.gitignore

@@ -1,2 +1,2 @@
 SOURCES/container-selinux.tgz
-SOURCES/selinux-policy-0113b35.tar.gz
+SOURCES/selinux-policy-14ba8a3.tar.gz

.selinux-policy.metadata

@@ -1,2 +1,2 @@
-484f3f9e443621ccd65c42d11229424a36bf58b9 SOURCES/container-selinux.tgz
-430470dababaa6af18348fc2f8f0fe2108b50e05 SOURCES/selinux-policy-0113b35.tar.gz
+4e860788a4fe3bb771ba2f0d0f7a4b934d1d7eee SOURCES/container-selinux.tgz
+e9156e9d0c01a68682e7a0f87772d6d3bba80a15 SOURCES/selinux-policy-14ba8a3.tar.gz

SOURCES/booleans-minimum.conf

@@ -1,248 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-# 
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-allow_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-# 
-allow_execstack = true
-
-# Allow ftpd to read cifs directories.
-# 
-allow_ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-# 
-allow_ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
-allow_gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-# 
-allow_httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-# 
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-allow_saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-# 
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-# 
-allow_zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql 
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-# 
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-# 
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-# 
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = false
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = false
-
-# allow host key based authentication
-# 
-allow_ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
-# 
-read_untrusted_content = false
-
-# Allow spamd to write to users homedirs
-# 
-spamd_enable_home_dirs = false
-
-# Allow regular users direct mouse access
-# 
-user_direct_mouse = false
-
-# Allow users to read system messages.
-# 
-user_dmesg = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = false
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow w to display everyone
-# 
-user_ttyfile_stat = false
-
-# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
-# 
-write_untrusted_content = false
-
-# Allow all domains to talk to ttys
-# 
-allow_daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-# 
-allow_polyinstantiation = false
-
-# Allow all domains to dump core
-# 
-allow_daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-# 
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-# 
-allow_xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create 
-# 
-allow_guest_exec_content = false
-allow_xguest_exec_content = false
-
-# Only allow browser to use the web
-# 
-browser_confine_xguest=false
-
-# Allow postfix locat to write to mail spool
-# 
-allow_postfix_local_write_mail_spool=false
-
-# Allow common users to read/write noexattrfile systems
-# 
-user_rw_noexattrfile=true
-
-# Allow qemu to connect fully to the network
-# 
-qemu_full_network=true
-
-# Allow nsplugin execmem/execstack for bad plugins
-# 
-allow_nsplugin_execmem=true
-
-# Allow unconfined domain to transition to confined domain
-# 
-allow_unconfined_nsplugin_transition=true
-
-# System uses init upstart program
-# 
-init_upstart = true
-
-# Allow mount to mount any file/dir
-# 
-allow_mount_anyfile = true

SOURCES/booleans-mls.conf

@@ -1,6 +0,0 @@
-kerberos_enabled = true
-mount_anyfile = true
-polyinstantiation_enabled = true
-ftpd_is_daemon = true
-selinuxuser_ping = true
-xserver_object_manager = true

SOURCES/booleans-targeted.conf

@@ -1,24 +0,0 @@
-gssd_read_tmp = true
-httpd_builtin_scripting = true
-httpd_enable_cgi = true
-kerberos_enabled = true
-mount_anyfile = true
-nfs_export_all_ro = true
-nfs_export_all_rw = true
-nscd_use_shm = true
-openvpn_enable_homedirs = true
-postfix_local_write_mail_spool=true
-pppd_can_insmod = false
-privoxy_connect_any = true
-selinuxuser_direct_dri_enabled = true
-selinuxuser_execmem = true
-selinuxuser_execstack = true
-selinuxuser_rw_noexattrfile=true
-selinuxuser_ping = true
-squid_connect_any = true
-telepathy_tcp_connect_generic_network_ports=true
-unconfined_chrome_sandbox_transition=true
-unconfined_mozilla_plugin_transition=true
-xguest_exec_content = true
-mozilla_plugin_can_network_connect = true
-use_virtualbox = true

SOURCES/booleans.subs_dist

@@ -1,54 +0,0 @@
-allow_auditadm_exec_content auditadm_exec_content
-allow_console_login login_console_enabled
-allow_cvs_read_shadow cvs_read_shadow
-allow_daemons_dump_core daemons_dump_core
-allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
-allow_daemons_use_tty daemons_use_tty
-allow_domain_fd_use domain_fd_use
-allow_execheap selinuxuser_execheap
-allow_execmod selinuxuser_execmod
-allow_execstack selinuxuser_execstack
-allow_ftpd_anon_write ftpd_anon_write
-allow_ftpd_full_access ftpd_full_access
-allow_ftpd_use_cifs ftpd_use_cifs
-allow_ftpd_use_nfs ftpd_use_nfs
-allow_gssd_read_tmp gssd_read_tmp
-allow_guest_exec_content guest_exec_content
-allow_httpd_anon_write httpd_anon_write
-allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
-allow_httpd_mod_auth_pam httpd_mod_auth_pam
-allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
-allow_kerberos kerberos_enabled
-allow_mplayer_execstack mplayer_execstack
-allow_mount_anyfile mount_anyfile
-allow_nfsd_anon_write nfsd_anon_write
-allow_polyinstantiation polyinstantiation_enabled
-allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
-allow_rsync_anon_write rsync_anon_write
-allow_saslauthd_read_shadow saslauthd_read_shadow
-allow_secadm_exec_content secadm_exec_content
-allow_smbd_anon_write smbd_anon_write
-allow_ssh_keysign ssh_keysign
-allow_staff_exec_content staff_exec_content
-allow_sysadm_exec_content sysadm_exec_content
-allow_user_exec_content user_exec_content
-allow_user_mysql_connect selinuxuser_mysql_connect_enabled
-allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
-allow_write_xshm xserver_clients_write_xshm
-allow_xguest_exec_content xguest_exec_content
-allow_xserver_execmem xserver_execmem
-allow_ypbind nis_enabled
-allow_zebra_write_config zebra_write_config
-user_direct_dri selinuxuser_direct_dri_enabled
-user_ping selinuxuser_ping
-user_share_music selinuxuser_share_music
-user_tcp_server selinuxuser_tcp_server
-sepgsql_enable_pitr_implementation postgresql_can_rsync
-sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
-sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
-sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
-clamd_use_jit antivirus_use_jit
-amavis_use_jit antivirus_use_jit
-logwatch_can_sendmail logwatch_can_network_connect_mail
-puppet_manage_all_files puppetagent_manage_all_files
-virt_sandbox_use_nfs virt_use_nfs

SOURCES/customizable_types

@@ -1,14 +0,0 @@
-container_file_t
-sandbox_file_t
-svirt_image_t
-svirt_home_t
-svirt_sandbox_file_t
-virt_content_t
-httpd_user_htaccess_t
-httpd_user_script_exec_t
-httpd_user_rw_content_t
-httpd_user_ra_content_t
-httpd_user_content_t
-git_session_content_t
-home_bin_t
-user_tty_device_t

SOURCES/file_contexts.subs_dist

@@ -1,24 +0,0 @@
-/run /var/run
-/run/lock /var/lock
-/run/systemd/system /usr/lib/systemd/system
-/run/systemd/generator /usr/lib/systemd/system
-/run/systemd/generator.early /usr/lib/systemd/system
-/run/systemd/generator.late /usr/lib/systemd/system
-/lib /usr/lib
-/lib64 /usr/lib
-/usr/lib64 /usr/lib
-/usr/local/lib64 /usr/lib
-/usr/local/lib32 /usr/lib
-/etc/systemd/system /usr/lib/systemd/system
-/var/lib/xguest/home /home
-/var/named/chroot/usr/lib64 /usr/lib
-/var/named/chroot/lib64 /usr/lib
-/var/named/chroot/var  /var
-/home-inst            /home
-/home/home-inst            /home
-/var/roothome        /root
-/sbin                /usr/sbin
-/sysroot/tmp         /tmp
-/var/usrlocal        /usr/local
-/var/mnt             /mnt
-/bin                 /usr/bin

SOURCES/modules-minimum.lst

@@ -0,0 +1,50 @@
+apache
+application
+auditadm
+authlogin
+base
+bootloader
+clock
+dbus
+dmesg
+fstools
+getty
+hostname
+inetd
+init
+ipsec
+iptables
+kerberos
+libraries
+locallogin
+logadm
+logging
+lvm
+miscfiles
+modutils
+mount
+mta
+netlabel
+netutils
+nis
+postgresql
+secadm
+selinuxutil
+setrans
+seunshare
+ssh
+staff
+su
+sudo
+sysadm
+sysadm_secadm
+sysnetwork
+systemd
+udev
+unconfined
+unconfineduser
+unlabelednet
+unprivuser
+userdomain
+usermanage
+xserver

SOURCES/modules-mls-base.conf

@@ -1,380 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-# 
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-# 
-corecommands = base
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-# Layer: kernel
-# Module: unlabelednet
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-# 
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-# 
-secadm = module
-
-# Layer:role
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-# 
-sysadm_secadm = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-# 
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module

SOURCES/modules-targeted-base.conf

@@ -1,393 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = module
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-# Layer: kernel
-# Module: unconfined
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-# 
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-# 
-secadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-# 
-sysadm_secadm = module
-
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-# 
-unconfineduser = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-# 
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = module

SOURCES/permissivedomains.cil

@@ -1,2 +0,0 @@
-(roleattributeset cil_gen_require system_r)
-

SOURCES/rpm.macros

@@ -55,8 +55,10 @@ if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
-  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+  rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
+  semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
+  selinuxenabled && load_policy || : \
+  %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
 fi \
 %{nil}
 
@@ -71,15 +73,17 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ $1 -eq 0 ]; then \
   if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-    %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
-    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+    rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
+    semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
+    selinuxenabled && load_policy || : \
+    %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
   fi \
 fi \
 %{nil}
 
 # %selinux_relabel_pre [-s <policytype>]
 %selinux_relabel_pre("s:") \
-if %{_sbindir}/selinuxenabled; then \
+if selinuxenabled; then \
   if [ -e /etc/selinux/config ]; then \
     . /etc/selinux/config \
   fi \
@@ -103,9 +107,9 @@ _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
    if [ -f %{_file_context_file_pre} ]; then \
-     %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
+     fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
      rm -f %{_file_context_file_pre} \
    fi \
 fi \
@@ -121,9 +125,9 @@ if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ -d "%{_selinux_store_policy_path}" ]; then \
-  LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
+  LOCAL_MODIFICATIONS=$(semanage boolean -E) \
   if [ ! -f %_file_custom_defined_booleans ]; then \
-      /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
+      echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
   fi \
   semanage_import='' \
   for boolean in %*; do \
@@ -134,20 +138,20 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \
           semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
           boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
           if [ -n "$boolean_customized_string" ]; then \
-              /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+              echo $boolean_customized_string >> %_file_custom_defined_booleans \
           else \
-              /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+              echo $boolean_local_string >> %_file_custom_defined_booleans \
           fi \
       else \
           semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
-          boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
-          /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+          boolean_default_value=$(LC_ALL=C semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+          echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
       fi \
   done; \
-  if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+  if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" \
   elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
   fi \
 fi \
 %{nil}
@@ -173,10 +177,10 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \
           fi \
       fi \
   done; \
-  if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+  if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" \
   elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
-      /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+      echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \
   fi \
 fi \
 %{nil}

SOURCES/securetty_types-minimum

@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t

SOURCES/securetty_types-mls

@@ -1,6 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
-auditadm_tty_device_t
-secureadm_tty_device_t

SOURCES/securetty_types-targeted

@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t

SOURCES/selinux-policy-mls.conf

@@ -0,0 +1 @@
+selinux-policy-mls

SOURCES/selinux-policy-targeted.conf

@@ -0,0 +1 @@
+selinux-policy-targeted

SOURCES/setrans-minimum.conf

@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023.  Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh

SOURCES/setrans-mls.conf

@@ -1,52 +0,0 @@
-#
-# Multi-Level Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be labeled with one of 16 levels and be categorized with 0-1023 
-# categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Users can modify this table to translate the MLS labels for different purpose.
-#
-# Assumptions: using below MLS labels.
-#  SystemLow
-#  SystemHigh
-#  Unclassified 
-#  Secret with compartments A and B.
-# 
-# SystemLow and SystemHigh
-s0=SystemLow
-s15:c0.c1023=SystemHigh
-s0-s15:c0.c1023=SystemLow-SystemHigh
-
-# Unclassified level
-s1=Unclassified
-
-# Secret level with compartments
-s2=Secret
-s2:c0=A
-s2:c1=B
-
-# ranges for Unclassified
-s0-s1=SystemLow-Unclassified
-s1-s2=Unclassified-Secret
-s1-s15:c0.c1023=Unclassified-SystemHigh
-
-# ranges for Secret with compartments
-s0-s2=SystemLow-Secret
-s0-s2:c0=SystemLow-Secret:A
-s0-s2:c1=SystemLow-Secret:B
-s0-s2:c0,c1=SystemLow-Secret:AB
-s1-s2:c0=Unclassified-Secret:A
-s1-s2:c1=Unclassified-Secret:B
-s1-s2:c0,c1=Unclassified-Secret:AB
-s2-s2:c0=Secret-Secret:A
-s2-s2:c1=Secret-Secret:B
-s2-s2:c0,c1=Secret-Secret:AB
-s2-s15:c0.c1023=Secret-SystemHigh
-s2:c0-s2:c0,c1=Secret:A-Secret:AB
-s2:c0-s15:c0.c1023=Secret:A-SystemHigh
-s2:c1-s2:c0,c1=Secret:B-Secret:AB
-s2:c1-s15:c0.c1023=Secret:B-SystemHigh
-s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

SOURCES/setrans-targeted.conf

@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023.  Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh

SOURCES/users-minimum

@@ -1,39 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

SOURCES/users-mls

@@ -1,40 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)

SOURCES/users-targeted

@@ -1,41 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)

SOURCES/varrun-convert.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/bash
+### varrun-convert.sh
+### convert legacy filecontext entries containing /var/run to /run
+### and load an extra selinux module with the new content
+### the script takes a policy name as an argument
+
+# Set DEBUG=yes before running the script to get more verbose output
+# on the terminal and to the $LOG file
+if [ "${DEBUG}" = "yes" ]; then
+  set -x
+fi
+
+# Auxiliary and log files will be created in OUTPUTDIR
+OUTPUTDIR="/run/selinux-policy"
+LOG="$OUTPUTDIR/log"
+mkdir -p ${OUTPUTDIR}
+
+if [ -z ${1} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
+  exit
+fi
+
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+# Take current file_contexts and unify whitespace separators
+FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
+if [ ! -f ${FILE_CONTEXTS} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
+  exit
+fi
+
+if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
+  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
+  exit
+fi
+
+EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
+EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
+EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
+
+# Print only /var/run entries
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+
+# Unify whitespace separators
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
+
+# Deduplicate already existing /var/run=/run entries
+while read line
+do
+  subline="${line#/var}"
+  if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
+    echo "$line"
+  fi
+done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
+
+# Change /var/run to /run
+sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
+
+# Exception handling: packages with already duplicate entries
+sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
+
+# Change format to cil
+sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
+
+# Handle entries with <<none>> which do not match previous regexps
+sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
+
+# Wrap each line with an optional block
+i=1
+while read line
+do
+  echo "(optional extra_var_run_${i}"
+  echo "  $line"
+  echo ")"
+  ((i++))
+done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
+
+# Load module
+[ -s ${EXTRA_VARRUN_CIL} ] &&
+/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
+