From e4fb15f834f7a6f57d87917917030fd9a5b34b9f Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 25 Oct 2024 19:19:12 +0300 Subject: [PATCH] import selinux-policy-40.13.10-1.el10 --- .gitignore | 2 + .selinux-policy.metadata | 2 + SOURCES/Makefile.devel | 22 + SOURCES/booleans-minimum.conf | 248 ++ SOURCES/booleans-mls.conf | 6 + SOURCES/booleans-targeted.conf | 25 + SOURCES/booleans.subs_dist | 54 + SOURCES/customizable_types | 14 + SOURCES/file_contexts.subs_dist | 24 + SOURCES/macro-expander | 81 + SOURCES/modules-mls-base.conf | 380 +++ SOURCES/modules-mls-contrib.conf | 1581 ++++++++++ SOURCES/modules-targeted-base.conf | 393 +++ SOURCES/modules-targeted-contrib.conf | 2784 ++++++++++++++++++ SOURCES/permissivedomains.cil | 2 + SOURCES/rpm.macros | 186 ++ SOURCES/securetty_types-minimum | 4 + SOURCES/securetty_types-mls | 6 + SOURCES/securetty_types-targeted | 4 + SOURCES/selinux-check-proper-disable.service | 15 + SOURCES/selinux-policy.conf | 4 + SOURCES/setrans-minimum.conf | 19 + SOURCES/setrans-mls.conf | 52 + SOURCES/setrans-targeted.conf | 19 + SOURCES/users-minimum | 39 + SOURCES/users-mls | 40 + SOURCES/users-targeted | 41 + SOURCES/varrun-convert.sh | 80 + SPECS/selinux-policy.spec | 2032 +++++++++++++ 29 files changed, 8159 insertions(+) create mode 100644 .gitignore create mode 100644 .selinux-policy.metadata create mode 100644 SOURCES/Makefile.devel create mode 100644 SOURCES/booleans-minimum.conf create mode 100644 SOURCES/booleans-mls.conf create mode 100644 SOURCES/booleans-targeted.conf create mode 100644 SOURCES/booleans.subs_dist create mode 100644 SOURCES/customizable_types create mode 100644 SOURCES/file_contexts.subs_dist create mode 100644 SOURCES/macro-expander create mode 100644 SOURCES/modules-mls-base.conf create mode 100644 SOURCES/modules-mls-contrib.conf create mode 100644 SOURCES/modules-targeted-base.conf create mode 100644 SOURCES/modules-targeted-contrib.conf create mode 100644 SOURCES/permissivedomains.cil create mode 100644 SOURCES/rpm.macros create mode 100644 SOURCES/securetty_types-minimum create mode 100644 SOURCES/securetty_types-mls create mode 100644 SOURCES/securetty_types-targeted create mode 100644 SOURCES/selinux-check-proper-disable.service create mode 100644 SOURCES/selinux-policy.conf create mode 100644 SOURCES/setrans-minimum.conf create mode 100644 SOURCES/setrans-mls.conf create mode 100644 SOURCES/setrans-targeted.conf create mode 100644 SOURCES/users-minimum create mode 100644 SOURCES/users-mls create mode 100644 SOURCES/users-targeted create mode 100755 SOURCES/varrun-convert.sh create mode 100644 SPECS/selinux-policy.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..101d38d --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/container-selinux.tgz +SOURCES/selinux-policy-3d165a6.tar.gz diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata new file mode 100644 index 0000000..d3f91a5 --- /dev/null +++ b/.selinux-policy.metadata @@ -0,0 +1,2 @@ +cc56c4b39763b0c0eec6cc128dab6c1e3b428600 SOURCES/container-selinux.tgz +a1dbf2c006b89e053e3cf6bb2aec1cda55756ad2 SOURCES/selinux-policy-3d165a6.tar.gz diff --git a/SOURCES/Makefile.devel b/SOURCES/Makefile.devel new file mode 100644 index 0000000..b1c6bfe --- /dev/null +++ b/SOURCES/Makefile.devel @@ -0,0 +1,22 @@ +# installation paths +SHAREDIR := /usr/share/selinux + +AWK ?= gawk +NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)) + +ifeq ($(MLSENABLED),) + MLSENABLED := 1 +endif + +ifeq ($(MLSENABLED),1) + NTYPE = mcs +endif + +ifeq ($(NAME),mls) + NTYPE = mls +endif + +TYPE ?= $(NTYPE) + +HEADERDIR := $(SHAREDIR)/devel/include +include $(HEADERDIR)/Makefile diff --git a/SOURCES/booleans-minimum.conf b/SOURCES/booleans-minimum.conf new file mode 100644 index 0000000..59dac1f --- /dev/null +++ b/SOURCES/booleans-minimum.conf @@ -0,0 +1,248 @@ +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +allow_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +allow_execstack = true + +# Allow ftpd to read cifs directories. +# +allow_ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +allow_ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +allow_gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +allow_httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +allow_saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Allow zebra to write it own configuration files +# +allow_zebra_write_config = false + +# Enable extra rules in the cron domainto support fcron. +# +fcron_crond = false + +# +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false + +# +# allow httpd to send dbus messages to avahi +httpd_dbus_avahi = true + +# +# allow httpd to network relay +httpd_can_network_relay = false + +# Allow httpd to use built in scripting (usually php) +# +httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# +httpd_enable_cgi = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. +# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# +nfs_export_all_rw = true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# +pppd_can_insmod = false + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. +# +squid_connect_any = false + +# Support NFS home directories +# +use_nfs_home_dirs = true + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = false + +# allow host key based authentication +# +allow_ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted +# +read_untrusted_content = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = false + +# Allow regular users direct mouse access +# +user_direct_mouse = false + +# Allow users to read system messages. +# +user_dmesg = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = false + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow w to display everyone +# +user_ttyfile_stat = false + +# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. +# +write_untrusted_content = false + +# Allow all domains to talk to ttys +# +allow_daemons_use_tty = false + +# Allow login domains to polyinstatiate directories +# +allow_polyinstantiation = false + +# Allow all domains to dump core +# +allow_daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. +# +samba_run_unconfined = false + +# Allows XServer to execute writable memory +# +allow_xserver_execmem = false + +# disallow guest accounts to execute files that they can create +# +allow_guest_exec_content = false +allow_xguest_exec_content = false + +# Only allow browser to use the web +# +browser_confine_xguest=false + +# Allow postfix locat to write to mail spool +# +allow_postfix_local_write_mail_spool=false + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile=true + +# Allow qemu to connect fully to the network +# +qemu_full_network=true + +# Allow nsplugin execmem/execstack for bad plugins +# +allow_nsplugin_execmem=true + +# Allow unconfined domain to transition to confined domain +# +allow_unconfined_nsplugin_transition=true + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# +allow_mount_anyfile = true diff --git a/SOURCES/booleans-mls.conf b/SOURCES/booleans-mls.conf new file mode 100644 index 0000000..65ccfa4 --- /dev/null +++ b/SOURCES/booleans-mls.conf @@ -0,0 +1,6 @@ +kerberos_enabled = true +mount_anyfile = true +polyinstantiation_enabled = true +ftpd_is_daemon = true +selinuxuser_ping = true +xserver_object_manager = true diff --git a/SOURCES/booleans-targeted.conf b/SOURCES/booleans-targeted.conf new file mode 100644 index 0000000..8789a08 --- /dev/null +++ b/SOURCES/booleans-targeted.conf @@ -0,0 +1,25 @@ +gssd_read_tmp = true +httpd_builtin_scripting = true +httpd_enable_cgi = true +kerberos_enabled = true +mount_anyfile = true +nfs_export_all_ro = true +nfs_export_all_rw = true +nscd_use_shm = true +openvpn_enable_homedirs = true +postfix_local_write_mail_spool=true +pppd_can_insmod = false +privoxy_connect_any = true +selinuxuser_direct_dri_enabled = true +selinuxuser_execmem = true +selinuxuser_execmod = true +selinuxuser_execstack = true +selinuxuser_rw_noexattrfile=true +selinuxuser_ping = true +squid_connect_any = true +telepathy_tcp_connect_generic_network_ports=true +unconfined_chrome_sandbox_transition=true +unconfined_mozilla_plugin_transition=true +xguest_exec_content = true +mozilla_plugin_can_network_connect = true +use_virtualbox = true diff --git a/SOURCES/booleans.subs_dist b/SOURCES/booleans.subs_dist new file mode 100644 index 0000000..fed7d8c --- /dev/null +++ b/SOURCES/booleans.subs_dist @@ -0,0 +1,54 @@ +allow_auditadm_exec_content auditadm_exec_content +allow_console_login login_console_enabled +allow_cvs_read_shadow cvs_read_shadow +allow_daemons_dump_core daemons_dump_core +allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper +allow_daemons_use_tty daemons_use_tty +allow_domain_fd_use domain_fd_use +allow_execheap selinuxuser_execheap +allow_execmod selinuxuser_execmod +allow_execstack selinuxuser_execstack +allow_ftpd_anon_write ftpd_anon_write +allow_ftpd_full_access ftpd_full_access +allow_ftpd_use_cifs ftpd_use_cifs +allow_ftpd_use_nfs ftpd_use_nfs +allow_gssd_read_tmp gssd_read_tmp +allow_guest_exec_content guest_exec_content +allow_httpd_anon_write httpd_anon_write +allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind +allow_httpd_mod_auth_pam httpd_mod_auth_pam +allow_httpd_sys_script_anon_write httpd_sys_script_anon_write +allow_kerberos kerberos_enabled +allow_mplayer_execstack mplayer_execstack +allow_mount_anyfile mount_anyfile +allow_nfsd_anon_write nfsd_anon_write +allow_polyinstantiation polyinstantiation_enabled +allow_postfix_local_write_mail_spool postfix_local_write_mail_spool +allow_rsync_anon_write rsync_anon_write +allow_saslauthd_read_shadow saslauthd_read_shadow +allow_secadm_exec_content secadm_exec_content +allow_smbd_anon_write smbd_anon_write +allow_ssh_keysign ssh_keysign +allow_staff_exec_content staff_exec_content +allow_sysadm_exec_content sysadm_exec_content +allow_user_exec_content user_exec_content +allow_user_mysql_connect selinuxuser_mysql_connect_enabled +allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled +allow_write_xshm xserver_clients_write_xshm +allow_xguest_exec_content xguest_exec_content +allow_xserver_execmem xserver_execmem +allow_ypbind nis_enabled +allow_zebra_write_config zebra_write_config +user_direct_dri selinuxuser_direct_dri_enabled +user_ping selinuxuser_ping +user_share_music selinuxuser_share_music +user_tcp_server selinuxuser_tcp_server +sepgsql_enable_pitr_implementation postgresql_can_rsync +sepgsql_enable_users_ddl postgresql_selinux_users_ddl +sepgsql_transmit_client_label postgresql_selinux_transmit_client_label +sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm +clamd_use_jit antivirus_use_jit +amavis_use_jit antivirus_use_jit +logwatch_can_sendmail logwatch_can_network_connect_mail +puppet_manage_all_files puppetagent_manage_all_files +virt_sandbox_use_nfs virt_use_nfs diff --git a/SOURCES/customizable_types b/SOURCES/customizable_types new file mode 100644 index 0000000..b3f6cb0 --- /dev/null +++ b/SOURCES/customizable_types @@ -0,0 +1,14 @@ +container_file_t +sandbox_file_t +svirt_image_t +svirt_home_t +svirt_sandbox_file_t +virt_content_t +httpd_user_htaccess_t +httpd_user_script_exec_t +httpd_user_rw_content_t +httpd_user_ra_content_t +httpd_user_content_t +git_session_content_t +home_bin_t +user_tty_device_t diff --git a/SOURCES/file_contexts.subs_dist b/SOURCES/file_contexts.subs_dist new file mode 100644 index 0000000..6afa41b --- /dev/null +++ b/SOURCES/file_contexts.subs_dist @@ -0,0 +1,24 @@ +/var/run /run +/var/lock /run/lock +/run/systemd/system /usr/lib/systemd/system +/run/systemd/generator /usr/lib/systemd/system +/run/systemd/generator.early /usr/lib/systemd/system +/run/systemd/generator.late /usr/lib/systemd/system +/lib /usr/lib +/lib64 /usr/lib +/usr/lib64 /usr/lib +/usr/local/lib64 /usr/lib +/usr/local/lib32 /usr/lib +/etc/systemd/system /usr/lib/systemd/system +/var/lib/xguest/home /home +/var/named/chroot/usr/lib64 /usr/lib +/var/named/chroot/lib64 /usr/lib +/var/named/chroot/var /var +/home-inst /home +/home/home-inst /home +/var/roothome /root +/sbin /usr/sbin +/sysroot/tmp /tmp +/var/usrlocal /usr/local +/var/mnt /mnt +/bin /usr/bin diff --git a/SOURCES/macro-expander b/SOURCES/macro-expander new file mode 100644 index 0000000..2670b61 --- /dev/null +++ b/SOURCES/macro-expander @@ -0,0 +1,81 @@ +#!/bin/bash + +function usage { + echo "Usage: $0 [ -c | -t [ -M ] ] " + echo "Options: + -c generate CIL output + -t generate standard policy source format (.te) allow rules - this is default + -M generate complete module .te output +" +} + +function cleanup { + rm -rf $TEMP_STORE +} + +while getopts "chMt" opt; do + case $opt in + c) GENCIL=1 + ;; + t) GENTE=1 + ;; + M) GENTEMODULE=1 + ;; + h) usage + exit 0 + ;; + \?) usage + exit 1 + ;; + esac +done + +shift $((OPTIND-1)) + +SELINUX_MACRO=$1 + +if [ -z "$SELINUX_MACRO" ] +then + exit 1 +fi + +TEMP_STORE="$(mktemp -d)" +cd $TEMP_STORE || exit 1 + +IFS="(" +set $1 +SELINUX_DOMAIN="${2::-1}" + +echo -e "policy_module(expander, 1.0.0) \n" \ + "gen_require(\`\n" \ + "type $SELINUX_DOMAIN ; \n" \ + "')" > expander.te + +echo "$SELINUX_MACRO" >> expander.te + +make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null + +if [ "x$GENCIL" = "x1" ]; then + + make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null + MAKE_RESULT=$? + + if [ $MAKE_RESULT -ne 2 ] + then + /usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null + grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u + fi +fi + +if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then + m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null + if [ "x$GENTEMODULE" = "x1" ]; then + # sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp + sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp + else + grep '^\s*allow' expander.tmp | sed 's/^\s*//' + fi +fi + +cd - > /dev/null || exit 1 +cleanup diff --git a/SOURCES/modules-mls-base.conf b/SOURCES/modules-mls-base.conf new file mode 100644 index 0000000..5b21a3e --- /dev/null +++ b/SOURCES/modules-mls-base.conf @@ -0,0 +1,380 @@ +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = module + +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# Layer: kernel +# Module: unlabelednet +# +# The unlabelednet module. +# +unlabelednet = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + +# Layer: role +# Module: logadm +# +# Minimally prived root role for managing logging system +# +logadm = module + +# Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Layer:role +# Module: staff +# +# admin account +# +staff = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + +# Layer:role +# Module: sysadm +# +# System Administrator +# +sysadm = module + +# Layer: role +# Module: unprivuser +# +# Minimally privs guest account on tty logins +# +unprivuser = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = module + +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: system +# Module: netlabel +# +# Basic netlabel types and interfaces. +# +netlabel = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Module: setrans +# Required in base +# +# Policy for setrans +# +setrans = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: systemd +# +# Policy for systemd components +# +systemd = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module diff --git a/SOURCES/modules-mls-contrib.conf b/SOURCES/modules-mls-contrib.conf new file mode 100644 index 0000000..bfa841f --- /dev/null +++ b/SOURCES/modules-mls-contrib.conf @@ -0,0 +1,1581 @@ +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: contrib +# Module: antivirus +# +# Anti-virus +# +antivirus = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: modules +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: cmirrord +# +# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster +# +cmirrord = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. +# +dcc = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for Mozilla and related web browsers +# +gpg = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Module: gssproxy +# +# A proxy for GSSAPI credential handling +# +# +gssproxy = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: admin +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. +# +lircd = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: lsm +# +# lsm policy +# +lsm = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: admin +# Module: mcelog +# +# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines. +# +mcelog = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# +# +milter = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. +# +modemmanager = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = off + +# Layer: service +# Module: openct +# +# Middleware framework for smart card terminals +# +openct = module + +# Layer: services +# Module: openvpn +# +# Policy for OPENVPN full-featured SSL VPN solution +# +openvpn = module + +# Layer: contrib +# Module: prelude +# +# SELinux policy for prelude +# +prelude = module + +# Layer: contrib +# Module: prosody +# +# SELinux policy for prosody flexible communications server for Jabber/XMPP +# +prosody = module + +# Layer: services +# Module: pads +# +pads = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: service +# Module: pcscd +# +# PC/SC Smart Card Daemon +# +pcscd = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + + +# Layer: services +# Module: pingd +# +# +pingd = module + +# Layer: services +# Module: piranha +# +# piranha - various tools to administer and configure the Linux Virtual Server +# +piranha = module + +# Layer: services +# Module: plymouthd +# +# Plymouth +# +plymouthd = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + +# Layer: services +# Module: policykit +# +# Hardware abstraction layer +# +policykit = module + +# Layer: services +# Module: polipo +# +# polipo +# +polipo = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +o# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = module + +unprivuser = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: apps +# Module: pulseaudio +# +# The PulseAudio Sound System +# +pulseaudio = module + +# Layer: services +# Module: qmail +# +# Policy for qmail +# +qmail = module + +# Layer: services +# Module: qpidd +# +# Policy for qpidd +# +qpid = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services +# Module: rwho +# +# who is logged in on local machines +# +rwho = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +sambagui = module + +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = module + +# Layer: admin +# Module: shorewall +# +# Policy for shorewall +# +shorewall = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = off + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: admin +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: tcsd +# +# tcsd - daemon that manages Trusted Computing resources +# +tcsd = module + +# Layer: apps +# Module: telepathy +# +# telepathy - Policy for Telepathy framework +# +telepathy = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + +# Layer: apps +# Module: thumb +# +# Thumbnailer confinement +# +thumb = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = off + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: services +# Module: ulogd +# +# +# +ulogd = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: apps +# Module: userhelper +# +# A helper interface to pam. +# +userhelper = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: virt +# +# Virtualization libraries +# +virt = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: contrib +# Module: openvswitch +# +# SELinux policy for openvswitch programs +# +openvswitch = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: services +# Module: w3c +# +# w3c +# +w3c = module + +# Layer: role +# Module: webadm +# +# Minimally prived root role for managing apache +# +webadm = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# wine executable +# +wine = module + +# Layer: apps +# Module: wireshark +# +# wireshark executable +# +wireshark = module + +# Layer: apps +# Module: wm +# +# X windows window manager +# +wm = module + +# Layer: system +# Module: xen +# +# virtualization software +# +xen = module + +# Layer: role +# Module: xguest +# +# Minimally privs guest account on X Windows logins +# +xguest = module + +# Layer: services +# Module: zabbix +# +# Open-source monitoring solution for your IT infrastructure +# +zabbix = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + +# Layer: contrib +# Module: mandb +# +# Policy for mandb +# +mandb = module diff --git a/SOURCES/modules-targeted-base.conf b/SOURCES/modules-targeted-base.conf new file mode 100644 index 0000000..e7456ef --- /dev/null +++ b/SOURCES/modules-targeted-base.conf @@ -0,0 +1,393 @@ +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = module + +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# Layer: kernel +# Module: unconfined +# +# The unlabelednet module. +# +unlabelednet = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + +# Layer: role +# Module: logadm +# +# Minimally prived root role for managing logging system +# +logadm = module + +# Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + +# Module: staff +# +# admin account +# +staff = module + +# Layer:role +# Module: sysadm +# +# System Administrator +# +sysadm = module + +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfineduser = module + +# Layer: role +# Module: unprivuser +# +# Minimally privs guest account on tty logins +# +unprivuser = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = module + +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: system +# Module: netlabel +# +# Basic netlabel types and interfaces. +# +netlabel = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Module: setrans +# Required in base +# +# Policy for setrans +# +setrans = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: systemd +# +# Policy for systemd components +# +systemd = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = module diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf new file mode 100644 index 0000000..f5bb906 --- /dev/null +++ b/SOURCES/modules-targeted-contrib.conf @@ -0,0 +1,2784 @@ +# Layer: services +# Module: abrt +# +# Automatic bug detection and reporting tool +# +abrt = module + +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aiccu +# +# SixXS Automatic IPv6 Connectivity Client Utility +# +aiccu = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: services +# Module: ajaxterm +# +# Web Based Terminal +# +ajaxterm = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: contrib +# Module: antivirus +# +# SELinux policy for antivirus programs +# +antivirus = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: contrib +# Module: authconfig +# +# Authorization configuration tool +# +authconfig = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: module +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: services +# Module: bcfg2 +# +# Configuration management server +# +bcfg2 = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: contrib +# Module: rngd +# +# Daemon used to feed random data from hardware device to kernel random device +# +rngd = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: services +# Module: blueman +# +# Blueman tools and system services. +# +blueman = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: bumblebee +# +# Support NVIDIA Optimus technology under Linux +# +bumblebee = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: services +# Module: callweaver +# +# callweaver telephony sever +# +callweaver = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cfengine +# +# cfengine +# +cfengine = module + +# Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: cloudform +# +# cloudform daemons +# +cloudform = module + +# Layer: services +# Module: cmirrord +# +# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster +# +cmirrord = module + +# Layer: services +# Module: cobbler +# +# cobbler +# +cobbler = module + +# Layer: services +# Module: collectd +# +# Statistics collection daemon for filling RRD files +# +collectd = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: condor +# +# policy for condor +# +condor = module + +# Layer: services +# Module: conman +# +# Conman is a program for connecting to remote consoles being managed by conmand +# +conman = module + +# Layer: services +# Module: consolekit +# +# ConsoleKit is a system daemon for tracking what users are logged +# +consolekit = module + +# Layer: services +# Module: couchdb +# +# Apache CouchDB database server +# +couchdb = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: ctdbd +# +# Cluster Daemon +# +ctdb = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. +# +dcc = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: services +# Module: denyhosts +# +# script to help thwart ssh server attacks +# +denyhosts = module + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: dirsrv-admin +# +# An 309 directory admin server +# +dirsrv-admin = module + +# Layer: services +# Module: dirsrv +# +# An 309 directory server +# +dirsrv = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: drbd +# +# DRBD mirrors a block device over the network to another machine. +# +drbd = module + +# Layer: services +# Module: dspam +# +# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering +# +dspam = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fcoe +# +# fcoe +# +fcoe = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: services +# Module: freqset +# +# Utility for CPU frequency scaling +# +freqset = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: contrib +# Module: glusterd +# +# policy for glusterd service +# +glusterd = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Module: gssproxy +# +# A proxy for GSSAPI credential handling +# +# +gssproxy = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: role +# Module: xguest +# +# Minimally privs guest account on X Windows logins +# +xguest = module + +# Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services +# Module: hostapd +# +# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator +# +hostapd = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + +# Layer: services +# Module: icecast +# +# ShoutCast compatible streaming media server +# +icecast = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: services +# Module: lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. +# +lircd = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: system +# Module: isnsd +# +# +# +isns = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: jetty +# +# Java based http server +# +jetty = module + +# Layer: apps +# Module: jockey +# +# policy for jockey-backend +# +jockey = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: admin +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: keepalived +# +# keepalived - load-balancing and high-availability service +# +keepalived = module + +# Module: keyboardd +# +# system-setup-keyboard is a keyboard layout daemon that monitors +# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet +# +keyboardd = module + +# Layer: services +# Module: keystone +# +# openstack-keystone +# +keystone = module + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +# Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: l2ltpd +# +# Layer 2 Tunnelling Protocol Daemon +# +l2tp = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: likewise +# +# Likewise Active Directory support for UNIX +# +likewise = module + +# Layer: apps +# Module: livecd +# +# livecd creator +# +livecd = module + +# Layer: services +# Module: lldpad +# +# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon +# +lldpad = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: mailman +# +# Policy for mailscanner +# +mailscanner = module + +# Layer: apps +# Module: man2html +# +# policy for man2html apps +# +man2html = module + +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. +# +mcelog = module + +# Layer: apps +# Module: mediawiki +# +# mediawiki +# +mediawiki = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# +# +milter = module + +# Layer: services +# Module: mip6d +# +# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation +# +mip6d = module + +# Layer: services +# Module: mock +# +# Policy for mock rpm builder +# +mock = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. +# +modemmanager = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: services +# Module: mpd +# +# mpd - daemon for playing music +# +mpd = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: contrib +# Module: mythtv +# +# Policy for Mythtv (Web Server) +# +mythtv = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: ninfod +# +# Respond to IPv6 Node Information Queries +# +ninfod = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nova +# +# openstack-nova +# +nova = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: numad +# +# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology +# +numad = module + +# Layer: services +# Module: nut +# +# nut - Network UPS Tools +# +nut = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + +# Layer: services +# Module: obex +# +# policy for obex-data-server +# +obex = module + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = off + +# Layer: service +# Module: openct +# +# Middleware framework for smart card terminals +# +openct = module + +# Layer: contrib +# Module: openshift-origin +# +# Origin version of openshift policy +# +openshift-origin = module +# Layer: contrib +# Module: openshift +# +# Core openshift policy +# +openshift = module + +# Layer: services +# Module: opensm +# +# InfiniBand subnet manager and administration (SM/SA) +# +opensm = module + +# Layer: services +# Module: openvpn +# +# Policy for OPENVPN full-featured SSL VPN solution +# +openvpn = module + +# Layer: contrib +# Module: openvswitch +# +# SELinux policy for openvswitch programs +# +openvswitch = module + +# Layer: services +# Module: openwsman +# +# WS-Management Server +# +openwsman = module + +# Layer: services +# Module: osad +# +# Client-side service written in Python that responds to pings +# +osad = module + +# Layer: contrib +# Module: prelude +# +# SELinux policy for prelude +# +prelude = module + +# Layer: contrib +# Module: prosody +# +# SELinux policy for prosody flexible communications server for Jabber/XMPP +# +prosody = module + +# Layer: services +# Module: pads +# +pads = module + +# Layer: services +# Module: passenger +# +# Passenger +# +passenger = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: service +# Module: pcscd +# +# PC/SC Smart Card Daemon +# +pcscd = module + +# Layer: services +# Module: pdns +# +# PowerDNS DNS server +# +pdns = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + +# Layer: services +# Module: pingd +# +# +pingd = module + +# Layer: services +# Module: piranha +# +# piranha - various tools to administer and configure the Linux Virtual Server +# +piranha = module + +# Layer: contrib +# Module: pkcs +# +# daemon manages PKCS#11 objects between PKCS#11-enabled applications +# +pkcs = module + +# Layer: services +# Module: plymouthd +# +# Plymouth +# +plymouthd = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + +# Layer: services +# Module: policykit +# +# Hardware abstraction layer +# +policykit = module + +# Layer: services +# Module: polipo +# +# polipo +# +polipo = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: apps +# Module: pulseaudio +# +# The PulseAudio Sound System +# +pulseaudio = module + +# Layer: services +# Module: puppet +# +# A network tool for managing many disparate systems +# +puppet = module + +# Layer: apps +# Module: pwauth +# +# External plugin for mod_authnz_external authenticator +# +pwauth = module + +# Layer: services +# Module: qmail +# +# Policy for qmail +# +qmail = module + +# Layer: services +# Module: qpidd +# +# Policy for qpidd +# +qpid = module + +# Layer: services +# Module: quantum +# +# Quantum is a virtual network service for Openstack +# +quantum = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: services +# Module: rabbitmq +# +# rabbitmq daemons +# +rabbitmq = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: services +# Module: rasdaemon +# +# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing +# +rasdaemon = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: contrib +# Module: stapserver +# +# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA +# +realmd = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module + +# Layer: services +# Module: rhev +# +# rhev policy module contains policies for rhev apps +# +rhev = module + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = module + +# Layer: services +# Module: rhsmcertd +# +# Subscription Management Certificate Daemon policy +# +rhsmcertd = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = module + +# Layer: apps +# Module: rssh +# +# Restricted (scp/sftp) only shell +# +rssh = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services +# Module: rwho +# +# who is logged in on local machines +# +rwho = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +sambagui = module + +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a sandbox +# +sandbox = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a X sandbox +# +sandboxX = module + +# Layer: services +# Module: sanlock +# +# sanlock policy +# +sanlock = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: sblim +# +# sblim +# +sblim = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: admin +# Module: sectoolm +# +# Policy for sectool-mechanism +# +sectoolm = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: contrib +# Module: sensord +# +# Sensor information logging daemon +# +sensord = module + +# Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = module + +# Layer: services +# Module: sge +# +# policy for grindengine MPI jobs +# +sge = module + +# Layer: admin +# Module: shorewall +# +# Policy for shorewall +# +shorewall = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: contrib +# Module: slpd +# +# OpenSLP server daemon to dynamically register services +# +slpd = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = off + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: smokeping +# +# Latency Logging and Graphing System +# +smokeping = module + +# Layer: admin +# Module: smoltclient +# +#The Fedora hardware profiler client +# +smoltclient = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: admin +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: speech-dispatcher +# +# speech-dispatcher - server process managing speech requests in Speech Dispatcher +# +speech-dispatcher = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: services +# Module: sslh +# +# Applicative protocol(SSL/SSH) multiplexer +# +sslh = module + +# Layer: contrib +# Module: stapserver +# +# Instrumentation System Server +# +stapserver = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: svnserve +# +# policy for subversion service +# +svnserve = module + +# Layer: services +# Module: swift +# +# openstack-swift +# +swift = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: tcsd +# +# tcsd - daemon that manages Trusted Computing resources +# +tcsd = module + +# Layer: apps +# Module: telepathy +# +# telepathy - Policy for Telepathy framework +# +telepathy = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + +# Layer: apps +# Module: thumb +# +# Thumbnailer confinement +# +thumb = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = off + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: contrib +# Module: glusterd +# +# policy for tomcat service +# +tomcat = module +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: services +# Module: ulogd +# +# netfilter/iptables ULOG daemon +# +ulogd = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: services +# Module: usbmuxd +# +# Daemon for communicating with Apple's iPod Touch and iPhone +# +usbmuxd = module + +# Layer: apps +# Module: userhelper +# +# A helper interface to pam. +# +userhelper = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: uuidd +# +# UUID generation daemon +# +uuidd = module + +# Layer: services +# Module: varnishd +# +# Varnishd http accelerator daemon +# +varnishd = module + +# Layer: services +# Module: vdagent +# +# vdagent +# +vdagent = module + +# Layer: services +# Module: vhostmd +# +# vhostmd - spice guest agent daemon. +# +vhostmd = module + +# Layer: services +# Module: virt +# +# Virtualization libraries +# +virt = module + +# Layer: apps +# Module: vhostmd +# +# vlock - Virtual Console lock program +# +vlock = module + +# Layer: services +# Module: vmtools +# +# VMware Tools daemon +# +vmtools = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: services +# Module: vnstatd +# +# Network traffic Monitor +# +vnstatd = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: services +# Module: w3c +# +# w3c +# +w3c = module + +# Layer: services +# Module: wdmd +# +# wdmd policy +# +wdmd = module + +# Layer: role +# Module: webadm +# +# Minimally prived root role for managing apache +# +webadm = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# wine executable +# +wine = module + +# Layer: apps +# Module: wireshark +# +# wireshark executable +# +wireshark = module + +# Layer: system +# Module: xen +# +# virtualization software +# +xen = module + +# Layer: services +# Module: zabbix +# +# Open-source monitoring solution for your IT infrastructure +# +zabbix = module + +# Layer: services +# Module: zarafa +# +# Zarafa Collaboration Platform +# +zarafa = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: zoneminder +# +# Zoneminder Camera Security Surveillance Solution +# +zoneminder = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + +# Layer: contrib +# Module: thin +# +# Policy for thin +# +thin = module + +# Layer: contrib +# Module: mandb +# +# Policy for mandb +# +mandb = module + +# Layer: services +# Module: pki +# +# policy for pki +# +pki = module + +# Layer: services +# Module: smsd +# +# policy for smsd +# +smsd = module + +# Layer: contrib +# Module: pesign +# +# policy for pesign +# +pesign = module + +# Layer: contrib +# Module: nsd +# +# Fast and lean authoritative DNS Name Server +# +nsd = module + +# Layer: contrib +# Module: iodine +# +# Fast and lean authoritative DNS Name Server +# +iodine = module + +# Layer: contrib +# Module: openhpid +# +# OpenHPI daemon runs as a background process and accepts connecti +# +openhpid = module + +# Layer: contrib +# Module: watchdog +# +# Watchdog policy +# +watchdog = module + +# Layer: contrib +# Module: oracleasm +# +# oracleasm policy +# +oracleasm = module + +# Layer: contrib +# Module: redis +# +# redis policy +# +redis = module + +# Layer: contrib +# Module: hypervkvp +# +# hypervkvp policy +# +hypervkvp = module + +# Layer: contrib +# Module: lsm +# +# lsm policy +# +lsm = module + +# Layer: contrib +# Module: motion +# +# Daemon for detect motion using a video4linux device +motion = module + +# Layer: contrib +# Module: rtas +# +# rtas policy +# +rtas = module + +# Layer: contrib +# Module: journalctl +# +# journalctl policy +# +journalctl = module + +# Layer: contrib +# Module: gdomap +# +# gdomap policy +# +gdomap = module + +# Layer: contrib +# Module: minidlna +# +# minidlna policy +# +minidlna = module + +# Layer: contrib +# Module: minissdpd +# +# minissdpd policy +# +minissdpd = module + +# Layer: contrib +# Module: freeipmi +# +# Remote-Console (out-of-band) and System Management Software (in-band) +# based on IntelligentPlatform Management Interface specification +# +freeipmi = module + +# Layer: contrib +# Module: mirrormanager +# +# mirrormanager policy +# +mirrormanager = module + +# Layer: contrib +# Module: snapper +# +# snapper policy +# +snapper = module + +# Layer: contrib +# Module: pcp +# +# pcp policy +# +pcp = module + +# Layer: contrib +# Module: geoclue +# +# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information +# +geoclue = module + +# Layer: contrib +# Module: rkhunter +# +# rkhunter policy for /var/lib/rkhunter +# +rkhunter = module + +# Layer: contrib +# Module: bacula +# +# bacula policy +# +bacula = module + +# Layer: contrib +# Module: rhnsd +# +# rhnsd policy +# +rhnsd = module + +# Layer: contrib +# Module: mongodb +# +# mongodb policy +# + +mongodb = module + +# Layer: contrib +# Module: iotop +# +# iotop policy +# + +iotop = module + +# Layer: contrib +# Module: kmscon +# +# kmscon policy +# + +kmscon = module + +# Layer: contrib +# Module: naemon +# +# naemon policy +# +naemon = module + +# Layer: contrib +# Module: brltty +# +# brltty policy +# +brltty = module + +# Layer: contrib +# Module: cpuplug +# +# cpuplug policy +# +cpuplug = module + +# Layer: contrib +# Module: mon_statd +# +# mon_statd policy +# +mon_statd = module + +# Layer: contrib +# Module: cinder +# +# openstack-cinder policy +# +cinder = module + +# Layer: contrib +# Module: linuxptp +# +# linuxptp policy +# +linuxptp = module + +# Layer: contrib +# Module: rolekit +# +# rolekit policy +# +rolekit = module + +# Layer: contrib +# Module: targetd +# +# targetd policy +# +targetd = module + +# Layer: contrib +# Module: hsqldb +# +# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. +# +hsqldb = module + +# Layer: contrib +# Module: blkmapd +# +# The blkmapd daemon performs device discovery and mapping for pNFS block layout client. +# +blkmapd = module + +# Layer: contrib +# Module: pkcs11proxyd +# +# pkcs11proxyd policy +# +pkcs11proxyd = module + +# Layer: contrib +# Module: ipmievd +# +# IPMI event daemon for sending events to syslog +# +ipmievd = module + +# Layer: contrib +# Module: openfortivpn +# +# Fortinet compatible SSL VPN daemons. +# +openfortivpn = module + +# Layer: contrib +# Module: fwupd +# +# fwupd is a daemon to allow session software to update device firmware. +# +fwupd = module + +# Layer: contrib +# Module: lttng-tools +# +# LTTng 2.x central tracing registry session daemon. +# +lttng-tools = module + +# Layer: contrib +# Module: rkt +# +# CLI for running app containers +# +rkt = module + +# Layer: contrib +# Module: opendnssec +# +# opendnssec +# +opendnssec = module + +# Layer: contrib +# Module: hwloc +# +# hwloc +# +hwloc = module + +# Layer: contrib +# Module: sbd +# +# sbd +# +sbd = module + +# Layer: contrib +# Module: tlp +# +# tlp +# +tlp = module + +# Layer: contrib +# Module: conntrackd +# +# conntrackd +# +conntrackd = module + +# Layer: contrib +# Module: tangd +# +# tangd +# +tangd = module + +# Layer: contrib +# Module: ibacm +# +# ibacm +# +ibacm = module + +# Layer: contrib +# Module: opafm +# +# opafm +# +opafm = module + +# Layer: contrib +# Module: boltd +# +# boltd +# +boltd = module + +# Layer: contrib +# Module: kpatch +# +# kpatch +# +kpatch = module + +# Layer: contrib +# Module: timedatex +# +# timedatex +# +timedatex = module + +# Layer: contrib +# Module: rrdcached +# +# rrdcached +# +rrdcached = module + +# Layer: contrib +# Module: stratisd +# +# stratisd +# +stratisd = module + +# Layer: contrib +# Module: ica +# +# ica +# +ica = module + +# Layer: contrib +# Module: fedoratp +# +# fedoratp +# +fedoratp = module + +# Layer: contrib +# Module: insights_client +# +# insights_client +# +insights_client = module + +# Layer: contrib +# Module: stalld +# +# stalld +# +stalld = module + +# Layer: contrib +# Module: rhcd +# +# rhcd +# +rhcd = module + +# Layer: contrib +# Module: wireguard +# +# wireguard +# +wireguard = module + +# Layer: contrib +# Module: mptcpd +# +# mptcpd +# +mptcpd = module + +# Layer: contrib +# Module: rshim +# +# rshim +# +rshim = module + +# Layer: contrib +# Module: keyutils +# +# keyutils +# +keyutils = module + +# Layer: contrib +# Module: cifsutils +# +# cifsutils - Utilities for managing CIFS mounts +# +cifsutils = module + +# Layer: contrib +# Module: boothd +# +# boothd - Booth cluster ticket manager +# +boothd = module + +# Layer: contrib +# Module: kafs +# +# kafs - Tools for kAFS +# +kafs = module + +# Layer: contrib +# Module: bootupd +# +# bootupd - bootloader update daemon +# +bootupd = module + +# Layer: contrib +# Module: fdo +# +# fdo - fido device onboard protocol for IoT devices +# +fdo = module + +# Layer: contrib +# Module: qatlib +# +# qatlib - Intel QuickAssist technology library and resources management +# +qatlib = module + +# Layer: services +# Module: virt_supplementary +# +# non-libvirt virtualization libraries +# +virt_supplementary = module + +# Layer: contrib +# Module: nvme_stas +# +# nvme_stas +# +nvme_stas = module + +# Layer: contrib +# Module: coreos_installer +# +# coreos_installer +# +coreos_installer = module + +# Layer: contrib +# Module: afterburn +# +# afterburn +# +afterburn = module diff --git a/SOURCES/permissivedomains.cil b/SOURCES/permissivedomains.cil new file mode 100644 index 0000000..400bcf6 --- /dev/null +++ b/SOURCES/permissivedomains.cil @@ -0,0 +1,2 @@ +(roleattributeset cil_gen_require system_r) + diff --git a/SOURCES/rpm.macros b/SOURCES/rpm.macros new file mode 100644 index 0000000..6661955 --- /dev/null +++ b/SOURCES/rpm.macros @@ -0,0 +1,186 @@ +# Copyright (C) 2017 Red Hat, Inc. All rights reserved. +# +# Author: Petr Lautrbach +# Author: Lukáš Vrabec +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# RPM macros for packages installing SELinux modules + +%_selinux_policy_version SELINUXPOLICYVERSION + +%_selinux_store_path SELINUXSTOREPATH +%_selinux_store_policy_path %{_selinux_store_path}/${_policytype} + +%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts +%_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre + +%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom +%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp + +# %selinux_requires +%selinux_requires \ +Requires: selinux-policy >= %{_selinux_policy_version} \ +BuildRequires: pkgconfig(systemd) \ +BuildRequires: selinux-policy \ +BuildRequires: selinux-policy-devel \ +Requires(post): selinux-policy-base >= %{_selinux_policy_version} \ +Requires(post): libselinux-utils \ +Requires(post): policycoreutils \ +%if 0%{?fedora} || 0%{?rhel} > 7\ +Requires(post): policycoreutils-python-utils \ +%else \ +Requires(post): policycoreutils-python \ +%endif \ +%{nil} + +# %selinux_modules_install [-s ] [-p ] module [module]... +%selinux_modules_install("s:p:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + %{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \ + %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \ + %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ + %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \ +fi \ +%{nil} + +# %selinux_modules_uninstall [-s ] [-p ] module [module]... +%selinux_modules_uninstall("s:p:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if [ $1 -eq 0 ]; then \ + if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + %{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \ + %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \ + %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ + %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \ + fi \ +fi \ +%{nil} + +# %selinux_relabel_pre [-s ] +%selinux_relabel_pre("s:") \ +if %{_sbindir}/selinuxenabled; then \ + if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ + fi \ + _policytype=%{-s*} \ + if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ + fi \ + if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \ + fi \ +fi \ +%{nil} + + +# %selinux_relabel_post [-s ] +%selinux_relabel_post("s:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + if [ -f %{_file_context_file_pre} ]; then \ + %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \ + rm -f %{_file_context_file_pre} \ + fi \ +fi \ +%{nil} + +# %selinux_set_booleans [-s ] boolean [boolean]... +%selinux_set_booleans("s:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if [ -d "%{_selinux_store_policy_path}" ]; then \ + LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \ + if [ ! -f %_file_custom_defined_booleans ]; then \ + /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \ + fi \ + semanage_import='' \ + for boolean in %*; do \ + boolean_name=${boolean%=*} \ + boolean_value=${boolean#*=} \ + boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \ + if [ -n "$boolean_local_string" ]; then \ + semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \ + boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \ + if [ -n "$boolean_customized_string" ]; then \ + /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \ + else \ + /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \ + fi \ + else \ + semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \ + boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \ + /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \ + fi \ + done; \ + if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \ + elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \ + /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \ + fi \ +fi \ +%{nil} + +# %selinux_unset_booleans [-s ] boolean [boolean]... +%selinux_unset_booleans("s:") \ +if [ -e /etc/selinux/config ]; then \ + . /etc/selinux/config \ +fi \ +_policytype=%{-s*} \ +if [ -z "${_policytype}" ]; then \ + _policytype="targeted" \ +fi \ +if [ -d "%{_selinux_store_policy_path}" ]; then \ + semanage_import='' \ + for boolean in %*; do \ + boolean_name=${boolean%=*} \ + boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \ + if [ -n "$boolean_customized_string" ]; then \ + awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \ + if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \ + semanage_import="${semanage_import}\\n${boolean_customized_string}" \ + fi \ + fi \ + done; \ + if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \ + elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \ + /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \ + fi \ +fi \ +%{nil} diff --git a/SOURCES/securetty_types-minimum b/SOURCES/securetty_types-minimum new file mode 100644 index 0000000..7055096 --- /dev/null +++ b/SOURCES/securetty_types-minimum @@ -0,0 +1,4 @@ +console_device_t +sysadm_tty_device_t +user_tty_device_t +staff_tty_device_t diff --git a/SOURCES/securetty_types-mls b/SOURCES/securetty_types-mls new file mode 100644 index 0000000..89bf54d --- /dev/null +++ b/SOURCES/securetty_types-mls @@ -0,0 +1,6 @@ +console_device_t +sysadm_tty_device_t +user_tty_device_t +staff_tty_device_t +auditadm_tty_device_t +secureadm_tty_device_t diff --git a/SOURCES/securetty_types-targeted b/SOURCES/securetty_types-targeted new file mode 100644 index 0000000..7055096 --- /dev/null +++ b/SOURCES/securetty_types-targeted @@ -0,0 +1,4 @@ +console_device_t +sysadm_tty_device_t +user_tty_device_t +staff_tty_device_t diff --git a/SOURCES/selinux-check-proper-disable.service b/SOURCES/selinux-check-proper-disable.service new file mode 100644 index 0000000..8f3b4da --- /dev/null +++ b/SOURCES/selinux-check-proper-disable.service @@ -0,0 +1,15 @@ +[Unit] +Description=Check that SELinux is not disabled the unsafe way +ConditionKernelCommandLine=!selinux=0 +After=sysinit.target + +[Service] +Type=oneshot +EnvironmentFile=/etc/selinux/config +ExecCondition=test "$SELINUX" = disabled +ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.' +StandardOutput=journal+console +SyslogLevel=warning + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/selinux-policy.conf b/SOURCES/selinux-policy.conf new file mode 100644 index 0000000..f2f1ced --- /dev/null +++ b/SOURCES/selinux-policy.conf @@ -0,0 +1,4 @@ +z /sys/devices/system/cpu/online - - - +Z /sys/class/net - - - +z /sys/kernel/uevent_helper - - - +w /sys/fs/selinux/checkreqprot - - - - 0 diff --git a/SOURCES/setrans-minimum.conf b/SOURCES/setrans-minimum.conf new file mode 100644 index 0000000..09a6ce3 --- /dev/null +++ b/SOURCES/setrans-minimum.conf @@ -0,0 +1,19 @@ +# +# Multi-Category Security translation table for SELinux +# +# Uncomment the following to disable translation libary +# disable=1 +# +# Objects can be categorized with 0-1023 categories defined by the admin. +# Objects can be in more than one category at a time. +# Categories are stored in the system as c0-c1023. Users can use this +# table to translate the categories into a more meaningful output. +# Examples: +# s0:c0=CompanyConfidential +# s0:c1=PatientRecord +# s0:c2=Unclassified +# s0:c3=TopSecret +# s0:c1,c3=CompanyConfidentialRedHat +s0=SystemLow +s0-s0:c0.c1023=SystemLow-SystemHigh +s0:c0.c1023=SystemHigh diff --git a/SOURCES/setrans-mls.conf b/SOURCES/setrans-mls.conf new file mode 100644 index 0000000..eb181d2 --- /dev/null +++ b/SOURCES/setrans-mls.conf @@ -0,0 +1,52 @@ +# +# Multi-Level Security translation table for SELinux +# +# Uncomment the following to disable translation libary +# disable=1 +# +# Objects can be labeled with one of 16 levels and be categorized with 0-1023 +# categories defined by the admin. +# Objects can be in more than one category at a time. +# Users can modify this table to translate the MLS labels for different purpose. +# +# Assumptions: using below MLS labels. +# SystemLow +# SystemHigh +# Unclassified +# Secret with compartments A and B. +# +# SystemLow and SystemHigh +s0=SystemLow +s15:c0.c1023=SystemHigh +s0-s15:c0.c1023=SystemLow-SystemHigh + +# Unclassified level +s1=Unclassified + +# Secret level with compartments +s2=Secret +s2:c0=A +s2:c1=B + +# ranges for Unclassified +s0-s1=SystemLow-Unclassified +s1-s2=Unclassified-Secret +s1-s15:c0.c1023=Unclassified-SystemHigh + +# ranges for Secret with compartments +s0-s2=SystemLow-Secret +s0-s2:c0=SystemLow-Secret:A +s0-s2:c1=SystemLow-Secret:B +s0-s2:c0,c1=SystemLow-Secret:AB +s1-s2:c0=Unclassified-Secret:A +s1-s2:c1=Unclassified-Secret:B +s1-s2:c0,c1=Unclassified-Secret:AB +s2-s2:c0=Secret-Secret:A +s2-s2:c1=Secret-Secret:B +s2-s2:c0,c1=Secret-Secret:AB +s2-s15:c0.c1023=Secret-SystemHigh +s2:c0-s2:c0,c1=Secret:A-Secret:AB +s2:c0-s15:c0.c1023=Secret:A-SystemHigh +s2:c1-s2:c0,c1=Secret:B-Secret:AB +s2:c1-s15:c0.c1023=Secret:B-SystemHigh +s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh diff --git a/SOURCES/setrans-targeted.conf b/SOURCES/setrans-targeted.conf new file mode 100644 index 0000000..09a6ce3 --- /dev/null +++ b/SOURCES/setrans-targeted.conf @@ -0,0 +1,19 @@ +# +# Multi-Category Security translation table for SELinux +# +# Uncomment the following to disable translation libary +# disable=1 +# +# Objects can be categorized with 0-1023 categories defined by the admin. +# Objects can be in more than one category at a time. +# Categories are stored in the system as c0-c1023. Users can use this +# table to translate the categories into a more meaningful output. +# Examples: +# s0:c0=CompanyConfidential +# s0:c1=PatientRecord +# s0:c2=Unclassified +# s0:c3=TopSecret +# s0:c1,c3=CompanyConfidentialRedHat +s0=SystemLow +s0-s0:c0.c1023=SystemLow-SystemHigh +s0:c0.c1023=SystemHigh diff --git a/SOURCES/users-minimum b/SOURCES/users-minimum new file mode 100644 index 0000000..66af860 --- /dev/null +++ b/SOURCES/users-minimum @@ -0,0 +1,39 @@ +################################## +# +# Core User configuration. +# + +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# +# Note: Identities without a prefix wil not be listed +# in the users_extra file used by genhomedircon. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/SOURCES/users-mls b/SOURCES/users-mls new file mode 100644 index 0000000..8fad9ea --- /dev/null +++ b/SOURCES/users-mls @@ -0,0 +1,40 @@ +################################## +# +# Core User configuration. +# + +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# +# Note: Identities without a prefix wil not be listed +# in the users_extra file used by genhomedircon. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(guest_u, user, guest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/SOURCES/users-targeted b/SOURCES/users-targeted new file mode 100644 index 0000000..a875306 --- /dev/null +++ b/SOURCES/users-targeted @@ -0,0 +1,41 @@ +################################## +# +# Core User configuration. +# + +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# +# Note: Identities without a prefix wil not be listed +# in the users_extra file used by genhomedircon. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(guest_u, user, guest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/SOURCES/varrun-convert.sh b/SOURCES/varrun-convert.sh new file mode 100755 index 0000000..5dbd0d6 --- /dev/null +++ b/SOURCES/varrun-convert.sh @@ -0,0 +1,80 @@ +#!/bin/bash +### varrun-convert.sh +### convert legacy filecontext entries containing /var/run to /run +### and load an extra selinux module with the new content +### the script takes a policy name as an argument + +# Set DEBUG=yes before running the script to get more verbose output +if [ "${DEBUG}" = "yes" ]; then + set -x +fi + +# Look for working files and log in OUTPUTDIR +OUTPUTDIR="/run/selinux-policy" +LOG="$OUTPUTDIR/log" +mkdir -p ${OUTPUTDIR} + +if [ -z ${1} ]; then + [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG + exit +fi + +FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts" +if [ ! -f ${FILE_CONTEXTS} ]; then + [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG + exit +fi + +SEMODULEOPT="-s ${1}" +[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}" + +if ! grep -q ^/var/run ${FILE_CONTEXTS}; then + [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG + exit +fi + +EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt" +EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil" + +# Print only /var/run entries +grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES} + +# Unify whitespace separators +sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES} + +# Change /var/run to /run +sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES} + +# Exception handling: packages with already duplicate entries +sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES} +sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES} +sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES} + +# Change format to cil +sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES} + +# Handle entries with <> which do not match previous regexps +sed -i s'/ <>$/ ())/' ${EXTRA_VARRUN_ENTRIES} + +# Wrap each line with an optional block +i=1 +while read line +do + echo "(optional extra_var_run_${i}" + echo " $line" + echo ")" + ((i++)) +done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL} + +# Load module +/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL} + diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec new file mode 100644 index 0000000..1f94964 --- /dev/null +++ b/SPECS/selinux-policy.spec @@ -0,0 +1,2032 @@ +# github repo with selinux-policy sources +%global giturl https://github.com/fedora-selinux/selinux-policy +%global commit 3d165a6733390d9313d4360831f48379b7b13fc0 +%global shortcommit %(c=%{commit}; echo ${c:0:7}) + +%define distro redhat +%define polyinstatiate n +%define monolithic n +%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1} +%define BUILD_DOC 1 +%endif +%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1} +%define BUILD_TARGETED 1 +%endif +%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1} +%define BUILD_MINIMUM 1 +%endif +%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} +%define BUILD_MLS 1 +%endif +%define POLICYVER 33 +%define POLICYCOREUTILSVER 3.4-1 +%define CHECKPOLICYVER 3.2 +Summary: SELinux policy configuration +Name: selinux-policy +Version: 40.13.10 +Release: 1%{?dist} +License: GPL-2.0-or-later +Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz +Source1: modules-targeted-base.conf +Source31: modules-targeted-contrib.conf +Source2: booleans-targeted.conf +Source3: Makefile.devel +Source4: setrans-targeted.conf +Source5: modules-mls-base.conf +Source32: modules-mls-contrib.conf +Source6: booleans-mls.conf +Source8: setrans-mls.conf +Source14: securetty_types-targeted +Source15: securetty_types-mls +#Source16: modules-minimum.conf +Source17: booleans-minimum.conf +Source18: setrans-minimum.conf +Source19: securetty_types-minimum +Source20: customizable_types +Source22: users-mls +Source23: users-targeted +Source25: users-minimum +Source26: file_contexts.subs_dist +Source27: selinux-policy.conf +Source28: permissivedomains.cil +Source30: booleans.subs_dist + +# Tool helps during policy development, to expand system m4 macros to raw allow rules +# Git repo: https://github.com/fedora-selinux/macro-expander.git +Source33: macro-expander + +# Include SELinux policy for container from separate container-selinux repo +# Git repo: https://github.com/containers/container-selinux.git +Source35: container-selinux.tgz + +Source36: selinux-check-proper-disable.service + +# Script to convert /var/run file context entries to /run +Source37: varrun-convert.sh + +# Provide rpm macros for packages installing SELinux modules +Source102: rpm.macros + +Url: %{giturl} +BuildArch: noarch +BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 +BuildRequires: make +BuildRequires: systemd-rpm-macros +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(post): /bin/awk /usr/bin/sha512sum +Requires(meta): rpm-plugin-selinux +Requires: selinux-policy-any = %{version}-%{release} +Provides: selinux-policy-base = %{version}-%{release} +Suggests: selinux-policy-targeted + +%description +SELinux core policy package. +Originally based off of reference policy, +the policy has been adjusted to provide support for Fedora. + +%files +%{!?_licensedir:%global license %%doc} +%license COPYING +%dir %{_datadir}/selinux +%dir %{_datadir}/selinux/packages +%dir %{_sysconfdir}/selinux +%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%ghost %{_sysconfdir}/sysconfig/selinux +%{_usr}/lib/tmpfiles.d/selinux-policy.conf +%{_rpmconfigdir}/macros.d/macros.selinux-policy +%{_unitdir}/selinux-check-proper-disable.service +%{_libexecdir}/selinux/varrun-convert.sh + +%package sandbox +Summary: SELinux sandbox policy +Requires(pre): selinux-policy-base = %{version}-%{release} +Requires(pre): selinux-policy-targeted = %{version}-%{release} + +%description sandbox +SELinux sandbox policy for use with the sandbox utility. + +%files sandbox +%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp + +%post sandbox +rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null +rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null +%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy +fi; +exit 0 + +%preun sandbox +if [ $1 -eq 0 ] ; then + %{_sbindir}/semodule -n -d sandbox 2>/dev/null + if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy + fi; +fi; +exit 0 + +%package devel +Summary: SELinux policy development files +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Requires: m4 checkpolicy >= %{CHECKPOLICYVER} +Requires: /usr/bin/make +Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} + +%description devel +SELinux policy development package. +This package contains: +- interfaces, macros, and patterns for policy development +- a policy example +- the macro-expander utility +and some additional files. + +%files devel +%{_bindir}/macro-expander +%dir %{_datadir}/selinux/devel +%dir %{_datadir}/selinux/devel/include +%{_datadir}/selinux/devel/include/* +%exclude %{_datadir}/selinux/devel/include/contrib/container.if +%dir %{_datadir}/selinux/devel/html +%{_datadir}/selinux/devel/html/*html +%{_datadir}/selinux/devel/html/*css +%{_datadir}/selinux/devel/Makefile +%{_datadir}/selinux/devel/example.* +%{_datadir}/selinux/devel/policy.* +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info + +%post devel +%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null +exit 0 + +%package doc +Summary: SELinux policy documentation +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} + +%description doc +SELinux policy documentation package. +This package contains manual pages and documentation of the policy modules. + +%files doc +%{_mandir}/man*/* +%{_mandir}/ru/*/* +%exclude %{_mandir}/man8/container_selinux.8.gz +%doc %{_datadir}/doc/%{name} + +%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 + +%define makeCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ +cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ +cp -f selinux_config/users-%1 ./policy/users \ +#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ + +%define makeModulesConf() \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ +if [ %3 == "contrib" ];then \ + cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ + cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ +fi; \ + +%define installCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ +%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ +install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ +install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ +install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ +cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ +rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ +%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ +rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ +%nil + +%define fileList() \ +%defattr(-,root,root) \ +%dir %{_sysconfdir}/selinux/%1 \ +%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ +%dir %{_sysconfdir}/selinux/%1/logins \ +%dir %{_sharedstatedir}/selinux/%1/active \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ +%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ +%dir %{_sysconfdir}/selinux/%1/policy/ \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ +%{_sysconfdir}/selinux/%1/.policy.sha512 \ +%dir %{_sysconfdir}/selinux/%1/contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ +%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ +%dir %{_sysconfdir}/selinux/%1/contexts/files \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ +%{_sysconfdir}/selinux/%1/booleans.subs_dist \ +%config %{_sysconfdir}/selinux/%1/contexts/files/media \ +%dir %{_sysconfdir}/selinux/%1/contexts/users \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ +%dir %{_datadir}/selinux/%1 \ +%{_datadir}/selinux/%1/base.lst \ +%{_datadir}/selinux/%1/modules-base.lst \ +%{_datadir}/selinux/%1/modules-contrib.lst \ +%{_datadir}/selinux/%1/nonbasemodules.lst \ +%dir %{_sharedstatedir}/selinux/%1 \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \ +%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ +%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ +%nil + +%define relabel() \ +if [ -s %{_sysconfdir}/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config &> /dev/null || true; \ +fi; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ + %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ + rm -f ${FILE_CONTEXT}.pre; \ +fi; \ +# rebuilding the rpm database still can sometimes result in an incorrect context \ +%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \ +if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ + continue; \ +fi; + +%define preInstall() \ +if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ + for MOD_NAME in ganesha ipa_custodia kdbus; do \ + if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \ + %{_sbindir}/semodule -n -d $MOD_NAME 2> /dev/null; \ + fi; \ + done; \ + . %{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ + [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ + fi; \ + touch %{_sysconfdir}/selinux/%1/.rebuild; \ + if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \ + POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \ + sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ + checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \ + if [ "$sha512" == "$checksha512" ] ; then \ + rm %{_sysconfdir}/selinux/%1/.rebuild; \ + fi; \ + fi; \ +fi; + +%define postInstall() \ +if [ -s %{_sysconfdir}/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config &> /dev/null || true; \ +fi; \ +if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ + rm %{_sysconfdir}/selinux/%2/.rebuild; \ +fi; \ +%{_sbindir}/semodule -B -n -s %2 2> /dev/null; \ +[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \ +if [ %1 -eq 1 ]; then \ + %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ +else \ +%relabel %2 \ +fi; + +%define modulesList() \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \ +if [ -e ./policy/modules-contrib.conf ];then \ + awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \ +fi; + +%define nonBaseModulesList() \ +contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \ +base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \ +for i in $contrib_modules $base_modules; do \ + if [ $i != "sandbox" ];then \ + echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ + fi; \ +done; + +# Make sure the config is consistent with what packages are installed in the system +# this covers cases when system is installed with selinux-policy-{mls,minimal} +# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not +# been rebooted yet. +# The macro should be called at the beginning of "post" (to make sure load_policy does not fail) +# and in "posttrans" (to make sure that the store is consistent when all package transitions are done) +# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable) +# Steps: +# * load values from config and its backup +# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so +# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used +# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't +%define checkConfigConsistency() \ +if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \ + . %{_sysconfdir}/selinux/.config_backup; \ +else \ + BACKUP_SELINUXTYPE=targeted; \ +fi; \ +if [ -s %{_sysconfdir}/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \ + if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \ + sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \ + fi; \ + elif [ "%1" = "targeted" ]; then \ + if [ "%1" != "$SELINUXTYPE" ]; then \ + sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ + fi; \ + elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \ + if [ "%1" != "$SELINUXTYPE" ]; then \ + sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ + fi; \ + fi; \ +fi; + +# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names +# of variables inside so that they are easy to use later +# This should be done in "pretrans" because config content can change during RPM operations +# The macro has to be used in a script slot with "-p " +%define backupConfigLua() \ +local sysconfdir = rpm.expand("%{_sysconfdir}") \ +local config_file = sysconfdir .. "/selinux/config" \ +local config_backup = sysconfdir .. "/selinux/.config_backup" \ +os.remove(config_backup) \ +if posix.stat(config_file) then \ + local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \ + local content = f:read("*all") \ + f:close() \ + local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \ + local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \ + bf:write(backup) \ + bf:close() \ +end + +# Remove the local_varrun SELinux module +%define removeVarrunModule() \ +if [ -r "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil" ]; then \ + %{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ +fi; + +%define removeVarrunModuleLua() \ +if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \ + os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \ +end + +%build + +%prep +%autosetup -p 1 -n %{name}-%{commit} +tar -C policy/modules/contrib -xf %{SOURCE35} + +mkdir selinux_config +for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do + cp $i selinux_config +done + +%install +# Build targeted policy +%{__rm} -fR %{buildroot} +mkdir -p %{buildroot}%{_sysconfdir}/selinux +mkdir -p %{buildroot}%{_sysconfdir}/sysconfig +touch %{buildroot}%{_sysconfdir}/selinux/config +touch %{buildroot}%{_sysconfdir}/sysconfig/selinux +mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ +cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ +mkdir -p %{buildroot}%{_bindir} +install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/ +mkdir -p %{buildroot}%{_libexecdir}/selinux +install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux + +# Always create policy module package directories +mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ +mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ + +mkdir -p %{buildroot}%{_datadir}/selinux/packages + +# Install devel +make clean +%if %{BUILD_TARGETED} +# Build targeted policy +%makeCmds targeted mcs allow +%makeModulesConf targeted base contrib +%installCmds targeted mcs allow +# install permissivedomains.cil +%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28} +# recreate sandbox.pp +rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox +%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp +mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp +%modulesList targeted +%nonBaseModulesList targeted +%endif + +%if %{BUILD_MINIMUM} +# Build minimum policy +%makeCmds minimum mcs allow +%makeModulesConf targeted base contrib +%installCmds minimum mcs allow +rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox +%modulesList minimum +%nonBaseModulesList minimum +%endif + +%if %{BUILD_MLS} +# Build mls policy +%makeCmds mls mls deny +%makeModulesConf mls base contrib +%installCmds mls mls deny +%modulesList mls +%nonBaseModulesList mls +%endif + +# remove leftovers when save-previous=true (semanage.conf) is used +rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous + +mkdir -p %{buildroot}%{_mandir} +cp -R man/* %{buildroot}%{_mandir} +make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs +make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers +mkdir %{buildroot}%{_datadir}/selinux/devel/ +mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include +install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile +install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ +install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ +%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} +mkdir %{buildroot}%{_datadir}/selinux/devel/html +mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html +mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html + +mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d +install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy +sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy +sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy + +mkdir -p %{buildroot}%{_unitdir} +install -m 644 %{SOURCE36} %{buildroot}%{_unitdir} + +rm -rf selinux_config + +%post +%systemd_post selinux-check-proper-disable.service +if [ ! -s %{_sysconfdir}/selinux/config ]; then +# +# New install so we will default to targeted policy +# +echo " +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +# See also: +# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes +# +# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also +# fully disable SELinux during boot. If you need a system with SELinux +# fully disabled instead of SELinux running with no policy loaded, you +# need to pass selinux=0 to the kernel command line. You can use grubby +# to persistently set the bootloader to boot with selinux=0: +# +# grubby --update-kernel ALL --args selinux=0 +# +# To revert back to SELinux enabled: +# +# grubby --update-kernel ALL --remove-args selinux +# +SELINUX=enforcing +# SELINUXTYPE= can take one of these three values: +# targeted - Targeted processes are protected, +# minimum - Modification of targeted policy. Only selected processes are protected. +# mls - Multi Level Security protection. +SELINUXTYPE=targeted + +" > %{_sysconfdir}/selinux/config + + ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux + %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : +else + . %{_sysconfdir}/selinux/config +fi +exit 0 + +%preun +%systemd_preun selinux-check-proper-disable.service + +%postun +%systemd_postun selinux-check-proper-disable.service +if [ $1 = 0 ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi +fi +exit 0 + +%if %{BUILD_TARGETED} +%package targeted +Summary: SELinux targeted policy +Provides: selinux-policy-any = %{version}-%{release} +Obsoletes: selinux-policy-targeted-sources < 2 +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: audispd-plugins <= 1.7.7-1 +Obsoletes: mod_fcgid-selinux <= %{version}-%{release} +Obsoletes: cachefilesd-selinux <= 0.10-1 +Conflicts: seedit +Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 +Conflicts: container-selinux < 2:1.12.1-22 + +%description targeted +SELinux targeted policy package. + +%pretrans targeted -p +%backupConfigLua +%removeVarrunModuleLua targeted + +%pre targeted +%preInstall targeted + +%post targeted +%checkConfigConsistency targeted +%postInstall $1 targeted +exit 0 + +%posttrans targeted +%checkConfigConsistency targeted +%{_libexecdir}/selinux/varrun-convert.sh targeted +%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm + +%postun targeted +if [ $1 = 0 ]; then + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "targeted" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi +fi +exit 0 + + +%triggerin -- pcre2 +%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null +exit 0 + +%triggerprein -- container-selinux +%removeVarrunModule targeted +exit 0 + +%triggerprein -- pcp-selinux +%removeVarrunModule targeted +exit 0 + +%triggerpostin -- container-selinux +%{_libexecdir}/selinux/varrun-convert.sh targeted +exit 0 + +%triggerpostin -- pcp-selinux +%{_libexecdir}/selinux/varrun-convert.sh targeted +exit 0 + +%triggerpostun -- selinux-policy-targeted < 3.12.1-74 +rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null +exit 0 + +%triggerpostun -- pcp-selinux +%{_libexecdir}/selinux/varrun-convert.sh targeted +exit 0 + +%triggerpostun -- container-selinux +%{_libexecdir}/selinux/varrun-convert.sh targeted +exit 0 + +%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138 +CR=$'\n' +INPUT="" +for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do + module=`basename $i | sed 's/.pp.disabled//'` + if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then + touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p + fi +done +for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do + INPUT="${INPUT}${CR}module -N -a $i" +done +for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do + cp $i %{_sharedstatedir}/selinux/targeted/active +done +echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy +fi +exit 0 + +%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u +%fileList targeted +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains +%endif + +%if %{BUILD_MINIMUM} +%package minimum +Summary: SELinux minimum policy +Provides: selinux-policy-any = %{version}-%{release} +Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: seedit +Conflicts: container-selinux <= 1.9.0-9 + +%description minimum +SELinux minimum policy package. + +%pretrans minimum -p +%backupConfigLua + +%pre minimum +%preInstall minimum +if [ $1 -ne 1 ]; then + %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst +fi + +%post minimum +%checkConfigConsistency minimum +contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst` +basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst` +if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then + mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled +fi +if [ $1 -eq 1 ]; then +for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +done +for p in $basepackages apache dbus inetd kerberos mta nis; do + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +done +%{_sbindir}/semanage import -S minimum -f - << __eof +login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ +login -m -s unconfined_u -r s0-s0:c0.c1023 root +__eof +%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null +%{_sbindir}/semodule -B -s minimum 2> /dev/null +else +instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst` +for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +done +for p in $instpackages apache dbus inetd kerberos mta nis; do + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +done +%{_sbindir}/semodule -B -s minimum 2> /dev/null +%relabel minimum +fi +exit 0 + +%posttrans minimum +%checkConfigConsistency minimum +%{_libexecdir}/selinux/varrun-convert.sh minimum +%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm + +%postun minimum +if [ $1 = 0 ]; then + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "minimum" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi +fi +exit 0 + +%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138 +if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/* +fi +CR=$'\n' +INPUT="" +for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do + module=`basename $i | sed 's/.pp.disabled//'` + if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + fi +done +for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do + INPUT="${INPUT}${CR}module -N -a $i" +done +echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy +fi +exit 0 + +%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u +%fileList minimum +%endif + +%if %{BUILD_MLS} +%package mls +Summary: SELinux MLS policy +Provides: selinux-policy-any = %{version}-%{release} +Obsoletes: selinux-policy-mls-sources < 2 +Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: seedit +Conflicts: container-selinux <= 1.9.0-9 + +%description mls +SELinux MLS (Multi Level Security) policy package. + +%pretrans mls -p +%backupConfigLua + +%pre mls +%preInstall mls + +%post mls +%checkConfigConsistency mls +%postInstall $1 mls +exit 0 + +%posttrans mls +%checkConfigConsistency mls +%{_libexecdir}/selinux/varrun-convert.sh mls +%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm + +%postun mls +if [ $1 = 0 ]; then + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "mls" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi +fi +exit 0 + +%triggerpostun mls -- selinux-policy-mls < 3.13.1-138 +CR=$'\n' +INPUT="" +for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do + module=`basename $i | sed 's/.pp.disabled//'` + if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then + touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p + fi +done +for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do + INPUT="${INPUT}${CR}module -N -a $i" +done +echo "$INPUT" | %{_sbindir}/semanage import -S mls -N +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy +fi +exit 0 + + +%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u +%fileList mls +%endif + +%changelog +* Fri Oct 25 2024 MSVSphere Packaging Team - 40.13.10-1 +- Rebuilt for MSVSphere 10 + +* Wed Oct 16 2024 Zdenek Pytela - 40.13.10-1 +- Confine gnome-remote-desktop +Resolves: RHEL-35877 +- Allow virtqemud get attributes of a tmpfs filesystem +Resolves: RHEL-40855 +- Allow virtqemud get attributes of cifs files +Resolves: RHEL-40855 +- Allow virtqemud get attributes of filesystems with extended attributes +Resolves: RHEL-39668 +- Allow virtqemud get attributes of NFS filesystems +Resolves: RHEL-40855 +- Add support for secretmem anon inode +Resolves: RHEL-40953 +- Allow systemd-sleep read raw disk data +Resolves: RHEL-49600 +- Allow systemd-hwdb send messages to kernel unix datagram sockets +Resolves: RHEL-50810 +- Label /run/modprobe.d with modules_conf_t +Resolves: RHEL-54591 +- Allow setsebool_t relabel selinux data files +Resolves: RHEL-55412 +- Don't audit crontab_domain write attempts to user home +Resolves: RHEL-56349 +- Differentiate between staff and sysadm when executing crontab with sudo +Resolves: RHEL-56349 +- Add crontab_admin_domtrans interface +Resolves: RHEL-56349 +- Add crontab_domtrans interface +Resolves: RHEL-56349 +- Allow boothd connect to kernel over a unix socket +Resolves: RHEL-58060 +- Fix label of pseudoterminals created from sudodomain +Resolves: RHEL-58068 +- systemd: allow systemd_notify_t to send data to kernel_t datagram sockets +Resolves: RHEL-58072 +- Allow rsyslog read systemd-logind session files +Resolves: RHEL-40961 +- Label /dev/mmcblk0rpmb character device with removable_device_t +Resolves: RHEL-55265 +- Label /dev/hfi1_[0-9]+ devices +Resolves: RHEL-62836 +- Label /dev/papr-sysparm and /dev/papr-vpd +Resolves: RHEL-56908 +- Support SGX devices +Resolves: RHEL-62354 +- Suppress semodule's stderr +Resolves: RHEL-59192 + +* Mon Aug 26 2024 Zdenek Pytela - 40.13.9-1 +- Allow virtqemud relabelfrom also for file and sock_file +Resolves: RHEL-49763 +- Allow virtqemud relabel user tmp files and socket files +Resolves: RHEL-49763 +- Update virtqemud policy for libguestfs usage +Resolves: RHEL-49763 +- Label /run/libvirt/qemu/channel with virtqemud_var_run_t +Resolves: RHEL-47274 + +* Tue Aug 13 2024 Zdenek Pytela - 40.13.8-1 +- Add virt_create_log() and virt_write_log() interfaces +Resolves: RHEL-47274 +- Update libvirt policy +Resolves: RHEL-45464 +Resolves: RHEL-49763 +- Allow svirt_tcg_t map svirt_image_t files +Resolves: RHEL-47274 +- Allow svirt_tcg_t read vm sysctls +Resolves: RHEL-47274 +- Additional updates stalld policy for bpf usage +Resolves: RHEL-50356 + +* Thu Aug 08 2024 Zdenek Pytela - 40.13.7-1 +- Add the swtpm.if interface file for interactions with other domains +Resolves: RHEL-47274 +- Allow virtproxyd create and use its private tmp files +Resolves: RHEL-40499 +- Allow virtproxyd read network state +Resolves: RHEL-40499 +- Allow virtqemud domain transition on swtpm execution +Resolves: RHEL-47274 +Resolves: RHEL-49763 +- Allow virtqemud relabel virt_var_run_t directories +Resolves: RHEL-47274 +Resolves: RHEL-45464 +Resolves: RHEL-49763 +- Allow virtqemud domain transition on passt execution +Resolves: RHEL-45464 +- Allow virt_driver_domain create and use log files in /var/log +Resolves: RHEL-40239 +- Allow virt_driver_domain connect to systemd-userdbd over a unix socket +Resolves: RHEL-44932 +Resolves: RHEL-44898 +- Update stalld policy for bpf usage +Resolves: RHEL-50356 +- Allow boothd connect to systemd-userdbd over a unix socket +Resolves: RHEL-45907 +- Allow linuxptp configure phc2sys and chronyd over a unix domain socket +Resolves: RHEL-46011 +- Allow systemd-machined manage runtime sockets +Resolves: RHEL-49567 +- Allow ip command write to ipsec's logs +Resolves: RHEL-41222 +- Allow init_t nnp domain transition to firewalld_t +Resolves: RHEL-52481 +- Update qatlib policy for v24.02 with new features +Resolves: RHEL-50377 +- Allow postfix_domain map postfix_etc_t files +Resolves: RHEL-46327 + +* Thu Jul 25 2024 Zdenek Pytela - 40.13.6-1 +- Allow virtnodedevd run udev with a domain transition +Resolves: RHEL-39890 +- Allow virtnodedev_t create and use virtnodedev_lock_t +Resolves: RHEL-39890 +- Allow svirt attach_queue to a virtqemud tun_socket +Resolves: RHEL-44312 +- Label /run/systemd/machine with systemd_machined_var_run_t +Resolves: RHEL-49567 +- Allow to create and delete socket files created by rhsm.service + +* Tue Jul 16 2024 Zdenek Pytela - 40.13.5-1 +- Allow to create and delete socket files created by rhsm.service +Resolves: RHEL-40857 +- Allow svirt read virtqemud fifo files +Resolves: RHEL-40350 +- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket +Resolves: RHEL-37822 +- Allow virtqemud read virt-dbus process state +Resolves: RHEL-37822 +- Allow virtqemud run ssh client with a transition +Resolves: RHEL-43215 +- Allow virtnetworkd exec shell when virt_hooks_unconfined is on +Resolves: RHEL-41168 +- Allow NetworkManager the sys_ptrace capability in user namespace +Resolves: RHEL-46717 +- Update keyutils policy +Resolves: RHEL-38920 +- Allow ip the setexec permission +Resolves: RHEL-41182 + +* Fri Jun 28 2024 Zdenek Pytela - 40.13.4-1 +- Confine libvirt-dbus +Resolves: RHEL-37822 +- Allow sssd create and use io_uring +Resolves: RHEL-43448 +- Allow virtqemud the kill capability in user namespace +Resolves: RHEL-44996 +- Allow login_userdomain execute systemd-tmpfiles in the caller domain +Resolves: RHEL-44191 +- Allow virtqemud read vm sysctls +Resolves: RHEL-40938 +- Allow svirt_t read vm sysctls +Resolves: RHEL-40938 +- Allow rshim get options of the netlink class for KOBJECT_UEVENT family +Resolves: RHEL-40859 +- Allow systemd-hostnamed read the vsock device +Resolves: RHEL-45309 +- Allow systemd (PID 1) manage systemd conf files +Resolves: RHEL-45304 +- Allow journald read systemd config files and directories +Resolves: RHEL-45304 +- Allow systemd_domain read systemd_conf_t dirs +Resolves: RHEL-45304 +- Label systemd configuration files with systemd_conf_t +Resolves: RHEL-45304 +- Allow dhcpcd the kill capability +Resolves: RHEL-43417 +- Add support for libvirt hooks +Resolves: RHEL-41168 + +* Mon Jun 24 2024 Troy Dawson - 40.13.3-2 +- Bump release for June 2024 mass rebuild + +* Tue Jun 18 2024 Zdenek Pytela - 40.13.3-1 +- Allow virtqemud manage nfs files when virt_use_nfs boolean is on +Resolves: RHEL-40205 +- Allow virt_driver_domain read files labeled unconfined_t +Resolves: RHEL-40262 +- Allow virt_driver_domain dbus chat with policykit +Resolves: RHEL-40346 +- Escape "interface" as a file name in a virt filetrans pattern +Resolves: RHEL-34769 +- Allow setroubleshootd get attributes of all sysctls +Resolves: RHEL-40923 +- Allow qemu-ga read vm sysctls +Resolves: RHEL-40829 +- Allow sbd to trace processes in user namespace +Resolves: RHEL-39989 +- Allow request-key execute scripts +Resolves: RHEL-38920 +- Update policy for haproxyd +Resolves: RHEL-40877 + +* Fri Jun 07 2024 Zdenek Pytela - 40.13.2-1 +- Allow all domains read and write z90crypt device +Resolves: RHEL-28539 +- Allow dhcpc read /run/netns files +Resolves: RHEL-39510 +- Allow bootupd search efivarfs dirs +Resolves: RHEL-39514 + +* Fri May 17 2024 Zdenek Pytela - 40.13.1-1 +- Allow logwatch read logind sessions files +Resolves: RHEL-30441 +- Allow sulogin relabel tty1 +Resolves: RHEL-30440 +- Dontaudit sulogin the checkpoint_restore capability +Resolves: RHEL-30440 +- Allow postfix smtpd map aliases file +Resolves: RHEL-35544 +- Ensure dbus communication is allowed bidirectionally +Resolves: RHEL-35783 +- Allow various services read and write z90crypt device +Resolves: RHEL-28539 +- Allow dhcpcd use unix_stream_socket +Resolves: RHEL-33081 +- Allow xdm_t to watch and watch_reads mount_var_run_t +Resolves: RHEL-36073 +- Allow plymouthd log during shutdown +Resolves: RHEL-30455 +- Update rpm configuration for the /var/run equivalency change +Resolves: RHEL-36094 + +* Mon Feb 12 2024 Zdenek Pytela - 40.13-1 +- Only allow confined user domains to login locally without unconfined_login +- Add userdom_spec_domtrans_confined_admin_users interface +- Only allow admindomain to execute shell via ssh with ssh_sysadm_login +- Add userdom_spec_domtrans_admin_users interface +- Move ssh dyntrans to unconfined inside unconfined_login tunable policy +- Update ssh_role_template() for user ssh-agent type +- Allow init to inherit system DBus file descriptors +- Allow init to inherit fds from syslogd +- Allow any domain to inherit fds from rpm-ostree +- Update afterburn policy +- Allow init_t nnp domain transition to abrtd_t + +* Tue Feb 06 2024 Zdenek Pytela - 40.12-1 +- Rename all /var/lock file context entries to /run/lock +- Rename all /var/run file context entries to /run +- Invert the "/var/run = /run" equivalency + +* Mon Feb 05 2024 Zdenek Pytela - 40.11-1 +- Replace init domtrans rule for confined users to allow exec init +- Update dbus_role_template() to allow user service status +- Allow polkit status all systemd services +- Allow setroubleshootd create and use inherited io_uring +- Allow load_policy read and write generic ptys +- Allow gpg manage rpm cache +- Allow login_userdomain name_bind to howl and xmsg udp ports +- Allow rules for confined users logged in plasma +- Label /dev/iommu with iommu_device_t +- Remove duplicate file context entries in /run +- Dontaudit getty and plymouth the checkpoint_restore capability +- Allow su domains write login records +- Revert "Allow su domains write login records" +- Allow login_userdomain delete session dbusd tmp socket files +- Allow unix dgram sendto between exim processes +- Allow su domains write login records +- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on + +* Wed Jan 24 2024 Zdenek Pytela - 40.10-1 +- Allow chronyd-restricted read chronyd key files +- Allow conntrackd_t to use bpf capability2 +- Allow systemd-networkd manage its runtime socket files +- Allow init_t nnp domain transition to colord_t +- Allow polkit status systemd services +- nova: Fix duplicate declarations +- Allow httpd work with PrivateTmp +- Add interfaces for watching and reading ifconfig_var_run_t +- Allow collectd read raw fixed disk device +- Allow collectd read udev pid files +- Set correct label on /etc/pki/pki-tomcat/kra +- Allow systemd domains watch system dbus pid socket files +- Allow certmonger read network sysctls +- Allow mdadm list stratisd data directories +- Allow syslog to run unconfined scripts conditionally +- Allow syslogd_t nnp_transition to syslogd_unconfined_script_t +- Allow qatlib set attributes of vfio device files + +* Tue Jan 09 2024 Zdenek Pytela - 40.9-1 +- Allow systemd-sleep set attributes of efivarfs files +- Allow samba-dcerpcd read public files +- Allow spamd_update_t the sys_ptrace capability in user namespace +- Allow bluetooth devices work with alsa +- Allow alsa get attributes filesystems with extended attributes + +* Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2 +- Limit %%selinux_requires to version, not release + +* Thu Dec 21 2023 Zdenek Pytela - 40.8-1 +- Allow hypervkvp_t write access to NetworkManager_etc_rw_t +- Add interface for write-only access to NetworkManager rw conf +- Allow systemd-sleep send a message to syslog over a unix dgram socket +- Allow init create and use netlink netfilter socket +- Allow qatlib load kernel modules +- Allow qatlib run lspci +- Allow qatlib manage its private runtime socket files +- Allow qatlib read/write vfio devices +- Label /etc/redis.conf with redis_conf_t +- Remove the lockdown-class rules from the policy +- Allow init read all non-security socket files +- Replace redundant dnsmasq pattern macros +- Remove unneeded symlink perms in dnsmasq.if +- Add additions to dnsmasq interface +- Allow nvme_stas_t create and use netlink kobject uevent socket +- Allow collectd connect to statsd port +- Allow keepalived_t to use sys_ptrace of cap_userns +- Allow dovecot_auth_t connect to postgresql using UNIX socket + +* Wed Dec 13 2023 Zdenek Pytela - 40.7-1 +- Make named_zone_t and named_var_run_t a part of the mountpoint attribute +- Allow sysadm execute traceroute in sysadm_t domain using sudo +- Allow sysadm execute tcpdump in sysadm_t domain using sudo +- Allow opafm search nfs directories +- Add support for syslogd unconfined scripts +- Allow gpsd use /dev/gnss devices +- Allow gpg read rpm cache +- Allow virtqemud additional permissions +- Allow virtqemud manage its private lock files +- Allow virtqemud use the io_uring api +- Allow ddclient send e-mail notifications +- Allow postfix_master_t map postfix data files +- Allow init create and use vsock sockets +- Allow thumb_t append to init unix domain stream sockets +- Label /dev/vas with vas_device_t +- Change domain_kernel_load_modules boolean to true +- Create interface selinux_watch_config and add it to SELinux users + +* Tue Nov 28 2023 Zdenek Pytela - 40.6-1 +- Add afterburn to modules-targeted-contrib.conf +- Update cifs interfaces to include fs_search_auto_mountpoints() +- Allow sudodomain read var auth files +- Allow spamd_update_t read hardware state information +- Allow virtnetworkd domain transition on tc command execution +- Allow sendmail MTA connect to sendmail LDA +- Allow auditd read all domains process state +- Allow rsync read network sysctls +- Add dhcpcd bpf capability to run bpf programs +- Dontaudit systemd-hwdb dac_override capability +- Allow systemd-sleep create efivarfs files + +* Tue Nov 14 2023 Zdenek Pytela - 40.5-1 +- Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on +- Allow graphical applications work in Wayland +- Allow kdump work with PrivateTmp +- Allow dovecot-auth work with PrivateTmp +- Allow nfsd get attributes of all filesystems +- Allow unconfined_domain_type use io_uring cmd on domain +- ci: Only run Rawhide revdeps tests on the rawhide branch +- Label /var/run/auditd.state as auditd_var_run_t +- Allow fido-device-onboard (FDO) read the crack database +- Allow ip an explicit domain transition to other domains +- Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t +- Allow winbind_rpcd_t processes access when samba_export_all_* is on +- Enable NetworkManager and dhclient to use initramfs-configured DHCP connection +- Allow ntp to bind and connect to ntske port. +- Allow system_mail_t manage exim spool files and dirs +- Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t +- Label /run/pcsd.socket with cluster_var_run_t +- ci: Run cockpit tests in PRs + +* Thu Oct 19 2023 Zdenek Pytela - 40.4-1 +- Add map_read map_write to kernel_prog_run_bpf +- Allow systemd-fstab-generator read all symlinks +- Allow systemd-fstab-generator the dac_override capability +- Allow rpcbind read network sysctls +- Support using systemd containers +- Allow sysadm_t to connect to iscsid using a unix domain stream socket +- Add policy for coreos installer +- Add coreos_installer to modules-targeted-contrib.conf + +* Tue Oct 17 2023 Zdenek Pytela - 40.3-1 +- Add policy for nvme-stas +- Confine systemd fstab,sysv,rc-local +- Label /etc/aliases.lmdb with etc_aliases_t +- Create policy for afterburn +- Add nvme_stas to modules-targeted-contrib.conf +- Add plans/tests.fmf + +* Tue Oct 10 2023 Zdenek Pytela - 40.2-1 +- Add the virt_supplementary module to modules-targeted-contrib.conf +- Make new virt drivers permissive +- Split virt policy, introduce virt_supplementary module +- Allow apcupsd cgi scripts read /sys +- Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes +- Allow kernel_t to manage and relabel all files +- Add missing optional_policy() to files_relabel_all_files() + +* Tue Oct 03 2023 Zdenek Pytela - 40.1-1 +- Allow named and ndc use the io_uring api +- Deprecate common_anon_inode_perms usage +- Improve default file context(None) of /var/lib/authselect/backups +- Allow udev_t to search all directories with a filesystem type +- Implement proper anon_inode support +- Allow targetd write to the syslog pid sock_file +- Add ipa_pki_retrieve_key_exec() interface +- Allow kdumpctl_t to list all directories with a filesystem type +- Allow udev additional permissions +- Allow udev load kernel module +- Allow sysadm_t to mmap modules_object_t files +- Add the unconfined_read_files() and unconfined_list_dirs() interfaces +- Set default file context of HOME_DIR/tmp/.* to <> +- Allow kernel_generic_helper_t to execute mount(1) + +* Fri Sep 29 2023 Zdenek Pytela - 38.29-1 +- Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t +- Allow systemd-localed create Xserver config dirs +- Allow sssd read symlinks in /etc/sssd +- Label /dev/gnss[0-9] with gnss_device_t +- Allow systemd-sleep read/write efivarfs variables +- ci: Fix version number of packit generated srpms +- Dontaudit rhsmcertd write memory device +- Allow ssh_agent_type create a sockfile in /run/user/USERID +- Set default file context of /var/lib/authselect/backups to <> +- Allow prosody read network sysctls +- Allow cupsd_t to use bpf capability + +* Fri Sep 15 2023 Zdenek Pytela - 38.28-1 +- Allow sssd domain transition on passkey_child execution conditionally +- Allow login_userdomain watch lnk_files in /usr +- Allow login_userdomain watch video4linux devices +- Change systemd-network-generator transition to include class file +- Revert "Change file transition for systemd-network-generator" +- Allow nm-dispatcher winbind plugin read/write samba var files +- Allow systemd-networkd write to cgroup files +- Allow kdump create and use its memfd: objects + +* Thu Aug 31 2023 Zdenek Pytela - 38.27-1 +- Allow fedora-third-party get generic filesystem attributes +- Allow sssd use usb devices conditionally +- Update policy for qatlib +- Allow ssh_agent_type manage generic cache home files + +* Thu Aug 24 2023 Zdenek Pytela - 38.26-1 +- Change file transition for systemd-network-generator +- Additional support for gnome-initial-setup +- Update gnome-initial-setup policy for geoclue +- Allow openconnect vpn open vhost net device +- Allow cifs.upcall to connect to SSSD also through the /var/run socket +- Grant cifs.upcall more required capabilities +- Allow xenstored map xenfs files +- Update policy for fdo +- Allow keepalived watch var_run dirs +- Allow svirt to rw /dev/udmabuf +- Allow qatlib to modify hardware state information. +- Allow key.dns_resolve connect to avahi over a unix stream socket +- Allow key.dns_resolve create and use unix datagram socket +- Use quay.io as the container image source for CI + +* Fri Aug 11 2023 Zdenek Pytela - 38.25-1 +- ci: Move srpm/rpm build to packit +- .copr: Avoid subshell and changing directory +- Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file +- Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t +- Make insights_client_t an unconfined domain +- Allow insights-client manage user temporary files +- Allow insights-client create all rpm logs with a correct label +- Allow insights-client manage generic logs +- Allow cloud_init create dhclient var files and init_t manage net_conf_t +- Allow insights-client read and write cluster tmpfs files +- Allow ipsec read nsfs files +- Make tuned work with mls policy +- Remove nsplugin_role from mozilla.if +- allow mon_procd_t self:cap_userns sys_ptrace +- Allow pdns name_bind and name_connect all ports +- Set the MLS range of fsdaemon_t to s0 - mls_systemhigh +- ci: Move to actions/checkout@v3 version +- .copr: Replace chown call with standard workflow safe.directory setting +- .copr: Enable `set -u` for robustness +- .copr: Simplify root directory variable + +* Fri Aug 04 2023 Zdenek Pytela - 38.24-1 +- Allow rhsmcertd dbus chat with policykit +- Allow polkitd execute pkla-check-authorization with nnp transition +- Allow user_u and staff_u get attributes of non-security dirs +- Allow unconfined user filetrans chrome_sandbox_home_t +- Allow svnserve execute postdrop with a transition +- Do not make postfix_postdrop_t type an MTA executable file +- Allow samba-dcerpc service manage samba tmp files +- Add use_nfs_home_dirs boolean for mozilla_plugin +- Fix labeling for no-stub-resolv.conf + +* Wed Aug 02 2023 Zdenek Pytela - 38.23-1 +- Revert "Allow winbind-rpcd use its private tmp files" +- Allow upsmon execute upsmon via a helper script +- Allow openconnect vpn read/write inherited vhost net device +- Allow winbind-rpcd use its private tmp files +- Update samba-dcerpc policy for printing +- Allow gpsd,oddjob,oddjob_mkhomedir rw user domain pty +- Allow nscd watch system db dirs +- Allow qatlib to read sssd public files +- Allow fedora-third-party read /sys and proc +- Allow systemd-gpt-generator mount a tmpfs filesystem +- Allow journald write to cgroup files +- Allow rpc.mountd read network sysctls +- Allow blueman read the contents of the sysfs filesystem +- Allow logrotate_t to map generic files in /etc +- Boolean: Allow virt_qemu_ga create ssh directory + +* Tue Jul 25 2023 Zdenek Pytela - 38.22-1 +- Allow systemd-network-generator send system log messages +- Dontaudit the execute permission on sock_file globally +- Allow fsadm_t the file mounton permission +- Allow named and ndc the io_uring sqpoll permission +- Allow sssd io_uring sqpoll permission +- Fix location for /run/nsd +- Allow qemu-ga get fixed disk devices attributes +- Update bitlbee policy +- Label /usr/sbin/sos with sosreport_exec_t +- Update policy for the sblim-sfcb service +- Add the files_getattr_non_auth_dirs() interface +- Fix the CI to work with DNF5 + +* Sat Jul 22 2023 Fedora Release Engineering - 38.21-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jul 13 2023 Zdenek Pytela - 38.21-1 +- Make systemd_tmpfiles_t MLS trusted for lowering the level of files +- Revert "Allow insights client map cache_home_t" +- Allow nfsidmapd connect to systemd-machined over a unix socket +- Allow snapperd connect to kernel over a unix domain stream socket +- Allow virt_qemu_ga_t create .ssh dir with correct label +- Allow targetd read network sysctls +- Set the abrt_handle_event boolean to on +- Permit kernel_t to change the user identity in object contexts +- Allow insights client map cache_home_t +- Label /usr/sbin/mariadbd with mysqld_exec_t +- Trim changelog so that it starts at F37 time +- Define equivalency for /run/systemd/generator.early + +* Thu Jun 29 2023 Zdenek Pytela - 38.20-1 +- Allow httpd tcp connect to redis port conditionally +- Label only /usr/sbin/ripd and ripngd with zebra_exec_t +- Dontaudit aide the execmem permission +- Remove permissive from fdo +- Allow sa-update manage spamc home files +- Allow sa-update connect to systemlog services +- Label /usr/lib/systemd/system/mimedefang.service with antivirus_unit_file_t +- Allow nsd_crond_t write nsd_var_run_t & connectto nsd_t +- Allow bootupd search EFI directory + +* Tue Jun 27 2023 Zdenek Pytela - 38.19-1 +- Change init_audit_control default value to true +- Allow nfsidmapd connect to systemd-userdbd with a unix socket +- Add the qatlib module +- Add the fdo module +- Add the bootupd module +- Set default ports for keylime policy +- Create policy for qatlib +- Add policy for FIDO Device Onboard +- Add policy for bootupd +- Add the qatlib module +- Add the fdo module +- Add the bootupd module + +* Sun Jun 25 2023 Zdenek Pytela - 38.18-1 +- Add support for kafs-dns requested by keyutils +- Allow insights-client execmem +- Add support for chronyd-restricted +- Add init_explicit_domain() interface +- Allow fsadm_t to get attributes of cgroup filesystems +- Add list_dir_perms to kerberos_read_keytab +- Label /var/run/tmpfiles.d/static-nodes.conf with kmod_var_run_t +- Allow sendmail manage its runtime files +- Allow keyutils_dns_resolver_exec_t be an entrypoint +- Allow collectd_t read network state symlinks +- Revert "Allow collectd_t read proc_net link files" +- Allow nfsd_t to list exports_t dirs +- Allow cupsd dbus chat with xdm +- Allow haproxy read hardware state information +- Add the kafs module + +* Thu Jun 15 2023 Zdenek Pytela - 38.17-1 +- Label /dev/userfaultfd with userfaultfd_t +- Allow blueman send general signals to unprivileged user domains +- Allow dkim-milter domain transition to sendmail +- Label /usr/sbin/cifs.idmap with cifs_helper_exec_t +- Allow cifs-helper read sssd kerberos configuration files +- Allow rpm_t sys_admin capability +- Allow dovecot_deliver_t create/map dovecot_spool_t dir/file +- Allow collectd_t read proc_net link files +- Allow insights-client getsession process permission +- Allow insights-client work with pipe and socket tmp files +- Allow insights-client map generic log files +- Update cyrus_stream_connect() to use sockets in /run +- Allow keyutils-dns-resolver read/view kernel key ring +- Label /var/log/kdump.log with kdump_log_t + +* Fri Jun 09 2023 Zdenek Pytela - 38.16-1 +- Add support for the systemd-pstore service +- Allow kdumpctl_t to execmem +- Update sendmail policy module for opensmtpd +- Allow nagios-mail-plugin exec postfix master +- Allow subscription-manager execute ip +- Allow ssh client connect with a user dbus instance +- Add support for ksshaskpass +- Allow rhsmcertd file transition in /run also for socket files +- Allow keyutils_dns_resolver_t execute keyutils_dns_resolver_exec_t +- Allow plymouthd read/write X server miscellaneous devices +- Allow systemd-sleep read udev pid files +- Allow exim read network sysctls +- Allow sendmail request load module +- Allow named map its conf files +- Allow squid map its cache files +- Allow NetworkManager_dispatcher_dhclient_t to execute shells without a domain transition + +* Tue May 30 2023 Zdenek Pytela - 38.15-1 +- Update policy for systemd-sleep +- Remove permissive domain for rshim_t +- Remove permissive domain for mptcpd_t +- Allow systemd-bootchartd the sys_ptrace userns capability +- Allow sysadm_t read nsfs files +- Allow sysadm_t run kernel bpf programs +- Update ssh_role_template for ssh-agent +- Update ssh_role_template to allow read/write unallocated ttys +- Add the booth module to modules.conf +- Allow firewalld rw ica_tmpfs_t files + +* Fri May 26 2023 Zdenek Pytela - 38.14-1 +- Remove permissive domain for cifs_helper_t +- Update the cifs-helper policy +- Replace cifsutils_helper_domtrans() with keyutils_request_domtrans_to() +- Update pkcsslotd policy for sandboxing +- Allow abrt_t read kernel persistent storage files +- Dontaudit targetd search httpd config dirs +- Allow init_t nnp domain transition to policykit_t +- Allow rpcd_lsad setcap and use generic ptys +- Allow samba-dcerpcd connect to systemd_machined over a unix socket +- Allow wireguard to rw network sysctls +- Add policy for boothd +- Allow kernel to manage its own BPF objects +- Label /usr/lib/systemd/system/proftpd.* & vsftpd.* with ftpd_unit_file_t + +* Mon May 22 2023 Zdenek Pytela - 38.13-1 +- Add initial policy for cifs-helper +- Label key.dns_resolver with keyutils_dns_resolver_exec_t +- Allow unconfined_service_t to create .gnupg labeled as gpg_secret_t +- Allow some systemd services write to cgroup files +- Allow NetworkManager_dispatcher_dhclient_t to read the DHCP configuration files +- Allow systemd resolved to bind to arbitrary nodes +- Allow plymouthd_t bpf capability to run bpf programs +- Allow cupsd to create samba_var_t files +- Allow rhsmcert request the kernel to load a module +- Allow virsh name_connect virt_port_t +- Allow certmonger manage cluster library files +- Allow plymouthd read init process state +- Add chromium_sandbox_t setcap capability +- Allow snmpd read raw disk data +- Allow samba-rpcd work with passwords +- Allow unconfined service inherit signal state from init +- Allow cloud-init manage gpg admin home content +- Allow cluster_t dbus chat with various services +- Allow nfsidmapd work with systemd-userdbd and sssd +- Allow unconfined_domain_type use IORING_OP_URING_CMD on all device nodes +- Allow plymouthd map dri and framebuffer devices +- Allow rpmdb_migrate execute rpmdb +- Allow logrotate dbus chat with systemd-hostnamed +- Allow icecast connect to kernel using a unix stream socket +- Allow lldpad connect to systemd-userdbd over a unix socket +- Allow journalctl open user domain ptys and ttys +- Allow keepalived to manage its tmp files +- Allow ftpd read network sysctls +- Label /run/bgpd with zebra_var_run_t +- Allow gssproxy read network sysctls +- Add the cifsutils module + +* Tue Apr 25 2023 Zdenek Pytela - 38.12-1 +- Allow telnetd read network sysctls +- Allow munin system plugin read generic SSL certificates +- Allow munin system plugin create and use netlink generic socket +- Allow login_userdomain create user namespaces +- Allow request-key to send syslog messages +- Allow request-key to read/view any key +- Add fs_delete_pstore_files() interface +- Allow insights-client work with teamdctl +- Allow insights-client read unconfined service semaphores +- Allow insights-client get quotas of all filesystems +- Add fs_read_pstore_files() interface +- Allow generic kernel helper to read inherited kernel pipes + +* Fri Apr 14 2023 Zdenek Pytela - 38.11-1 +- Allow dovecot-deliver write to the main process runtime fifo files +- Allow dmidecode write to cloud-init tmp files +- Allow chronyd send a message to cloud-init over a datagram socket +- Allow cloud-init domain transition to insights-client domain +- Allow mongodb read filesystem sysctls +- Allow mongodb read network sysctls +- Allow accounts-daemon read generic systemd unit lnk files +- Allow blueman watch generic device dirs +- Allow nm-dispatcher tlp plugin create tlp dirs +- Allow systemd-coredump mounton /usr +- Allow rabbitmq to read network sysctls + +* Tue Apr 04 2023 Zdenek Pytela - 38.10-1 +- Allow certmonger dbus chat with the cron system domain +- Allow geoclue read network sysctls +- Allow geoclue watch the /etc directory +- Allow logwatch_mail_t read network sysctls +- Allow insights-client read all sysctls +- Allow passt manage qemu pid sock files + +* Fri Mar 24 2023 Zdenek Pytela - 38.9-1 +- Allow sssd read accountsd fifo files +- Add support for the passt_t domain +- Allow virtd_t and svirt_t work with passt +- Add new interfaces in the virt module +- Add passt interfaces defined conditionally +- Allow tshark the setsched capability +- Allow poweroff create connections to system dbus +- Allow wg load kernel modules, search debugfs dir +- Boolean: allow qemu-ga manage ssh home directory +- Label smtpd with sendmail_exec_t +- Label msmtp and msmtpd with sendmail_exec_t +- Allow dovecot to map files in /var/spool/dovecot + +* Fri Mar 03 2023 Zdenek Pytela - 38.8-1 +- Confine gnome-initial-setup +- Allow qemu-guest-agent create and use vsock socket +- Allow login_pgm setcap permission +- Allow chronyc read network sysctls +- Enhancement of the /usr/sbin/request-key helper policy +- Fix opencryptoki file names in /dev/shm +- Allow system_cronjob_t transition to rpm_script_t +- Revert "Allow system_cronjob_t domtrans to rpm_script_t" +- Add tunable to allow squid bind snmp port +- Allow staff_t getattr init pid chr & blk files and read krb5 +- Allow firewalld to rw z90crypt device +- Allow httpd work with tokens in /dev/shm +- Allow svirt to map svirt_image_t char files +- Allow sysadm_t run initrc_t script and sysadm_r role access +- Allow insights-client manage fsadm pid files + +* Wed Feb 08 2023 Zdenek Pytela - 38.7-1 +- Allowing snapper to create snapshots of /home/ subvolume/partition +- Add boolean qemu-ga to run unconfined script +- Label systemd-journald feature LogNamespace +- Add none file context for polyinstantiated tmp dirs +- Allow certmonger read the contents of the sysfs filesystem +- Add journalctl the sys_resource capability +- Allow nm-dispatcher plugins read generic files in /proc +- Add initial policy for the /usr/sbin/request-key helper +- Additional support for rpmdb_migrate +- Add the keyutils module + +* Mon Jan 30 2023 Zdenek Pytela - 38.6-1 +- Boolean: allow qemu-ga read ssh home directory +- Allow kernel_t to read/write all sockets +- Allow kernel_t to UNIX-stream connect to all domains +- Allow systemd-resolved send a datagram to journald +- Allow kernel_t to manage and have "execute" access to all files +- Fix the files_manage_all_files() interface +- Allow rshim bpf cap2 and read sssd public files +- Allow insights-client work with su and lpstat +- Allow insights-client tcp connect to all ports +- Allow nm-cloud-setup dispatcher plugin restart nm services +- Allow unconfined user filetransition for sudo log files +- Allow modemmanager create hardware state information files +- Allow ModemManager all permissions for netlink route socket +- Allow wg to send msg to kernel, write to syslog and dbus connections +- Allow hostname_t to read network sysctls. +- Dontaudit ftpd the execmem permission +- Allow svirt request the kernel to load a module +- Allow icecast rename its log files +- Allow upsd to send signal to itself +- Allow wireguard to create udp sockets and read net_conf +- Use '%autosetup' instead of '%setup' +- Pass -p 1 to '%autosetup' + +* Sat Jan 21 2023 Fedora Release Engineering - 38.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Jan 13 2023 Zdenek Pytela - 38.5-1 +- Allow insights client work with gluster and pcp +- Add insights additional capabilities +- Add interfaces in domain, files, and unconfined modules +- Label fwupdoffline and fwupd-detect-cet with fwupd_exec_t +- Allow sudodomain use sudo.log as a logfile +- Allow pdns server map its library files and bind to unreserved ports +- Allow sysadm_t read/write ipmi devices +- Allow prosody manage its runtime socket files +- Allow kernel threads manage kernel keys +- Allow systemd-userdbd the sys_resource capability +- Allow systemd-journal list cgroup directories +- Allow apcupsd dbus chat with systemd-logind +- Allow nut_domain manage also files and sock_files in /var/run +- Allow winbind-rpcd make a TCP connection to the ldap port +- Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t +- Allow tlp read generic SSL certificates +- Allow systemd-resolved watch tmpfs directories +- Revert "Allow systemd-resolved watch tmpfs directories" + +* Mon Dec 19 2022 Zdenek Pytela - 38.4-1 +- Allow NetworkManager and wpa_supplicant the bpf capability +- Allow systemd-rfkill the bpf capability +- Allow winbind-rpcd manage samba_share_t files and dirs +- Label /var/lib/httpd/md(/.*)? with httpd_sys_rw_content_t +- Allow gpsd the sys_ptrace userns capability +- Introduce gpsd_tmp_t for sockfiles managed by gpsd_t +- Allow load_policy_t write to unallocated ttys +- Allow ndc read hardware state information +- Allow system mail service read inherited certmonger runtime files +- Add lpr_roles to system_r roles +- Revert "Allow insights-client run lpr and allow the proper role" +- Allow stalld to read /sys/kernel/security/lockdown file +- Allow keepalived to set resource limits +- Add policy for mptcpd +- Add policy for rshim +- Allow admin users to create user namespaces +- Allow journalctl relabel with var_log_t and syslogd_var_run_t files +- Do not run restorecon /etc/NetworkManager/dispatcher.d in targeted +- Trim changelog so that it starts at F35 time +- Add mptcpd and rshim modules + +* Wed Dec 14 2022 Zdenek Pytela - 38.3-1 +- Allow insights-client dbus chat with various services +- Allow insights-client tcp connect to various ports +- Allow insights-client run lpr and allow the proper role +- Allow insights-client work with pcp and manage user config files +- Allow redis get user names +- Allow kernel threads to use fds from all domains +- Allow systemd-modules-load load kernel modules +- Allow login_userdomain watch systemd-passwd pid dirs +- Allow insights-client dbus chat with abrt +- Grant kernel_t certain permissions in the system class +- Allow systemd-resolved watch tmpfs directories +- Allow systemd-timedated watch init runtime dir +- Make `bootc` be `install_exec_t` +- Allow systemd-coredump create user_namespace +- Allow syslog the setpcap capability +- donaudit virtlogd and dnsmasq execmem + +* Tue Dec 06 2022 Zdenek Pytela - 38.2-1 +- Don't make kernel_t an unconfined domain +- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition +- Allow kernel_t to execute systemctl to do a poweroff/reboot +- Grant basic permissions to the domain created by systemd_systemctl_domain() +- Allow kernel_t to request module loading +- Allow kernel_t to do compute_create +- Allow kernel_t to manage perf events +- Grant almost all capabilities to kernel_t +- Allow kernel_t to fully manage all devices +- Revert "In domain_transition_pattern there is no permission allowing caller domain to execu_no_trans on entrypoint, this patch fixing this issue" +- Allow pulseaudio to write to session_dbusd tmp socket files +- Allow systemd and unconfined_domain_type create user_namespace +- Add the user_namespace security class +- Reuse tmpfs_t also for the ramfs filesystem +- Label udf tools with fsadm_exec_t +- Allow networkmanager_dispatcher_plugin work with nscd +- Watch_sb all file type directories. +- Allow spamc read hardware state information files +- Allow sysadm read ipmi devices +- Allow insights client communicate with cupsd, mysqld, openvswitch, redis +- Allow insights client read raw memory devices +- Allow the spamd_update_t domain get generic filesystem attributes +- Dontaudit systemd-gpt-generator the sys_admin capability +- Allow ipsec_t only read tpm devices +- Allow cups-pdf connect to the system log service +- Allow postfix/smtpd read kerberos key table +- Allow syslogd read network sysctls +- Allow cdcc mmap dcc-client-map files +- Add watch and watch_sb dosfs interface + +* Mon Nov 21 2022 Zdenek Pytela - 38.1-1 +- Revert "Allow sysadm_t read raw memory devices" +- Allow systemd-socket-proxyd get attributes of cgroup filesystems +- Allow rpc.gssd read network sysctls +- Allow winbind-rpcd get attributes of device and pty filesystems +- Allow insights-client domain transition on semanage execution +- Allow insights-client create gluster log dir with a transition +- Allow insights-client manage generic locks +- Allow insights-client unix_read all domain semaphores +- Add domain_unix_read_all_semaphores() interface +- Allow winbind-rpcd use the terminal multiplexor +- Allow mrtg send mails +- Allow systemd-hostnamed dbus chat with init scripts +- Allow sssd dbus chat with system cronjobs +- Add interface to watch all filesystems +- Add watch_sb interfaces +- Add watch interfaces +- Allow dhcpd bpf capability to run bpf programs +- Allow netutils and traceroute bpf capability to run bpf programs +- Allow pkcs_slotd_t bpf capability to run bpf programs +- Allow xdm bpf capability to run bpf programs +- Allow pcscd bpf capability to run bpf programs +- Allow lldpad bpf capability to run bpf programs +- Allow keepalived bpf capability to run bpf programs +- Allow ipsec bpf capability to run bpf programs +- Allow fprintd bpf capability to run bpf programs +- Allow systemd-socket-proxyd get filesystems attributes +- Allow dirsrv_snmp_t to manage dirsrv_config_t & dirsrv_var_run_t files + +* Mon Oct 31 2022 Zdenek Pytela - 37.14-1 +- Allow rotatelogs read httpd_log_t symlinks +- Add winbind-rpcd to samba_enable_home_dirs boolean +- Allow system cronjobs dbus chat with setroubleshoot +- Allow setroubleshootd read device sysctls +- Allow virt_domain read device sysctls +- Allow rhcd compute selinux access vector +- Allow insights-client manage samba var dirs +- Label ports 10161-10162 tcp/udp with snmp +- Allow aide to connect to systemd_machined with a unix socket. +- Allow samba-dcerpcd use NSCD services over a unix stream socket +- Allow vlock search the contents of the /dev/pts directory +- Allow insights-client send null signal to rpm and system cronjob +- Label port 15354/tcp and 15354/udp with opendnssec +- Allow ftpd map ftpd_var_run files +- Allow targetclid to manage tmp files +- Allow insights-client connect to postgresql with a unix socket +- Allow insights-client domtrans on unix_chkpwd execution +- Add file context entries for insights-client and rhc +- Allow pulseaudio create gnome content (~/.config) +- Allow login_userdomain dbus chat with rhsmcertd +- Allow sbd the sys_ptrace capability +- Allow ptp4l_t name_bind ptp_event_port_t + +* Mon Oct 03 2022 Zdenek Pytela - 37.13-1 +- Remove the ipa module +- Allow sss daemons read/write unnamed pipes of cloud-init +- Allow postfix_mailqueue create and use unix dgram sockets +- Allow xdm watch user home directories +- Allow nm-dispatcher ddclient plugin load a kernel module +- Stop ignoring standalone interface files +- Drop cockpit module +- Allow init map its private tmp files +- Allow xenstored change its hard resource limits +- Allow system_mail-t read network sysctls +- Add bgpd sys_chroot capability + +* Thu Sep 22 2022 Zdenek Pytela - 37.12-1 +- nut-upsd: kernel_read_system_state, fs_getattr_cgroup +- Add numad the ipc_owner capability +- Allow gst-plugin-scanner read virtual memory sysctls +- Allow init read/write inherited user fifo files +- Update dnssec-trigger policy: setsched, module_request +- added policy for systemd-socket-proxyd +- Add the new 'cmd' permission to the 'io_uring' class +- Allow winbind-rpcd read and write its key ring +- Label /run/NetworkManager/no-stub-resolv.conf net_conf_t +- blueman-mechanism can read ~/.local/lib/python*/site-packages directory +- pidof executed by abrt can readlink /proc/*/exe +- Fix typo in comment +- Do not run restorecon /etc/NetworkManager/dispatcher.d in mls and minimum + +* Wed Sep 14 2022 Zdenek Pytela - 37.11-1 +- Allow tor get filesystem attributes +- Allow utempter append to login_userdomain stream +- Allow login_userdomain accept a stream connection to XDM +- Allow login_userdomain write to boltd named pipes +- Allow staff_u and user_u users write to bolt pipe +- Allow login_userdomain watch various directories +- Update rhcd policy for executing additional commands 5 +- Update rhcd policy for executing additional commands 4 +- Allow rhcd create rpm hawkey logs with correct label +- Allow systemd-gpt-auto-generator to check for empty dirs +- Update rhcd policy for executing additional commands 3 +- Allow journalctl read rhcd fifo files +- Update insights-client policy for additional commands execution 5 +- Allow init remount all file_type filesystems +- Confine insights-client systemd unit +- Update insights-client policy for additional commands execution 4 +- Allow pcp pmcd search tracefs and acct_data dirs +- Allow httpd read network sysctls +- Dontaudit domain map permission on directories +- Revert "Allow X userdomains to mmap user_fonts_cache_t dirs" +- Revert "Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)" +- Update insights-client policy for additional commands execution 3 +- Allow systemd permissions needed for sandboxed services +- Add rhcd module +- Make dependency on rpm-plugin-selinux unordered + +* Fri Sep 02 2022 Zdenek Pytela - 37.10-1 +- Allow ipsec_t read/write tpm devices +- Allow rhcd execute all executables +- Update rhcd policy for executing additional commands 2 +- Update insights-client policy for additional commands execution 2 +- Allow sysadm_t read raw memory devices +- Allow chronyd send and receive chronyd/ntp client packets +- Allow ssh client read kerberos homedir config files +- Label /var/log/rhc-worker-playbook with rhcd_var_log_t +- Update insights-client policy (auditctl, gpg, journal) +- Allow system_cronjob_t domtrans to rpm_script_t +- Allow smbd_t process noatsecure permission for winbind_rpcd_t +- Update tor_bind_all_unreserved_ports interface +- Allow chronyd bind UDP sockets to ptp_event ports. +- Allow unconfined and sysadm users transition for /root/.gnupg +- Add gpg_filetrans_admin_home_content() interface +- Update rhcd policy for executing additional commands +- Update insights-client policy for additional commands execution +- Add userdom_view_all_users_keys() interface +- Allow gpg read and write generic pty type +- Allow chronyc read and write generic pty type +- Allow system_dbusd ioctl kernel with a unix stream sockets +- Allow samba-bgqd to read a printer list +- Allow stalld get and set scheduling policy of all domains. +- Allow unconfined_t transition to targetclid_home_t + +* Thu Aug 11 2022 Zdenek Pytela - 37.9-1 +- Allow nm-dispatcher custom plugin dbus chat with nm +- Allow nm-dispatcher sendmail plugin get status of systemd services +- Allow xdm read the kernel key ring +- Allow login_userdomain check status of mount units +- Allow postfix/smtp and postfix/virtual read kerberos key table +- Allow services execute systemd-notify +- Do not allow login_userdomain use sd_notify() +- Allow launch-xenstored read filesystem sysctls +- Allow systemd-modules-load write to /dev/kmsg and send a message to syslogd +- Allow openvswitch fsetid capability +- Allow openvswitch use its private tmpfs files and dirs +- Allow openvswitch search tracefs dirs +- Allow pmdalinux read files on an nfsd filesystem +- Allow winbind-rpcd write to winbind pid files +- Allow networkmanager to signal unconfined process +- Allow systemd_hostnamed label /run/systemd/* as hostnamed_etc_t +- Allow samba-bgqd get a printer list +- fix(init.fc): Fix section description +- Allow fedora-third-party read the passwords file +- Remove permissive domain for rhcd_t +- Allow pmie read network state information and network sysctls +- Revert "Dontaudit domain the fowner capability" +- Allow sysadm_t to run bpftool on the userdomain attribute +- Add the userdom_prog_run_bpf_userdomain() interface +- Allow insights-client rpm named file transitions +- Add /var/tmp/insights-archive to insights_client_filetrans_named_content + +* Mon Aug 01 2022 Zdenek Pytela - 37.8-1 +- Allow sa-update to get init status and start systemd files +- Use insights_client_filetrans_named_content +- Make default file context match with named transitions +- Allow nm-dispatcher tlp plugin send system log messages +- Allow nm-dispatcher tlp plugin create and use unix_dgram_socket +- Add permissions to manage lnk_files into gnome_manage_home_config +- Allow rhsmcertd to read insights config files +- Label /etc/insights-client/machine-id +- fix(devices.fc): Replace single quote in comment to solve parsing issues +- Make NetworkManager_dispatcher_custom_t an unconfined domain + +* Sat Jul 23 2022 Fedora Release Engineering - 37.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jul 14 2022 Zdenek Pytela - 37.7-1 +- Update winbind_rpcd_t +- Allow some domains use sd_notify() +- Revert "Allow rabbitmq to use systemd notify" +- fix(sedoctool.py): Fix syntax warning: "is not" with a literal +- Allow nm-dispatcher console plugin manage etc files +- Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs +- Allow nm-dispatcher console plugin setfscreate +- Support using systemd-update-helper in rpm scriptlets +- Allow nm-dispatcher winbind plugin read samba config files +- Allow domain use userfaultfd over all domains +- Allow cups-lpd read network sysctls + +* Wed Jun 29 2022 Zdenek Pytela - 37.6-1 +- Allow stalld set scheduling policy of kernel threads +- Allow targetclid read /var/target files +- Allow targetclid read generic SSL certificates (fixed) +- Allow firewalld read the contents of the sysfs filesystem +- Fix file context pattern for /var/target +- Use insights_client_etc_t in insights_search_config() +- Allow nm-dispatcher ddclient plugin handle systemd services +- Allow nm-dispatcher winbind plugin run smbcontrol +- Allow nm-dispatcher custom plugin create and use unix dgram socket +- Update samba-dcerpcd policy for kerberos usage 2 +- Allow keepalived read the contents of the sysfs filesystem +- Allow amandad read network sysctls +- Allow cups-lpd read network sysctls +- Allow kpropd read network sysctls +- Update insights_client_filetrans_named_content() +- Allow rabbitmq to use systemd notify +- Label /var/target with targetd_var_t +- Allow targetclid read generic SSL certificates +- Update rhcd policy +- Allow rhcd search insights configuration directories +- Add the kernel_read_proc_files() interface +- Require policycoreutils >= 3.4-1 +- Add a script for enclosing interfaces in ifndef statements +- Disable rpm verification on interface_info + +* Wed Jun 22 2022 Zdenek Pytela - 37.5-1 +- Allow transition to insights_client named content +- Add the insights_client_filetrans_named_content() interface +- Update policy for insights-client to run additional commands 3 +- Allow dhclient manage pid files used by chronyd +- Allow stalld get scheduling policy of kernel threads +- Allow samba-dcerpcd work with sssd +- Allow dlm_controld send a null signal to a cluster daemon +- Allow ksmctl create hardware state information files +- Allow winbind_rpcd_t connect to self over a unix_stream_socket +- Update samba-dcerpcd policy for kerberos usage +- Allow insights-client execute its private memfd: objects +- Update policy for insights-client to run additional commands 2 +- Use insights_client_tmp_t instead of insights_client_var_tmp_t +- Change space indentation to tab in insights-client +- Use socket permissions sets in insights-client +- Update policy for insights-client to run additional commands +- Change rpm_setattr_db_files() to use a pattern +- Allow init_t to rw insights_client unnamed pipe +- Add rpm setattr db files macro +- Fix insights client +- Update kernel_read_unix_sysctls() for sysctl_net_unix_t handling +- Allow rabbitmq to access its private memfd: objects +- Update policy for samba-dcerpcd +- Allow stalld setsched and sys_nice + +* Tue Jun 07 2022 Zdenek Pytela - 37.4-1 +- Allow auditd_t noatsecure for a transition to audisp_remote_t +- Allow ctdbd nlmsg_read on netlink_tcpdiag_socket +- Allow pcp_domain execute its private memfd: objects +- Add support for samba-dcerpcd +- Add policy for wireguard +- Confine targetcli +- Allow systemd work with install_t unix stream sockets +- Allow iscsid the sys_ptrace userns capability +- Allow xdm connect to unconfined_service_t over a unix stream socket + +* Fri May 27 2022 Zdenek Pytela - 37.3-1 +- Allow nm-dispatcher custom plugin execute systemctl +- Allow nm-dispatcher custom plugin dbus chat with nm +- Allow nm-dispatcher custom plugin create and use udp socket +- Allow nm-dispatcher custom plugin create and use netlink_route_socket +- Use create_netlink_socket_perms in netlink_route_socket class permissions +- Add support for nm-dispatcher sendmail scripts +- Allow sslh net_admin capability +- Allow insights-client manage gpg admin home content +- Add the gpg_manage_admin_home_content() interface +- Allow rhsmcertd create generic log files +- Update logging_create_generic_logs() to use create_files_pattern() +- Label /var/cache/insights with insights_client_cache_t +- Allow insights-client search gconf homedir +- Allow insights-client create and use unix_dgram_socket +- Allow blueman execute its private memfd: files +- Move the chown call into make-srpm.sh + +* Fri May 06 2022 Zdenek Pytela - 37.2-1 +- Use the networkmanager_dispatcher_plugin attribute in allow rules +- Make a custom nm-dispatcher plugin transition +- Label port 4784/tcp and 4784/udp with bfd_multi +- Allow systemd watch and watch_reads user ptys +- Allow sblim-gatherd the kill capability +- Label more vdsm utils with virtd_exec_t +- Add ksm service to ksmtuned +- Add rhcd policy +- Dontaudit guest attempts to dbus chat with systemd domains +- Dontaudit guest attempts to dbus chat with system bus types +- Use a named transition in systemd_hwdb_manage_config() +- Add default fc specifications for patterns in /opt +- Add the files_create_etc_files() interface +- Allow nm-dispatcher console plugin create and write files in /etc +- Allow nm-dispatcher console plugin transition to the setfiles domain +- Allow more nm-dispatcher plugins append to init stream sockets +- Allow nm-dispatcher tlp plugin dbus chat with nm +- Reorder networkmanager_dispatcher_plugin_template() calls +- Allow svirt connectto virtlogd +- Allow blueman map its private memfd: files +- Allow sysadm user execute init scripts with a transition +- Allow sblim-sfcbd connect to sblim-reposd stream +- Allow keepalived_unconfined_script_t dbus chat with init +- Run restorecon with "-i" not to report errors + +* Mon May 02 2022 Zdenek Pytela - 37.1-1 +- Fix users for SELinux userspace 3.4 +- Label /var/run/machine-id as machineid_t +- Add stalld to modules.conf +- Use files_tmpfs_file() for rhsmcertd_tmpfs_t +- Allow blueman read/write its private memfd: objects +- Allow insights-client read rhnsd config files +- Allow insights-client create_socket_perms for tcp/udp sockets