Compare commits
No commits in common. 'cs10' and 'c9' have entirely different histories.
@ -1,2 +1,2 @@
|
|||||||
SOURCES/container-selinux.tgz
|
SOURCES/container-selinux.tgz
|
||||||
SOURCES/selinux-policy-14ba8a3.tar.gz
|
SOURCES/selinux-policy-0113b35.tar.gz
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
4e860788a4fe3bb771ba2f0d0f7a4b934d1d7eee SOURCES/container-selinux.tgz
|
484f3f9e443621ccd65c42d11229424a36bf58b9 SOURCES/container-selinux.tgz
|
||||||
e9156e9d0c01a68682e7a0f87772d6d3bba80a15 SOURCES/selinux-policy-14ba8a3.tar.gz
|
430470dababaa6af18348fc2f8f0fe2108b50e05 SOURCES/selinux-policy-0113b35.tar.gz
|
||||||
|
@ -0,0 +1,248 @@
|
|||||||
|
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||||
|
#
|
||||||
|
allow_execmem = false
|
||||||
|
|
||||||
|
# Allow making a modified private filemapping executable (text relocation).
|
||||||
|
#
|
||||||
|
allow_execmod = false
|
||||||
|
|
||||||
|
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||||
|
#
|
||||||
|
allow_execstack = true
|
||||||
|
|
||||||
|
# Allow ftpd to read cifs directories.
|
||||||
|
#
|
||||||
|
allow_ftpd_use_cifs = false
|
||||||
|
|
||||||
|
# Allow ftpd to read nfs directories.
|
||||||
|
#
|
||||||
|
allow_ftpd_use_nfs = false
|
||||||
|
|
||||||
|
# Allow ftp servers to modify public filesused for public file transfer services.
|
||||||
|
#
|
||||||
|
allow_ftpd_anon_write = false
|
||||||
|
|
||||||
|
# Allow gssd to read temp directory.
|
||||||
|
#
|
||||||
|
allow_gssd_read_tmp = true
|
||||||
|
|
||||||
|
# Allow Apache to modify public filesused for public file transfer services.
|
||||||
|
#
|
||||||
|
allow_httpd_anon_write = false
|
||||||
|
|
||||||
|
# Allow Apache to use mod_auth_pam module
|
||||||
|
#
|
||||||
|
allow_httpd_mod_auth_pam = false
|
||||||
|
|
||||||
|
# Allow system to run with kerberos
|
||||||
|
#
|
||||||
|
allow_kerberos = true
|
||||||
|
|
||||||
|
# Allow rsync to modify public filesused for public file transfer services.
|
||||||
|
#
|
||||||
|
allow_rsync_anon_write = false
|
||||||
|
|
||||||
|
# Allow sasl to read shadow
|
||||||
|
#
|
||||||
|
allow_saslauthd_read_shadow = false
|
||||||
|
|
||||||
|
# Allow samba to modify public filesused for public file transfer services.
|
||||||
|
#
|
||||||
|
allow_smbd_anon_write = false
|
||||||
|
|
||||||
|
# Allow system to run with NIS
|
||||||
|
#
|
||||||
|
allow_ypbind = false
|
||||||
|
|
||||||
|
# Allow zebra to write it own configuration files
|
||||||
|
#
|
||||||
|
allow_zebra_write_config = false
|
||||||
|
|
||||||
|
# Enable extra rules in the cron domainto support fcron.
|
||||||
|
#
|
||||||
|
fcron_crond = false
|
||||||
|
|
||||||
|
#
|
||||||
|
# allow httpd to connect to mysql/posgresql
|
||||||
|
httpd_can_network_connect_db = false
|
||||||
|
|
||||||
|
#
|
||||||
|
# allow httpd to send dbus messages to avahi
|
||||||
|
httpd_dbus_avahi = true
|
||||||
|
|
||||||
|
#
|
||||||
|
# allow httpd to network relay
|
||||||
|
httpd_can_network_relay = false
|
||||||
|
|
||||||
|
# Allow httpd to use built in scripting (usually php)
|
||||||
|
#
|
||||||
|
httpd_builtin_scripting = true
|
||||||
|
|
||||||
|
# Allow http daemon to tcp connect
|
||||||
|
#
|
||||||
|
httpd_can_network_connect = false
|
||||||
|
|
||||||
|
# Allow httpd cgi support
|
||||||
|
#
|
||||||
|
httpd_enable_cgi = true
|
||||||
|
|
||||||
|
# Allow httpd to act as a FTP server bylistening on the ftp port.
|
||||||
|
#
|
||||||
|
httpd_enable_ftp_server = false
|
||||||
|
|
||||||
|
# Allow httpd to read home directories
|
||||||
|
#
|
||||||
|
httpd_enable_homedirs = false
|
||||||
|
|
||||||
|
# Run SSI execs in system CGI script domain.
|
||||||
|
#
|
||||||
|
httpd_ssi_exec = false
|
||||||
|
|
||||||
|
# Allow http daemon to communicate with the TTY
|
||||||
|
#
|
||||||
|
httpd_tty_comm = false
|
||||||
|
|
||||||
|
# Run CGI in the main httpd domain
|
||||||
|
#
|
||||||
|
httpd_unified = false
|
||||||
|
|
||||||
|
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
||||||
|
#
|
||||||
|
named_write_master_zones = false
|
||||||
|
|
||||||
|
# Allow nfs to be exported read/write.
|
||||||
|
#
|
||||||
|
nfs_export_all_rw = true
|
||||||
|
|
||||||
|
# Allow nfs to be exported read only
|
||||||
|
#
|
||||||
|
nfs_export_all_ro = true
|
||||||
|
|
||||||
|
# Allow pppd to load kernel modules for certain modems
|
||||||
|
#
|
||||||
|
pppd_can_insmod = false
|
||||||
|
|
||||||
|
# Allow reading of default_t files.
|
||||||
|
#
|
||||||
|
read_default_t = false
|
||||||
|
|
||||||
|
# Allow samba to export user home directories.
|
||||||
|
#
|
||||||
|
samba_enable_home_dirs = false
|
||||||
|
|
||||||
|
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
|
||||||
|
#
|
||||||
|
squid_connect_any = false
|
||||||
|
|
||||||
|
# Support NFS home directories
|
||||||
|
#
|
||||||
|
use_nfs_home_dirs = true
|
||||||
|
|
||||||
|
# Support SAMBA home directories
|
||||||
|
#
|
||||||
|
use_samba_home_dirs = false
|
||||||
|
|
||||||
|
# Control users use of ping and traceroute
|
||||||
|
#
|
||||||
|
user_ping = false
|
||||||
|
|
||||||
|
# allow host key based authentication
|
||||||
|
#
|
||||||
|
allow_ssh_keysign = false
|
||||||
|
|
||||||
|
# Allow pppd to be run for a regular user
|
||||||
|
#
|
||||||
|
pppd_for_user = false
|
||||||
|
|
||||||
|
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
|
||||||
|
#
|
||||||
|
read_untrusted_content = false
|
||||||
|
|
||||||
|
# Allow spamd to write to users homedirs
|
||||||
|
#
|
||||||
|
spamd_enable_home_dirs = false
|
||||||
|
|
||||||
|
# Allow regular users direct mouse access
|
||||||
|
#
|
||||||
|
user_direct_mouse = false
|
||||||
|
|
||||||
|
# Allow users to read system messages.
|
||||||
|
#
|
||||||
|
user_dmesg = false
|
||||||
|
|
||||||
|
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||||
|
#
|
||||||
|
user_rw_noexattrfile = false
|
||||||
|
|
||||||
|
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
|
||||||
|
#
|
||||||
|
user_tcp_server = false
|
||||||
|
|
||||||
|
# Allow w to display everyone
|
||||||
|
#
|
||||||
|
user_ttyfile_stat = false
|
||||||
|
|
||||||
|
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
|
||||||
|
#
|
||||||
|
write_untrusted_content = false
|
||||||
|
|
||||||
|
# Allow all domains to talk to ttys
|
||||||
|
#
|
||||||
|
allow_daemons_use_tty = false
|
||||||
|
|
||||||
|
# Allow login domains to polyinstatiate directories
|
||||||
|
#
|
||||||
|
allow_polyinstantiation = false
|
||||||
|
|
||||||
|
# Allow all domains to dump core
|
||||||
|
#
|
||||||
|
allow_daemons_dump_core = true
|
||||||
|
|
||||||
|
# Allow samba to act as the domain controller
|
||||||
|
#
|
||||||
|
samba_domain_controller = false
|
||||||
|
|
||||||
|
# Allow samba to export user home directories.
|
||||||
|
#
|
||||||
|
samba_run_unconfined = false
|
||||||
|
|
||||||
|
# Allows XServer to execute writable memory
|
||||||
|
#
|
||||||
|
allow_xserver_execmem = false
|
||||||
|
|
||||||
|
# disallow guest accounts to execute files that they can create
|
||||||
|
#
|
||||||
|
allow_guest_exec_content = false
|
||||||
|
allow_xguest_exec_content = false
|
||||||
|
|
||||||
|
# Only allow browser to use the web
|
||||||
|
#
|
||||||
|
browser_confine_xguest=false
|
||||||
|
|
||||||
|
# Allow postfix locat to write to mail spool
|
||||||
|
#
|
||||||
|
allow_postfix_local_write_mail_spool=false
|
||||||
|
|
||||||
|
# Allow common users to read/write noexattrfile systems
|
||||||
|
#
|
||||||
|
user_rw_noexattrfile=true
|
||||||
|
|
||||||
|
# Allow qemu to connect fully to the network
|
||||||
|
#
|
||||||
|
qemu_full_network=true
|
||||||
|
|
||||||
|
# Allow nsplugin execmem/execstack for bad plugins
|
||||||
|
#
|
||||||
|
allow_nsplugin_execmem=true
|
||||||
|
|
||||||
|
# Allow unconfined domain to transition to confined domain
|
||||||
|
#
|
||||||
|
allow_unconfined_nsplugin_transition=true
|
||||||
|
|
||||||
|
# System uses init upstart program
|
||||||
|
#
|
||||||
|
init_upstart = true
|
||||||
|
|
||||||
|
# Allow mount to mount any file/dir
|
||||||
|
#
|
||||||
|
allow_mount_anyfile = true
|
@ -0,0 +1,6 @@
|
|||||||
|
kerberos_enabled = true
|
||||||
|
mount_anyfile = true
|
||||||
|
polyinstantiation_enabled = true
|
||||||
|
ftpd_is_daemon = true
|
||||||
|
selinuxuser_ping = true
|
||||||
|
xserver_object_manager = true
|
@ -0,0 +1,24 @@
|
|||||||
|
gssd_read_tmp = true
|
||||||
|
httpd_builtin_scripting = true
|
||||||
|
httpd_enable_cgi = true
|
||||||
|
kerberos_enabled = true
|
||||||
|
mount_anyfile = true
|
||||||
|
nfs_export_all_ro = true
|
||||||
|
nfs_export_all_rw = true
|
||||||
|
nscd_use_shm = true
|
||||||
|
openvpn_enable_homedirs = true
|
||||||
|
postfix_local_write_mail_spool=true
|
||||||
|
pppd_can_insmod = false
|
||||||
|
privoxy_connect_any = true
|
||||||
|
selinuxuser_direct_dri_enabled = true
|
||||||
|
selinuxuser_execmem = true
|
||||||
|
selinuxuser_execstack = true
|
||||||
|
selinuxuser_rw_noexattrfile=true
|
||||||
|
selinuxuser_ping = true
|
||||||
|
squid_connect_any = true
|
||||||
|
telepathy_tcp_connect_generic_network_ports=true
|
||||||
|
unconfined_chrome_sandbox_transition=true
|
||||||
|
unconfined_mozilla_plugin_transition=true
|
||||||
|
xguest_exec_content = true
|
||||||
|
mozilla_plugin_can_network_connect = true
|
||||||
|
use_virtualbox = true
|
@ -0,0 +1,54 @@
|
|||||||
|
allow_auditadm_exec_content auditadm_exec_content
|
||||||
|
allow_console_login login_console_enabled
|
||||||
|
allow_cvs_read_shadow cvs_read_shadow
|
||||||
|
allow_daemons_dump_core daemons_dump_core
|
||||||
|
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
|
||||||
|
allow_daemons_use_tty daemons_use_tty
|
||||||
|
allow_domain_fd_use domain_fd_use
|
||||||
|
allow_execheap selinuxuser_execheap
|
||||||
|
allow_execmod selinuxuser_execmod
|
||||||
|
allow_execstack selinuxuser_execstack
|
||||||
|
allow_ftpd_anon_write ftpd_anon_write
|
||||||
|
allow_ftpd_full_access ftpd_full_access
|
||||||
|
allow_ftpd_use_cifs ftpd_use_cifs
|
||||||
|
allow_ftpd_use_nfs ftpd_use_nfs
|
||||||
|
allow_gssd_read_tmp gssd_read_tmp
|
||||||
|
allow_guest_exec_content guest_exec_content
|
||||||
|
allow_httpd_anon_write httpd_anon_write
|
||||||
|
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
|
||||||
|
allow_httpd_mod_auth_pam httpd_mod_auth_pam
|
||||||
|
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
|
||||||
|
allow_kerberos kerberos_enabled
|
||||||
|
allow_mplayer_execstack mplayer_execstack
|
||||||
|
allow_mount_anyfile mount_anyfile
|
||||||
|
allow_nfsd_anon_write nfsd_anon_write
|
||||||
|
allow_polyinstantiation polyinstantiation_enabled
|
||||||
|
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
|
||||||
|
allow_rsync_anon_write rsync_anon_write
|
||||||
|
allow_saslauthd_read_shadow saslauthd_read_shadow
|
||||||
|
allow_secadm_exec_content secadm_exec_content
|
||||||
|
allow_smbd_anon_write smbd_anon_write
|
||||||
|
allow_ssh_keysign ssh_keysign
|
||||||
|
allow_staff_exec_content staff_exec_content
|
||||||
|
allow_sysadm_exec_content sysadm_exec_content
|
||||||
|
allow_user_exec_content user_exec_content
|
||||||
|
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
|
||||||
|
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
|
||||||
|
allow_write_xshm xserver_clients_write_xshm
|
||||||
|
allow_xguest_exec_content xguest_exec_content
|
||||||
|
allow_xserver_execmem xserver_execmem
|
||||||
|
allow_ypbind nis_enabled
|
||||||
|
allow_zebra_write_config zebra_write_config
|
||||||
|
user_direct_dri selinuxuser_direct_dri_enabled
|
||||||
|
user_ping selinuxuser_ping
|
||||||
|
user_share_music selinuxuser_share_music
|
||||||
|
user_tcp_server selinuxuser_tcp_server
|
||||||
|
sepgsql_enable_pitr_implementation postgresql_can_rsync
|
||||||
|
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
|
||||||
|
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
|
||||||
|
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
|
||||||
|
clamd_use_jit antivirus_use_jit
|
||||||
|
amavis_use_jit antivirus_use_jit
|
||||||
|
logwatch_can_sendmail logwatch_can_network_connect_mail
|
||||||
|
puppet_manage_all_files puppetagent_manage_all_files
|
||||||
|
virt_sandbox_use_nfs virt_use_nfs
|
@ -0,0 +1,14 @@
|
|||||||
|
container_file_t
|
||||||
|
sandbox_file_t
|
||||||
|
svirt_image_t
|
||||||
|
svirt_home_t
|
||||||
|
svirt_sandbox_file_t
|
||||||
|
virt_content_t
|
||||||
|
httpd_user_htaccess_t
|
||||||
|
httpd_user_script_exec_t
|
||||||
|
httpd_user_rw_content_t
|
||||||
|
httpd_user_ra_content_t
|
||||||
|
httpd_user_content_t
|
||||||
|
git_session_content_t
|
||||||
|
home_bin_t
|
||||||
|
user_tty_device_t
|
@ -0,0 +1,24 @@
|
|||||||
|
/run /var/run
|
||||||
|
/run/lock /var/lock
|
||||||
|
/run/systemd/system /usr/lib/systemd/system
|
||||||
|
/run/systemd/generator /usr/lib/systemd/system
|
||||||
|
/run/systemd/generator.early /usr/lib/systemd/system
|
||||||
|
/run/systemd/generator.late /usr/lib/systemd/system
|
||||||
|
/lib /usr/lib
|
||||||
|
/lib64 /usr/lib
|
||||||
|
/usr/lib64 /usr/lib
|
||||||
|
/usr/local/lib64 /usr/lib
|
||||||
|
/usr/local/lib32 /usr/lib
|
||||||
|
/etc/systemd/system /usr/lib/systemd/system
|
||||||
|
/var/lib/xguest/home /home
|
||||||
|
/var/named/chroot/usr/lib64 /usr/lib
|
||||||
|
/var/named/chroot/lib64 /usr/lib
|
||||||
|
/var/named/chroot/var /var
|
||||||
|
/home-inst /home
|
||||||
|
/home/home-inst /home
|
||||||
|
/var/roothome /root
|
||||||
|
/sbin /usr/sbin
|
||||||
|
/sysroot/tmp /tmp
|
||||||
|
/var/usrlocal /usr/local
|
||||||
|
/var/mnt /mnt
|
||||||
|
/bin /usr/bin
|
@ -1,50 +0,0 @@
|
|||||||
apache
|
|
||||||
application
|
|
||||||
auditadm
|
|
||||||
authlogin
|
|
||||||
base
|
|
||||||
bootloader
|
|
||||||
clock
|
|
||||||
dbus
|
|
||||||
dmesg
|
|
||||||
fstools
|
|
||||||
getty
|
|
||||||
hostname
|
|
||||||
inetd
|
|
||||||
init
|
|
||||||
ipsec
|
|
||||||
iptables
|
|
||||||
kerberos
|
|
||||||
libraries
|
|
||||||
locallogin
|
|
||||||
logadm
|
|
||||||
logging
|
|
||||||
lvm
|
|
||||||
miscfiles
|
|
||||||
modutils
|
|
||||||
mount
|
|
||||||
mta
|
|
||||||
netlabel
|
|
||||||
netutils
|
|
||||||
nis
|
|
||||||
postgresql
|
|
||||||
secadm
|
|
||||||
selinuxutil
|
|
||||||
setrans
|
|
||||||
seunshare
|
|
||||||
ssh
|
|
||||||
staff
|
|
||||||
su
|
|
||||||
sudo
|
|
||||||
sysadm
|
|
||||||
sysadm_secadm
|
|
||||||
sysnetwork
|
|
||||||
systemd
|
|
||||||
udev
|
|
||||||
unconfined
|
|
||||||
unconfineduser
|
|
||||||
unlabelednet
|
|
||||||
unprivuser
|
|
||||||
userdomain
|
|
||||||
usermanage
|
|
||||||
xserver
|
|
@ -0,0 +1,380 @@
|
|||||||
|
# Layer: kernel
|
||||||
|
# Module: bootloader
|
||||||
|
#
|
||||||
|
# Policy for the kernel modules, kernel image, and bootloader.
|
||||||
|
#
|
||||||
|
bootloader = module
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: corenetwork
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy controlling access to network objects
|
||||||
|
#
|
||||||
|
corenetwork = base
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: dmesg
|
||||||
|
#
|
||||||
|
# Policy for dmesg.
|
||||||
|
#
|
||||||
|
dmesg = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: netutils
|
||||||
|
#
|
||||||
|
# Network analysis utilities
|
||||||
|
#
|
||||||
|
netutils = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: sudo
|
||||||
|
#
|
||||||
|
# Execute a command with a substitute user
|
||||||
|
#
|
||||||
|
sudo = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: su
|
||||||
|
#
|
||||||
|
# Run shells with substitute user and group
|
||||||
|
#
|
||||||
|
su = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: usermanage
|
||||||
|
#
|
||||||
|
# Policy for managing user accounts.
|
||||||
|
#
|
||||||
|
usermanage = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: seunshare
|
||||||
|
#
|
||||||
|
# seunshare executable
|
||||||
|
#
|
||||||
|
seunshare = module
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: corecommands
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Core policy for shells, and generic programs
|
||||||
|
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||||
|
#
|
||||||
|
corecommands = base
|
||||||
|
|
||||||
|
# Module: devices
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Device nodes and interfaces for many basic system devices.
|
||||||
|
#
|
||||||
|
devices = base
|
||||||
|
|
||||||
|
# Module: domain
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Core policy for domains.
|
||||||
|
#
|
||||||
|
domain = base
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: userdomain
|
||||||
|
#
|
||||||
|
# Policy for user domains
|
||||||
|
#
|
||||||
|
userdomain = module
|
||||||
|
|
||||||
|
# Module: files
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Basic filesystem types and interfaces.
|
||||||
|
#
|
||||||
|
files = base
|
||||||
|
|
||||||
|
# Module: filesystem
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for filesystems.
|
||||||
|
#
|
||||||
|
filesystem = base
|
||||||
|
|
||||||
|
# Module: kernel
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||||
|
#
|
||||||
|
kernel = base
|
||||||
|
|
||||||
|
# Module: mcs
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# MultiCategory security policy
|
||||||
|
#
|
||||||
|
mcs = base
|
||||||
|
|
||||||
|
# Module: mls
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Multilevel security policy
|
||||||
|
#
|
||||||
|
mls = base
|
||||||
|
|
||||||
|
# Module: selinux
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for kernel security interface, in particular, selinuxfs.
|
||||||
|
#
|
||||||
|
selinux = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: storage
|
||||||
|
#
|
||||||
|
# Policy controlling access to storage devices
|
||||||
|
#
|
||||||
|
storage = base
|
||||||
|
|
||||||
|
# Module: terminal
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for terminals.
|
||||||
|
#
|
||||||
|
terminal = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: ubac
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#
|
||||||
|
ubac = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: unlabelednet
|
||||||
|
#
|
||||||
|
# The unlabelednet module.
|
||||||
|
#
|
||||||
|
unlabelednet = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: auditadm
|
||||||
|
#
|
||||||
|
# auditadm account on tty logins
|
||||||
|
#
|
||||||
|
auditadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: logadm
|
||||||
|
#
|
||||||
|
# Minimally prived root role for managing logging system
|
||||||
|
#
|
||||||
|
logadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: secadm
|
||||||
|
#
|
||||||
|
# secadm account on tty logins
|
||||||
|
#
|
||||||
|
secadm = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: staff
|
||||||
|
#
|
||||||
|
# admin account
|
||||||
|
#
|
||||||
|
staff = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: sysadm_secadm
|
||||||
|
#
|
||||||
|
# System Administrator with Security Admin rules
|
||||||
|
#
|
||||||
|
sysadm_secadm = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: sysadm
|
||||||
|
#
|
||||||
|
# System Administrator
|
||||||
|
#
|
||||||
|
sysadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: unprivuser
|
||||||
|
#
|
||||||
|
# Minimally privs guest account on tty logins
|
||||||
|
#
|
||||||
|
unprivuser = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: postgresql
|
||||||
|
#
|
||||||
|
# PostgreSQL relational database
|
||||||
|
#
|
||||||
|
postgresql = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: ssh
|
||||||
|
#
|
||||||
|
# Secure shell client and server policy.
|
||||||
|
#
|
||||||
|
ssh = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: xserver
|
||||||
|
#
|
||||||
|
# X windows login display manager
|
||||||
|
#
|
||||||
|
xserver = module
|
||||||
|
|
||||||
|
# Module: application
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Defines attributs and interfaces for all user applications
|
||||||
|
#
|
||||||
|
application = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: authlogin
|
||||||
|
#
|
||||||
|
# Common policy for authentication and user login.
|
||||||
|
#
|
||||||
|
authlogin = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: clock
|
||||||
|
#
|
||||||
|
# Policy for reading and setting the hardware clock.
|
||||||
|
#
|
||||||
|
clock = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: fstools
|
||||||
|
#
|
||||||
|
# Tools for filesystem management, such as mkfs and fsck.
|
||||||
|
#
|
||||||
|
fstools = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: getty
|
||||||
|
#
|
||||||
|
# Policy for getty.
|
||||||
|
#
|
||||||
|
getty = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: hostname
|
||||||
|
#
|
||||||
|
# Policy for changing the system host name.
|
||||||
|
#
|
||||||
|
hostname = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: init
|
||||||
|
#
|
||||||
|
# System initialization programs (init and init scripts).
|
||||||
|
#
|
||||||
|
init = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: ipsec
|
||||||
|
#
|
||||||
|
# TCP/IP encryption
|
||||||
|
#
|
||||||
|
ipsec = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: iptables
|
||||||
|
#
|
||||||
|
# Policy for iptables.
|
||||||
|
#
|
||||||
|
iptables = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: libraries
|
||||||
|
#
|
||||||
|
# Policy for system libraries.
|
||||||
|
#
|
||||||
|
libraries = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: locallogin
|
||||||
|
#
|
||||||
|
# Policy for local logins.
|
||||||
|
#
|
||||||
|
locallogin = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: logging
|
||||||
|
#
|
||||||
|
# Policy for the kernel message logger and system logging daemon.
|
||||||
|
#
|
||||||
|
logging = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: lvm
|
||||||
|
#
|
||||||
|
# Policy for logical volume management programs.
|
||||||
|
#
|
||||||
|
lvm = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: miscfiles
|
||||||
|
#
|
||||||
|
# Miscelaneous files.
|
||||||
|
#
|
||||||
|
miscfiles = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: modutils
|
||||||
|
#
|
||||||
|
# Policy for kernel module utilities
|
||||||
|
#
|
||||||
|
modutils = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: mount
|
||||||
|
#
|
||||||
|
# Policy for mount.
|
||||||
|
#
|
||||||
|
mount = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: netlabel
|
||||||
|
#
|
||||||
|
# Basic netlabel types and interfaces.
|
||||||
|
#
|
||||||
|
netlabel = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: selinuxutil
|
||||||
|
#
|
||||||
|
# Policy for SELinux policy and userland applications.
|
||||||
|
#
|
||||||
|
selinuxutil = module
|
||||||
|
|
||||||
|
# Module: setrans
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for setrans
|
||||||
|
#
|
||||||
|
setrans = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: sysnetwork
|
||||||
|
#
|
||||||
|
# Policy for network configuration: ifconfig and dhcp client.
|
||||||
|
#
|
||||||
|
sysnetwork = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: systemd
|
||||||
|
#
|
||||||
|
# Policy for systemd components
|
||||||
|
#
|
||||||
|
systemd = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: udev
|
||||||
|
#
|
||||||
|
# Policy for udev.
|
||||||
|
#
|
||||||
|
udev = module
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,393 @@
|
|||||||
|
# Layer: kernel
|
||||||
|
# Module: bootloader
|
||||||
|
#
|
||||||
|
# Policy for the kernel modules, kernel image, and bootloader.
|
||||||
|
#
|
||||||
|
bootloader = module
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: corecommands
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Core policy for shells, and generic programs
|
||||||
|
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||||
|
#
|
||||||
|
corecommands = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: corenetwork
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy controlling access to network objects
|
||||||
|
#
|
||||||
|
corenetwork = base
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: dmesg
|
||||||
|
#
|
||||||
|
# Policy for dmesg.
|
||||||
|
#
|
||||||
|
dmesg = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: netutils
|
||||||
|
#
|
||||||
|
# Network analysis utilities
|
||||||
|
#
|
||||||
|
netutils = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: sudo
|
||||||
|
#
|
||||||
|
# Execute a command with a substitute user
|
||||||
|
#
|
||||||
|
sudo = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: su
|
||||||
|
#
|
||||||
|
# Run shells with substitute user and group
|
||||||
|
#
|
||||||
|
su = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: usermanage
|
||||||
|
#
|
||||||
|
# Policy for managing user accounts.
|
||||||
|
#
|
||||||
|
usermanage = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: seunshare
|
||||||
|
#
|
||||||
|
# seunshare executable
|
||||||
|
#
|
||||||
|
seunshare = module
|
||||||
|
|
||||||
|
# Module: devices
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Device nodes and interfaces for many basic system devices.
|
||||||
|
#
|
||||||
|
devices = base
|
||||||
|
|
||||||
|
# Module: domain
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Core policy for domains.
|
||||||
|
#
|
||||||
|
domain = base
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: userdomain
|
||||||
|
#
|
||||||
|
# Policy for user domains
|
||||||
|
#
|
||||||
|
userdomain = module
|
||||||
|
|
||||||
|
# Module: files
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Basic filesystem types and interfaces.
|
||||||
|
#
|
||||||
|
files = base
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: miscfiles
|
||||||
|
#
|
||||||
|
# Miscelaneous files.
|
||||||
|
#
|
||||||
|
miscfiles = module
|
||||||
|
|
||||||
|
# Module: filesystem
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for filesystems.
|
||||||
|
#
|
||||||
|
filesystem = base
|
||||||
|
|
||||||
|
# Module: kernel
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||||
|
#
|
||||||
|
kernel = base
|
||||||
|
|
||||||
|
# Module: mcs
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# MultiCategory security policy
|
||||||
|
#
|
||||||
|
mcs = base
|
||||||
|
|
||||||
|
# Module: mls
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Multilevel security policy
|
||||||
|
#
|
||||||
|
mls = base
|
||||||
|
|
||||||
|
# Module: selinux
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for kernel security interface, in particular, selinuxfs.
|
||||||
|
#
|
||||||
|
selinux = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: storage
|
||||||
|
#
|
||||||
|
# Policy controlling access to storage devices
|
||||||
|
#
|
||||||
|
storage = base
|
||||||
|
|
||||||
|
# Module: terminal
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for terminals.
|
||||||
|
#
|
||||||
|
terminal = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: ubac
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#
|
||||||
|
ubac = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: unconfined
|
||||||
|
#
|
||||||
|
# The unlabelednet module.
|
||||||
|
#
|
||||||
|
unlabelednet = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: auditadm
|
||||||
|
#
|
||||||
|
# auditadm account on tty logins
|
||||||
|
#
|
||||||
|
auditadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: logadm
|
||||||
|
#
|
||||||
|
# Minimally prived root role for managing logging system
|
||||||
|
#
|
||||||
|
logadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: secadm
|
||||||
|
#
|
||||||
|
# secadm account on tty logins
|
||||||
|
#
|
||||||
|
secadm = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: sysadm_secadm
|
||||||
|
#
|
||||||
|
# System Administrator with Security Admin rules
|
||||||
|
#
|
||||||
|
sysadm_secadm = module
|
||||||
|
|
||||||
|
# Module: staff
|
||||||
|
#
|
||||||
|
# admin account
|
||||||
|
#
|
||||||
|
staff = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: sysadm
|
||||||
|
#
|
||||||
|
# System Administrator
|
||||||
|
#
|
||||||
|
sysadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: unconfineduser
|
||||||
|
#
|
||||||
|
# The unconfined user domain.
|
||||||
|
#
|
||||||
|
unconfineduser = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: unprivuser
|
||||||
|
#
|
||||||
|
# Minimally privs guest account on tty logins
|
||||||
|
#
|
||||||
|
unprivuser = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: postgresql
|
||||||
|
#
|
||||||
|
# PostgreSQL relational database
|
||||||
|
#
|
||||||
|
postgresql = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: ssh
|
||||||
|
#
|
||||||
|
# Secure shell client and server policy.
|
||||||
|
#
|
||||||
|
ssh = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: xserver
|
||||||
|
#
|
||||||
|
# X windows login display manager
|
||||||
|
#
|
||||||
|
xserver = module
|
||||||
|
|
||||||
|
# Module: application
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Defines attributs and interfaces for all user applications
|
||||||
|
#
|
||||||
|
application = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: authlogin
|
||||||
|
#
|
||||||
|
# Common policy for authentication and user login.
|
||||||
|
#
|
||||||
|
authlogin = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: clock
|
||||||
|
#
|
||||||
|
# Policy for reading and setting the hardware clock.
|
||||||
|
#
|
||||||
|
clock = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: fstools
|
||||||
|
#
|
||||||
|
# Tools for filesystem management, such as mkfs and fsck.
|
||||||
|
#
|
||||||
|
fstools = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: getty
|
||||||
|
#
|
||||||
|
# Policy for getty.
|
||||||
|
#
|
||||||
|
getty = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: hostname
|
||||||
|
#
|
||||||
|
# Policy for changing the system host name.
|
||||||
|
#
|
||||||
|
hostname = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: init
|
||||||
|
#
|
||||||
|
# System initialization programs (init and init scripts).
|
||||||
|
#
|
||||||
|
init = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: ipsec
|
||||||
|
#
|
||||||
|
# TCP/IP encryption
|
||||||
|
#
|
||||||
|
ipsec = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: iptables
|
||||||
|
#
|
||||||
|
# Policy for iptables.
|
||||||
|
#
|
||||||
|
iptables = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: libraries
|
||||||
|
#
|
||||||
|
# Policy for system libraries.
|
||||||
|
#
|
||||||
|
libraries = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: locallogin
|
||||||
|
#
|
||||||
|
# Policy for local logins.
|
||||||
|
#
|
||||||
|
locallogin = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: logging
|
||||||
|
#
|
||||||
|
# Policy for the kernel message logger and system logging daemon.
|
||||||
|
#
|
||||||
|
logging = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: lvm
|
||||||
|
#
|
||||||
|
# Policy for logical volume management programs.
|
||||||
|
#
|
||||||
|
lvm = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: modutils
|
||||||
|
#
|
||||||
|
# Policy for kernel module utilities
|
||||||
|
#
|
||||||
|
modutils = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: mount
|
||||||
|
#
|
||||||
|
# Policy for mount.
|
||||||
|
#
|
||||||
|
mount = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: netlabel
|
||||||
|
#
|
||||||
|
# Basic netlabel types and interfaces.
|
||||||
|
#
|
||||||
|
netlabel = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: selinuxutil
|
||||||
|
#
|
||||||
|
# Policy for SELinux policy and userland applications.
|
||||||
|
#
|
||||||
|
selinuxutil = module
|
||||||
|
|
||||||
|
# Module: setrans
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for setrans
|
||||||
|
#
|
||||||
|
setrans = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: sysnetwork
|
||||||
|
#
|
||||||
|
# Policy for network configuration: ifconfig and dhcp client.
|
||||||
|
#
|
||||||
|
sysnetwork = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: systemd
|
||||||
|
#
|
||||||
|
# Policy for systemd components
|
||||||
|
#
|
||||||
|
systemd = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: udev
|
||||||
|
#
|
||||||
|
# Policy for udev.
|
||||||
|
#
|
||||||
|
udev = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: unconfined
|
||||||
|
#
|
||||||
|
# The unconfined domain.
|
||||||
|
#
|
||||||
|
unconfined = module
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,2 @@
|
|||||||
|
(roleattributeset cil_gen_require system_r)
|
||||||
|
|
@ -0,0 +1,4 @@
|
|||||||
|
console_device_t
|
||||||
|
sysadm_tty_device_t
|
||||||
|
user_tty_device_t
|
||||||
|
staff_tty_device_t
|
@ -0,0 +1,6 @@
|
|||||||
|
console_device_t
|
||||||
|
sysadm_tty_device_t
|
||||||
|
user_tty_device_t
|
||||||
|
staff_tty_device_t
|
||||||
|
auditadm_tty_device_t
|
||||||
|
secureadm_tty_device_t
|
@ -0,0 +1,4 @@
|
|||||||
|
console_device_t
|
||||||
|
sysadm_tty_device_t
|
||||||
|
user_tty_device_t
|
||||||
|
staff_tty_device_t
|
@ -1 +0,0 @@
|
|||||||
selinux-policy-mls
|
|
@ -1 +0,0 @@
|
|||||||
selinux-policy-targeted
|
|
@ -0,0 +1,19 @@
|
|||||||
|
#
|
||||||
|
# Multi-Category Security translation table for SELinux
|
||||||
|
#
|
||||||
|
# Uncomment the following to disable translation libary
|
||||||
|
# disable=1
|
||||||
|
#
|
||||||
|
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||||
|
# Objects can be in more than one category at a time.
|
||||||
|
# Categories are stored in the system as c0-c1023. Users can use this
|
||||||
|
# table to translate the categories into a more meaningful output.
|
||||||
|
# Examples:
|
||||||
|
# s0:c0=CompanyConfidential
|
||||||
|
# s0:c1=PatientRecord
|
||||||
|
# s0:c2=Unclassified
|
||||||
|
# s0:c3=TopSecret
|
||||||
|
# s0:c1,c3=CompanyConfidentialRedHat
|
||||||
|
s0=SystemLow
|
||||||
|
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||||
|
s0:c0.c1023=SystemHigh
|
@ -0,0 +1,52 @@
|
|||||||
|
#
|
||||||
|
# Multi-Level Security translation table for SELinux
|
||||||
|
#
|
||||||
|
# Uncomment the following to disable translation libary
|
||||||
|
# disable=1
|
||||||
|
#
|
||||||
|
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
|
||||||
|
# categories defined by the admin.
|
||||||
|
# Objects can be in more than one category at a time.
|
||||||
|
# Users can modify this table to translate the MLS labels for different purpose.
|
||||||
|
#
|
||||||
|
# Assumptions: using below MLS labels.
|
||||||
|
# SystemLow
|
||||||
|
# SystemHigh
|
||||||
|
# Unclassified
|
||||||
|
# Secret with compartments A and B.
|
||||||
|
#
|
||||||
|
# SystemLow and SystemHigh
|
||||||
|
s0=SystemLow
|
||||||
|
s15:c0.c1023=SystemHigh
|
||||||
|
s0-s15:c0.c1023=SystemLow-SystemHigh
|
||||||
|
|
||||||
|
# Unclassified level
|
||||||
|
s1=Unclassified
|
||||||
|
|
||||||
|
# Secret level with compartments
|
||||||
|
s2=Secret
|
||||||
|
s2:c0=A
|
||||||
|
s2:c1=B
|
||||||
|
|
||||||
|
# ranges for Unclassified
|
||||||
|
s0-s1=SystemLow-Unclassified
|
||||||
|
s1-s2=Unclassified-Secret
|
||||||
|
s1-s15:c0.c1023=Unclassified-SystemHigh
|
||||||
|
|
||||||
|
# ranges for Secret with compartments
|
||||||
|
s0-s2=SystemLow-Secret
|
||||||
|
s0-s2:c0=SystemLow-Secret:A
|
||||||
|
s0-s2:c1=SystemLow-Secret:B
|
||||||
|
s0-s2:c0,c1=SystemLow-Secret:AB
|
||||||
|
s1-s2:c0=Unclassified-Secret:A
|
||||||
|
s1-s2:c1=Unclassified-Secret:B
|
||||||
|
s1-s2:c0,c1=Unclassified-Secret:AB
|
||||||
|
s2-s2:c0=Secret-Secret:A
|
||||||
|
s2-s2:c1=Secret-Secret:B
|
||||||
|
s2-s2:c0,c1=Secret-Secret:AB
|
||||||
|
s2-s15:c0.c1023=Secret-SystemHigh
|
||||||
|
s2:c0-s2:c0,c1=Secret:A-Secret:AB
|
||||||
|
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
|
||||||
|
s2:c1-s2:c0,c1=Secret:B-Secret:AB
|
||||||
|
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
|
||||||
|
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
|
@ -0,0 +1,19 @@
|
|||||||
|
#
|
||||||
|
# Multi-Category Security translation table for SELinux
|
||||||
|
#
|
||||||
|
# Uncomment the following to disable translation libary
|
||||||
|
# disable=1
|
||||||
|
#
|
||||||
|
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||||
|
# Objects can be in more than one category at a time.
|
||||||
|
# Categories are stored in the system as c0-c1023. Users can use this
|
||||||
|
# table to translate the categories into a more meaningful output.
|
||||||
|
# Examples:
|
||||||
|
# s0:c0=CompanyConfidential
|
||||||
|
# s0:c1=PatientRecord
|
||||||
|
# s0:c2=Unclassified
|
||||||
|
# s0:c3=TopSecret
|
||||||
|
# s0:c1,c3=CompanyConfidentialRedHat
|
||||||
|
s0=SystemLow
|
||||||
|
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||||
|
s0:c0.c1023=SystemHigh
|
@ -0,0 +1,39 @@
|
|||||||
|
##################################
|
||||||
|
#
|
||||||
|
# Core User configuration.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||||
|
#
|
||||||
|
# Note: Identities without a prefix wil not be listed
|
||||||
|
# in the users_extra file used by genhomedircon.
|
||||||
|
|
||||||
|
#
|
||||||
|
# system_u is the user identity for system processes and objects.
|
||||||
|
# There should be no corresponding Unix user identity for system,
|
||||||
|
# and a user process should never be assigned the system user
|
||||||
|
# identity.
|
||||||
|
#
|
||||||
|
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# user_u is a generic user identity for Linux users who have no
|
||||||
|
# SELinux user identity defined. The modified daemons will use
|
||||||
|
# this user identity in the security context if there is no matching
|
||||||
|
# SELinux user identity for a Linux user. If you do not want to
|
||||||
|
# permit any access to such users, then remove this entry.
|
||||||
|
#
|
||||||
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
|
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following users correspond to Unix identities.
|
||||||
|
# These identities are typically assigned as the user attribute
|
||||||
|
# when login starts the user shell. Users with access to the sysadm_r
|
||||||
|
# role should use the staff_r role instead of the user_r role when
|
||||||
|
# not in the sysadm_r.
|
||||||
|
#
|
||||||
|
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
@ -0,0 +1,40 @@
|
|||||||
|
##################################
|
||||||
|
#
|
||||||
|
# Core User configuration.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||||
|
#
|
||||||
|
# Note: Identities without a prefix wil not be listed
|
||||||
|
# in the users_extra file used by genhomedircon.
|
||||||
|
|
||||||
|
#
|
||||||
|
# system_u is the user identity for system processes and objects.
|
||||||
|
# There should be no corresponding Unix user identity for system,
|
||||||
|
# and a user process should never be assigned the system user
|
||||||
|
# identity.
|
||||||
|
#
|
||||||
|
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# user_u is a generic user identity for Linux users who have no
|
||||||
|
# SELinux user identity defined. The modified daemons will use
|
||||||
|
# this user identity in the security context if there is no matching
|
||||||
|
# SELinux user identity for a Linux user. If you do not want to
|
||||||
|
# permit any access to such users, then remove this entry.
|
||||||
|
#
|
||||||
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
|
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following users correspond to Unix identities.
|
||||||
|
# These identities are typically assigned as the user attribute
|
||||||
|
# when login starts the user shell. Users with access to the sysadm_r
|
||||||
|
# role should use the staff_r role instead of the user_r role when
|
||||||
|
# not in the sysadm_r.
|
||||||
|
#
|
||||||
|
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(guest_u, user, guest_r, s0, s0)
|
||||||
|
gen_user(xguest_u, user, xguest_r, s0, s0)
|
@ -0,0 +1,41 @@
|
|||||||
|
##################################
|
||||||
|
#
|
||||||
|
# Core User configuration.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||||
|
#
|
||||||
|
# Note: Identities without a prefix wil not be listed
|
||||||
|
# in the users_extra file used by genhomedircon.
|
||||||
|
|
||||||
|
#
|
||||||
|
# system_u is the user identity for system processes and objects.
|
||||||
|
# There should be no corresponding Unix user identity for system,
|
||||||
|
# and a user process should never be assigned the system user
|
||||||
|
# identity.
|
||||||
|
#
|
||||||
|
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# user_u is a generic user identity for Linux users who have no
|
||||||
|
# SELinux user identity defined. The modified daemons will use
|
||||||
|
# this user identity in the security context if there is no matching
|
||||||
|
# SELinux user identity for a Linux user. If you do not want to
|
||||||
|
# permit any access to such users, then remove this entry.
|
||||||
|
#
|
||||||
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
|
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following users correspond to Unix identities.
|
||||||
|
# These identities are typically assigned as the user attribute
|
||||||
|
# when login starts the user shell. Users with access to the sysadm_r
|
||||||
|
# role should use the staff_r role instead of the user_r role when
|
||||||
|
# not in the sysadm_r.
|
||||||
|
#
|
||||||
|
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(guest_u, user, guest_r, s0, s0)
|
||||||
|
gen_user(xguest_u, user, xguest_r, s0, s0)
|
@ -1,95 +0,0 @@
|
|||||||
#!/usr/bin/bash
|
|
||||||
### varrun-convert.sh
|
|
||||||
### convert legacy filecontext entries containing /var/run to /run
|
|
||||||
### and load an extra selinux module with the new content
|
|
||||||
### the script takes a policy name as an argument
|
|
||||||
|
|
||||||
# Set DEBUG=yes before running the script to get more verbose output
|
|
||||||
# on the terminal and to the $LOG file
|
|
||||||
if [ "${DEBUG}" = "yes" ]; then
|
|
||||||
set -x
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Auxiliary and log files will be created in OUTPUTDIR
|
|
||||||
OUTPUTDIR="/run/selinux-policy"
|
|
||||||
LOG="$OUTPUTDIR/log"
|
|
||||||
mkdir -p ${OUTPUTDIR}
|
|
||||||
|
|
||||||
if [ -z ${1} ]; then
|
|
||||||
[ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
|
|
||||||
SEMODULEOPT="-s ${1}"
|
|
||||||
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
|
|
||||||
|
|
||||||
# Take current file_contexts and unify whitespace separators
|
|
||||||
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
|
|
||||||
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
|
|
||||||
if [ ! -f ${FILE_CONTEXTS} ]; then
|
|
||||||
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
|
|
||||||
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
|
|
||||||
EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
|
|
||||||
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
|
|
||||||
EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
|
|
||||||
|
|
||||||
# Print only /var/run entries
|
|
||||||
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
|
|
||||||
|
|
||||||
# Unify whitespace separators
|
|
||||||
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
|
|
||||||
sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
|
|
||||||
|
|
||||||
# Deduplicate already existing /var/run=/run entries
|
|
||||||
while read line
|
|
||||||
do
|
|
||||||
subline="${line#/var}"
|
|
||||||
if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
|
|
||||||
echo "$line"
|
|
||||||
fi
|
|
||||||
done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
|
|
||||||
# Change /var/run to /run
|
|
||||||
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
|
|
||||||
# Exception handling: packages with already duplicate entries
|
|
||||||
sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
|
|
||||||
# Change format to cil
|
|
||||||
sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
|
|
||||||
# Handle entries with <<none>> which do not match previous regexps
|
|
||||||
sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
|
|
||||||
|
|
||||||
# Wrap each line with an optional block
|
|
||||||
i=1
|
|
||||||
while read line
|
|
||||||
do
|
|
||||||
echo "(optional extra_var_run_${i}"
|
|
||||||
echo " $line"
|
|
||||||
echo ")"
|
|
||||||
((i++))
|
|
||||||
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
|
|
||||||
|
|
||||||
# Load module
|
|
||||||
[ -s ${EXTRA_VARRUN_CIL} ] &&
|
|
||||||
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue