certmaster -# -# Digital Certificate master -# -certmaster = module - -# Layer: services -# Module: certmonger -# -# Certificate status monitor and PKI enrollment client -# -certmonger = module - -# Layer: admin -# Module: certwatch -# -# Digital Certificate Tracking -# -certwatch = module - -# Layer: services -# Module: cgroup -# -# Tools and libraries to control and monitor control groups -# -cgroup = module - -# Layer: apps -# Module: chrome -# -# chrome sandbox -# -chrome = module - -# Layer: services -# Module: chronyd -# -# Daemon for maintaining clock time -# -chronyd = module - -# Layer: services -# Module: cipe -# -# Encrypted tunnel daemon -# -cipe = module - -# Layer: services -# Module: clogd -# -# clogd - clustered mirror log server -# -clogd = module - -# Layer: services -# Module: cmirrord -# -# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster -# -cmirrord = module - -# Layer: services -# Module: colord -# -# color device daemon -# -colord = module - -# Layer: services -# Module: comsat -# -# Comsat, a biff server. 
-#
-comsat = module
-
-# Layer: services
-# Module: courier
-#
-# IMAP and POP3 email servers
-#
-courier = module
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-#
-cpucontrol = module
-
-# Layer: apps
-# Module: cpufreqselector
-#
-# cpufreqselector executable
-#
-cpufreqselector = module
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-#
-cron = module
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-#
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-#
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# cyphesis game server
-#
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-#
-cyrus = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-#
-daemontools = module
-
-# Layer: role
-# Module: dbadm
-#
-# Minimally prived root role for managing databases
-#
-dbadm = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-#
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-#
-dbus = module
-
-# Layer: services
-# Module: dcc
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-dcc = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-#
-ddcprobe = off
-
-# Layer: services
-# Module: devicekit
-#
-# devicekit-daemon
-#
-devicekit = module
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-#
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-#
-dictd = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-#
-distcc = off
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-#
-dmidecode = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# A lightweight DHCP and caching DNS server.
-#
-dnsmasq = module
-
-# Layer: services
-# Module: dnssec
-#
-# A dnssec server application
-#
-dnssec = module
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-#
-dovecot = module
-
-# Layer: services
-# Module: entropy
-#
-# Generate entropy from audio input
-#
-entropyd = module
-
-# Layer: services
-# Module: exim
-#
-# exim mail server
-#
-exim = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-#
-fetchmail = module
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-#
-finger = module
-
-# Layer: services
-# Module: firewalld
-#
-# firewalld is firewall service daemon that provides dynamic customizable
-#
-firewalld = module
-
-# Layer: apps
-# Module: firewallgui
-#
-# policy for system-config-firewall
-#
-firewallgui = module
-
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-#
-firstboot = module
-
-# Layer: services
-# Module: fprintd
-#
-# finger print server
-#
-fprintd = module
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-#
-ftp = module
-
-# Layer: apps
-# Module: games
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-games = module
-
-# Layer: apps
-# Module: gitosis
-#
-# Policy for gitosis
-#
-gitosis = module
-
-# Layer: services
-# Module: git
-#
-# Policy for the stupid content tracker
-#
-git = module
-
-# Layer: services
-# Module: glance
-#
-# Policy for glance
-#
-glance = module
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-#
-gnome = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for Mozilla and related web browsers
-#
-gpg = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-#
-gpm = module
-
-# Module: gpsd
-#
-# gpsd monitor daemon
-#
-#
-gpsd = module
-
-# Module: gssproxy
-#
-# A proxy for GSSAPI credential handling
-#
-#
-gssproxy = module
-
-# Layer: role
-# Module: guest
-#
-# Minimally privs guest account on tty logins
-#
-guest = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-#
-i18n_input = off
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-#
-inetd = module
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-#
-inn = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-#
-irc = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-#
-irqbalance = module
-
-# Layer: system
-# Module: iscsi
-#
-# Open-iSCSI daemon
-#
-iscsi = module
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging server
-#
-jabber = module
-
-# Layer: apps
-# Module: kdumpgui
-#
-# system-config-kdump policy
-#
-kdumpgui = module
-
-# Layer: admin
-# Module: kdump
-#
-# kdump is kernel crash dumping mechanism
-#
-kdump = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-#
-kerberos = module
-
-# Layer: services
-# Module: kismet
-#
-# Wireless sniffing and monitoring
-#
-kismet = module
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-#
-ktalk = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-#
-ldap = module
-
-# Layer: services
-# Module: 
lircd -# -# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. -# -lircd = module - -# Layer: apps -# Module: loadkeys -# -# Load keyboard mappings. -# -loadkeys = module - -# Layer: apps -# Module: lockdev -# -# device locking policy for lockdev -# -lockdev = module - -# Layer: admin -# Module: logrotate -# -# Rotate and archive system logs -# -logrotate = module - -# Layer: services -# Module: logwatch -# -# logwatch executable -# -logwatch = module - -# Layer: services -# Module: lpd -# -# Line printer daemon -# -lpd = module - -# Layer: services -# Module: lsm -# -# lsm policy -# -lsm = module - -# Layer: services -# Module: mailman -# -# Mailman is for managing electronic mail discussion and e-newsletter lists -# -mailman = module - -# Layer: admin -# Module: mcelog -# -# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines. -# -mcelog = module - -# Layer: services -# Module: memcached -# -# high-performance memory object caching system -# -memcached = module - -# Layer: services -# Module: milter -# -# -# -milter = module - -# Layer: services -# Module: modemmanager -# -# Manager for dynamically switching between modems. -# -modemmanager = module - -# Layer: services -# Module: mojomojo -# -# Wiki server -# -mojomojo = module - -# Layer: apps -# Module: mozilla -# -# Policy for Mozilla and related web browsers -# -mozilla = module - -# Layer: apps -# Module: mplayer -# -# Policy for Mozilla and related web browsers -# -mplayer = module - -# Layer: admin -# Module: mrtg -# -# Network traffic graphing -# -mrtg = module - -# Layer: services -# Module: mta -# -# Policy common to all email tranfer agents. 
-#
-mta = module
-
-# Layer: services
-# Module: munin
-#
-# Munin
-#
-munin = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-#
-mysql = module
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-#
-nagios = module
-
-# Layer: apps
-# Module: namespace
-#
-# policy for namespace.init script
-#
-namespace = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-#
-ncftool = module
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-#
-networkmanager = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-#
-nis = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-#
-nscd = module
-
-# Layer: services
-# Module: nslcd
-#
-# Policy for nslcd
-#
-nslcd = module
-
-# Layer: services
-# Module: ntop
-#
-# Policy for ntop
-#
-ntop = module
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-#
-ntp = module
-
-# Layer: services
-# Module: nx
-#
-# NX Remote Desktop
-#
-nx = module
-
-# Layer: services
-# Module: oddjob
-#
-# policy for oddjob
-#
-oddjob = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-# -openct = off - -# Layer: service -# Module: openct -# -# Middleware framework for smart card terminals -# -openct = module - -# Layer: services -# Module: openvpn -# -# Policy for OPENVPN full-featured SSL VPN solution -# -openvpn = module - -# Layer: contrib -# Module: prelude -# -# SELinux policy for prelude -# -prelude = module - -# Layer: contrib -# Module: prosody -# -# SELinux policy for prosody flexible communications server for Jabber/XMPP -# -prosody = module - -# Layer: services -# Module: pads -# -pads = module - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = module - -# Layer: service -# Module: pcscd -# -# PC/SC Smart Card Daemon -# -pcscd = module - -# Layer: services -# Module: pegasus -# -# The Open Group Pegasus CIM/WBEM Server. -# -pegasus = module - - -# Layer: services -# Module: pingd -# -# -pingd = module - -# Layer: services -# Module: piranha -# -# piranha - various tools to administer and configure the Linux Virtual Server -# -piranha = module - -# Layer: services -# Module: plymouthd -# -# Plymouth -# -plymouthd = module - -# Layer: apps -# Module: podsleuth -# -# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. -# -podsleuth = module - -# Layer: services -# Module: policykit -# -# Hardware abstraction layer -# -policykit = module - -# Layer: services -# Module: polipo -# -# polipo -# -polipo = module - -# Layer: services -# Module: portmap -# -# RPC port mapping service. 
-# -portmap = module - -# Layer: services -# Module: portreserve -# -# reserve ports to prevent portmap mapping them -# -portreserve = module - -# Layer: services -# Module: postfix -# -# Postfix email server -# -postfix = module - -o# Layer: services -# Module: postgrey -# -# email scanner -# -postgrey = module - -# Layer: services -# Module: ppp -# -# Point to Point Protocol daemon creates links in ppp networks -# -ppp = module - -# Layer: admin -# Module: prelink -# -# Manage temporary directory sizes and file ages -# -prelink = module - -unprivuser = module - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. -# -privoxy = module - -# Layer: services -# Module: procmail -# -# Procmail mail delivery agent -# -procmail = module - -# Layer: services -# Module: psad -# -# Analyze iptables log for hostile traffic -# -psad = module - -# Layer: apps -# Module: ptchown -# -# helper function for grantpt(3), changes ownship and permissions of pseudotty -# -ptchown = module - -# Layer: services -# Module: publicfile -# -# publicfile supplies files to the public through HTTP and FTP -# -publicfile = module - -# Layer: apps -# Module: pulseaudio -# -# The PulseAudio Sound System -# -pulseaudio = module - -# Layer: services -# Module: qmail -# -# Policy for qmail -# -qmail = module - -# Layer: services -# Module: qpidd -# -# Policy for qpidd -# -qpid = module - -# Layer: admin -# Module: quota -# -# File system quota management -# -quota = module - -# Layer: services -# Module: radius -# -# RADIUS authentication and accounting server. 
-# -radius = module - -# Layer: services -# Module: radvd -# -# IPv6 router advertisement daemon -# -radvd = module - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = module - -# Layer: services -# Module: rdisc -# -# Network router discovery daemon -# -rdisc = module - -# Layer: admin -# Module: readahead -# -# Readahead, read files into page cache for improved performance -# -readahead = module - -# Layer: services -# Module: remotelogin -# -# Policy for rshd, rlogind, and telnetd. -# -remotelogin = module - -# Layer: services -# Module: rhcs -# -# RHCS - Red Hat Cluster Suite -# -rhcs = module - -# Layer: services -# Module: rhgb -# -# X windows login display manager -# -rhgb = module - -# Layer: services -# Module: ricci -# -# policy for ricci -# -ricci = module - -# Layer: services -# Module: rlogin -# -# Remote login daemon -# -rlogin = module - -# Layer: services -# Module: roundup -# -# Roundup Issue Tracking System policy -# -roundup = module - -# Layer: services -# Module: rpcbind -# -# universal addresses to RPC program number mapper -# -rpcbind = module - -# Layer: services -# Module: rpc -# -# Remote Procedure Call Daemon for managment of network based process communication -# -rpc = module - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = module - -# Layer: services -# Module: rshd -# -# Remote shell service. -# -rshd = module - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization -# -rsync = module - -# Layer: services -# Module: rtkit -# -# Real Time Kit Daemon -# -rtkit = module - -# Layer: services -# Module: rwho -# -# who is logged in on local machines -# -rwho = module - -# Layer: apps -# Module: sambagui -# -# policy for system-config-samba -# -sambagui = module - -# -# SMB and CIFS client/server programs for UNIX and -# name Service Switch daemon for resolving names -# from Windows NT servers. 
-# -samba = module - -# Layer: services -# Module: sasl -# -# SASL authentication server -# -sasl = module - -# Layer: apps -# Module: screen -# -# GNU terminal multiplexer -# -screen = module - -# Layer: services -# Module: sendmail -# -# Policy for sendmail. -# -sendmail = module - -# Layer: services -# Module: setroubleshoot -# -# Policy for the SELinux troubleshooting utility -# -setroubleshoot = module - -# Layer: admin -# Module: shorewall -# -# Policy for shorewall -# -shorewall = module - -# Layer: apps -# Module: slocate -# -# Update database for mlocate -# -slocate = module - -# Layer: services -# Module: slrnpull -# -# Service for downloading news feeds the slrn newsreader. -# -slrnpull = off - -# Layer: services -# Module: smartmon -# -# Smart disk monitoring daemon policy -# -smartmon = module - -# Layer: services -# Module: snmp -# -# Simple network management protocol services -# -snmp = module - -# Layer: services -# Module: snort -# -# Snort network intrusion detection system -# -snort = module - -# Layer: admin -# Module: sosreport -# -# sosreport debuggin information generator -# -sosreport = module - -# Layer: services -# Module: soundserver -# -# sound server for network audio server programs, nasd, yiff, etc -# -soundserver = module - -# Layer: services -# Module: spamassassin -# -# Filter used for removing unsolicited email. -# -spamassassin = module - -# Layer: services -# Module: squid -# -# Squid caching http proxy server -# -squid = module - -# Layer: services -# Module: sssd -# -# System Security Services Daemon -# -sssd = module - -# Layer: services -# Module: stunnel -# -# SSL Tunneling Proxy -# -stunnel = module - -# Layer: services -# Module: sysstat -# -# Policy for sysstat. Reports on various system states -# -sysstat = module - -# Layer: services -# Module: tcpd -# -# Policy for TCP daemon. 
-# -tcpd = module - -# Layer: services -# Module: tcsd -# -# tcsd - daemon that manages Trusted Computing resources -# -tcsd = module - -# Layer: apps -# Module: telepathy -# -# telepathy - Policy for Telepathy framework -# -telepathy = module - -# Layer: services -# Module: telnet -# -# Telnet daemon -# -telnet = module - -# Layer: services -# Module: tftp -# -# Trivial file transfer protocol daemon -# -tftp = module - -# Layer: services -# Module: tgtd -# -# Linux Target Framework Daemon. -# -tgtd = module - -# Layer: apps -# Module: thumb -# -# Thumbnailer confinement -# -thumb = module - -# Layer: services -# Module: timidity -# -# MIDI to WAV converter and player configured as a service -# -timidity = off - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages -# -tmpreaper = module - -# Layer: services -# Module: tor -# -# TOR, the onion router -# -tor = module - -# Layer: services -# Module: ksmtuned -# -# Kernel Samepage Merging (KSM) Tuning Daemon -# -ksmtuned = module - -# Layer: services -# Module: tuned -# -# Dynamic adaptive system tuning daemon -# -tuned = module - -# Layer: apps -# Module: tvtime -# -# tvtime - a high quality television application -# -tvtime = module - -# Layer: services -# Module: ulogd -# -# -# -ulogd = module - -# Layer: apps -# Module: uml -# -# Policy for UML -# -uml = module - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change /etc/fstab. -# -updfstab = module - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices -# -usbmodules = module - -# Layer: apps -# Module: userhelper -# -# A helper interface to pam. 
-# -userhelper = module - -# Layer: apps -# Module: usernetctl -# -# User network interface configuration helper -# -usernetctl = module - -# Layer: services -# Module: uucp -# -# Unix to Unix Copy -# -uucp = module - -# Layer: services -# Module: virt -# -# Virtualization libraries -# -virt = module - -# Layer: apps -# Module: vmware -# -# VMWare Workstation virtual machines -# -vmware = module - -# Layer: contrib -# Module: openvswitch -# -# SELinux policy for openvswitch programs -# -openvswitch = module - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client -# -vpn = module - -# Layer: services -# Module: w3c -# -# w3c -# -w3c = module - -# Layer: role -# Module: webadm -# -# Minimally prived root role for managing apache -# -webadm = module - -# Layer: apps -# Module: webalizer -# -# Web server log analysis -# -webalizer = module - -# Layer: apps -# Module: wine -# -# wine executable -# -wine = module - -# Layer: apps -# Module: wireshark -# -# wireshark executable -# -wireshark = module - -# Layer: apps -# Module: wm -# -# X windows window manager -# -wm = module - -# Layer: system -# Module: xen -# -# virtualization software -# -xen = module - -# Layer: role -# Module: xguest -# -# Minimally privs guest account on X Windows logins -# -xguest = module - -# Layer: services -# Module: zabbix -# -# Open-source monitoring solution for your IT infrastructure -# -zabbix = module - -# Layer: services -# Module: zebra -# -# Zebra border gateway protocol network routing service -# -zebra = module - -# Layer: services -# Module: zosremote -# -# policy for z/OS Remote-services Audit dispatcher plugin -# -zosremote = module - -# Layer: contrib -# Module: mandb -# -# Policy for mandb -# -mandb = module diff --git a/SOURCES/modules-targeted-base.conf b/SOURCES/modules-targeted-base.conf deleted file mode 100644 index e7456ef..0000000 --- a/SOURCES/modules-targeted-base.conf +++ /dev/null 
@@ -1,393 +0,0 @@ -# Layer: kernel -# Module: bootloader -# -# Policy for the kernel modules, kernel image, and bootloader. -# -bootloader = module - -# Layer: kernel -# Module: corecommands -# Required in base -# -# Core policy for shells, and generic programs -# in /bin, /sbin, /usr/bin, and /usr/sbin. -# -corecommands = base - -# Layer: kernel -# Module: corenetwork -# Required in base -# -# Policy controlling access to network objects -# -corenetwork = base - -# Layer: admin -# Module: dmesg -# -# Policy for dmesg. -# -dmesg = module - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = module - -# Layer: admin -# Module: sudo -# -# Execute a command with a substitute user -# -sudo = module - -# Layer: admin -# Module: su -# -# Run shells with substitute user and group -# -su = module - -# Layer: admin -# Module: usermanage -# -# Policy for managing user accounts. -# -usermanage = module - -# Layer: apps -# Module: seunshare -# -# seunshare executable -# -seunshare = module - -# Module: devices -# Required in base -# -# Device nodes and interfaces for many basic system devices. -# -devices = base - -# Module: domain -# Required in base -# -# Core policy for domains. -# -domain = base - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = module - -# Module: files -# Required in base -# -# Basic filesystem types and interfaces. -# -files = base - -# Layer: system -# Module: miscfiles -# -# Miscelaneous files. -# -miscfiles = module - -# Module: filesystem -# Required in base -# -# Policy for filesystems. -# -filesystem = base - -# Module: kernel -# Required in base -# -# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. 
-# -kernel = base - -# Module: mcs -# Required in base -# -# MultiCategory security policy -# -mcs = base - -# Module: mls -# Required in base -# -# Multilevel security policy -# -mls = base - -# Module: selinux -# Required in base -# -# Policy for kernel security interface, in particular, selinuxfs. -# -selinux = base - -# Layer: kernel -# Module: storage -# -# Policy controlling access to storage devices -# -storage = base - -# Module: terminal -# Required in base -# -# Policy for terminals. -# -terminal = base - -# Layer: kernel -# Module: ubac -# -# -# -ubac = base - -# Layer: kernel -# Module: unconfined -# -# The unlabelednet module. -# -unlabelednet = module - -# Layer: role -# Module: auditadm -# -# auditadm account on tty logins -# -auditadm = module - -# Layer: role -# Module: logadm -# -# Minimally prived root role for managing logging system -# -logadm = module - -# Layer: role -# Module: secadm -# -# secadm account on tty logins -# -secadm = module - -# Layer:role -# Module: sysadm_secadm -# -# System Administrator with Security Admin rules -# -sysadm_secadm = module - -# Module: staff -# -# admin account -# -staff = module - -# Layer:role -# Module: sysadm -# -# System Administrator -# -sysadm = module - -# Layer: role -# Module: unconfineduser -# -# The unconfined user domain. -# -unconfineduser = module - -# Layer: role -# Module: unprivuser -# -# Minimally privs guest account on tty logins -# -unprivuser = module - -# Layer: services -# Module: postgresql -# -# PostgreSQL relational database -# -postgresql = module - -# Layer: services -# Module: ssh -# -# Secure shell client and server policy. -# -ssh = module - -# Layer: services -# Module: xserver -# -# X windows login display manager -# -xserver = module - -# Module: application -# Required in base -# -# Defines attributs and interfaces for all user applications -# -application = module - -# Layer: system -# Module: authlogin -# -# Common policy for authentication and user login. 
-# -authlogin = module - -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = module - -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = module - -# Layer: system -# Module: getty -# -# Policy for getty. -# -getty = module - -# Layer: system -# Module: hostname -# -# Policy for changing the system host name. -# -hostname = module - -# Layer: system -# Module: init -# -# System initialization programs (init and init scripts). -# -init = module - -# Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = module - -# Layer: system -# Module: iptables -# -# Policy for iptables. -# -iptables = module - -# Layer: system -# Module: libraries -# -# Policy for system libraries. -# -libraries = module - -# Layer: system -# Module: locallogin -# -# Policy for local logins. -# -locallogin = module - -# Layer: system -# Module: logging -# -# Policy for the kernel message logger and system logging daemon. -# -logging = module - -# Layer: system -# Module: lvm -# -# Policy for logical volume management programs. -# -lvm = module - -# Layer: system -# Module: modutils -# -# Policy for kernel module utilities -# -modutils = module - -# Layer: system -# Module: mount -# -# Policy for mount. -# -mount = module - -# Layer: system -# Module: netlabel -# -# Basic netlabel types and interfaces. -# -netlabel = module - -# Layer: system -# Module: selinuxutil -# -# Policy for SELinux policy and userland applications. -# -selinuxutil = module - -# Module: setrans -# Required in base -# -# Policy for setrans -# -setrans = module - -# Layer: system -# Module: sysnetwork -# -# Policy for network configuration: ifconfig and dhcp client. -# -sysnetwork = module - -# Layer: system -# Module: systemd -# -# Policy for systemd components -# -systemd = module - -# Layer: system -# Module: udev -# -# Policy for udev. 
-# -udev = module - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = module diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf deleted file mode 100644 index 10bd9b8..0000000 --- a/SOURCES/modules-targeted-contrib.conf +++ /dev/null 
@@ -1,2806 +0,0 @@ -# Layer: services -# Module: abrt -# -# Automatic bug detection and reporting tool -# -abrt = module - -# Layer: services -# Module: accountsd -# -# An application to view and modify user accounts information -# -accountsd = module - -# Layer: admin -# Module: acct -# -# Berkeley process accounting -# -acct = module - -# Layer: services -# Module: afs -# -# Andrew Filesystem server -# -afs = module - -# Layer: services -# Module: aiccu -# -# SixXS Automatic IPv6 Connectivity Client Utility -# -aiccu = module - -# Layer: services -# Module: aide -# -# Policy for aide -# -aide = module - -# Layer: services -# Module: ajaxterm -# -# Web Based Terminal -# -ajaxterm = module - -# Layer: admin -# Module: alsa -# -# Ainit ALSA configuration tool -# -alsa = module - -# Layer: admin -# Module: amanda -# -# Automated backup program. -# -amanda = module - -# Layer: admin -# Module: amtu -# -# Abstract Machine Test Utility (AMTU) -# -amtu = module - -# Layer: admin -# Module: anaconda -# -# Policy for the Anaconda installer. -# -anaconda = module - -# Layer: contrib -# Module: antivirus -# -# SELinux policy for antivirus programs -# -antivirus = module - -# Layer: services -# Module: apache -# -# Apache web server -# -apache = module - -# Layer: services -# Module: apcupsd -# -# daemon for most APC’s UPS for Linux -# -apcupsd = module - -# Layer: services -# Module: apm -# -# Advanced power management daemon -# -apm = module - -# Layer: services -# Module: arpwatch -# -# Ethernet activity monitor. -# -arpwatch = module - -# Layer: services -# Module: asterisk -# -# Asterisk IP telephony server -# -asterisk = module - -# Layer: contrib -# Module: authconfig -# -# Authorization configuration tool -# -authconfig = module - -# Layer: services -# Module: automount -# -# Filesystem automounter service. 
-# -automount = module - -# Layer: services -# Module: avahi -# -# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture -# -avahi = module - -# Layer: module -# Module: awstats -# -# awstats executable -# -awstats = module - -# Layer: services -# Module: bcfg2 -# -# Configuration management server -# -bcfg2 = module - -# Layer: services -# Module: bind -# -# Berkeley internet name domain DNS server. -# -bind = module - -# Layer: contrib -# Module: rngd -# -# Daemon used to feed random data from hardware device to kernel random device -# -rngd = module - -# Layer: services -# Module: bitlbee -# -# An IRC to other chat networks gateway -# -bitlbee = module - -# Layer: services -# Module: blueman -# -# Blueman tools and system services. -# -blueman = module - -# Layer: services -# Module: bluetooth -# -# Bluetooth tools and system services. -# -bluetooth = module - -# Layer: services -# Module: boinc -# -# Berkeley Open Infrastructure for Network Computing -# -boinc = module - -# Layer: system -# Module: brctl -# -# Utilities for configuring the linux ethernet bridge -# -brctl = module - -# Layer: services -# Module: bugzilla -# -# Bugzilla server -# -bugzilla = module - -# Layer: services -# Module: bumblebee -# -# Support NVIDIA Optimus technology under Linux -# -bumblebee = module - -# Layer: services -# Module: cachefilesd -# -# CacheFiles userspace management daemon -# -cachefilesd = module - -# Module: calamaris -# -# -# Squid log analysis -# -calamaris = module - -# Layer: services -# Module: callweaver -# -# callweaver telephony sever -# -callweaver = module - -# Layer: services -# Module: canna -# -# Canna - kana-kanji conversion server -# -canna = module - -# Layer: services -# Module: ccs -# -# policy for ccs -# -ccs = module - -# Layer: apps -# Module: cdrecord -# -# Policy for cdrecord -# -cdrecord = module - -# Layer: admin -# Module: certmaster -# -# Digital Certificate master -# -certmaster = module - -# Layer: services -# Module: certmonger -# 
-# Certificate status monitor and PKI enrollment client -# -certmonger = module - -# Layer: admin -# Module: certwatch -# -# Digital Certificate Tracking -# -certwatch = module - -# Layer: services -# Module: cfengine -# -# cfengine -# -cfengine = module - -# Layer: services -# Module: cgroup -# -# Tools and libraries to control and monitor control groups -# -cgroup = module - -# Layer: apps -# Module: chrome -# -# chrome sandbox -# -chrome = module - -# Layer: services -# Module: chronyd -# -# Daemon for maintaining clock time -# -chronyd = module - -# Layer: services -# Module: cipe -# -# Encrypted tunnel daemon -# -cipe = module - - -# Layer: services -# Module: clogd -# -# clogd - clustered mirror log server -# -clogd = module - -# Layer: services -# Module: cloudform -# -# cloudform daemons -# -cloudform = module - -# Layer: services -# Module: cmirrord -# -# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster -# -cmirrord = module - -# Layer: services -# Module: cobbler -# -# cobbler -# -cobbler = module - -# Layer: services -# Module: collectd -# -# Statistics collection daemon for filling RRD files -# -collectd = module - -# Layer: services -# Module: colord -# -# color device daemon -# -colord = module - -# Layer: services -# Module: comsat -# -# Comsat, a biff server. 
-# -comsat = module - -# Layer: services -# Module: condor -# -# policy for condor -# -condor = module - -# Layer: services -# Module: conman -# -# Conman is a program for connecting to remote consoles being managed by conmand -# -conman = module - -# Layer: services -# Module: consolekit -# -# ConsoleKit is a system daemon for tracking what users are logged -# -consolekit = module - -# Layer: services -# Module: couchdb -# -# Apache CouchDB database server -# -couchdb = module - -# Layer: services -# Module: courier -# -# IMAP and POP3 email servers -# -courier = module - -# Layer: services -# Module: cpucontrol -# -# Services for loading CPU microcode and CPU frequency scaling. -# -cpucontrol = module - -# Layer: apps -# Module: cpufreqselector -# -# cpufreqselector executable -# -cpufreqselector = module - -# Layer: services -# Module: cron -# -# Periodic execution of scheduled commands. -# -cron = module - -# Layer: services -# Module: ctdbd -# -# Cluster Daemon -# -ctdb = module - -# Layer: services -# Module: cups -# -# Common UNIX printing system -# -cups = module - -# Layer: services -# Module: cvs -# -# Concurrent versions system -# -cvs = module - -# Layer: services -# Module: cyphesis -# -# cyphesis game server -# -cyphesis = module - -# Layer: services -# Module: cyrus -# -# Cyrus is an IMAP service intended to be run on sealed servers -# -cyrus = module - -# Layer: system -# Module: daemontools -# -# Collection of tools for managing UNIX services -# -daemontools = module - -# Layer: role -# Module: dbadm -# -# Minimally prived root role for managing databases -# -dbadm = module - -# Layer: services -# Module: dbskk -# -# Dictionary server for the SKK Japanese input method system. -# -dbskk = module - -# Layer: services -# Module: dbus -# -# Desktop messaging bus -# -dbus = module - -# Layer: services -# Module: dcc -# -# A distributed, collaborative, spam detection and filtering network. 
-# -dcc = module - -# Layer: services -# Module: ddclient -# -# Update dynamic IP address at DynDNS.org -# -ddclient = module - -# Layer: admin -# Module: ddcprobe -# -# ddcprobe retrieves monitor and graphics card information -# -ddcprobe = off - -# Layer: services -# Module: denyhosts -# -# script to help thwart ssh server attacks -# -denyhosts = module - -# Layer: services -# Module: devicekit -# -# devicekit-daemon -# -devicekit = module - -# Layer: services -# Module: dhcp -# -# Dynamic host configuration protocol (DHCP) server -# -dhcp = module - -# Layer: services -# Module: dictd -# -# Dictionary daemon -# -dictd = module - -# Layer: services -# Module: dirsrv-admin -# -# An 309 directory admin server -# -dirsrv-admin = module - -# Layer: services -# Module: dirsrv -# -# An 309 directory server -# -dirsrv = module - -# Layer: services -# Module: distcc -# -# Distributed compiler daemon -# -distcc = off - -# Layer: admin -# Module: dmidecode -# -# Decode DMI data for x86/ia64 bioses. -# -dmidecode = module - -# Layer: services -# Module: dnsmasq -# -# A lightweight DHCP and caching DNS server. -# -dnsmasq = module - -# Layer: services -# Module: dnssec -# -# A dnssec server application -# -dnssec = module - -# Layer: services -# Module: dovecot -# -# Dovecot POP and IMAP mail server -# -dovecot = module - -# Layer: services -# Module: drbd -# -# DRBD mirrors a block device over the network to another machine. 
-# -drbd = module - -# Layer: services -# Module: dspam -# -# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering -# -dspam = module - -# Layer: services -# Module: entropy -# -# Generate entropy from audio input -# -entropyd = module - -# Layer: services -# Module: exim -# -# exim mail server -# -exim = module - -# Layer: services -# Module: fail2ban -# -# daiemon that bans IP that makes too many password failures -# -fail2ban = module - -# Layer: services -# Module: fcoe -# -# fcoe -# -fcoe = module - -# Layer: services -# Module: fetchmail -# -# Remote-mail retrieval and forwarding utility -# -fetchmail = module - -# Layer: services -# Module: finger -# -# Finger user information service. -# -finger = module - -# Layer: services -# Module: firewalld -# -# firewalld is firewall service daemon that provides dynamic customizable -# -firewalld = module - -# Layer: apps -# Module: firewallgui -# -# policy for system-config-firewall -# -firewallgui = module - -# Module: firstboot -# -# Final system configuration run during the first boot -# after installation of Red Hat/Fedora systems. -# -firstboot = module - -# Layer: services -# Module: fprintd -# -# finger print server -# -fprintd = module - -# Layer: services -# Module: freqset -# -# Utility for CPU frequency scaling -# -freqset = module - -# Layer: services -# Module: ftp -# -# File transfer protocol service -# -ftp = module - -# Layer: apps -# Module: games -# -# The Open Group Pegasus CIM/WBEM Server. 
-# -games = module - -# Layer: apps -# Module: gitosis -# -# Policy for gitosis -# -gitosis = module - -# Layer: services -# Module: git -# -# Policy for the stupid content tracker -# -git = module - -# Layer: services -# Module: glance -# -# Policy for glance -# -glance = module - -# Layer: contrib -# Module: glusterd -# -# policy for glusterd service -# -glusterd = module - -# Layer: apps -# Module: gnome -# -# gnome session and gconf -# -gnome = module - -# Layer: apps -# Module: gnome_remote_desktop -# -# gnome-remote-desktop -# -gnome_remote_desktop = module - -# Layer: apps -# Module: gpg -# -# Policy for GNU Privacy Guard and related programs. -# -gpg = module - -# Layer: services -# Module: gpm -# -# General Purpose Mouse driver -# -gpm = module - -# Module: gpsd -# -# gpsd monitor daemon -# -# -gpsd = module - -# Module: gssproxy -# -# A proxy for GSSAPI credential handling -# -# -gssproxy = module - -# Layer: role -# Module: guest -# -# Minimally privs guest account on tty logins -# -guest = module - -# Layer: role -# Module: xguest -# -# Minimally privs guest account on X Windows logins -# -xguest = module - -# Layer: services -# Module: hddtemp -# -# hddtemp hard disk temperature tool running as a daemon -# -hddtemp = module - -# Layer: services -# Module: hostapd -# -# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator -# -hostapd = module - -# Layer: services -# Module: i18n_input -# -# IIIMF htt server -# -i18n_input = off - -# Layer: services -# Module: icecast -# -# ShoutCast compatible streaming media server -# -icecast = module - -# Layer: services -# Module: inetd -# -# Internet services daemon. -# -inetd = module - -# Layer: services -# Module: inn -# -# Internet News NNTP server -# -inn = module - -# Layer: services -# Module: lircd -# -# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. 
-# -lircd = module - -# Layer: apps -# Module: irc -# -# IRC client policy -# -irc = module - -# Layer: services -# Module: irqbalance -# -# IRQ balancing daemon -# -irqbalance = module - -# Layer: system -# Module: iscsi -# -# Open-iSCSI daemon -# -iscsi = module - -# Layer: system -# Module: isnsd -# -# -# -isns = module - -# Layer: services -# Module: jabber -# -# Jabber instant messaging server -# -jabber = module - -# Layer: services -# Module: jetty -# -# Java based http server -# -jetty = module - -# Layer: apps -# Module: jockey -# -# policy for jockey-backend -# -jockey = module - -# Layer: apps -# Module: kdumpgui -# -# system-config-kdump policy -# -kdumpgui = module - -# Layer: admin -# Module: kdump -# -# kdump is kernel crash dumping mechanism -# -kdump = module - -# Layer: services -# Module: kerberos -# -# MIT Kerberos admin and KDC -# -kerberos = module - -# Layer: services -# Module: keepalived -# -# keepalived - load-balancing and high-availability service -# -keepalived = module - -# Module: keyboardd -# -# system-setup-keyboard is a keyboard layout daemon that monitors -# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet -# -keyboardd = module - -# Layer: services -# Module: keystone -# -# openstack-keystone -# -keystone = module - -# Layer: services -# Module: kismet -# -# Wireless sniffing and monitoring -# -kismet = module - -# Layer: services -# Module: ksmtuned -# -# Kernel Samepage Merging (KSM) Tuning Daemon -# -ksmtuned = module - -# Layer: services -# Module: ktalk -# -# KDE Talk daemon -# -ktalk = module - -# Layer: services -# Module: l2ltpd -# -# Layer 2 Tunnelling Protocol Daemon -# -l2tp = module - -# Layer: services -# Module: ldap -# -# OpenLDAP directory server -# -ldap = module - -# Layer: services -# Module: likewise -# -# Likewise Active Directory support for UNIX -# -likewise = module - -# Layer: apps -# Module: livecd -# -# livecd creator -# -livecd = module - -# Layer: services -# Module: lldpad -# -# lldpad - 
Link Layer Discovery Protocol (LLDP) agent daemon -# -lldpad = module - -# Layer: apps -# Module: loadkeys -# -# Load keyboard mappings. -# -loadkeys = module - -# Layer: apps -# Module: lockdev -# -# device locking policy for lockdev -# -lockdev = module - -# Layer: admin -# Module: logrotate -# -# Rotate and archive system logs -# -logrotate = module - -# Layer: services -# Module: logwatch -# -# logwatch executable -# -logwatch = module - -# Layer: services -# Module: lpd -# -# Line printer daemon -# -lpd = module - -# Layer: services -# Module: mailman -# -# Mailman is for managing electronic mail discussion and e-newsletter lists -# -mailman = module - -# Layer: services -# Module: mailman -# -# Policy for mailscanner -# -mailscanner = module - -# Layer: apps -# Module: man2html -# -# policy for man2html apps -# -man2html = module - -# Layer: admin -# Module: mcelog -# -# Policy for mcelog. -# -mcelog = module - -# Layer: apps -# Module: mediawiki -# -# mediawiki -# -mediawiki = module - -# Layer: services -# Module: memcached -# -# high-performance memory object caching system -# -memcached = module - -# Layer: services -# Module: milter -# -# -# -milter = module - -# Layer: services -# Module: mip6d -# -# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation -# -mip6d = module - -# Layer: services -# Module: mock -# -# Policy for mock rpm builder -# -mock = module - -# Layer: services -# Module: modemmanager -# -# Manager for dynamically switching between modems. 
-# -modemmanager = module - -# Layer: services -# Module: mojomojo -# -# Wiki server -# -mojomojo = module - -# Layer: apps -# Module: mozilla -# -# Policy for Mozilla and related web browsers -# -mozilla = module - -# Layer: services -# Module: mpd -# -# mpd - daemon for playing music -# -mpd = module - -# Layer: apps -# Module: mplayer -# -# Policy for Mozilla and related web browsers -# -mplayer = module - -# Layer: admin -# Module: mrtg -# -# Network traffic graphing -# -mrtg = module - -# Layer: services -# Module: mta -# -# Policy common to all email tranfer agents. -# -mta = module - -# Layer: services -# Module: munin -# -# Munin -# -munin = module - -# Layer: services -# Module: mysql -# -# Policy for MySQL -# -mysql = module - -# Layer: contrib -# Module: mythtv -# -# Policy for Mythtv (Web Server) -# -mythtv = module - -# Layer: services -# Module: nagios -# -# policy for nagios Host/service/network monitoring program -# -nagios = module - -# Layer: apps -# Module: namespace -# -# policy for namespace.init script -# -namespace = module - -# Layer: admin -# Module: ncftool -# -# Tool to modify the network configuration of a system -# -ncftool = module - -# Layer: services -# Module: networkmanager -# -# Manager for dynamically switching between networks. 
-# -networkmanager = module - -# Layer: services -# Module: ninfod -# -# Respond to IPv6 Node Information Queries -# -ninfod = module - -# Layer: services -# Module: nis -# -# Policy for NIS (YP) servers and clients -# -nis = module - -# Layer: services -# Module: nova -# -# openstack-nova -# -nova = module - -# Layer: services -# Module: nscd -# -# Name service cache daemon -# -nscd = module - -# Layer: services -# Module: nslcd -# -# Policy for nslcd -# -nslcd = module - -# Layer: services -# Module: ntop -# -# Policy for ntop -# -ntop = module - -# Layer: services -# Module: ntp -# -# Network time protocol daemon -# -ntp = module - -# Layer: services -# Module: numad -# -# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology -# -numad = module - -# Layer: services -# Module: nut -# -# nut - Network UPS Tools -# -nut = module - -# Layer: services -# Module: nx -# -# NX Remote Desktop -# -nx = module - -# Layer: services -# Module: obex -# -# policy for obex-data-server -# -obex = module - -# Layer: services -# Module: oddjob -# -# policy for oddjob -# -oddjob = module - -# Layer: services -# Module: openct -# -# Service for handling smart card readers. 
-# -openct = off - -# Layer: service -# Module: openct -# -# Middleware framework for smart card terminals -# -openct = module - -# Layer: contrib -# Module: openshift-origin -# -# Origin version of openshift policy -# -openshift-origin = module -# Layer: contrib -# Module: openshift -# -# Core openshift policy -# -openshift = module - -# Layer: services -# Module: opensm -# -# InfiniBand subnet manager and administration (SM/SA) -# -opensm = module - -# Layer: services -# Module: openvpn -# -# Policy for OPENVPN full-featured SSL VPN solution -# -openvpn = module - -# Layer: contrib -# Module: openvswitch -# -# SELinux policy for openvswitch programs -# -openvswitch = module - -# Layer: services -# Module: openwsman -# -# WS-Management Server -# -openwsman = module - -# Layer: services -# Module: osad -# -# Client-side service written in Python that responds to pings -# -osad = module - -# Layer: contrib -# Module: prelude -# -# SELinux policy for prelude -# -prelude = module - -# Layer: contrib -# Module: prosody -# -# SELinux policy for prosody flexible communications server for Jabber/XMPP -# -prosody = module - -# Layer: services -# Module: pads -# -pads = module - -# Layer: services -# Module: passenger -# -# Passenger -# -passenger = module - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = module - -# Layer: service -# Module: pcscd -# -# PC/SC Smart Card Daemon -# -pcscd = module - -# Layer: services -# Module: pdns -# -# PowerDNS DNS server -# -pdns = module - -# Layer: services -# Module: pegasus -# -# The Open Group Pegasus CIM/WBEM Server. 
-# -pegasus = module - -# Layer: services -# Module: pingd -# -# -pingd = module - -# Layer: services -# Module: piranha -# -# piranha - various tools to administer and configure the Linux Virtual Server -# -piranha = module - -# Layer: contrib -# Module: pkcs -# -# daemon manages PKCS#11 objects between PKCS#11-enabled applications -# -pkcs = module - -# Layer: services -# Module: plymouthd -# -# Plymouth -# -plymouthd = module - -# Layer: apps -# Module: podsleuth -# -# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. -# -podsleuth = module - -# Layer: services -# Module: policykit -# -# Hardware abstraction layer -# -policykit = module - -# Layer: services -# Module: polipo -# -# polipo -# -polipo = module - -# Layer: services -# Module: portmap -# -# RPC port mapping service. -# -portmap = module - -# Layer: services -# Module: portreserve -# -# reserve ports to prevent portmap mapping them -# -portreserve = module - -# Layer: services -# Module: postfix -# -# Postfix email server -# -postfix = module - -# Layer: services -# Module: postgrey -# -# email scanner -# -postgrey = module - -# Layer: services -# Module: ppp -# -# Point to Point Protocol daemon creates links in ppp networks -# -ppp = module - -# Layer: admin -# Module: prelink -# -# Manage temporary directory sizes and file ages -# -prelink = module - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. 
-# -privoxy = module - -# Layer: services -# Module: procmail -# -# Procmail mail delivery agent -# -procmail = module - -# Layer: services -# Module: psad -# -# Analyze iptables log for hostile traffic -# -psad = module - -# Layer: apps -# Module: ptchown -# -# helper function for grantpt(3), changes ownship and permissions of pseudotty -# -ptchown = module - -# Layer: services -# Module: publicfile -# -# publicfile supplies files to the public through HTTP and FTP -# -publicfile = module - -# Layer: apps -# Module: pulseaudio -# -# The PulseAudio Sound System -# -pulseaudio = module - -# Layer: services -# Module: puppet -# -# A network tool for managing many disparate systems -# -puppet = module - -# Layer: apps -# Module: pwauth -# -# External plugin for mod_authnz_external authenticator -# -pwauth = module - -# Layer: services -# Module: qmail -# -# Policy for qmail -# -qmail = module - -# Layer: services -# Module: qpidd -# -# Policy for qpidd -# -qpid = module - -# Layer: services -# Module: quantum -# -# Quantum is a virtual network service for Openstack -# -quantum = module - -# Layer: admin -# Module: quota -# -# File system quota management -# -quota = module - -# Layer: services -# Module: rabbitmq -# -# rabbitmq daemons -# -rabbitmq = module - -# Layer: services -# Module: radius -# -# RADIUS authentication and accounting server. 
-# -radius = module - -# Layer: services -# Module: radvd -# -# IPv6 router advertisement daemon -# -radvd = module - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = module - -# Layer: services -# Module: rasdaemon -# -# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing -# -rasdaemon = module - -# Layer: services -# Module: rdisc -# -# Network router discovery daemon -# -rdisc = module - -# Layer: admin -# Module: readahead -# -# Readahead, read files into page cache for improved performance -# -readahead = module - -# Layer: contrib -# Module: stapserver -# -# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA -# -realmd = module - -# Layer: services -# Module: remotelogin -# -# Policy for rshd, rlogind, and telnetd. -# -remotelogin = module - -# Layer: services -# Module: rhcs -# -# RHCS - Red Hat Cluster Suite -# -rhcs = module - -# Layer: services -# Module: rhev -# -# rhev policy module contains policies for rhev apps -# -rhev = module - -# Layer: services -# Module: rhgb -# -# X windows login display manager -# -rhgb = module - -# Layer: services -# Module: rhsmcertd -# -# Subscription Management Certificate Daemon policy -# -rhsmcertd = module - -# Layer: services -# Module: ricci -# -# policy for ricci -# -ricci = module - -# Layer: services -# Module: rlogin -# -# Remote login daemon -# -rlogin = module - -# Layer: services -# Module: roundup -# -# Roundup Issue Tracking System policy -# -roundup = module - -# Layer: services -# Module: rpcbind -# -# universal addresses to RPC program number mapper -# -rpcbind = module - -# Layer: services -# Module: rpc -# -# Remote Procedure Call Daemon for managment of network based process communication -# -rpc = module - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = module - -# Layer: services -# Module: rshd -# -# Remote shell service. 
-# -rshd = module - -# Layer: apps -# Module: rssh -# -# Restricted (scp/sftp) only shell -# -rssh = module - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization -# -rsync = module - -# Layer: services -# Module: rtkit -# -# Real Time Kit Daemon -# -rtkit = module - -# Layer: services -# Module: rwho -# -# who is logged in on local machines -# -rwho = module - -# Layer: apps -# Module: sambagui -# -# policy for system-config-samba -# -sambagui = module - -# -# SMB and CIFS client/server programs for UNIX and -# name Service Switch daemon for resolving names -# from Windows NT servers. -# -samba = module - -# Layer: apps -# Module: sandbox -# -# Policy for running apps within a sandbox -# -sandbox = module - -# Layer: apps -# Module: sandbox -# -# Policy for running apps within a X sandbox -# -sandboxX = module - -# Layer: services -# Module: sanlock -# -# sanlock policy -# -sanlock = module - -# Layer: services -# Module: sasl -# -# SASL authentication server -# -sasl = module - -# Layer: services -# Module: sblim -# -# sblim -# -sblim = module - -# Layer: apps -# Module: screen -# -# GNU terminal multiplexer -# -screen = module - -# Layer: admin -# Module: sectoolm -# -# Policy for sectool-mechanism -# -sectoolm = module - -# Layer: services -# Module: sendmail -# -# Policy for sendmail. 
-# -sendmail = module - -# Layer: contrib -# Module: sensord -# -# Sensor information logging daemon -# -sensord = module - -# Layer: services -# Module: setroubleshoot -# -# Policy for the SELinux troubleshooting utility -# -setroubleshoot = module - -# Layer: services -# Module: sge -# -# policy for grindengine MPI jobs -# -sge = module - -# Layer: admin -# Module: shorewall -# -# Policy for shorewall -# -shorewall = module - -# Layer: apps -# Module: slocate -# -# Update database for mlocate -# -slocate = module - -# Layer: contrib -# Module: slpd -# -# OpenSLP server daemon to dynamically register services -# -slpd = module - -# Layer: services -# Module: slrnpull -# -# Service for downloading news feeds the slrn newsreader. -# -slrnpull = off - -# Layer: services -# Module: smartmon -# -# Smart disk monitoring daemon policy -# -smartmon = module - -# Layer: services -# Module: smokeping -# -# Latency Logging and Graphing System -# -smokeping = module - -# Layer: admin -# Module: smoltclient -# -#The Fedora hardware profiler client -# -smoltclient = module - -# Layer: services -# Module: snmp -# -# Simple network management protocol services -# -snmp = module - -# Layer: services -# Module: snort -# -# Snort network intrusion detection system -# -snort = module - -# Layer: admin -# Module: sosreport -# -# sosreport debuggin information generator -# -sosreport = module - -# Layer: services -# Module: soundserver -# -# sound server for network audio server programs, nasd, yiff, etc -# -soundserver = module - -# Layer: services -# Module: spamassassin -# -# Filter used for removing unsolicited email. 
-# -spamassassin = module - -# Layer: services -# Module: speech-dispatcher -# -# speech-dispatcher - server process managing speech requests in Speech Dispatcher -# -speech-dispatcher = module - -# Layer: services -# Module: squid -# -# Squid caching http proxy server -# -squid = module - -# Layer: services -# Module: sssd -# -# System Security Services Daemon -# -sssd = module - -# Layer: services -# Module: sslh -# -# Applicative protocol(SSL/SSH) multiplexer -# -sslh = module - -# Layer: contrib -# Module: stapserver -# -# Instrumentation System Server -# -stapserver = module - -# Layer: services -# Module: stunnel -# -# SSL Tunneling Proxy -# -stunnel = module - -# Layer: services -# Module: svnserve -# -# policy for subversion service -# -svnserve = module - -# Layer: services -# Module: swift -# -# openstack-swift -# -swift = module - -# Layer: services -# Module: sysstat -# -# Policy for sysstat. Reports on various system states -# -sysstat = module - -# Layer: services -# Module: tcpd -# -# Policy for TCP daemon. -# -tcpd = module - -# Layer: services -# Module: tcsd -# -# tcsd - daemon that manages Trusted Computing resources -# -tcsd = module - -# Layer: apps -# Module: telepathy -# -# telepathy - Policy for Telepathy framework -# -telepathy = module - -# Layer: services -# Module: telnet -# -# Telnet daemon -# -telnet = module - -# Layer: services -# Module: tftp -# -# Trivial file transfer protocol daemon -# -tftp = module - -# Layer: services -# Module: tgtd -# -# Linux Target Framework Daemon. 
-# -tgtd = module - -# Layer: apps -# Module: thumb -# -# Thumbnailer confinement -# -thumb = module - -# Layer: services -# Module: timidity -# -# MIDI to WAV converter and player configured as a service -# -timidity = off - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages -# -tmpreaper = module - -# Layer: contrib -# Module: glusterd -# -# policy for tomcat service -# -tomcat = module -# Layer: services -# Module: tor -# -# TOR, the onion router -# -tor = module - -# Layer: services -# Module: tuned -# -# Dynamic adaptive system tuning daemon -# -tuned = module - -# Layer: apps -# Module: tvtime -# -# tvtime - a high quality television application -# -tvtime = module - -# Layer: services -# Module: ulogd -# -# netfilter/iptables ULOG daemon -# -ulogd = module - -# Layer: apps -# Module: uml -# -# Policy for UML -# -uml = module - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change /etc/fstab. -# -updfstab = module - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices -# -usbmodules = module - -# Layer: services -# Module: usbmuxd -# -# Daemon for communicating with Apple's iPod Touch and iPhone -# -usbmuxd = module - -# Layer: apps -# Module: userhelper -# -# A helper interface to pam. -# -userhelper = module - -# Layer: apps -# Module: usernetctl -# -# User network interface configuration helper -# -usernetctl = module - -# Layer: services -# Module: uucp -# -# Unix to Unix Copy -# -uucp = module - -# Layer: services -# Module: uuidd -# -# UUID generation daemon -# -uuidd = module - -# Layer: services -# Module: varnishd -# -# Varnishd http accelerator daemon -# -varnishd = module - -# Layer: services -# Module: vdagent -# -# vdagent -# -vdagent = module - -# Layer: services -# Module: vhostmd -# -# vhostmd - spice guest agent daemon. 
-# -vhostmd = module - -# Layer: services -# Module: virt -# -# Virtualization libraries -# -virt = module - -# Layer: apps -# Module: vhostmd -# -# vlock - Virtual Console lock program -# -vlock = module - -# Layer: services -# Module: vmtools -# -# VMware Tools daemon -# -vmtools = module - -# Layer: apps -# Module: vmware -# -# VMWare Workstation virtual machines -# -vmware = module - -# Layer: services -# Module: vnstatd -# -# Network traffic Monitor -# -vnstatd = module - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client -# -vpn = module - -# Layer: services -# Module: w3c -# -# w3c -# -w3c = module - -# Layer: services -# Module: wdmd -# -# wdmd policy -# -wdmd = module - -# Layer: role -# Module: webadm -# -# Minimally prived root role for managing apache -# -webadm = module - -# Layer: apps -# Module: webalizer -# -# Web server log analysis -# -webalizer = module - -# Layer: apps -# Module: wine -# -# wine executable -# -wine = module - -# Layer: apps -# Module: wireshark -# -# wireshark executable -# -wireshark = module - -# Layer: system -# Module: xen -# -# virtualization software -# -xen = module - -# Layer: services -# Module: zabbix -# -# Open-source monitoring solution for your IT infrastructure -# -zabbix = module - -# Layer: services -# Module: zarafa -# -# Zarafa Collaboration Platform -# -zarafa = module - -# Layer: services -# Module: zebra -# -# Zebra border gateway protocol network routing service -# -zebra = module - -# Layer: services -# Module: zoneminder -# -# Zoneminder Camera Security Surveillance Solution -# -zoneminder = module - -# Layer: services -# Module: zosremote -# -# policy for z/OS Remote-services Audit dispatcher plugin -# -zosremote = module - -# Layer: contrib -# Module: thin -# -# Policy for thin -# -thin = module - -# Layer: contrib -# Module: mandb -# -# Policy for mandb -# -mandb = module - -# Layer: services -# Module: pki -# -# policy for pki -# -pki = module - -# Layer: services -# Module: smsd 
-# -# policy for smsd -# -smsd = module - -# Layer: contrib -# Module: pesign -# -# policy for pesign -# -pesign = module - -# Layer: contrib -# Module: nsd -# -# Fast and lean authoritative DNS Name Server -# -nsd = module - -# Layer: contrib -# Module: iodine -# -# Fast and lean authoritative DNS Name Server -# -iodine = module - -# Layer: contrib -# Module: openhpid -# -# OpenHPI daemon runs as a background process and accepts connecti -# -openhpid = module - -# Layer: contrib -# Module: watchdog -# -# Watchdog policy -# -watchdog = module - -# Layer: contrib -# Module: oracleasm -# -# oracleasm policy -# -oracleasm = module - -# Layer: contrib -# Module: redis -# -# redis policy -# -redis = module - -# Layer: contrib -# Module: hypervkvp -# -# hypervkvp policy -# -hypervkvp = module - -# Layer: contrib -# Module: lsm -# -# lsm policy -# -lsm = module - -# Layer: contrib -# Module: motion -# -# Daemon for detect motion using a video4linux device -motion = module - -# Layer: contrib -# Module: rtas -# -# rtas policy -# -rtas = module - -# Layer: contrib -# Module: journalctl -# -# journalctl policy -# -journalctl = module - -# Layer: contrib -# Module: gdomap -# -# gdomap policy -# -gdomap = module - -# Layer: contrib -# Module: minidlna -# -# minidlna policy -# -minidlna = module - -# Layer: contrib -# Module: minissdpd -# -# minissdpd policy -# -minissdpd = module - -# Layer: contrib -# Module: freeipmi -# -# Remote-Console (out-of-band) and System Management Software (in-band) -# based on IntelligentPlatform Management Interface specification -# -freeipmi = module - -# Layer: contrib -# Module: mirrormanager -# -# mirrormanager policy -# -mirrormanager = module - -# Layer: contrib -# Module: snapper -# -# snapper policy -# -snapper = module - -# Layer: contrib -# Module: pcp -# -# pcp policy -# -pcp = module - -# Layer: contrib -# Module: geoclue -# -# Add policy for Geoclue. 
Geoclue is a D-Bus service that provides location information -# -geoclue = module - -# Layer: contrib -# Module: rkhunter -# -# rkhunter policy for /var/lib/rkhunter -# -rkhunter = module - -# Layer: contrib -# Module: bacula -# -# bacula policy -# -bacula = module - -# Layer: contrib -# Module: rhnsd -# -# rhnsd policy -# -rhnsd = module - -# Layer: contrib -# Module: mongodb -# -# mongodb policy -# - -mongodb = module - -# Layer: contrib -# Module: iotop -# -# iotop policy -# - -iotop = module - -# Layer: contrib -# Module: kmscon -# -# kmscon policy -# - -kmscon = module - -# Layer: contrib -# Module: naemon -# -# naemon policy -# -naemon = module - -# Layer: contrib -# Module: brltty -# -# brltty policy -# -brltty = module - -# Layer: contrib -# Module: cpuplug -# -# cpuplug policy -# -cpuplug = module - -# Layer: contrib -# Module: mon_statd -# -# mon_statd policy -# -mon_statd = module - -# Layer: contrib -# Module: cinder -# -# openstack-cinder policy -# -cinder = module - -# Layer: contrib -# Module: linuxptp -# -# linuxptp policy -# -linuxptp = module - -# Layer: contrib -# Module: rolekit -# -# rolekit policy -# -rolekit = module - -# Layer: contrib -# Module: targetd -# -# targetd policy -# -targetd = module - -# Layer: contrib -# Module: hsqldb -# -# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. -# -hsqldb = module - -# Layer: contrib -# Module: blkmapd -# -# The blkmapd daemon performs device discovery and mapping for pNFS block layout client. -# -blkmapd = module - -# Layer: contrib -# Module: pkcs11proxyd -# -# pkcs11proxyd policy -# -pkcs11proxyd = module - -# Layer: contrib -# Module: ipmievd -# -# IPMI event daemon for sending events to syslog -# -ipmievd = module - -# Layer: contrib -# Module: openfortivpn -# -# Fortinet compatible SSL VPN daemons. 
-# -openfortivpn = module - -# Layer: contrib -# Module: fwupd -# -# fwupd is a daemon to allow session software to update device firmware. -# -fwupd = module - -# Layer: contrib -# Module: lttng-tools -# -# LTTng 2.x central tracing registry session daemon. -# -lttng-tools = module - -# Layer: contrib -# Module: rkt -# -# CLI for running app containers -# -rkt = module - -# Layer: contrib -# Module: opendnssec -# -# opendnssec -# -opendnssec = module - -# Layer: contrib -# Module: hwloc -# -# hwloc -# -hwloc = module - -# Layer: contrib -# Module: sbd -# -# sbd -# -sbd = module - -# Layer: contrib -# Module: tlp -# -# tlp -# -tlp = module - -# Layer: contrib -# Module: conntrackd -# -# conntrackd -# -conntrackd = module - -# Layer: contrib -# Module: tangd -# -# tangd -# -tangd = module - -# Layer: contrib -# Module: ibacm -# -# ibacm -# -ibacm = module - -# Layer: contrib -# Module: opafm -# -# opafm -# -opafm = module - -# Layer: contrib -# Module: boltd -# -# boltd -# -boltd = module - -# Layer: contrib -# Module: kpatch -# -# kpatch -# -kpatch = module - -# Layer: contrib -# Module: timedatex -# -# timedatex -# -timedatex = module - -# Layer: contrib -# Module: rrdcached -# -# rrdcached -# -rrdcached = module - -# Layer: contrib -# Module: stratisd -# -# stratisd -# -stratisd = module - -# Layer: contrib -# Module: ica -# -# ica -# -ica = module - -# Layer: contrib -# Module: fedoratp -# -# fedoratp -# -fedoratp = module - -# Layer: contrib -# Module: insights_client -# -# insights_client -# -insights_client = module - -# Layer: contrib -# Module: stalld -# -# stalld -# -stalld = module - -# Layer: contrib -# Module: rhcd -# -# rhcd -# -rhcd = module - -# Layer: contrib -# Module: wireguard -# -# wireguard -# -wireguard = module - -# Layer: contrib -# Module: mptcpd -# -# mptcpd -# -mptcpd = module - -# Layer: contrib -# Module: rshim -# -# rshim -# -rshim = module - -# Layer: contrib -# Module: keyutils -# -# keyutils -# -keyutils = module - -# Layer: contrib 
-# Module: cifsutils
-#
-# cifsutils - Utilities for managing CIFS mounts
-#
-cifsutils = module
-
-# Layer: contrib
-# Module: boothd
-#
-# boothd - Booth cluster ticket manager
-#
-boothd = module
-
-# Layer: contrib
-# Module: kafs
-#
-# kafs - Tools for kAFS
-#
-kafs = module
-
-# Layer: contrib
-# Module: bootupd
-#
-# bootupd - bootloader update daemon
-#
-bootupd = module
-
-# Layer: contrib
-# Module: fdo
-#
-# fdo - fido device onboard protocol for IoT devices
-#
-fdo = module
-
-# Layer: contrib
-# Module: qatlib
-#
-# qatlib - Intel QuickAssist technology library and resources management
-#
-qatlib = module
-
-# Layer: services
-# Module: virt_supplementary
-#
-# non-libvirt virtualization libraries
-#
-virt_supplementary = module
-
-# Layer: contrib
-# Module: nvme_stas
-#
-# nvme_stas
-#
-nvme_stas = module
-
-# Layer: contrib
-# Module: coreos_installer
-#
-# coreos_installer
-#
-coreos_installer = module
-
-# Layer: contrib
-# Module: afterburn
-#
-# afterburn
-#
-afterburn = module
-
-# Layer: contrib
-# Module: iiosensorproxy
-#
-# Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy
-#
-iiosensorproxy = module
-
-# Layer: contrib
-# Module: pcm
-#
-# Policy for pcm - Intel(r) Performance Counter Monitor
-#
-#
-pcm = module
diff --git a/SOURCES/permissivedomains.cil b/SOURCES/permissivedomains.cil
deleted file mode 100644
index 400bcf6..0000000
--- a/SOURCES/permissivedomains.cil
+++ /dev/null
@@ -1,2 +0,0 @@
-(roleattributeset cil_gen_require system_r)
-
diff --git a/SOURCES/rpm.macros b/SOURCES/rpm.macros
index 6661955..c5c7377 100644
--- a/SOURCES/rpm.macros
+++ b/SOURCES/rpm.macros
@@ -55,9 +55,9 @@ if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
- %{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
- %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
- %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+ rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
+ semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
+ selinuxenabled && load_policy || : \
 %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
 fi \
 %{nil}
@@ -73,9 +73,9 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ $1 -eq 0 ]; then \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
- %{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
- %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
- %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+ rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
+ semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
+ selinuxenabled && load_policy || : \
 %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
 fi \
 fi \
@@ -83,7 +83,7 @@ fi \
 
 # %selinux_relabel_pre [-s ]
 %selinux_relabel_pre("s:") \
-if %{_sbindir}/selinuxenabled; then \
+if selinuxenabled; then \
 if [ -e /etc/selinux/config ]; then \
 . /etc/selinux/config \
 fi \
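Review bot: These scriptlets now depend on whatever PATH rpm exports to %post/%postun, because the changed lines here and in the hunks at @@ -73, @@ -83, @@ -107, @@ -125, @@ -138 and @@ -177 look up `rm`, `semodule`, `selinuxenabled`, `load_policy`, `fixfiles` and `semanage` by bare name instead of through `%{_bindir}`/`%{_sbindir}`. As far as I recall rpm sets that PATH from `%{_install_script_path}` (`/sbin:/bin:/usr/sbin:/usr/bin` by default), so normal installs are fine, but these macros are expanded into other packages' scriptlets and the assumption is invisible there, and a "command not found" is swallowed by the `|| :` on each line exactly like a real failure would be. I would record it once in the `#` header comment above the macro definitions (outside the hunk), e.g. `# commands are resolved via PATH as exported by rpm (%%{_install_script_path}); failures are deliberately ignored`. The hunk also leaves `%{_libexecdir}/selinux/varrun-convert.sh` absolute, which is reasonable for a private helper, but saying so in the same comment keeps the next contributor from "fixing" the mix either way.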
@@ -107,9 +107,9 @@ _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
 fi \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
 if [ -f %{_file_context_file_pre} ]; then \
- %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
+ fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
 rm -f %{_file_context_file_pre} \
 fi \
 fi \
@@ -125,9 +125,9 @@ if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
 fi \
 if [ -d "%{_selinux_store_policy_path}" ]; then \
- LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
+ LOCAL_MODIFICATIONS=$(semanage boolean -E) \
 if [ ! -f %_file_custom_defined_booleans ]; then \
- /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
+ echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
 fi \
 semanage_import='' \
 for boolean in %*; do \
@@ -138,20 +138,20 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \
 semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
 boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
 if [ -n "$boolean_customized_string" ]; then \
- /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+ echo $boolean_customized_string >> %_file_custom_defined_booleans \
 else \
- /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+ echo $boolean_local_string >> %_file_custom_defined_booleans \
 fi \
 else \
 semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
- boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
- /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+ boolean_default_value=$(LC_ALL=C semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+ echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
 fi \
 done; \
- if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
- /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+ if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ echo -e "$semanage_import" | semanage import -S "${_policytype}" \
 elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
- /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+ echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
 fi \
 fi \
 %{nil}
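Review bot: `echo -e "$semanage_import"` on the two `+` lines near the end of this hunk (and the matching pair in the @@ -177 hunk) now runs the shell builtin rather than `/bin/echo`, and `-e` is not a portable builtin option: POSIX `echo` defines no options and bash's builtin ignores `-e` once `xpg_echo` is set, whereas coreutils `/bin/echo` always honoured it. It works where rpm's `/bin/sh` is bash, but the `\\n` separators written into `semanage_import` earlier in this hunk only become newlines if that escape processing happens, so a shell that differs would silently hand `semanage import` a single line. `printf '%%b\\n' "$semanage_import" | semanage import -S "${_policytype}"` expresses the expansion portably (doubled `%%` and `\\` because this file is macro-expanded before it reaches the shell); the `-N` variant two lines below would change the same way. Separately, the unchanged context `elif test -d /usr/share/selinux/"${_policytype}"/base.lst` tests a `.lst` path with `-d`; that predates this commit, but it looks like it was meant to be `-f` and is worth confirming while these lines are being touched.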
@@ -177,10 +177,10 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \
 fi \
 fi \
 done; \
- if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
- /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+ if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ echo -e "$semanage_import" | semanage import -S "${_policytype}" \
 elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
- /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+ echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
 fi \
 fi \
 %{nil}
diff --git a/SOURCES/securetty_types-minimum b/SOURCES/securetty_types-minimum
deleted file mode 100644
index 7055096..0000000
--- a/SOURCES/securetty_types-minimum
+++ /dev/null
@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
diff --git a/SOURCES/securetty_types-mls b/SOURCES/securetty_types-mls
deleted file mode 100644
index 89bf54d..0000000
--- a/SOURCES/securetty_types-mls
+++ /dev/null
@@ -1,6 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
-auditadm_tty_device_t
-secureadm_tty_device_t
diff --git a/SOURCES/securetty_types-targeted b/SOURCES/securetty_types-targeted
deleted file mode 100644
index 7055096..0000000
--- a/SOURCES/securetty_types-targeted
+++ /dev/null
@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
diff --git a/SOURCES/selinux-policy-mls.conf b/SOURCES/selinux-policy-mls.conf
new file mode 100644
index 0000000..0a16d05
--- /dev/null
+++ b/SOURCES/selinux-policy-mls.conf
@@ -0,0 +1 @@
+selinux-policy-mls
diff --git a/SOURCES/selinux-policy-targeted.conf b/SOURCES/selinux-policy-targeted.conf
new file mode 100644
index 0000000..9c87c40
--- /dev/null
+++ b/SOURCES/selinux-policy-targeted.conf
@@ -0,0 +1 @@
+selinux-policy-targeted
diff --git a/SOURCES/setrans-minimum.conf b/SOURCES/setrans-minimum.conf
deleted file mode 100644
index 09a6ce3..0000000
--- a/SOURCES/setrans-minimum.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023. Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh
diff --git a/SOURCES/setrans-mls.conf b/SOURCES/setrans-mls.conf
deleted file mode 100644
index eb181d2..0000000
--- a/SOURCES/setrans-mls.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Multi-Level Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be labeled with one of 16 levels and be categorized with 0-1023
-# categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Users can modify this table to translate the MLS labels for different purpose.
-#
-# Assumptions: using below MLS labels.
-# SystemLow
-# SystemHigh
-# Unclassified
-# Secret with compartments A and B.
-#
-# SystemLow and SystemHigh
-s0=SystemLow
-s15:c0.c1023=SystemHigh
-s0-s15:c0.c1023=SystemLow-SystemHigh
-
-# Unclassified level
-s1=Unclassified
-
-# Secret level with compartments
-s2=Secret
-s2:c0=A
-s2:c1=B
-
-# ranges for Unclassified
-s0-s1=SystemLow-Unclassified
-s1-s2=Unclassified-Secret
-s1-s15:c0.c1023=Unclassified-SystemHigh
-
-# ranges for Secret with compartments
-s0-s2=SystemLow-Secret
-s0-s2:c0=SystemLow-Secret:A
-s0-s2:c1=SystemLow-Secret:B
-s0-s2:c0,c1=SystemLow-Secret:AB
-s1-s2:c0=Unclassified-Secret:A
-s1-s2:c1=Unclassified-Secret:B
-s1-s2:c0,c1=Unclassified-Secret:AB
-s2-s2:c0=Secret-Secret:A
-s2-s2:c1=Secret-Secret:B
-s2-s2:c0,c1=Secret-Secret:AB
-s2-s15:c0.c1023=Secret-SystemHigh
-s2:c0-s2:c0,c1=Secret:A-Secret:AB
-s2:c0-s15:c0.c1023=Secret:A-SystemHigh
-s2:c1-s2:c0,c1=Secret:B-Secret:AB
-s2:c1-s15:c0.c1023=Secret:B-SystemHigh
-s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
diff --git a/SOURCES/setrans-targeted.conf b/SOURCES/setrans-targeted.conf
deleted file mode 100644
index 09a6ce3..0000000
--- a/SOURCES/setrans-targeted.conf
+++ /dev/null
@@ -1,19 +0,0 @@ -# -# Multi-Category Security translation table for SELinux -# -# Uncomment the following to disable translation libary -# disable=1 -# -# Objects can be categorized with 0-1023 categories defined by the admin. -# Objects can be in more than one category at a time. -# Categories are stored in the system as c0-c1023. Users can use this -# table to translate the categories into a more meaningful output. -# Examples: -# s0:c0=CompanyConfidential -# s0:c1=PatientRecord -# s0:c2=Unclassified -# s0:c3=TopSecret -# s0:c1,c3=CompanyConfidentialRedHat -s0=SystemLow -s0-s0:c0.c1023=SystemLow-SystemHigh -s0:c0.c1023=SystemHigh diff --git a/SOURCES/users-minimum b/SOURCES/users-minimum deleted file mode 100644 index 66af860..0000000 --- a/SOURCES/users-minimum +++ /dev/null 
@@ -1,39 +0,0 @@ -################################## -# -# Core User configuration. -# - -# -# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) -# -# Note: Identities without a prefix wil not be listed -# in the users_extra file used by genhomedircon. - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# -gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# user_u is a generic user identity for Linux users who have no -# SELinux user identity defined. The modified daemons will use -# this user identity in the security context if there is no matching -# SELinux user identity for a Linux user. If you do not want to -# permit any access to such users, then remove this entry. -# -gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# The following users correspond to Unix identities. -# These identities are typically assigned as the user attribute -# when login starts the user shell. Users with access to the sysadm_r -# role should use the staff_r role instead of the user_r role when -# not in the sysadm_r. -# -gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/SOURCES/users-mls b/SOURCES/users-mls deleted file mode 100644 index 8fad9ea..0000000 --- a/SOURCES/users-mls +++ /dev/null 
@@ -1,40 +0,0 @@ -################################## -# -# Core User configuration. -# - -# -# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) -# -# Note: Identities without a prefix wil not be listed -# in the users_extra file used by genhomedircon. - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# user_u is a generic user identity for Linux users who have no -# SELinux user identity defined. The modified daemons will use -# this user identity in the security context if there is no matching -# SELinux user identity for a Linux user. If you do not want to -# permit any access to such users, then remove this entry. -# -gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# The following users correspond to Unix identities. -# These identities are typically assigned as the user attribute -# when login starts the user shell. Users with access to the sysadm_r -# role should use the staff_r role instead of the user_r role when -# not in the sysadm_r. -# -gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(guest_u, user, guest_r, s0, s0) -gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/SOURCES/users-targeted b/SOURCES/users-targeted deleted file mode 100644 index a875306..0000000 --- a/SOURCES/users-targeted +++ /dev/null 
@@ -1,41 +0,0 @@ -################################## -# -# Core User configuration. -# - -# -# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) -# -# Note: Identities without a prefix wil not be listed -# in the users_extra file used by genhomedircon. - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# -gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# user_u is a generic user identity for Linux users who have no -# SELinux user identity defined. The modified daemons will use -# this user identity in the security context if there is no matching -# SELinux user identity for a Linux user. If you do not want to -# permit any access to such users, then remove this entry. -# -gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# The following users correspond to Unix identities. -# These identities are typically assigned as the user attribute -# when login starts the user shell. Users with access to the sysadm_r -# role should use the staff_r role instead of the user_r role when -# not in the sysadm_r. -# -gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(guest_u, user, guest_r, s0, s0) -gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/SOURCES/varrun-convert.sh b/SOURCES/varrun-convert.sh index 5dbd0d6..bdf6f99 100755 --- a/SOURCES/varrun-convert.sh +++ b/SOURCES/varrun-convert.sh 
@@ -1,15 +1,16 @@
-#!/bin/bash
+#!/usr/bin/bash
 ### varrun-convert.sh
 ### convert legacy filecontext entries containing /var/run to /run
 ### and load an extra selinux module with the new content
 ### the script takes a policy name as an argument
 # Set DEBUG=yes before running the script to get more verbose output
+# on the terminal and to the $LOG file
 if [ "${DEBUG}" = "yes" ]; then
 set -x
 fi
-# Look for working files and log in OUTPUTDIR
+# Auxiliary and log files will be created in OUTPUTDIR
 OUTPUTDIR="/run/selinux-policy"
 LOG="$OUTPUTDIR/log"
 mkdir -p ${OUTPUTDIR}
@@ -19,28 +20,41 @@ if [ -z ${1} ]; then
 exit
 fi
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+# Take current file_contexts and unify whitespace separators
 FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
 if [ ! -f ${FILE_CONTEXTS} ]; then
 [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
 exit
 fi
-SEMODULEOPT="-s ${1}"
-[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
-
 if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
 [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
 exit
 fi
+EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
 EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
-EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"
+EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
 # Print only /var/run entries
-grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES}
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
 # Unify whitespace separators
-sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
+
+# Deduplicate already existing /var/run=/run entries
+while read line
+do
+ subline="${line#/var}"
+ if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
+ echo "$line"
+ fi
+done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
 # Change /var/run to /run
 sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
@@ -76,5 +90,6 @@ do
 done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
 # Load module
+[ -s ${EXTRA_VARRUN_CIL} ] &&
 /usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index d7b5d7d..f4a109d 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
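Review bot: The deduplication loop added in `@@ -19,28 +20,41 @@` reads entries with a bare `while read line`, which strips backslashes and trims whitespace; file_contexts patterns routinely contain escapes such as `\.`, so the line that reaches `echo "$line"` — and from there the generated CIL — can be a mangled pattern. The comparison `grep -q "^${subline}"` also treats the entry as a regex rather than as text, so an escaped entry will not match its `/run` twin and is not deduplicated. Suggested: `while IFS= read -r line` and, if whole-line equality is what the prefix check intends, `if ! grep -qxF -- "${subline}" ${FILE_CONTEXTS_UNIFIED}; then`. In `@@ -76,5 +90,6 @@`, `[ -s ${EXTRA_VARRUN_CIL} ] &&` has become the script's last command, so the script exits non-zero when there is nothing to load; the scriptlets shown follow the call with further commands, but an explicit trailing `exit 0` would make the intent clear.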
@@ -1,80 +1,65 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autochangelog
+## END: Set by rpmautospec
+
+# Conditionals for policy types (all built by default)
+%bcond targeted 1
+%bcond minimum 1
+%bcond mls 1
+
 # github repo with selinux-policy sources
 %global giturl https://github.com/fedora-selinux/selinux-policy
-%global commit e464c3bb967763b8bfac50769b72159d040088b9
+%global commit 3f0002adb63d7da7f8dcb203925b9ba6d10301c3
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 %define distro redhat
 %define polyinstatiate n
 %define monolithic n
-%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
-%define BUILD_DOC 1
-%endif
-%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
-%define BUILD_TARGETED 1
-%endif
-%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
-%define BUILD_MINIMUM 1
-%endif
-%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
-%define BUILD_MLS 1
-%endif
+
 %define POLICYVER 33
 %define POLICYCOREUTILSVER 3.4-1
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 40.13.13
+Version: 40.13.16
 Release: 1%{?dist}
 License: GPL-2.0-or-later
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
-Source1: modules-targeted-base.conf
-Source31: modules-targeted-contrib.conf
-Source2: booleans-targeted.conf
-Source3: Makefile.devel
-Source4: setrans-targeted.conf
-Source5: modules-mls-base.conf
-Source32: modules-mls-contrib.conf
-Source6: booleans-mls.conf
-Source8: setrans-mls.conf
-Source14: securetty_types-targeted
-Source15: securetty_types-mls
-#Source16: modules-minimum.conf
-Source17: booleans-minimum.conf
-Source18: setrans-minimum.conf
-Source19: securetty_types-minimum
-Source20: customizable_types
-Source22: users-mls
-Source23: users-targeted
-Source25: users-minimum
-Source26: file_contexts.subs_dist
-Source27: selinux-policy.conf
-Source28: permissivedomains.cil
-Source30: booleans.subs_dist
+Source1: Makefile.devel
+Source2: selinux-policy.conf
 # Tool helps during policy development, to expand system m4 macros to raw allow rules
 # Git repo: https://github.com/fedora-selinux/macro-expander.git
-Source33: macro-expander
+Source3: macro-expander
 # Include SELinux policy for container from separate container-selinux repo
 # Git repo: https://github.com/containers/container-selinux.git
-Source35: container-selinux.tgz
+Source4: container-selinux.tgz
+
+# modules enabled in -minimum policy
+Source16: modules-minimum.lst
 Source36: selinux-check-proper-disable.service
 # Script to convert /var/run file context entries to /run
 Source37: varrun-convert.sh
+# Configuration files to dnf-protect targeted and/or mls subpackages
+Source38: selinux-policy-targeted.conf
+Source39: selinux-policy-mls.conf
 # Provide rpm macros for packages installing SELinux modules
-Source102: rpm.macros
+Source5: rpm.macros
 Url: %{giturl}
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
 BuildRequires: make
 BuildRequires: systemd-rpm-macros
+BuildRequires: groff
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(post): /bin/awk /usr/bin/sha512sum
-Requires(meta): rpm-plugin-selinux
+Requires(meta): (rpm-plugin-selinux if rpm-libs)
 Requires: selinux-policy-any = %{version}-%{release}
 Provides: selinux-policy-base = %{version}-%{release}
 Suggests: selinux-policy-targeted
@@ -171,7 +156,6 @@ This package contains manual pages and documentation of the policy modules.
 %files doc
 %{_mandir}/man*/*
-%{_mandir}/ru/*/*
 %exclude %{_mandir}/man8/container_selinux.8.gz
 %doc %{_datadir}/doc/%{name}
@@ -180,17 +164,11 @@ This package contains manual pages and documentation of the policy modules.
 %define makeCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
-cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
-cp -f selinux_config/users-%1 ./policy/users \
-#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
+install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \
+install -p -m0644 ./dist/%1/users ./policy/users \
 %define makeModulesConf() \
-cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
-cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
-if [ %3 == "contrib" ];then \
- cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
- cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
-fi; \
+install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \
 %define installCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
@@ -200,14 +178,13 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-ap
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
-install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
-install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
-install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
-install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+install -p -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
+install -p -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
+install -p -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
-cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
+install -p -m0644 ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \
 rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
 %{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
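Review bot: The `install ... securetty_types-%1` line is dropped from `%installCmds` with no replacement in this hunk, while the other three config files it used to sit next to are re-sourced from `./dist` or `./config`. Presumably the upstream `install-appconfig` target now provides `contexts/securetty_types` (the changelog mentions syncing securetty_types), but that is not visible here, so it is worth confirming that the file still lands in the buildroot and is still covered by `%fileList`. The `%installCmds` definition continues outside the hunk.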
@@ -266,8 +243,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
 %dir %{_datadir}/selinux/%1 \
 %{_datadir}/selinux/%1/base.lst \
-%{_datadir}/selinux/%1/modules-base.lst \
-%{_datadir}/selinux/%1/modules-contrib.lst \
+%{_datadir}/selinux/%1/modules.lst \
 %{_datadir}/selinux/%1/nonbasemodules.lst \
 %dir %{_sharedstatedir}/selinux/%1 \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
@@ -281,7 +257,9 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
-%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
+%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
+%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil \
+%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/lang_ext \
 %nil
 %define relabel() \
@@ -295,6 +273,10 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p
 fi; \
 # rebuilding the rpm database still can sometimes result in an incorrect context \
 %{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
+# In some scenarios, /usr/bin/httpd is labelled incorrectly after sbin merge. \
+# Relabel all files under /usr/bin, in case they got installed before policy \
+# was updated and the labels were incorrect. \
+%{_sbindir}/restorecon -R /usr/bin /usr/sbin \
 if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
 continue; \
 fi;
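Review bot: The comment added to `%relabel` in `@@ -295,6 +273,10 @@` says "Relabel all files under /usr/bin" while the command that follows walks both /usr/bin and /usr/sbin; suggest `# Relabel all files under /usr/bin and /usr/sbin, in case they got installed before policy \`. The added `restorecon -R` also runs whenever the macro's surrounding condition holds, not only on the sbin-merge upgrade the comment describes, which is presumably acceptable but worth stating there. The enclosing `if` of the macro starts outside the hunk.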
@@ -338,16 +320,12 @@ else \
 fi;
 %define modulesList() \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
-if [ -e ./policy/modules-contrib.conf ];then \
- awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
-fi;
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
 %define nonBaseModulesList() \
-contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
-base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
-for i in $contrib_modules $base_modules; do \
+modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
+for i in $modules; do \
 if [ $i != "sandbox" ];then \
 echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
 fi; \
@@ -408,11 +386,6 @@ if posix.stat(config_file) then \
 end
 # Remove the local_varrun SELinux module
-%define removeVarrunModule() \
-if [ -r "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil" ]; then \
- %{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
-fi;
-
 %define removeVarrunModuleLua() \
 if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
 os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
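Review bot: The rewritten `%modulesList` lines in `@@ -338,16 +320,12 @@` keep the guard `$1 !~ "/^#/"`, where the quoted string is used as a dynamic regex: the pattern is the five characters `/^#/`, and since `^` is an anchor wherever it appears in an awk regex nothing can match it, so the comparison is always true and comment lines are not filtered by it. The intended form is `$1 !~ /^#/` on both awk lines. The `$2 == "="` and `$3 == "module"` tests mask this for ordinary comments, but a commented-out entry written as `#name = module` would still land in modules.lst and, through `%nonBaseModulesList`, in the generated `%files` list.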
@@ -422,12 +395,7 @@ end
 %prep
 %autosetup -p 1 -n %{name}-%{commit}
-tar -C policy/modules/contrib -xf %{SOURCE35}
-
-mkdir selinux_config
-for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
- cp $i selinux_config
-done
+tar -C policy/modules/contrib -xf %{SOURCE4}
 %install
 # Build targeted policy
@@ -437,11 +405,11 @@ mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 touch %{buildroot}%{_sysconfdir}/selinux/config
 touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
 mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
-cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
+install -p -m0644 %{SOURCE2} %{buildroot}%{_usr}/lib/tmpfiles.d/
 mkdir -p %{buildroot}%{_bindir}
-install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/
+install -p -m 755 %{SOURCE3} %{buildroot}%{_bindir}/
 mkdir -p %{buildroot}%{_libexecdir}/selinux
-install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
+install -p -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
@@ -449,68 +417,70 @@ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
 mkdir -p %{buildroot}%{_datadir}/selinux/packages
+mkdir -p %{buildroot}%{_sysconfdir}/dnf/protected.d/
+
 # Install devel
 make clean
-%if %{BUILD_TARGETED}
+%if %{with targeted}
 # Build targeted policy
 %makeCmds targeted mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
 %installCmds targeted mcs allow
 # install permissivedomains.cil
-%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
+%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i \
+ ./dist/permissivedomains.cil
 # recreate sandbox.pp
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
 %make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
 mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
 %modulesList targeted
 %nonBaseModulesList targeted
+install -p -m 644 %{SOURCE38} %{buildroot}%{_sysconfdir}/dnf/protected.d/
 %endif
-%if %{BUILD_MINIMUM}
+%if %{with minimum}
 # Build minimum policy
 %makeCmds minimum mcs allow
-%makeModulesConf targeted base contrib
+%makeModulesConf targeted
 %installCmds minimum mcs allow
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
+install -p -m 644 %{SOURCE16} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
 %modulesList minimum
 %nonBaseModulesList minimum
 %endif
-%if %{BUILD_MLS}
+%if %{with mls}
 # Build mls policy
 %makeCmds mls mls deny
-%makeModulesConf mls base contrib
+%makeModulesConf mls
 %installCmds mls mls deny
 %modulesList mls
 %nonBaseModulesList mls
+install -p -m 644 %{SOURCE39} %{buildroot}%{_sysconfdir}/dnf/protected.d/
 %endif
 # remove leftovers when save-previous=true (semanage.conf) is used
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
-mkdir -p %{buildroot}%{_mandir}
-cp -R man/* %{buildroot}%{_mandir}
 make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
 make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
 mkdir %{buildroot}%{_datadir}/selinux/devel/
 mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
-install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
-install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
-install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
-%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
+install -p -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/Makefile
+install -p -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
+install -p -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
+%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_mandir}/man8/ -w -r %{buildroot}
 mkdir %{buildroot}%{_datadir}/selinux/devel/html
 mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
 mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
-install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+install -p -m 644 %{SOURCE5} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 mkdir -p %{buildroot}%{_unitdir}
-install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
-
-rm -rf selinux_config
+install -p -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
 %post
 %systemd_post selinux-check-proper-disable.service
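Review bot: The rewritten `sepolicy manpage` line addresses the man tree as `%{_mandir}/man8/`, while the two `mv` lines immediately after it still use `%{_datadir}/man/man8/`; the two normally expand to the same directory, but mixing the spellings in adjacent lines reads as if they were different locations and would break silently if `%{_mandir}` were ever redefined. Either keep the old spelling on the new line or, preferably, move the neighbours to `mv %{buildroot}%{_mandir}/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html` and the same for `style.css`. The rest of this hunk is mechanical (`cp` to `install -p`, `%if %{with ...}`) and reads fine.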
@@ -570,7 +540,7 @@ if [ $1 = 0 ]; then
 fi
 exit 0
-%if %{BUILD_TARGETED}
+%if %{with targeted}
 %package targeted
 Summary: SELinux targeted policy
 Provides: selinux-policy-any = %{version}-%{release}
@@ -598,13 +568,13 @@ SELinux targeted policy package.
 %post targeted
 %checkConfigConsistency targeted
-%postInstall $1 targeted
 exit 0
 %posttrans targeted
 %checkConfigConsistency targeted
 %{_libexecdir}/selinux/varrun-convert.sh targeted
-%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
+%postInstall $1 targeted
+%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm /etc/mdevctl.d
 %postun targeted
 if [ $1 = 0 ]; then
@@ -627,25 +597,11 @@ exit 0
 %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null
 exit 0
-%triggerprein -- container-selinux
-%removeVarrunModule targeted
-exit 0
-
-%triggerprein -- pcp-selinux
-%removeVarrunModule targeted
-exit 0
-
-%triggerpostin -- container-selinux
-%{_libexecdir}/selinux/varrun-convert.sh targeted
-exit 0
-
-%triggerpostin -- pcp-selinux
-%{_libexecdir}/selinux/varrun-convert.sh targeted
-exit 0
+%triggerprein -p -- container-selinux
+%removeVarrunModuleLua targeted
-%triggerpostun -- selinux-policy-targeted < 3.12.1-74
-rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
-exit 0
+%triggerprein -p -- pcp-selinux
+%removeVarrunModuleLua targeted
 %triggerpostun -- pcp-selinux
 %{_libexecdir}/selinux/varrun-convert.sh targeted
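Review bot: `%postInstall $1 targeted` moves from `%post targeted` to `%posttrans targeted` in `@@ -598,13 +568,13 @@`, but `$1` does not carry the same value in the two scriptlets: `%post` receives 1 on install and 2 on upgrade, whereas rpm has traditionally passed 0 to `%posttrans` in both cases. `%postInstall` is defined outside this view; if it branches on its first argument, the install/upgrade distinction is lost after this move, so confirm what `$1` holds in `%posttrans` for the rpm shipped in the target release, or pass the intent explicitly instead of forwarding `$1`. The same move is made for the mls subpackage in `@@ -811,12 +728,12 @@`.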
@@ -655,35 +611,15 @@ exit 0
 %{_libexecdir}/selinux/varrun-convert.sh targeted
 exit 0
-%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
-CR=$'\n'
-INPUT=""
-for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do
- module=`basename $i | sed 's/.pp.disabled//'`
- if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then
- touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p
- fi
-done
-for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do
- INPUT="${INPUT}${CR}module -N -a $i"
-done
-for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do
- cp $i %{_sharedstatedir}/selinux/targeted/active
-done
-echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
-if %{_sbindir}/selinuxenabled ; then
- %{_sbindir}/load_policy
-fi
-exit 0
-
 %files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-targeted.conf
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
 %fileList targeted
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
 %endif
-%if %{BUILD_MINIMUM}
+%if %{with minimum}
 %package minimum
 Summary: SELinux minimum policy
 Provides: selinux-policy-any = %{version}-%{release}
@@ -708,16 +644,17 @@ fi
 %post minimum
 %checkConfigConsistency minimum
-contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
-basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
+modules=`cat %{_datadir}/selinux/minimum/modules.lst`
+basemodules=`cat %{_datadir}/selinux/minimum/base.lst`
+enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst`
 if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
 mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
 fi
 if [ $1 -eq 1 ]; then
-for p in $contribpackages; do
+for p in $modules; do
 touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
-for p in $basepackages apache dbus inetd kerberos mta nis; do
+for p in $basemodules $enabledmodules; do
 rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
 %{_sbindir}/semanage import -S minimum -f - << __eof
@@ -728,7 +665,7 @@ __eof
 %{_sbindir}/semodule -B -s minimum 2> /dev/null
 else
 instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
-for p in $contribpackages; do
+for p in $packages; do
 touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
 done
 for p in $instpackages apache dbus inetd kerberos mta nis; do
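Review bot: In `@@ -728,7 +665,7 @@` the upgrade branch of `%post minimum` now loops over `$packages`, but no such variable is defined anywhere visible; the names introduced by the preceding hunk are `modules`, `basemodules` and `enabledmodules`, so this looks like a typo for `for p in $modules; do`, and as written the loop expands to nothing and no `disabled/` markers are created on upgrade. Separately, the fresh-install branch now derives the enabled set from modules-enabled.lst while the upgrade branch keeps the hard-coded `apache dbus inetd kerberos mta nis` list; if modules-minimum.lst ever differs from that list, fresh installs and upgrades end with different sets of enabled modules, so consider `for p in $instpackages $enabledmodules; do` there as well. The heredoc between the two hunks is outside this view.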
@@ -760,34 +697,14 @@ if [ $1 = 0 ]; then
 fi
 exit 0
-%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
-if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then
- rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/*
-fi
-CR=$'\n'
-INPUT=""
-for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do
- module=`basename $i | sed 's/.pp.disabled//'`
- if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then
- touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
- fi
-done
-for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do
- INPUT="${INPUT}${CR}module -N -a $i"
-done
-echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
-if %{_sbindir}/selinuxenabled ; then
- %{_sbindir}/load_policy
-fi
-exit 0
-
 %files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
 %fileList minimum
+%{_datadir}/selinux/minimum/modules-enabled.lst
 %endif
-%if %{BUILD_MLS}
+%if %{with mls}
 %package mls
 Summary: SELinux MLS policy
 Provides: selinux-policy-any = %{version}-%{release}
@@ -811,12 +728,12 @@ SELinux MLS (Multi Level Security) policy package.
 %post mls
 %checkConfigConsistency mls
-%postInstall $1 mls
 exit 0
 %posttrans mls
 %checkConfigConsistency mls
 %{_libexecdir}/selinux/varrun-convert.sh mls
+%postInstall $1 mls
 %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
 %postun mls
@@ -835,31 +752,61 @@ if [ $1 = 0 ]; then
 fi
 exit 0
-%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
-CR=$'\n'
-INPUT=""
-for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do
- module=`basename $i | sed 's/.pp.disabled//'`
- if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then
- touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p
- fi
-done
-for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do
- INPUT="${INPUT}${CR}module -N -a $i"
-done
-echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
-if %{_sbindir}/selinuxenabled ; then
- %{_sbindir}/load_policy
-fi
-exit 0
-
-
 %files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-mls.conf
 %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
 %fileList mls
 %endif
 %changelog
+## START: Generated by rpmautospec
+* Fri Nov 29 2024 Zdenek Pytela - 40.13.16-1
+- Fix the file type for /run/systemd/generator
+Resolves: RHEL-68313
+
+* Thu Nov 28 2024 Zdenek Pytela - 40.13.15-1
+- Allow qatlib search the content of the kernel debugging filesystem
+Resolves: RHEL-66334
+- Allow qatlib connect to systemd-machined over a unix socket
+Resolves: RHEL-66334
+- Update policy for samba-bgqd
+Resolves: RHEL-64908
+- Allow httpd get attributes of dirsrv unit files
+Resolves: RHEL-62706
+- Allow virtstoraged read vm sysctls
+Resolves: RHEL-61742
+- Allow virtstoraged execute mount programs in the mount domain
+Resolves: RHEL-61742
+- Update policy for rpc-virtstorage
+Resolves: RHEL-61742
+- Allow virtstoraged get attributes of configfs dirs
+Resolves: RHEL-61742
+- Allow virt_driver_domain read virtd-lxc files in /proc
+Resolves: RHEL-61742
+- Allow virtstoraged manage files with virt_content_t type
+Resolves: RHEL-61742
+- Allow virtstoraged use the io_uring API
+Resolves: RHEL-61742
+- Allow virtstoraged execute lvm programs in the lvm domain
+Resolves: RHEL-61742
+- Allow svirt_t connect to unconfined_t over a unix domain socket
+Resolves: RHEL-61246
+- Label /usr/lib/node_modules_22/npm/bin with bin_t
+Resolves: RHEL-56350
+- Allow bacula execute container in the container domain
+Resolves: RHEL-39529
+- Label /run/systemd/generator with systemd_unit_file_t
+Resolves: RHEL-68313
+
+* Tue Nov 19 2024 Zdenek Pytela - 40.13.14-1
+- mls/modules.conf - fix typo
+- Use dist/targeted/modules.conf in build workflow
+- Fix default and dist config files
+- CI: update to actions/checkout@v4
+- Clean up and sync securetty_types
+- Bring config files from dist-git into the source repo
+- Sync users with Fedora targeted users
+
 * Tue Nov 12 2024 Zdenek Pytela - 40.13.13-1
 - Revert "Allow unconfined_t execute kmod in the kmod domain"
 Resolves: RHEL-65190
@@ -1333,766 +1280,4 @@ Resolves: RHEL-36094 - Set default file context of HOME_DIR/tmp/.* to <> - Allow kernel_generic_helper_t to execute mount(1) -* Fri Sep 29 2023 Zdenek Pytela - 38.29-1 -- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t -- Allow systemd-localed create Xserver config dirs -- Allow sssd read symlinks in /etc/sssd -- Label /dev/gnss[0-9] with gnss_device_t -- Allow systemd-sleep read/write efivarfs variables -- ci: Fix version number of packit generated srpms -- Dontaudit rhsmcertd write memory device -- Allow ssh_agent_type create a sockfile in /run/user/USERID -- Set default file context of /var/lib/authselect/backups to <> -- Allow prosody read network sysctls -- Allow cupsd_t to use bpf capability - -* Fri Sep 15 2023 Zdenek Pytela - 38.28-1 -- Allow sssd domain transition on passkey_child execution conditionally -- Allow login_userdomain watch lnk_files in /usr -- Allow login_userdomain watch video4linux devices -- Change systemd-network-generator transition to include class file -- Revert "Change file transition for systemd-network-generator" -- Allow nm-dispatcher winbind plugin read/write samba var files -- Allow systemd-networkd write to cgroup files -- Allow kdump create and use its memfd: objects - -* Thu Aug 31 2023 Zdenek Pytela - 38.27-1 -- Allow fedora-third-party get generic filesystem attributes -- Allow sssd use usb devices conditionally -- Update policy for qatlib -- Allow ssh_agent_type manage generic cache home files - -* Thu Aug 24 2023 Zdenek Pytela - 38.26-1 -- Change file transition for systemd-network-generator -- Additional support for gnome-initial-setup -- Update gnome-initial-setup policy for geoclue -- Allow openconnect vpn open vhost net device -- Allow cifs.upcall to connect to SSSD also through the /var/run socket -- Grant cifs.upcall more required capabilities -- Allow xenstored map xenfs files -- Update policy for fdo -- Allow keepalived watch var_run dirs -- Allow svirt to rw /dev/udmabuf -- 
Allow qatlib to modify hardware state information. -- Allow key.dns_resolve connect to avahi over a unix stream socket -- Allow key.dns_resolve create and use unix datagram socket -- Use quay.io as the container image source for CI - -* Fri Aug 11 2023 Zdenek Pytela - 38.25-1 -- ci: Move srpm/rpm build to packit -- .copr: Avoid subshell and changing directory -- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file -- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t -- Make insights_client_t an unconfined domain -- Allow insights-client manage user temporary files -- Allow insights-client create all rpm logs with a correct label -- Allow insights-client manage generic logs -- Allow cloud_init create dhclient var files and init_t manage net_conf_t -- Allow insights-client read and write cluster tmpfs files -- Allow ipsec read nsfs files -- Make tuned work with mls policy -- Remove nsplugin_role from mozilla.if -- allow mon_procd_t self:cap_userns sys_ptrace -- Allow pdns name_bind and name_connect all ports -- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh -- ci: Move to actions/checkout@v3 version -- .copr: Replace chown call with standard workflow safe.directory setting -- .copr: Enable `set -u` for robustness -- .copr: Simplify root directory variable - -* Fri Aug 04 2023 Zdenek Pytela - 38.24-1 -- Allow rhsmcertd dbus chat with policykit -- Allow polkitd execute pkla-check-authorization with nnp transition -- Allow user_u and staff_u get attributes of non-security dirs -- Allow unconfined user filetrans chrome_sandbox_home_t -- Allow svnserve execute postdrop with a transition -- Do not make postfix_postdrop_t type an MTA executable file -- Allow samba-dcerpc service manage samba tmp files -- Add use_nfs_home_dirs boolean for mozilla_plugin -- Fix labeling for no-stub-resolv.conf - -* Wed Aug 02 2023 Zdenek Pytela - 38.23-1 -- Revert "Allow winbind-rpcd use its private tmp files" -- Allow upsmon execute upsmon via a 
helper script -- Allow openconnect vpn read/write inherited vhost net device -- Allow winbind-rpcd use its private tmp files -- Update samba-dcerpc policy for printing -- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty -- Allow nscd watch system db dirs -- Allow qatlib to read sssd public files -- Allow fedora-third-party read /sys and proc -- Allow systemd-gpt-generator mount a tmpfs filesystem -- Allow journald write to cgroup files -- Allow rpc.mountd read network sysctls -- Allow blueman read the contents of the sysfs filesystem -- Allow logrotate_t to map generic files in /etc -- Boolean: Allow virt_qemu_ga create ssh directory - -* Tue Jul 25 2023 Zdenek Pytela - 38.22-1 -- Allow systemd-network-generator send system log messages -- Dontaudit the execute permission on sock_file globally -- Allow fsadm_t the file mounton permission -- Allow named and ndc the io_uring sqpoll permission -- Allow sssd io_uring sqpoll permission -- Fix location for /run/nsd -- Allow qemu-ga get fixed disk devices attributes -- Update bitlbee policy -- Label /usr/sbin/sos with sosreport_exec_t -- Update policy for the sblim-sfcb service -- Add the files_getattr_non_auth_dirs() interface -- Fix the CI to work with DNF5 - -* Sat Jul 22 2023 Fedora Release Engineering - 38.21-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jul 13 2023 Zdenek Pytela - 38.21-1 -- Make systemd_tmpfiles_t MLS trusted for lowering the level of files -- Revert "Allow insights client map cache_home_t" -- Allow nfsidmapd connect to systemd-machined over a unix socket -- Allow snapperd connect to kernel over a unix domain stream socket -- Allow virt_qemu_ga_t create .ssh dir with correct label -- Allow targetd read network sysctls -- Set the abrt_handle_event boolean to on -- Permit kernel_t to change the user identity in object contexts -- Allow insights client map cache_home_t -- Label /usr/sbin/mariadbd with mysqld_exec_t -- Trim changelog so that it starts at F37 time 
-- Define equivalency for /run/systemd/generator.early - -* Thu Jun 29 2023 Zdenek Pytela - 38.20-1 -- Allow httpd tcp connect to redis port conditionally -- Label only /usr/sbin/ripd and ripngd with zebra_exec_t -- Dontaudit aide the execmem permission -- Remove permissive from fdo -- Allow sa-update manage spamc home files -- Allow sa-update connect to systemlog services -- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t -- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t -- Allow bootupd search EFI directory - -* Tue Jun 27 2023 Zdenek Pytela - 38.19-1 -- Change init_audit_control default value to true -- Allow nfsidmapd connect to systemd-userdbd with a unix socket -- Add the qatlib module -- Add the fdo module -- Add the bootupd module -- Set default ports for keylime policy -- Create policy for qatlib -- Add policy for FIDO Device Onboard -- Add policy for bootupd -- Add the qatlib module -- Add the fdo module -- Add the bootupd module - -* Sun Jun 25 2023 Zdenek Pytela - 38.18-1 -- Add support for kafs-dns requested by keyutils -- Allow insights-client execmem -- Add support for chronyd-restricted -- Add init_explicit_domain() interface -- Allow fsadm_t to get attributes of cgroup filesystems -- Add list_dir_perms to kerberos_read_keytab -- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t -- Allow sendmail manage its runtime files -- Allow keyutils_dns_resolver_exec_t be an entrypoint -- Allow collectd_t read network state symlinks -- Revert "Allow collectd_t read proc_net link files" -- Allow nfsd_t to list exports_t dirs -- Allow cupsd dbus chat with xdm -- Allow haproxy read hardware state information -- Add the kafs module - -* Thu Jun 15 2023 Zdenek Pytela - 38.17-1 -- Label /dev/userfaultfd with userfaultfd_t -- Allow blueman send general signals to unprivileged user domains -- Allow dkim-milter domain transition to sendmail -- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t -- Allow cifs-helper read 
sssd kerberos configuration files -- Allow rpm_t sys_admin capability -- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file -- Allow collectd_t read proc_net link files -- Allow insights-client getsession process permission -- Allow insights-client work with pipe and socket tmp files -- Allow insights-client map generic log files -- Update cyrus_stream_connect() to use sockets in /run -- Allow keyutils-dns-resolver read/view kernel key ring -- Label /var/log/kdump.log with kdump_log_t - -* Fri Jun 09 2023 Zdenek Pytela - 38.16-1 -- Add support for the systemd-pstore service -- Allow kdumpctl_t to execmem -- Update sendmail policy module for opensmtpd -- Allow nagios-mail-plugin exec postfix master -- Allow subscription-manager execute ip -- Allow ssh client connect with a user dbus instance -- Add support for ksshaskpass -- Allow rhsmcertd file transition in /run also for socket files -- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t -- Allow plymouthd read/write X server miscellaneous devices -- Allow systemd-sleep read udev pid files -- Allow exim read network sysctls -- Allow sendmail request load module -- Allow named map its conf files -- Allow squid map its cache files -- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition - -* Tue May 30 2023 Zdenek Pytela - 38.15-1 -- Update policy for systemd-sleep -- Remove permissive domain for rshim_t -- Remove permissive domain for mptcpd_t -- Allow systemd-bootchartd the sys_ptrace userns capability -- Allow sysadm_t read nsfs files -- Allow sysadm_t run kernel bpf programs -- Update ssh_role_template for ssh-agent -- Update ssh_role_template to allow read/write unallocated ttys -- Add the booth module to modules.conf -- Allow firewalld rw ica_tmpfs_t files - -* Fri May 26 2023 Zdenek Pytela - 38.14-1 -- Remove permissive domain for cifs_helper_t -- Update the cifs-helper policy -- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to() 
-- Update pkcsslotd policy for sandboxing -- Allow abrt_t read kernel persistent storage files -- Dontaudit targetd search httpd config dirs -- Allow init_t nnp domain transition to policykit_t -- Allow rpcd_lsad setcap and use generic ptys -- Allow samba-dcerpcd connect to systemd_machined over a unix socket -- Allow wireguard to rw network sysctls -- Add policy for boothd -- Allow kernel to manage its own BPF objects -- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t - -* Mon May 22 2023 Zdenek Pytela - 38.13-1 -- Add initial policy for cifs-helper -- Label key.dns_resolver with keyutils_dns_resolver_exec_t -- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t -- Allow some systemd services write to cgroup files -- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files -- Allow systemd resolved to bind to arbitrary nodes -- Allow plymouthd_t bpf capability to run bpf programs -- Allow cupsd to create samba_var_t files -- Allow rhsmcert request the kernel to load a module -- Allow virsh name_connect virt_port_t -- Allow certmonger manage cluster library files -- Allow plymouthd read init process state -- Add chromium_sandbox_t setcap capability -- Allow snmpd read raw disk data -- Allow samba-rpcd work with passwords -- Allow unconfined service inherit signal state from init -- Allow cloud-init manage gpg admin home content -- Allow cluster_t dbus chat with various services -- Allow nfsidmapd work with systemd-userdbd and sssd -- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes -- Allow plymouthd map dri and framebuffer devices -- Allow rpmdb_migrate execute rpmdb -- Allow logrotate dbus chat with systemd-hostnamed -- Allow icecast connect to kernel using a unix stream socket -- Allow lldpad connect to systemd-userdbd over a unix socket -- Allow journalctl open user domain ptys and ttys -- Allow keepalived to manage its tmp files -- Allow ftpd read network sysctls -- Label 
/run/bgpd with zebra_var_run_t -- Allow gssproxy read network sysctls -- Add the cifsutils module - -* Tue Apr 25 2023 Zdenek Pytela - 38.12-1 -- Allow telnetd read network sysctls -- Allow munin system plugin read generic SSL certificates -- Allow munin system plugin create and use netlink generic socket -- Allow login_userdomain create user namespaces -- Allow request-key to send syslog messages -- Allow request-key to read/view any key -- Add fs_delete_pstore_files() interface -- Allow insights-client work with teamdctl -- Allow insights-client read unconfined service semaphores -- Allow insights-client get quotas of all filesystems -- Add fs_read_pstore_files() interface -- Allow generic kernel helper to read inherited kernel pipes - -* Fri Apr 14 2023 Zdenek Pytela - 38.11-1 -- Allow dovecot-deliver write to the main process runtime fifo files -- Allow dmidecode write to cloud-init tmp files -- Allow chronyd send a message to cloud-init over a datagram socket -- Allow cloud-init domain transition to insights-client domain -- Allow mongodb read filesystem sysctls -- Allow mongodb read network sysctls -- Allow accounts-daemon read generic systemd unit lnk files -- Allow blueman watch generic device dirs -- Allow nm-dispatcher tlp plugin create tlp dirs -- Allow systemd-coredump mounton /usr -- Allow rabbitmq to read network sysctls - -* Tue Apr 04 2023 Zdenek Pytela - 38.10-1 -- Allow certmonger dbus chat with the cron system domain -- Allow geoclue read network sysctls -- Allow geoclue watch the /etc directory -- Allow logwatch_mail_t read network sysctls -- Allow insights-client read all sysctls -- Allow passt manage qemu pid sock files - -* Fri Mar 24 2023 Zdenek Pytela - 38.9-1 -- Allow sssd read accountsd fifo files -- Add support for the passt_t domain -- Allow virtd_t and svirt_t work with passt -- Add new interfaces in the virt module -- Add passt interfaces defined conditionally -- Allow tshark the setsched capability -- Allow poweroff create 
connections to system dbus -- Allow wg load kernel modules, search debugfs dir -- Boolean: allow qemu-ga manage ssh home directory -- Label smtpd with sendmail_exec_t -- Label msmtp and msmtpd with sendmail_exec_t -- Allow dovecot to map files in /var/spool/dovecot - -* Fri Mar 03 2023 Zdenek Pytela - 38.8-1 -- Confine gnome-initial-setup -- Allow qemu-guest-agent create and use vsock socket -- Allow login_pgm setcap permission -- Allow chronyc read network sysctls -- Enhancement of the /usr/sbin/request-key helper policy -- Fix opencryptoki file names in /dev/shm -- Allow system_cronjob_t transition to rpm_script_t -- Revert "Allow system_cronjob_t domtrans to rpm_script_t" -- Add tunable to allow squid bind snmp port -- Allow staff_t getattr init pid chr & blk files and read krb5 -- Allow firewalld to rw z90crypt device -- Allow httpd work with tokens in /dev/shm -- Allow svirt to map svirt_image_t char files -- Allow sysadm_t run initrc_t script and sysadm_r role access -- Allow insights-client manage fsadm pid files - -* Wed Feb 08 2023 Zdenek Pytela - 38.7-1 -- Allowing snapper to create snapshots of /home/ subvolume/partition -- Add boolean qemu-ga to run unconfined script -- Label systemd-journald feature LogNamespace -- Add none file context for polyinstantiated tmp dirs -- Allow certmonger read the contents of the sysfs filesystem -- Add journalctl the sys_resource capability -- Allow nm-dispatcher plugins read generic files in /proc -- Add initial policy for the /usr/sbin/request-key helper -- Additional support for rpmdb_migrate -- Add the keyutils module - -* Mon Jan 30 2023 Zdenek Pytela - 38.6-1 -- Boolean: allow qemu-ga read ssh home directory -- Allow kernel_t to read/write all sockets -- Allow kernel_t to UNIX-stream connect to all domains -- Allow systemd-resolved send a datagram to journald -- Allow kernel_t to manage and have "execute" access to all files -- Fix the files_manage_all_files() interface -- Allow rshim bpf cap2 and read sssd public 
files -- Allow insights-client work with su and lpstat -- Allow insights-client tcp connect to all ports -- Allow nm-cloud-setup dispatcher plugin restart nm services -- Allow unconfined user filetransition for sudo log files -- Allow modemmanager create hardware state information files -- Allow ModemManager all permissions for netlink route socket -- Allow wg to send msg to kernel, write to syslog and dbus connections -- Allow hostname_t to read network sysctls. -- Dontaudit ftpd the execmem permission -- Allow svirt request the kernel to load a module -- Allow icecast rename its log files -- Allow upsd to send signal to itself -- Allow wireguard to create udp sockets and read net_conf -- Use '%autosetup' instead of '%setup' -- Pass -p 1 to '%autosetup' - -* Sat Jan 21 2023 Fedora Release Engineering - 38.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Jan 13 2023 Zdenek Pytela - 38.5-1 -- Allow insights client work with gluster and pcp -- Add insights additional capabilities -- Add interfaces in domain, files, and unconfined modules -- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t -- Allow sudodomain use sudo.log as a logfile -- Allow pdns server map its library files and bind to unreserved ports -- Allow sysadm_t read/write ipmi devices -- Allow prosody manage its runtime socket files -- Allow kernel threads manage kernel keys -- Allow systemd-userdbd the sys_resource capability -- Allow systemd-journal list cgroup directories -- Allow apcupsd dbus chat with systemd-logind -- Allow nut_domain manage also files and sock_files in /var/run -- Allow winbind-rpcd make a TCP connection to the ldap port -- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t -- Allow tlp read generic SSL certificates -- Allow systemd-resolved watch tmpfs directories -- Revert "Allow systemd-resolved watch tmpfs directories" - -* Mon Dec 19 2022 Zdenek Pytela - 38.4-1 -- Allow NetworkManager and wpa_supplicant the bpf capability -- Allow 
systemd-rfkill the bpf capability -- Allow winbind-rpcd manage samba_share_t files and dirs -- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t -- Allow gpsd the sys_ptrace userns capability -- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t -- Allow load_policy_t write to unallocated ttys -- Allow ndc read hardware state information -- Allow system mail service read inherited certmonger runtime files -- Add lpr_roles to system_r roles -- Revert "Allow insights-client run lpr and allow the proper role" -- Allow stalld to read /sys/kernel/security/lockdown file -- Allow keepalived to set resource limits -- Add policy for mptcpd -- Add policy for rshim -- Allow admin users to create user namespaces -- Allow journalctl relabel with var_log_t and syslogd_var_run_t files -- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted -- Trim changelog so that it starts at F35 time -- Add mptcpd and rshim modules - -* Wed Dec 14 2022 Zdenek Pytela - 38.3-1 -- Allow insights-client dbus chat with various services -- Allow insights-client tcp connect to various ports -- Allow insights-client run lpr and allow the proper role -- Allow insights-client work with pcp and manage user config files -- Allow redis get user names -- Allow kernel threads to use fds from all domains -- Allow systemd-modules-load load kernel modules -- Allow login_userdomain watch systemd-passwd pid dirs -- Allow insights-client dbus chat with abrt -- Grant kernel_t certain permissions in the system class -- Allow systemd-resolved watch tmpfs directories -- Allow systemd-timedated watch init runtime dir -- Make `bootc` be `install_exec_t` -- Allow systemd-coredump create user_namespace -- Allow syslog the setpcap capability -- donaudit virtlogd and dnsmasq execmem - -* Tue Dec 06 2022 Zdenek Pytela - 38.2-1 -- Don't make kernel_t an unconfined domain -- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition -- Allow kernel_t to execute systemctl to do a 
poweroff/reboot -- Grant basic permissions to the domain created by systemd_systemctl_domain() -- Allow kernel_t to request module loading -- Allow kernel_t to do compute_create -- Allow kernel_t to manage perf events -- Grant almost all capabilities to kernel_t -- Allow kernel_t to fully manage all devices -- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue" -- Allow pulseaudio to write to session_dbusd tmp socket files -- Allow systemd and unconfined_domain_type create user_namespace -- Add the user_namespace security class -- Reuse tmpfs_t also for the ramfs filesystem -- Label udf tools with fsadm_exec_t -- Allow networkmanager_dispatcher_plugin work with nscd -- Watch_sb all file type directories. -- Allow spamc read hardware state information files -- Allow sysadm read ipmi devices -- Allow insights client communicate with cupsd, mysqld, openvswitch, redis -- Allow insights client read raw memory devices -- Allow the spamd_update_t domain get generic filesystem attributes -- Dontaudit systemd-gpt-generator the sys_admin capability -- Allow ipsec_t only read tpm devices -- Allow cups-pdf connect to the system log service -- Allow postfix/smtpd read kerberos key table -- Allow syslogd read network sysctls -- Allow cdcc mmap dcc-client-map files -- Add watch and watch_sb dosfs interface - -* Mon Nov 21 2022 Zdenek Pytela - 38.1-1 -- Revert "Allow sysadm_t read raw memory devices" -- Allow systemd-socket-proxyd get attributes of cgroup filesystems -- Allow rpc.gssd read network sysctls -- Allow winbind-rpcd get attributes of device and pty filesystems -- Allow insights-client domain transition on semanage execution -- Allow insights-client create gluster log dir with a transition -- Allow insights-client manage generic locks -- Allow insights-client unix_read all domain semaphores -- Add domain_unix_read_all_semaphores() interface -- Allow winbind-rpcd use the terminal 
multiplexor -- Allow mrtg send mails -- Allow systemd-hostnamed dbus chat with init scripts -- Allow sssd dbus chat with system cronjobs -- Add interface to watch all filesystems -- Add watch_sb interfaces -- Add watch interfaces -- Allow dhcpd bpf capability to run bpf programs -- Allow netutils and traceroute bpf capability to run bpf programs -- Allow pkcs_slotd_t bpf capability to run bpf programs -- Allow xdm bpf capability to run bpf programs -- Allow pcscd bpf capability to run bpf programs -- Allow lldpad bpf capability to run bpf programs -- Allow keepalived bpf capability to run bpf programs -- Allow ipsec bpf capability to run bpf programs -- Allow fprintd bpf capability to run bpf programs -- Allow systemd-socket-proxyd get filesystems attributes -- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files - -* Mon Oct 31 2022 Zdenek Pytela - 37.14-1 -- Allow rotatelogs read httpd_log_t symlinks -- Add winbind-rpcd to samba_enable_home_dirs boolean -- Allow system cronjobs dbus chat with setroubleshoot -- Allow setroubleshootd read device sysctls -- Allow virt_domain read device sysctls -- Allow rhcd compute selinux access vector -- Allow insights-client manage samba var dirs -- Label ports 10161-10162 tcp/udp with snmp -- Allow aide to connect to systemd_machined with a unix socket. 
-- Allow samba-dcerpcd use NSCD services over a unix stream socket -- Allow vlock search the contents of the /dev/pts directory -- Allow insights-client send null signal to rpm and system cronjob -- Label port 15354/tcp and 15354/udp with opendnssec -- Allow ftpd map ftpd_var_run files -- Allow targetclid to manage tmp files -- Allow insights-client connect to postgresql with a unix socket -- Allow insights-client domtrans on unix_chkpwd execution -- Add file context entries for insights-client and rhc -- Allow pulseaudio create gnome content (~/.config) -- Allow login_userdomain dbus chat with rhsmcertd -- Allow sbd the sys_ptrace capability -- Allow ptp4l_t name_bind ptp_event_port_t - -* Mon Oct 03 2022 Zdenek Pytela - 37.13-1 -- Remove the ipa module -- Allow sss daemons read/write unnamed pipes of cloud-init -- Allow postfix_mailqueue create and use unix dgram sockets -- Allow xdm watch user home directories -- Allow nm-dispatcher ddclient plugin load a kernel module -- Stop ignoring standalone interface files -- Drop cockpit module -- Allow init map its private tmp files -- Allow xenstored change its hard resource limits -- Allow system_mail-t read network sysctls -- Add bgpd sys_chroot capability - -* Thu Sep 22 2022 Zdenek Pytela - 37.12-1 -- nut-upsd: kernel_read_system_state, fs_getattr_cgroup -- Add numad the ipc_owner capability -- Allow gst-plugin-scanner read virtual memory sysctls -- Allow init read/write inherited user fifo files -- Update dnssec-trigger policy: setsched, module_request -- added policy for systemd-socket-proxyd -- Add the new 'cmd' permission to the 'io_uring' class -- Allow winbind-rpcd read and write its key ring -- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t -- blueman-mechanism can read ~/.local/lib/python*/site-packages directory -- pidof executed by abrt can readlink /proc/*/exe -- Fix typo in comment -- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum - -* Wed Sep 14 2022 Zdenek Pytela - 
37.11-1 -- Allow tor get filesystem attributes -- Allow utempter append to login_userdomain stream -- Allow login_userdomain accept a stream connection to XDM -- Allow login_userdomain write to boltd named pipes -- Allow staff_u and user_u users write to bolt pipe -- Allow login_userdomain watch various directories -- Update rhcd policy for executing additional commands 5 -- Update rhcd policy for executing additional commands 4 -- Allow rhcd create rpm hawkey logs with correct label -- Allow systemd-gpt-auto-generator to check for empty dirs -- Update rhcd policy for executing additional commands 3 -- Allow journalctl read rhcd fifo files -- Update insights-client policy for additional commands execution 5 -- Allow init remount all file_type filesystems -- Confine insights-client systemd unit -- Update insights-client policy for additional commands execution 4 -- Allow pcp pmcd search tracefs and acct_data dirs -- Allow httpd read network sysctls -- Dontaudit domain map permission on directories -- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs" -- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)" -- Update insights-client policy for additional commands execution 3 -- Allow systemd permissions needed for sandboxed services -- Add rhcd module -- Make dependency on rpm-plugin-selinux unordered - -* Fri Sep 02 2022 Zdenek Pytela - 37.10-1 -- Allow ipsec_t read/write tpm devices -- Allow rhcd execute all executables -- Update rhcd policy for executing additional commands 2 -- Update insights-client policy for additional commands execution 2 -- Allow sysadm_t read raw memory devices -- Allow chronyd send and receive chronyd/ntp client packets -- Allow ssh client read kerberos homedir config files -- Label /var/log/rhc-worker-playbook with rhcd_var_log_t -- Update insights-client policy (auditctl, gpg, journal) -- Allow system_cronjob_t domtrans to rpm_script_t -- Allow smbd_t process noatsecure permission for winbind_rpcd_t -- 
Update tor_bind_all_unreserved_ports interface -- Allow chronyd bind UDP sockets to ptp_event ports. -- Allow unconfined and sysadm users transition for /root/.gnupg -- Add gpg_filetrans_admin_home_content() interface -- Update rhcd policy for executing additional commands -- Update insights-client policy for additional commands execution -- Add userdom_view_all_users_keys() interface -- Allow gpg read and write generic pty type -- Allow chronyc read and write generic pty type -- Allow system_dbusd ioctl kernel with a unix stream sockets -- Allow samba-bgqd to read a printer list -- Allow stalld get and set scheduling policy of all domains. -- Allow unconfined_t transition to targetclid_home_t - -* Thu Aug 11 2022 Zdenek Pytela - 37.9-1 -- Allow nm-dispatcher custom plugin dbus chat with nm -- Allow nm-dispatcher sendmail plugin get status of systemd services -- Allow xdm read the kernel key ring -- Allow login_userdomain check status of mount units -- Allow postfix/smtp and postfix/virtual read kerberos key table -- Allow services execute systemd-notify -- Do not allow login_userdomain use sd_notify() -- Allow launch-xenstored read filesystem sysctls -- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd -- Allow openvswitch fsetid capability -- Allow openvswitch use its private tmpfs files and dirs -- Allow openvswitch search tracefs dirs -- Allow pmdalinux read files on an nfsd filesystem -- Allow winbind-rpcd write to winbind pid files -- Allow networkmanager to signal unconfined process -- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t -- Allow samba-bgqd get a printer list -- fix(init.fc): Fix section description -- Allow fedora-third-party read the passwords file -- Remove permissive domain for rhcd_t -- Allow pmie read network state information and network sysctls -- Revert "Dontaudit domain the fowner capability" -- Allow sysadm_t to run bpftool on the userdomain attribute -- Add the 
userdom_prog_run_bpf_userdomain() interface -- Allow insights-client rpm named file transitions -- Add /var/tmp/insights-archive to insights_client_filetrans_named_content - -* Mon Aug 01 2022 Zdenek Pytela - 37.8-1 -- Allow sa-update to get init status and start systemd files -- Use insights_client_filetrans_named_content -- Make default file context match with named transitions -- Allow nm-dispatcher tlp plugin send system log messages -- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket -- Add permissions to manage lnk_files into gnome_manage_home_config -- Allow rhsmcertd to read insights config files -- Label /etc/insights-client/machine-id -- fix(devices.fc): Replace single quote in comment to solve parsing issues -- Make NetworkManager_dispatcher_custom_t an unconfined domain - -* Sat Jul 23 2022 Fedora Release Engineering - 37.7-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jul 14 2022 Zdenek Pytela - 37.7-1 -- Update winbind_rpcd_t -- Allow some domains use sd_notify() -- Revert "Allow rabbitmq to use systemd notify" -- fix(sedoctool.py): Fix syntax warning: "is not" with a literal -- Allow nm-dispatcher console plugin manage etc files -- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs -- Allow nm-dispatcher console plugin setfscreate -- Support using systemd-update-helper in rpm scriptlets -- Allow nm-dispatcher winbind plugin read samba config files -- Allow domain use userfaultfd over all domains -- Allow cups-lpd read network sysctls - -* Wed Jun 29 2022 Zdenek Pytela - 37.6-1 -- Allow stalld set scheduling policy of kernel threads -- Allow targetclid read /var/target files -- Allow targetclid read generic SSL certificates (fixed) -- Allow firewalld read the contents of the sysfs filesystem -- Fix file context pattern for /var/target -- Use insights_client_etc_t in insights_search_config() -- Allow nm-dispatcher ddclient plugin handle systemd services -- Allow nm-dispatcher winbind 
plugin run smbcontrol
-- Allow nm-dispatcher custom plugin create and use unix dgram socket
-- Update samba-dcerpcd policy for kerberos usage 2
-- Allow keepalived read the contents of the sysfs filesystem
-- Allow amandad read network sysctls
-- Allow cups-lpd read network sysctls
-- Allow kpropd read network sysctls
-- Update insights_client_filetrans_named_content()
-- Allow rabbitmq to use systemd notify
-- Label /var/target with targetd_var_t
-- Allow targetclid read generic SSL certificates
-- Update rhcd policy
-- Allow rhcd search insights configuration directories
-- Add the kernel_read_proc_files() interface
-- Require policycoreutils >= 3.4-1
-- Add a script for enclosing interfaces in ifndef statements
-- Disable rpm verification on interface_info
-
-* Wed Jun 22 2022 Zdenek Pytela - 37.5-1
-- Allow transition to insights_client named content
-- Add the insights_client_filetrans_named_content() interface
-- Update policy for insights-client to run additional commands 3
-- Allow dhclient manage pid files used by chronyd
-- Allow stalld get scheduling policy of kernel threads
-- Allow samba-dcerpcd work with sssd
-- Allow dlm_controld send a null signal to a cluster daemon
-- Allow ksmctl create hardware state information files
-- Allow winbind_rpcd_t connect to self over a unix_stream_socket
-- Update samba-dcerpcd policy for kerberos usage
-- Allow insights-client execute its private memfd: objects
-- Update policy for insights-client to run additional commands 2
-- Use insights_client_tmp_t instead of insights_client_var_tmp_t
-- Change space indentation to tab in insights-client
-- Use socket permissions sets in insights-client
-- Update policy for insights-client to run additional commands
-- Change rpm_setattr_db_files() to use a pattern
-- Allow init_t to rw insights_client unnamed pipe
-- Add rpm setattr db files macro
-- Fix insights client
-- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling
-- Allow rabbitmq to access its private memfd: objects
-- Update policy for samba-dcerpcd
-- Allow stalld setsched and sys_nice
-
-* Tue Jun 07 2022 Zdenek Pytela - 37.4-1
-- Allow auditd_t noatsecure for a transition to audisp_remote_t
-- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket
-- Allow pcp_domain execute its private memfd: objects
-- Add support for samba-dcerpcd
-- Add policy for wireguard
-- Confine targetcli
-- Allow systemd work with install_t unix stream sockets
-- Allow iscsid the sys_ptrace userns capability
-- Allow xdm connect to unconfined_service_t over a unix stream socket
-
-* Fri May 27 2022 Zdenek Pytela - 37.3-1
-- Allow nm-dispatcher custom plugin execute systemctl
-- Allow nm-dispatcher custom plugin dbus chat with nm
-- Allow nm-dispatcher custom plugin create and use udp socket
-- Allow nm-dispatcher custom plugin create and use netlink_route_socket
-- Use create_netlink_socket_perms in netlink_route_socket class permissions
-- Add support for nm-dispatcher sendmail scripts
-- Allow sslh net_admin capability
-- Allow insights-client manage gpg admin home content
-- Add the gpg_manage_admin_home_content() interface
-- Allow rhsmcertd create generic log files
-- Update logging_create_generic_logs() to use create_files_pattern()
-- Label /var/cache/insights with insights_client_cache_t
-- Allow insights-client search gconf homedir
-- Allow insights-client create and use unix_dgram_socket
-- Allow blueman execute its private memfd: files
-- Move the chown call into make-srpm.sh
-
-* Fri May 06 2022 Zdenek Pytela - 37.2-1
-- Use the networkmanager_dispatcher_plugin attribute in allow rules
-- Make a custom nm-dispatcher plugin transition
-- Label port 4784/tcp and 4784/udp with bfd_multi
-- Allow systemd watch and watch_reads user ptys
-- Allow sblim-gatherd the kill capability
-- Label more vdsm utils with virtd_exec_t
-- Add ksm service to ksmtuned
-- Add rhcd policy
-- Dontaudit guest attempts to dbus chat with systemd domains
-- Dontaudit guest attempts to dbus chat with system bus types
-- Use a named transition in systemd_hwdb_manage_config()
-- Add default fc specifications for patterns in /opt
-- Add the files_create_etc_files() interface
-- Allow nm-dispatcher console plugin create and write files in /etc
-- Allow nm-dispatcher console plugin transition to the setfiles domain
-- Allow more nm-dispatcher plugins append to init stream sockets
-- Allow nm-dispatcher tlp plugin dbus chat with nm
-- Reorder networkmanager_dispatcher_plugin_template() calls
-- Allow svirt connectto virtlogd
-- Allow blueman map its private memfd: files
-- Allow sysadm user execute init scripts with a transition
-- Allow sblim-sfcbd connect to sblim-reposd stream
-- Allow keepalived_unconfined_script_t dbus chat with init
-- Run restorecon with "-i" not to report errors
-
-* Mon May 02 2022 Zdenek Pytela - 37.1-1
-- Fix users for SELinux userspace 3.4
-- Label /var/run/machine-id as machineid_t
-- Add stalld to modules.conf
-- Use files_tmpfs_file() for rhsmcertd_tmpfs_t
-- Allow blueman read/write its private memfd: objects
-- Allow insights-client read rhnsd config files
-- Allow insights-client create_socket_perms for tcp/udp sockets
+## END: Generated by rpmautospec
