parent
2eb1e5050c
commit
b3c16146eb
@ -1,2 +1,2 @@
|
|||||||
SOURCES/container-selinux.tgz
|
SOURCES/container-selinux.tgz
|
||||||
SOURCES/selinux-policy-e464c3b.tar.gz
|
SOURCES/selinux-policy-3f0002a.tar.gz
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
a7770e3ebc8e88c6c514ec4a8fe532526e3798ae SOURCES/container-selinux.tgz
|
a93d442e55a089e898204de344ea212302d626d2 SOURCES/container-selinux.tgz
|
||||||
26ce88444772beacbefbd1647e4b89eca510518c SOURCES/selinux-policy-e464c3b.tar.gz
|
444104bed47e1d4da78a6e09764a5e42c4f757af SOURCES/selinux-policy-3f0002a.tar.gz
|
||||||
|
@ -1,248 +0,0 @@
|
|||||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
|
||||||
#
|
|
||||||
allow_execmem = false
|
|
||||||
|
|
||||||
# Allow making a modified private filemapping executable (text relocation).
|
|
||||||
#
|
|
||||||
allow_execmod = false
|
|
||||||
|
|
||||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
|
||||||
#
|
|
||||||
allow_execstack = true
|
|
||||||
|
|
||||||
# Allow ftpd to read cifs directories.
|
|
||||||
#
|
|
||||||
allow_ftpd_use_cifs = false
|
|
||||||
|
|
||||||
# Allow ftpd to read nfs directories.
|
|
||||||
#
|
|
||||||
allow_ftpd_use_nfs = false
|
|
||||||
|
|
||||||
# Allow ftp servers to modify public filesused for public file transfer services.
|
|
||||||
#
|
|
||||||
allow_ftpd_anon_write = false
|
|
||||||
|
|
||||||
# Allow gssd to read temp directory.
|
|
||||||
#
|
|
||||||
allow_gssd_read_tmp = true
|
|
||||||
|
|
||||||
# Allow Apache to modify public filesused for public file transfer services.
|
|
||||||
#
|
|
||||||
allow_httpd_anon_write = false
|
|
||||||
|
|
||||||
# Allow Apache to use mod_auth_pam module
|
|
||||||
#
|
|
||||||
allow_httpd_mod_auth_pam = false
|
|
||||||
|
|
||||||
# Allow system to run with kerberos
|
|
||||||
#
|
|
||||||
allow_kerberos = true
|
|
||||||
|
|
||||||
# Allow rsync to modify public filesused for public file transfer services.
|
|
||||||
#
|
|
||||||
allow_rsync_anon_write = false
|
|
||||||
|
|
||||||
# Allow sasl to read shadow
|
|
||||||
#
|
|
||||||
allow_saslauthd_read_shadow = false
|
|
||||||
|
|
||||||
# Allow samba to modify public filesused for public file transfer services.
|
|
||||||
#
|
|
||||||
allow_smbd_anon_write = false
|
|
||||||
|
|
||||||
# Allow system to run with NIS
|
|
||||||
#
|
|
||||||
allow_ypbind = false
|
|
||||||
|
|
||||||
# Allow zebra to write it own configuration files
|
|
||||||
#
|
|
||||||
allow_zebra_write_config = false
|
|
||||||
|
|
||||||
# Enable extra rules in the cron domainto support fcron.
|
|
||||||
#
|
|
||||||
fcron_crond = false
|
|
||||||
|
|
||||||
#
|
|
||||||
# allow httpd to connect to mysql/posgresql
|
|
||||||
httpd_can_network_connect_db = false
|
|
||||||
|
|
||||||
#
|
|
||||||
# allow httpd to send dbus messages to avahi
|
|
||||||
httpd_dbus_avahi = true
|
|
||||||
|
|
||||||
#
|
|
||||||
# allow httpd to network relay
|
|
||||||
httpd_can_network_relay = false
|
|
||||||
|
|
||||||
# Allow httpd to use built in scripting (usually php)
|
|
||||||
#
|
|
||||||
httpd_builtin_scripting = true
|
|
||||||
|
|
||||||
# Allow http daemon to tcp connect
|
|
||||||
#
|
|
||||||
httpd_can_network_connect = false
|
|
||||||
|
|
||||||
# Allow httpd cgi support
|
|
||||||
#
|
|
||||||
httpd_enable_cgi = true
|
|
||||||
|
|
||||||
# Allow httpd to act as a FTP server bylistening on the ftp port.
|
|
||||||
#
|
|
||||||
httpd_enable_ftp_server = false
|
|
||||||
|
|
||||||
# Allow httpd to read home directories
|
|
||||||
#
|
|
||||||
httpd_enable_homedirs = false
|
|
||||||
|
|
||||||
# Run SSI execs in system CGI script domain.
|
|
||||||
#
|
|
||||||
httpd_ssi_exec = false
|
|
||||||
|
|
||||||
# Allow http daemon to communicate with the TTY
|
|
||||||
#
|
|
||||||
httpd_tty_comm = false
|
|
||||||
|
|
||||||
# Run CGI in the main httpd domain
|
|
||||||
#
|
|
||||||
httpd_unified = false
|
|
||||||
|
|
||||||
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
|
||||||
#
|
|
||||||
named_write_master_zones = false
|
|
||||||
|
|
||||||
# Allow nfs to be exported read/write.
|
|
||||||
#
|
|
||||||
nfs_export_all_rw = true
|
|
||||||
|
|
||||||
# Allow nfs to be exported read only
|
|
||||||
#
|
|
||||||
nfs_export_all_ro = true
|
|
||||||
|
|
||||||
# Allow pppd to load kernel modules for certain modems
|
|
||||||
#
|
|
||||||
pppd_can_insmod = false
|
|
||||||
|
|
||||||
# Allow reading of default_t files.
|
|
||||||
#
|
|
||||||
read_default_t = false
|
|
||||||
|
|
||||||
# Allow samba to export user home directories.
|
|
||||||
#
|
|
||||||
samba_enable_home_dirs = false
|
|
||||||
|
|
||||||
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
|
|
||||||
#
|
|
||||||
squid_connect_any = false
|
|
||||||
|
|
||||||
# Support NFS home directories
|
|
||||||
#
|
|
||||||
use_nfs_home_dirs = true
|
|
||||||
|
|
||||||
# Support SAMBA home directories
|
|
||||||
#
|
|
||||||
use_samba_home_dirs = false
|
|
||||||
|
|
||||||
# Control users use of ping and traceroute
|
|
||||||
#
|
|
||||||
user_ping = false
|
|
||||||
|
|
||||||
# allow host key based authentication
|
|
||||||
#
|
|
||||||
allow_ssh_keysign = false
|
|
||||||
|
|
||||||
# Allow pppd to be run for a regular user
|
|
||||||
#
|
|
||||||
pppd_for_user = false
|
|
||||||
|
|
||||||
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
|
|
||||||
#
|
|
||||||
read_untrusted_content = false
|
|
||||||
|
|
||||||
# Allow spamd to write to users homedirs
|
|
||||||
#
|
|
||||||
spamd_enable_home_dirs = false
|
|
||||||
|
|
||||||
# Allow regular users direct mouse access
|
|
||||||
#
|
|
||||||
user_direct_mouse = false
|
|
||||||
|
|
||||||
# Allow users to read system messages.
|
|
||||||
#
|
|
||||||
user_dmesg = false
|
|
||||||
|
|
||||||
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
|
|
||||||
#
|
|
||||||
user_rw_noexattrfile = false
|
|
||||||
|
|
||||||
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
|
|
||||||
#
|
|
||||||
user_tcp_server = false
|
|
||||||
|
|
||||||
# Allow w to display everyone
|
|
||||||
#
|
|
||||||
user_ttyfile_stat = false
|
|
||||||
|
|
||||||
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
|
|
||||||
#
|
|
||||||
write_untrusted_content = false
|
|
||||||
|
|
||||||
# Allow all domains to talk to ttys
|
|
||||||
#
|
|
||||||
allow_daemons_use_tty = false
|
|
||||||
|
|
||||||
# Allow login domains to polyinstatiate directories
|
|
||||||
#
|
|
||||||
allow_polyinstantiation = false
|
|
||||||
|
|
||||||
# Allow all domains to dump core
|
|
||||||
#
|
|
||||||
allow_daemons_dump_core = true
|
|
||||||
|
|
||||||
# Allow samba to act as the domain controller
|
|
||||||
#
|
|
||||||
samba_domain_controller = false
|
|
||||||
|
|
||||||
# Allow samba to export user home directories.
|
|
||||||
#
|
|
||||||
samba_run_unconfined = false
|
|
||||||
|
|
||||||
# Allows XServer to execute writable memory
|
|
||||||
#
|
|
||||||
allow_xserver_execmem = false
|
|
||||||
|
|
||||||
# disallow guest accounts to execute files that they can create
|
|
||||||
#
|
|
||||||
allow_guest_exec_content = false
|
|
||||||
allow_xguest_exec_content = false
|
|
||||||
|
|
||||||
# Only allow browser to use the web
|
|
||||||
#
|
|
||||||
browser_confine_xguest=false
|
|
||||||
|
|
||||||
# Allow postfix locat to write to mail spool
|
|
||||||
#
|
|
||||||
allow_postfix_local_write_mail_spool=false
|
|
||||||
|
|
||||||
# Allow common users to read/write noexattrfile systems
|
|
||||||
#
|
|
||||||
user_rw_noexattrfile=true
|
|
||||||
|
|
||||||
# Allow qemu to connect fully to the network
|
|
||||||
#
|
|
||||||
qemu_full_network=true
|
|
||||||
|
|
||||||
# Allow nsplugin execmem/execstack for bad plugins
|
|
||||||
#
|
|
||||||
allow_nsplugin_execmem=true
|
|
||||||
|
|
||||||
# Allow unconfined domain to transition to confined domain
|
|
||||||
#
|
|
||||||
allow_unconfined_nsplugin_transition=true
|
|
||||||
|
|
||||||
# System uses init upstart program
|
|
||||||
#
|
|
||||||
init_upstart = true
|
|
||||||
|
|
||||||
# Allow mount to mount any file/dir
|
|
||||||
#
|
|
||||||
allow_mount_anyfile = true
|
|
@ -1,6 +0,0 @@
|
|||||||
kerberos_enabled = true
|
|
||||||
mount_anyfile = true
|
|
||||||
polyinstantiation_enabled = true
|
|
||||||
ftpd_is_daemon = true
|
|
||||||
selinuxuser_ping = true
|
|
||||||
xserver_object_manager = true
|
|
@ -1,25 +0,0 @@
|
|||||||
gssd_read_tmp = true
|
|
||||||
httpd_builtin_scripting = true
|
|
||||||
httpd_enable_cgi = true
|
|
||||||
kerberos_enabled = true
|
|
||||||
mount_anyfile = true
|
|
||||||
nfs_export_all_ro = true
|
|
||||||
nfs_export_all_rw = true
|
|
||||||
nscd_use_shm = true
|
|
||||||
openvpn_enable_homedirs = true
|
|
||||||
postfix_local_write_mail_spool=true
|
|
||||||
pppd_can_insmod = false
|
|
||||||
privoxy_connect_any = true
|
|
||||||
selinuxuser_direct_dri_enabled = true
|
|
||||||
selinuxuser_execmem = true
|
|
||||||
selinuxuser_execmod = true
|
|
||||||
selinuxuser_execstack = true
|
|
||||||
selinuxuser_rw_noexattrfile=true
|
|
||||||
selinuxuser_ping = true
|
|
||||||
squid_connect_any = true
|
|
||||||
telepathy_tcp_connect_generic_network_ports=true
|
|
||||||
unconfined_chrome_sandbox_transition=true
|
|
||||||
unconfined_mozilla_plugin_transition=true
|
|
||||||
xguest_exec_content = true
|
|
||||||
mozilla_plugin_can_network_connect = true
|
|
||||||
use_virtualbox = true
|
|
@ -1,54 +0,0 @@
|
|||||||
allow_auditadm_exec_content auditadm_exec_content
|
|
||||||
allow_console_login login_console_enabled
|
|
||||||
allow_cvs_read_shadow cvs_read_shadow
|
|
||||||
allow_daemons_dump_core daemons_dump_core
|
|
||||||
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
|
|
||||||
allow_daemons_use_tty daemons_use_tty
|
|
||||||
allow_domain_fd_use domain_fd_use
|
|
||||||
allow_execheap selinuxuser_execheap
|
|
||||||
allow_execmod selinuxuser_execmod
|
|
||||||
allow_execstack selinuxuser_execstack
|
|
||||||
allow_ftpd_anon_write ftpd_anon_write
|
|
||||||
allow_ftpd_full_access ftpd_full_access
|
|
||||||
allow_ftpd_use_cifs ftpd_use_cifs
|
|
||||||
allow_ftpd_use_nfs ftpd_use_nfs
|
|
||||||
allow_gssd_read_tmp gssd_read_tmp
|
|
||||||
allow_guest_exec_content guest_exec_content
|
|
||||||
allow_httpd_anon_write httpd_anon_write
|
|
||||||
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
|
|
||||||
allow_httpd_mod_auth_pam httpd_mod_auth_pam
|
|
||||||
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
|
|
||||||
allow_kerberos kerberos_enabled
|
|
||||||
allow_mplayer_execstack mplayer_execstack
|
|
||||||
allow_mount_anyfile mount_anyfile
|
|
||||||
allow_nfsd_anon_write nfsd_anon_write
|
|
||||||
allow_polyinstantiation polyinstantiation_enabled
|
|
||||||
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
|
|
||||||
allow_rsync_anon_write rsync_anon_write
|
|
||||||
allow_saslauthd_read_shadow saslauthd_read_shadow
|
|
||||||
allow_secadm_exec_content secadm_exec_content
|
|
||||||
allow_smbd_anon_write smbd_anon_write
|
|
||||||
allow_ssh_keysign ssh_keysign
|
|
||||||
allow_staff_exec_content staff_exec_content
|
|
||||||
allow_sysadm_exec_content sysadm_exec_content
|
|
||||||
allow_user_exec_content user_exec_content
|
|
||||||
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
|
|
||||||
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
|
|
||||||
allow_write_xshm xserver_clients_write_xshm
|
|
||||||
allow_xguest_exec_content xguest_exec_content
|
|
||||||
allow_xserver_execmem xserver_execmem
|
|
||||||
allow_ypbind nis_enabled
|
|
||||||
allow_zebra_write_config zebra_write_config
|
|
||||||
user_direct_dri selinuxuser_direct_dri_enabled
|
|
||||||
user_ping selinuxuser_ping
|
|
||||||
user_share_music selinuxuser_share_music
|
|
||||||
user_tcp_server selinuxuser_tcp_server
|
|
||||||
sepgsql_enable_pitr_implementation postgresql_can_rsync
|
|
||||||
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
|
|
||||||
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
|
|
||||||
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
|
|
||||||
clamd_use_jit antivirus_use_jit
|
|
||||||
amavis_use_jit antivirus_use_jit
|
|
||||||
logwatch_can_sendmail logwatch_can_network_connect_mail
|
|
||||||
puppet_manage_all_files puppetagent_manage_all_files
|
|
||||||
virt_sandbox_use_nfs virt_use_nfs
|
|
@ -1,14 +0,0 @@
|
|||||||
container_file_t
|
|
||||||
sandbox_file_t
|
|
||||||
svirt_image_t
|
|
||||||
svirt_home_t
|
|
||||||
svirt_sandbox_file_t
|
|
||||||
virt_content_t
|
|
||||||
httpd_user_htaccess_t
|
|
||||||
httpd_user_script_exec_t
|
|
||||||
httpd_user_rw_content_t
|
|
||||||
httpd_user_ra_content_t
|
|
||||||
httpd_user_content_t
|
|
||||||
git_session_content_t
|
|
||||||
home_bin_t
|
|
||||||
user_tty_device_t
|
|
@ -1,24 +0,0 @@
|
|||||||
/var/run /run
|
|
||||||
/var/lock /run/lock
|
|
||||||
/run/systemd/system /usr/lib/systemd/system
|
|
||||||
/run/systemd/generator /usr/lib/systemd/system
|
|
||||||
/run/systemd/generator.early /usr/lib/systemd/system
|
|
||||||
/run/systemd/generator.late /usr/lib/systemd/system
|
|
||||||
/lib /usr/lib
|
|
||||||
/lib64 /usr/lib
|
|
||||||
/usr/lib64 /usr/lib
|
|
||||||
/usr/local/lib64 /usr/lib
|
|
||||||
/usr/local/lib32 /usr/lib
|
|
||||||
/etc/systemd/system /usr/lib/systemd/system
|
|
||||||
/var/lib/xguest/home /home
|
|
||||||
/var/named/chroot/usr/lib64 /usr/lib
|
|
||||||
/var/named/chroot/lib64 /usr/lib
|
|
||||||
/var/named/chroot/var /var
|
|
||||||
/home-inst /home
|
|
||||||
/home/home-inst /home
|
|
||||||
/var/roothome /root
|
|
||||||
/sbin /usr/sbin
|
|
||||||
/sysroot/tmp /tmp
|
|
||||||
/var/usrlocal /usr/local
|
|
||||||
/var/mnt /mnt
|
|
||||||
/bin /usr/bin
|
|
@ -0,0 +1,50 @@
|
|||||||
|
apache
|
||||||
|
application
|
||||||
|
auditadm
|
||||||
|
authlogin
|
||||||
|
base
|
||||||
|
bootloader
|
||||||
|
clock
|
||||||
|
dbus
|
||||||
|
dmesg
|
||||||
|
fstools
|
||||||
|
getty
|
||||||
|
hostname
|
||||||
|
inetd
|
||||||
|
init
|
||||||
|
ipsec
|
||||||
|
iptables
|
||||||
|
kerberos
|
||||||
|
libraries
|
||||||
|
locallogin
|
||||||
|
logadm
|
||||||
|
logging
|
||||||
|
lvm
|
||||||
|
miscfiles
|
||||||
|
modutils
|
||||||
|
mount
|
||||||
|
mta
|
||||||
|
netlabel
|
||||||
|
netutils
|
||||||
|
nis
|
||||||
|
postgresql
|
||||||
|
secadm
|
||||||
|
selinuxutil
|
||||||
|
setrans
|
||||||
|
seunshare
|
||||||
|
ssh
|
||||||
|
staff
|
||||||
|
su
|
||||||
|
sudo
|
||||||
|
sysadm
|
||||||
|
sysadm_secadm
|
||||||
|
sysnetwork
|
||||||
|
systemd
|
||||||
|
udev
|
||||||
|
unconfined
|
||||||
|
unconfineduser
|
||||||
|
unlabelednet
|
||||||
|
unprivuser
|
||||||
|
userdomain
|
||||||
|
usermanage
|
||||||
|
xserver
|
@ -1,380 +0,0 @@
|
|||||||
# Layer: kernel
|
|
||||||
# Module: bootloader
|
|
||||||
#
|
|
||||||
# Policy for the kernel modules, kernel image, and bootloader.
|
|
||||||
#
|
|
||||||
bootloader = module
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: corenetwork
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy controlling access to network objects
|
|
||||||
#
|
|
||||||
corenetwork = base
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: dmesg
|
|
||||||
#
|
|
||||||
# Policy for dmesg.
|
|
||||||
#
|
|
||||||
dmesg = module
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: netutils
|
|
||||||
#
|
|
||||||
# Network analysis utilities
|
|
||||||
#
|
|
||||||
netutils = module
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: sudo
|
|
||||||
#
|
|
||||||
# Execute a command with a substitute user
|
|
||||||
#
|
|
||||||
sudo = module
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: su
|
|
||||||
#
|
|
||||||
# Run shells with substitute user and group
|
|
||||||
#
|
|
||||||
su = module
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: usermanage
|
|
||||||
#
|
|
||||||
# Policy for managing user accounts.
|
|
||||||
#
|
|
||||||
usermanage = module
|
|
||||||
|
|
||||||
# Layer: apps
|
|
||||||
# Module: seunshare
|
|
||||||
#
|
|
||||||
# seunshare executable
|
|
||||||
#
|
|
||||||
seunshare = module
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: corecommands
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Core policy for shells, and generic programs
|
|
||||||
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
|
||||||
#
|
|
||||||
corecommands = base
|
|
||||||
|
|
||||||
# Module: devices
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Device nodes and interfaces for many basic system devices.
|
|
||||||
#
|
|
||||||
devices = base
|
|
||||||
|
|
||||||
# Module: domain
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Core policy for domains.
|
|
||||||
#
|
|
||||||
domain = base
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: userdomain
|
|
||||||
#
|
|
||||||
# Policy for user domains
|
|
||||||
#
|
|
||||||
userdomain = module
|
|
||||||
|
|
||||||
# Module: files
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Basic filesystem types and interfaces.
|
|
||||||
#
|
|
||||||
files = base
|
|
||||||
|
|
||||||
# Module: filesystem
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for filesystems.
|
|
||||||
#
|
|
||||||
filesystem = base
|
|
||||||
|
|
||||||
# Module: kernel
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
|
||||||
#
|
|
||||||
kernel = base
|
|
||||||
|
|
||||||
# Module: mcs
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# MultiCategory security policy
|
|
||||||
#
|
|
||||||
mcs = base
|
|
||||||
|
|
||||||
# Module: mls
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Multilevel security policy
|
|
||||||
#
|
|
||||||
mls = base
|
|
||||||
|
|
||||||
# Module: selinux
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for kernel security interface, in particular, selinuxfs.
|
|
||||||
#
|
|
||||||
selinux = base
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: storage
|
|
||||||
#
|
|
||||||
# Policy controlling access to storage devices
|
|
||||||
#
|
|
||||||
storage = base
|
|
||||||
|
|
||||||
# Module: terminal
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for terminals.
|
|
||||||
#
|
|
||||||
terminal = base
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: ubac
|
|
||||||
#
|
|
||||||
#
|
|
||||||
#
|
|
||||||
ubac = base
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: unlabelednet
|
|
||||||
#
|
|
||||||
# The unlabelednet module.
|
|
||||||
#
|
|
||||||
unlabelednet = module
|
|
||||||
|
|
||||||
# Layer: role
|
|
||||||
# Module: auditadm
|
|
||||||
#
|
|
||||||
# auditadm account on tty logins
|
|
||||||
#
|
|
||||||
auditadm = module
|
|
||||||
|
|
||||||
# Layer: role
|
|
||||||
# Module: logadm
|
|
||||||
#
|
|
||||||
# Minimally prived root role for managing logging system
|
|
||||||
#
|
|
||||||
logadm = module
|
|
||||||
|
|
||||||
# Layer: role
|
|
||||||
# Module: secadm
|
|
||||||
#
|
|
||||||
# secadm account on tty logins
|
|
||||||
#
|
|
||||||
secadm = module
|
|
||||||
|
|
||||||
# Layer:role
|
|
||||||
# Module: staff
|
|
||||||
#
|
|
||||||
# admin account
|
|
||||||
#
|
|
||||||
staff = module
|
|
||||||
|
|
||||||
# Layer:role
|
|
||||||
# Module: sysadm_secadm
|
|
||||||
#
|
|
||||||
# System Administrator with Security Admin rules
|
|
||||||
#
|
|
||||||
sysadm_secadm = module
|
|
||||||
|
|
||||||
# Layer:role
|
|
||||||
# Module: sysadm
|
|
||||||
#
|
|
||||||
# System Administrator
|
|
||||||
#
|
|
||||||
sysadm = module
|
|
||||||
|
|
||||||
# Layer: role
|
|
||||||
# Module: unprivuser
|
|
||||||
#
|
|
||||||
# Minimally privs guest account on tty logins
|
|
||||||
#
|
|
||||||
unprivuser = module
|
|
||||||
|
|
||||||
# Layer: services
|
|
||||||
# Module: postgresql
|
|
||||||
#
|
|
||||||
# PostgreSQL relational database
|
|
||||||
#
|
|
||||||
postgresql = module
|
|
||||||
|
|
||||||
# Layer: services
|
|
||||||
# Module: ssh
|
|
||||||
#
|
|
||||||
# Secure shell client and server policy.
|
|
||||||
#
|
|
||||||
ssh = module
|
|
||||||
|
|
||||||
# Layer: services
|
|
||||||
# Module: xserver
|
|
||||||
#
|
|
||||||
# X windows login display manager
|
|
||||||
#
|
|
||||||
xserver = module
|
|
||||||
|
|
||||||
# Module: application
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Defines attributs and interfaces for all user applications
|
|
||||||
#
|
|
||||||
application = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: authlogin
|
|
||||||
#
|
|
||||||
# Common policy for authentication and user login.
|
|
||||||
#
|
|
||||||
authlogin = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: clock
|
|
||||||
#
|
|
||||||
# Policy for reading and setting the hardware clock.
|
|
||||||
#
|
|
||||||
clock = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: fstools
|
|
||||||
#
|
|
||||||
# Tools for filesystem management, such as mkfs and fsck.
|
|
||||||
#
|
|
||||||
fstools = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: getty
|
|
||||||
#
|
|
||||||
# Policy for getty.
|
|
||||||
#
|
|
||||||
getty = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: hostname
|
|
||||||
#
|
|
||||||
# Policy for changing the system host name.
|
|
||||||
#
|
|
||||||
hostname = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: init
|
|
||||||
#
|
|
||||||
# System initialization programs (init and init scripts).
|
|
||||||
#
|
|
||||||
init = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: ipsec
|
|
||||||
#
|
|
||||||
# TCP/IP encryption
|
|
||||||
#
|
|
||||||
ipsec = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: iptables
|
|
||||||
#
|
|
||||||
# Policy for iptables.
|
|
||||||
#
|
|
||||||
iptables = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: libraries
|
|
||||||
#
|
|
||||||
# Policy for system libraries.
|
|
||||||
#
|
|
||||||
libraries = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: locallogin
|
|
||||||
#
|
|
||||||
# Policy for local logins.
|
|
||||||
#
|
|
||||||
locallogin = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: logging
|
|
||||||
#
|
|
||||||
# Policy for the kernel message logger and system logging daemon.
|
|
||||||
#
|
|
||||||
logging = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: lvm
|
|
||||||
#
|
|
||||||
# Policy for logical volume management programs.
|
|
||||||
#
|
|
||||||
lvm = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: miscfiles
|
|
||||||
#
|
|
||||||
# Miscelaneous files.
|
|
||||||
#
|
|
||||||
miscfiles = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: modutils
|
|
||||||
#
|
|
||||||
# Policy for kernel module utilities
|
|
||||||
#
|
|
||||||
modutils = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: mount
|
|
||||||
#
|
|
||||||
# Policy for mount.
|
|
||||||
#
|
|
||||||
mount = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: netlabel
|
|
||||||
#
|
|
||||||
# Basic netlabel types and interfaces.
|
|
||||||
#
|
|
||||||
netlabel = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: selinuxutil
|
|
||||||
#
|
|
||||||
# Policy for SELinux policy and userland applications.
|
|
||||||
#
|
|
||||||
selinuxutil = module
|
|
||||||
|
|
||||||
# Module: setrans
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for setrans
|
|
||||||
#
|
|
||||||
setrans = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: sysnetwork
|
|
||||||
#
|
|
||||||
# Policy for network configuration: ifconfig and dhcp client.
|
|
||||||
#
|
|
||||||
sysnetwork = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: systemd
|
|
||||||
#
|
|
||||||
# Policy for systemd components
|
|
||||||
#
|
|
||||||
systemd = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: udev
|
|
||||||
#
|
|
||||||
# Policy for udev.
|
|
||||||
#
|
|
||||||
udev = module
|
|
File diff suppressed because it is too large
Load Diff
@ -1,393 +0,0 @@
|
|||||||
# Layer: kernel
|
|
||||||
# Module: bootloader
|
|
||||||
#
|
|
||||||
# Policy for the kernel modules, kernel image, and bootloader.
|
|
||||||
#
|
|
||||||
bootloader = module
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: corecommands
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Core policy for shells, and generic programs
|
|
||||||
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
|
||||||
#
|
|
||||||
corecommands = base
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: corenetwork
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy controlling access to network objects
|
|
||||||
#
|
|
||||||
corenetwork = base
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: dmesg
|
|
||||||
#
|
|
||||||
# Policy for dmesg.
|
|
||||||
#
|
|
||||||
dmesg = module
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: netutils
|
|
||||||
#
|
|
||||||
# Network analysis utilities
|
|
||||||
#
|
|
||||||
netutils = module
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: sudo
|
|
||||||
#
|
|
||||||
# Execute a command with a substitute user
|
|
||||||
#
|
|
||||||
sudo = module
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: su
|
|
||||||
#
|
|
||||||
# Run shells with substitute user and group
|
|
||||||
#
|
|
||||||
su = module
|
|
||||||
|
|
||||||
# Layer: admin
|
|
||||||
# Module: usermanage
|
|
||||||
#
|
|
||||||
# Policy for managing user accounts.
|
|
||||||
#
|
|
||||||
usermanage = module
|
|
||||||
|
|
||||||
# Layer: apps
|
|
||||||
# Module: seunshare
|
|
||||||
#
|
|
||||||
# seunshare executable
|
|
||||||
#
|
|
||||||
seunshare = module
|
|
||||||
|
|
||||||
# Module: devices
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Device nodes and interfaces for many basic system devices.
|
|
||||||
#
|
|
||||||
devices = base
|
|
||||||
|
|
||||||
# Module: domain
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Core policy for domains.
|
|
||||||
#
|
|
||||||
domain = base
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: userdomain
|
|
||||||
#
|
|
||||||
# Policy for user domains
|
|
||||||
#
|
|
||||||
userdomain = module
|
|
||||||
|
|
||||||
# Module: files
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Basic filesystem types and interfaces.
|
|
||||||
#
|
|
||||||
files = base
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: miscfiles
|
|
||||||
#
|
|
||||||
# Miscelaneous files.
|
|
||||||
#
|
|
||||||
miscfiles = module
|
|
||||||
|
|
||||||
# Module: filesystem
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for filesystems.
|
|
||||||
#
|
|
||||||
filesystem = base
|
|
||||||
|
|
||||||
# Module: kernel
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
|
||||||
#
|
|
||||||
kernel = base
|
|
||||||
|
|
||||||
# Module: mcs
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# MultiCategory security policy
|
|
||||||
#
|
|
||||||
mcs = base
|
|
||||||
|
|
||||||
# Module: mls
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Multilevel security policy
|
|
||||||
#
|
|
||||||
mls = base
|
|
||||||
|
|
||||||
# Module: selinux
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for kernel security interface, in particular, selinuxfs.
|
|
||||||
#
|
|
||||||
selinux = base
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: storage
|
|
||||||
#
|
|
||||||
# Policy controlling access to storage devices
|
|
||||||
#
|
|
||||||
storage = base
|
|
||||||
|
|
||||||
# Module: terminal
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for terminals.
|
|
||||||
#
|
|
||||||
terminal = base
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: ubac
|
|
||||||
#
|
|
||||||
#
|
|
||||||
#
|
|
||||||
ubac = base
|
|
||||||
|
|
||||||
# Layer: kernel
|
|
||||||
# Module: unconfined
|
|
||||||
#
|
|
||||||
# The unlabelednet module.
|
|
||||||
#
|
|
||||||
unlabelednet = module
|
|
||||||
|
|
||||||
# Layer: role
|
|
||||||
# Module: auditadm
|
|
||||||
#
|
|
||||||
# auditadm account on tty logins
|
|
||||||
#
|
|
||||||
auditadm = module
|
|
||||||
|
|
||||||
# Layer: role
|
|
||||||
# Module: logadm
|
|
||||||
#
|
|
||||||
# Minimally prived root role for managing logging system
|
|
||||||
#
|
|
||||||
logadm = module
|
|
||||||
|
|
||||||
# Layer: role
|
|
||||||
# Module: secadm
|
|
||||||
#
|
|
||||||
# secadm account on tty logins
|
|
||||||
#
|
|
||||||
secadm = module
|
|
||||||
|
|
||||||
# Layer:role
|
|
||||||
# Module: sysadm_secadm
|
|
||||||
#
|
|
||||||
# System Administrator with Security Admin rules
|
|
||||||
#
|
|
||||||
sysadm_secadm = module
|
|
||||||
|
|
||||||
# Module: staff
|
|
||||||
#
|
|
||||||
# admin account
|
|
||||||
#
|
|
||||||
staff = module
|
|
||||||
|
|
||||||
# Layer:role
|
|
||||||
# Module: sysadm
|
|
||||||
#
|
|
||||||
# System Administrator
|
|
||||||
#
|
|
||||||
sysadm = module
|
|
||||||
|
|
||||||
# Layer: role
|
|
||||||
# Module: unconfineduser
|
|
||||||
#
|
|
||||||
# The unconfined user domain.
|
|
||||||
#
|
|
||||||
unconfineduser = module
|
|
||||||
|
|
||||||
# Layer: role
|
|
||||||
# Module: unprivuser
|
|
||||||
#
|
|
||||||
# Minimally privs guest account on tty logins
|
|
||||||
#
|
|
||||||
unprivuser = module
|
|
||||||
|
|
||||||
# Layer: services
|
|
||||||
# Module: postgresql
|
|
||||||
#
|
|
||||||
# PostgreSQL relational database
|
|
||||||
#
|
|
||||||
postgresql = module
|
|
||||||
|
|
||||||
# Layer: services
|
|
||||||
# Module: ssh
|
|
||||||
#
|
|
||||||
# Secure shell client and server policy.
|
|
||||||
#
|
|
||||||
ssh = module
|
|
||||||
|
|
||||||
# Layer: services
|
|
||||||
# Module: xserver
|
|
||||||
#
|
|
||||||
# X windows login display manager
|
|
||||||
#
|
|
||||||
xserver = module
|
|
||||||
|
|
||||||
# Module: application
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Defines attributs and interfaces for all user applications
|
|
||||||
#
|
|
||||||
application = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: authlogin
|
|
||||||
#
|
|
||||||
# Common policy for authentication and user login.
|
|
||||||
#
|
|
||||||
authlogin = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: clock
|
|
||||||
#
|
|
||||||
# Policy for reading and setting the hardware clock.
|
|
||||||
#
|
|
||||||
clock = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: fstools
|
|
||||||
#
|
|
||||||
# Tools for filesystem management, such as mkfs and fsck.
|
|
||||||
#
|
|
||||||
fstools = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: getty
|
|
||||||
#
|
|
||||||
# Policy for getty.
|
|
||||||
#
|
|
||||||
getty = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: hostname
|
|
||||||
#
|
|
||||||
# Policy for changing the system host name.
|
|
||||||
#
|
|
||||||
hostname = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: init
|
|
||||||
#
|
|
||||||
# System initialization programs (init and init scripts).
|
|
||||||
#
|
|
||||||
init = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: ipsec
|
|
||||||
#
|
|
||||||
# TCP/IP encryption
|
|
||||||
#
|
|
||||||
ipsec = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: iptables
|
|
||||||
#
|
|
||||||
# Policy for iptables.
|
|
||||||
#
|
|
||||||
iptables = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: libraries
|
|
||||||
#
|
|
||||||
# Policy for system libraries.
|
|
||||||
#
|
|
||||||
libraries = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: locallogin
|
|
||||||
#
|
|
||||||
# Policy for local logins.
|
|
||||||
#
|
|
||||||
locallogin = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: logging
|
|
||||||
#
|
|
||||||
# Policy for the kernel message logger and system logging daemon.
|
|
||||||
#
|
|
||||||
logging = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: lvm
|
|
||||||
#
|
|
||||||
# Policy for logical volume management programs.
|
|
||||||
#
|
|
||||||
lvm = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: modutils
|
|
||||||
#
|
|
||||||
# Policy for kernel module utilities
|
|
||||||
#
|
|
||||||
modutils = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: mount
|
|
||||||
#
|
|
||||||
# Policy for mount.
|
|
||||||
#
|
|
||||||
mount = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: netlabel
|
|
||||||
#
|
|
||||||
# Basic netlabel types and interfaces.
|
|
||||||
#
|
|
||||||
netlabel = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: selinuxutil
|
|
||||||
#
|
|
||||||
# Policy for SELinux policy and userland applications.
|
|
||||||
#
|
|
||||||
selinuxutil = module
|
|
||||||
|
|
||||||
# Module: setrans
|
|
||||||
# Required in base
|
|
||||||
#
|
|
||||||
# Policy for setrans
|
|
||||||
#
|
|
||||||
setrans = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: sysnetwork
|
|
||||||
#
|
|
||||||
# Policy for network configuration: ifconfig and dhcp client.
|
|
||||||
#
|
|
||||||
sysnetwork = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: systemd
|
|
||||||
#
|
|
||||||
# Policy for systemd components
|
|
||||||
#
|
|
||||||
systemd = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: udev
|
|
||||||
#
|
|
||||||
# Policy for udev.
|
|
||||||
#
|
|
||||||
udev = module
|
|
||||||
|
|
||||||
# Layer: system
|
|
||||||
# Module: unconfined
|
|
||||||
#
|
|
||||||
# The unconfined domain.
|
|
||||||
#
|
|
||||||
unconfined = module
|
|
File diff suppressed because it is too large
Load Diff
@ -1,2 +0,0 @@
|
|||||||
(roleattributeset cil_gen_require system_r)
|
|
||||||
|
|
@ -1,4 +0,0 @@
|
|||||||
console_device_t
|
|
||||||
sysadm_tty_device_t
|
|
||||||
user_tty_device_t
|
|
||||||
staff_tty_device_t
|
|
@ -1,6 +0,0 @@
|
|||||||
console_device_t
|
|
||||||
sysadm_tty_device_t
|
|
||||||
user_tty_device_t
|
|
||||||
staff_tty_device_t
|
|
||||||
auditadm_tty_device_t
|
|
||||||
secureadm_tty_device_t
|
|
@ -1,4 +0,0 @@
|
|||||||
console_device_t
|
|
||||||
sysadm_tty_device_t
|
|
||||||
user_tty_device_t
|
|
||||||
staff_tty_device_t
|
|
@ -0,0 +1 @@
|
|||||||
|
selinux-policy-mls
|
@ -0,0 +1 @@
|
|||||||
|
selinux-policy-targeted
|
@ -1,19 +0,0 @@
|
|||||||
#
|
|
||||||
# Multi-Category Security translation table for SELinux
|
|
||||||
#
|
|
||||||
# Uncomment the following to disable translation libary
|
|
||||||
# disable=1
|
|
||||||
#
|
|
||||||
# Objects can be categorized with 0-1023 categories defined by the admin.
|
|
||||||
# Objects can be in more than one category at a time.
|
|
||||||
# Categories are stored in the system as c0-c1023. Users can use this
|
|
||||||
# table to translate the categories into a more meaningful output.
|
|
||||||
# Examples:
|
|
||||||
# s0:c0=CompanyConfidential
|
|
||||||
# s0:c1=PatientRecord
|
|
||||||
# s0:c2=Unclassified
|
|
||||||
# s0:c3=TopSecret
|
|
||||||
# s0:c1,c3=CompanyConfidentialRedHat
|
|
||||||
s0=SystemLow
|
|
||||||
s0-s0:c0.c1023=SystemLow-SystemHigh
|
|
||||||
s0:c0.c1023=SystemHigh
|
|
@ -1,52 +0,0 @@
|
|||||||
#
|
|
||||||
# Multi-Level Security translation table for SELinux
|
|
||||||
#
|
|
||||||
# Uncomment the following to disable translation libary
|
|
||||||
# disable=1
|
|
||||||
#
|
|
||||||
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
|
|
||||||
# categories defined by the admin.
|
|
||||||
# Objects can be in more than one category at a time.
|
|
||||||
# Users can modify this table to translate the MLS labels for different purpose.
|
|
||||||
#
|
|
||||||
# Assumptions: using below MLS labels.
|
|
||||||
# SystemLow
|
|
||||||
# SystemHigh
|
|
||||||
# Unclassified
|
|
||||||
# Secret with compartments A and B.
|
|
||||||
#
|
|
||||||
# SystemLow and SystemHigh
|
|
||||||
s0=SystemLow
|
|
||||||
s15:c0.c1023=SystemHigh
|
|
||||||
s0-s15:c0.c1023=SystemLow-SystemHigh
|
|
||||||
|
|
||||||
# Unclassified level
|
|
||||||
s1=Unclassified
|
|
||||||
|
|
||||||
# Secret level with compartments
|
|
||||||
s2=Secret
|
|
||||||
s2:c0=A
|
|
||||||
s2:c1=B
|
|
||||||
|
|
||||||
# ranges for Unclassified
|
|
||||||
s0-s1=SystemLow-Unclassified
|
|
||||||
s1-s2=Unclassified-Secret
|
|
||||||
s1-s15:c0.c1023=Unclassified-SystemHigh
|
|
||||||
|
|
||||||
# ranges for Secret with compartments
|
|
||||||
s0-s2=SystemLow-Secret
|
|
||||||
s0-s2:c0=SystemLow-Secret:A
|
|
||||||
s0-s2:c1=SystemLow-Secret:B
|
|
||||||
s0-s2:c0,c1=SystemLow-Secret:AB
|
|
||||||
s1-s2:c0=Unclassified-Secret:A
|
|
||||||
s1-s2:c1=Unclassified-Secret:B
|
|
||||||
s1-s2:c0,c1=Unclassified-Secret:AB
|
|
||||||
s2-s2:c0=Secret-Secret:A
|
|
||||||
s2-s2:c1=Secret-Secret:B
|
|
||||||
s2-s2:c0,c1=Secret-Secret:AB
|
|
||||||
s2-s15:c0.c1023=Secret-SystemHigh
|
|
||||||
s2:c0-s2:c0,c1=Secret:A-Secret:AB
|
|
||||||
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
|
|
||||||
s2:c1-s2:c0,c1=Secret:B-Secret:AB
|
|
||||||
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
|
|
||||||
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
|
|
@ -1,19 +0,0 @@
|
|||||||
#
|
|
||||||
# Multi-Category Security translation table for SELinux
|
|
||||||
#
|
|
||||||
# Uncomment the following to disable translation libary
|
|
||||||
# disable=1
|
|
||||||
#
|
|
||||||
# Objects can be categorized with 0-1023 categories defined by the admin.
|
|
||||||
# Objects can be in more than one category at a time.
|
|
||||||
# Categories are stored in the system as c0-c1023. Users can use this
|
|
||||||
# table to translate the categories into a more meaningful output.
|
|
||||||
# Examples:
|
|
||||||
# s0:c0=CompanyConfidential
|
|
||||||
# s0:c1=PatientRecord
|
|
||||||
# s0:c2=Unclassified
|
|
||||||
# s0:c3=TopSecret
|
|
||||||
# s0:c1,c3=CompanyConfidentialRedHat
|
|
||||||
s0=SystemLow
|
|
||||||
s0-s0:c0.c1023=SystemLow-SystemHigh
|
|
||||||
s0:c0.c1023=SystemHigh
|
|
@ -1,39 +0,0 @@
|
|||||||
##################################
|
|
||||||
#
|
|
||||||
# Core User configuration.
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
|
||||||
#
|
|
||||||
# Note: Identities without a prefix wil not be listed
|
|
||||||
# in the users_extra file used by genhomedircon.
|
|
||||||
|
|
||||||
#
|
|
||||||
# system_u is the user identity for system processes and objects.
|
|
||||||
# There should be no corresponding Unix user identity for system,
|
|
||||||
# and a user process should never be assigned the system user
|
|
||||||
# identity.
|
|
||||||
#
|
|
||||||
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
|
|
||||||
#
|
|
||||||
# user_u is a generic user identity for Linux users who have no
|
|
||||||
# SELinux user identity defined. The modified daemons will use
|
|
||||||
# this user identity in the security context if there is no matching
|
|
||||||
# SELinux user identity for a Linux user. If you do not want to
|
|
||||||
# permit any access to such users, then remove this entry.
|
|
||||||
#
|
|
||||||
gen_user(user_u, user, user_r, s0, s0)
|
|
||||||
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
|
|
||||||
#
|
|
||||||
# The following users correspond to Unix identities.
|
|
||||||
# These identities are typically assigned as the user attribute
|
|
||||||
# when login starts the user shell. Users with access to the sysadm_r
|
|
||||||
# role should use the staff_r role instead of the user_r role when
|
|
||||||
# not in the sysadm_r.
|
|
||||||
#
|
|
||||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
@ -1,40 +0,0 @@
|
|||||||
##################################
|
|
||||||
#
|
|
||||||
# Core User configuration.
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
|
||||||
#
|
|
||||||
# Note: Identities without a prefix wil not be listed
|
|
||||||
# in the users_extra file used by genhomedircon.
|
|
||||||
|
|
||||||
#
|
|
||||||
# system_u is the user identity for system processes and objects.
|
|
||||||
# There should be no corresponding Unix user identity for system,
|
|
||||||
# and a user process should never be assigned the system user
|
|
||||||
# identity.
|
|
||||||
#
|
|
||||||
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
|
|
||||||
#
|
|
||||||
# user_u is a generic user identity for Linux users who have no
|
|
||||||
# SELinux user identity defined. The modified daemons will use
|
|
||||||
# this user identity in the security context if there is no matching
|
|
||||||
# SELinux user identity for a Linux user. If you do not want to
|
|
||||||
# permit any access to such users, then remove this entry.
|
|
||||||
#
|
|
||||||
gen_user(user_u, user, user_r, s0, s0)
|
|
||||||
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
|
|
||||||
#
|
|
||||||
# The following users correspond to Unix identities.
|
|
||||||
# These identities are typically assigned as the user attribute
|
|
||||||
# when login starts the user shell. Users with access to the sysadm_r
|
|
||||||
# role should use the staff_r role instead of the user_r role when
|
|
||||||
# not in the sysadm_r.
|
|
||||||
#
|
|
||||||
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
gen_user(guest_u, user, guest_r, s0, s0)
|
|
||||||
gen_user(xguest_u, user, xguest_r, s0, s0)
|
|
@ -1,41 +0,0 @@
|
|||||||
##################################
|
|
||||||
#
|
|
||||||
# Core User configuration.
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
|
||||||
#
|
|
||||||
# Note: Identities without a prefix wil not be listed
|
|
||||||
# in the users_extra file used by genhomedircon.
|
|
||||||
|
|
||||||
#
|
|
||||||
# system_u is the user identity for system processes and objects.
|
|
||||||
# There should be no corresponding Unix user identity for system,
|
|
||||||
# and a user process should never be assigned the system user
|
|
||||||
# identity.
|
|
||||||
#
|
|
||||||
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
|
|
||||||
#
|
|
||||||
# user_u is a generic user identity for Linux users who have no
|
|
||||||
# SELinux user identity defined. The modified daemons will use
|
|
||||||
# this user identity in the security context if there is no matching
|
|
||||||
# SELinux user identity for a Linux user. If you do not want to
|
|
||||||
# permit any access to such users, then remove this entry.
|
|
||||||
#
|
|
||||||
gen_user(user_u, user, user_r, s0, s0)
|
|
||||||
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
|
|
||||||
#
|
|
||||||
# The following users correspond to Unix identities.
|
|
||||||
# These identities are typically assigned as the user attribute
|
|
||||||
# when login starts the user shell. Users with access to the sysadm_r
|
|
||||||
# role should use the staff_r role instead of the user_r role when
|
|
||||||
# not in the sysadm_r.
|
|
||||||
#
|
|
||||||
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
|
||||||
gen_user(guest_u, user, guest_r, s0, s0)
|
|
||||||
gen_user(xguest_u, user, xguest_r, s0, s0)
|
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue