diff --git a/README.md b/README.md
deleted file mode 100644
index 7342728d557c602f51c6d278bba9f3dd9faaf356..0000000000000000000000000000000000000000
--- a/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-Anolis OS
-=======================================
-# 代码仓库说明
-## 分支说明
->进行代码开发工作时,请注意选择当前版本对应的分支
-* aX分支为对应大版本的主分支,如a8分支对应当前最新版本
-* aX.Y分支为对应小版本的维护分支,如a8.2分支对应8.2版本
-## 开发流程
-1. 首先fork目标分支到自己的namespace
-2. 在自己的fork分支上做出修改
-3. 向对应的仓库中提交merge request,源分支为fork分支
diff --git a/booleans-minimum.conf b/booleans-minimum.conf
deleted file mode 100644
index 59dac1f68a538cbaf318a923342bd5972cec861c..0000000000000000000000000000000000000000
--- a/booleans-minimum.conf
+++ /dev/null
@@ -1,248 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-#
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-#
-allow_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-#
-allow_execstack = true
-
-# Allow ftpd to read cifs directories.
-#
-allow_ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-#
-allow_ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-#
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-#
-allow_gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-#
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-#
-allow_httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-#
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-#
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-#
-allow_saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-#
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-#
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-#
-allow_zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-#
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-#
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-#
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-#
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-#
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-#
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-#
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-#
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-#
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-#
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-#
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-#
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-#
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-#
-read_default_t = false
-
-# Allow samba to export user home directories.
-#
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-#
-squid_connect_any = false
-
-# Support NFS home directories
-#
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-#
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-#
-user_ping = false
-
-# allow host key based authentication
-#
-allow_ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-#
-pppd_for_user = false
-
-# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
-#
-read_untrusted_content = false
-
-# Allow spamd to write to users homedirs
-#
-spamd_enable_home_dirs = false
-
-# Allow regular users direct mouse access
-#
-user_direct_mouse = false
-
-# Allow users to read system messages.
-#
-user_dmesg = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-#
-user_rw_noexattrfile = false
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
-#
-user_tcp_server = false
-
-# Allow w to display everyone
-#
-user_ttyfile_stat = false
-
-# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
-#
-write_untrusted_content = false
-
-# Allow all domains to talk to ttys
-#
-allow_daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-#
-allow_polyinstantiation = false
-
-# Allow all domains to dump core
-#
-allow_daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-#
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-#
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-#
-allow_xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create
-#
-allow_guest_exec_content = false
-allow_xguest_exec_content = false
-
-# Only allow browser to use the web
-#
-browser_confine_xguest=false
-
-# Allow postfix locat to write to mail spool
-#
-allow_postfix_local_write_mail_spool=false
-
-# Allow common users to read/write noexattrfile systems
-#
-user_rw_noexattrfile=true
-
-# Allow qemu to connect fully to the network
-#
-qemu_full_network=true
-
-# Allow nsplugin execmem/execstack for bad plugins
-#
-allow_nsplugin_execmem=true
-
-# Allow unconfined domain to transition to confined domain
-#
-allow_unconfined_nsplugin_transition=true
-
-# System uses init upstart program
-#
-init_upstart = true
-
-# Allow mount to mount any file/dir
-#
-allow_mount_anyfile = true
diff --git a/booleans-mls.conf b/booleans-mls.conf
deleted file mode 100644
index 65ccfa4a4e45f82937af4fadef149b29451f8482..0000000000000000000000000000000000000000
--- a/booleans-mls.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-kerberos_enabled = true
-mount_anyfile = true
-polyinstantiation_enabled = true
-ftpd_is_daemon = true
-selinuxuser_ping = true
-xserver_object_manager = true
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
deleted file mode 100644
index 8789a08b23dffa8fae3670f3c9ff0ac49a07ed01..0000000000000000000000000000000000000000
--- a/booleans-targeted.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-gssd_read_tmp = true
-httpd_builtin_scripting = true
-httpd_enable_cgi = true
-kerberos_enabled = true
-mount_anyfile = true
-nfs_export_all_ro = true
-nfs_export_all_rw = true
-nscd_use_shm = true
-openvpn_enable_homedirs = true
-postfix_local_write_mail_spool=true
-pppd_can_insmod = false
-privoxy_connect_any = true
-selinuxuser_direct_dri_enabled = true
-selinuxuser_execmem = true
-selinuxuser_execmod = true
-selinuxuser_execstack = true
-selinuxuser_rw_noexattrfile=true
-selinuxuser_ping = true
-squid_connect_any = true
-telepathy_tcp_connect_generic_network_ports=true
-unconfined_chrome_sandbox_transition=true
-unconfined_mozilla_plugin_transition=true
-xguest_exec_content = true
-mozilla_plugin_can_network_connect = true
-use_virtualbox = true
diff --git a/booleans.subs_dist b/booleans.subs_dist
deleted file mode 100644
index fed7d8cff7fa3d93165e85ff9accd4a6054e1358..0000000000000000000000000000000000000000
--- a/booleans.subs_dist
+++ /dev/null
@@ -1,54 +0,0 @@
-allow_auditadm_exec_content auditadm_exec_content
-allow_console_login login_console_enabled
-allow_cvs_read_shadow cvs_read_shadow
-allow_daemons_dump_core daemons_dump_core
-allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
-allow_daemons_use_tty daemons_use_tty
-allow_domain_fd_use domain_fd_use
-allow_execheap selinuxuser_execheap
-allow_execmod selinuxuser_execmod
-allow_execstack selinuxuser_execstack
-allow_ftpd_anon_write ftpd_anon_write
-allow_ftpd_full_access ftpd_full_access
-allow_ftpd_use_cifs ftpd_use_cifs
-allow_ftpd_use_nfs ftpd_use_nfs
-allow_gssd_read_tmp gssd_read_tmp
-allow_guest_exec_content guest_exec_content
-allow_httpd_anon_write httpd_anon_write
-allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
-allow_httpd_mod_auth_pam httpd_mod_auth_pam
-allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
-allow_kerberos kerberos_enabled
-allow_mplayer_execstack mplayer_execstack
-allow_mount_anyfile mount_anyfile
-allow_nfsd_anon_write nfsd_anon_write
-allow_polyinstantiation polyinstantiation_enabled
-allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
-allow_rsync_anon_write rsync_anon_write
-allow_saslauthd_read_shadow saslauthd_read_shadow
-allow_secadm_exec_content secadm_exec_content
-allow_smbd_anon_write smbd_anon_write
-allow_ssh_keysign ssh_keysign
-allow_staff_exec_content staff_exec_content
-allow_sysadm_exec_content sysadm_exec_content
-allow_user_exec_content user_exec_content
-allow_user_mysql_connect selinuxuser_mysql_connect_enabled
-allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
-allow_write_xshm xserver_clients_write_xshm
-allow_xguest_exec_content xguest_exec_content
-allow_xserver_execmem xserver_execmem
-allow_ypbind nis_enabled
-allow_zebra_write_config zebra_write_config
-user_direct_dri selinuxuser_direct_dri_enabled
-user_ping selinuxuser_ping
-user_share_music selinuxuser_share_music
-user_tcp_server selinuxuser_tcp_server
-sepgsql_enable_pitr_implementation postgresql_can_rsync
-sepgsql_enable_users_ddl postgresql_selinux_users_ddl
-sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
-sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
-clamd_use_jit antivirus_use_jit
-amavis_use_jit antivirus_use_jit
-logwatch_can_sendmail logwatch_can_network_connect_mail
-puppet_manage_all_files puppetagent_manage_all_files
-virt_sandbox_use_nfs virt_use_nfs
diff --git a/container-selinux.tgz b/container-selinux.tgz
index 8d06bd44a5b95b3b3907df09014bede38921d12b..ca088603ff38f396f399d9e9f92cb2addfd682b0 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/customizable_types b/customizable_types
deleted file mode 100644
index b3f6cb087c2e0e69c3133c91ad797166e00d9aa7..0000000000000000000000000000000000000000
--- a/customizable_types
+++ /dev/null
@@ -1,14 +0,0 @@
-container_file_t
-sandbox_file_t
-svirt_image_t
-svirt_home_t
-svirt_sandbox_file_t
-virt_content_t
-httpd_user_htaccess_t
-httpd_user_script_exec_t
-httpd_user_rw_content_t
-httpd_user_ra_content_t
-httpd_user_content_t
-git_session_content_t
-home_bin_t
-user_tty_device_t
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist
deleted file mode 100644
index 1bf47105126cc8787a9e14a36635be58cc725576..0000000000000000000000000000000000000000
--- a/file_contexts.subs_dist
+++ /dev/null
@@ -1,22 +0,0 @@
-/run /var/run
-/run/lock /var/lock
-/run/systemd/system /usr/lib/systemd/system
-/run/systemd/generator /usr/lib/systemd/system
-/run/systemd/generator.late /usr/lib/systemd/system
-/lib /usr/lib
-/lib64 /usr/lib
-/usr/lib64 /usr/lib
-/usr/local/lib64 /usr/lib
-/usr/local/lib32 /usr/lib
-/etc/systemd/system /usr/lib/systemd/system
-/var/lib/xguest/home /home
-/var/named/chroot/usr/lib64 /usr/lib
-/var/named/chroot/lib64 /usr/lib
-/var/named/chroot/var /var
-/home-inst /home
-/home/home-inst /home
-/var/roothome /root
-/sbin /usr/sbin
-/sysroot/tmp /tmp
-/var/usrlocal /usr/local
-/var/mnt /mnt
diff --git a/modules-minimum.lst b/modules-minimum.lst
new file mode 100644
index 0000000000000000000000000000000000000000..c4252c846fc4b568227d964b12020b39257f3b64
--- /dev/null
+++ b/modules-minimum.lst
@@ -0,0 +1,50 @@
+apache
+application
+auditadm
+authlogin
+base
+bootloader
+clock
+dbus
+dmesg
+fstools
+getty
+hostname
+inetd
+init
+ipsec
+iptables
+kerberos
+libraries
+locallogin
+logadm
+logging
+lvm
+miscfiles
+modutils
+mount
+mta
+netlabel
+netutils
+nis
+postgresql
+secadm
+selinuxutil
+setrans
+seunshare
+ssh
+staff
+su
+sudo
+sysadm
+sysadm_secadm
+sysnetwork
+systemd
+udev
+unconfined
+unconfineduser
+unlabelednet
+unprivuser
+userdomain
+usermanage
+xserver
diff --git a/modules-mls-base.conf b/modules-mls-base.conf
deleted file mode 100644
index 5b21a3ebe5f0b546f8cdb7ccc0d261f20eaca24c..0000000000000000000000000000000000000000
--- a/modules-mls-base.conf
+++ /dev/null
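Review bot: The new minimum module list names `unconfined` and `unconfineduser` next to `su`, `sudo` and `xserver`, so "minimum" here means a small module count rather than a confined default — with those two installed, logins presumably still land in an unconfined domain unless the module is disabled at install time, and nothing in the tree records that this is intended (the README removed in this same commit was the only prose). The flat `.lst` format also drops the per-module `= base|module|off` state that the deleted `modules-mls-base.conf` carries (e.g. `corenetwork = base`); `base` appears here only as an ordinary entry, so whatever consumes this list has to decide base-vs-loadable and enabled-vs-off itself, which is worth confirming before the `.conf` files are gone. If the list format tolerates comments, a header such as `# modules installed into the minimum policy store; unconfined/unconfineduser are intentional` would record the decision; otherwise it belongs in the commit message or a replacement README.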
@@ -1,380 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-#
-bootloader = module
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-#
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-#
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-#
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-#
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-#
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-#
-seunshare = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-#
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-#
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-#
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-#
-files = base
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-#
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-#
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-#
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-#
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-#
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-#
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-#
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-#
-#
-ubac = base
-
-# Layer: kernel
-# Module: unlabelednet
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-#
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-#
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-#
-secadm = module
-
-# Layer:role
-# Module: staff
-#
-# admin account
-#
-staff = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-#
-sysadm_secadm = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-#
-sysadm = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-#
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-#
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-#
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-#
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-#
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-#
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-#
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-#
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-#
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-#
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-#
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-#
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-#
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-#
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-#
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-#
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-#
-lvm = module
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-#
-miscfiles = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-#
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-#
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-#
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-#
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-#
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-#
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-#
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-#
-udev = module
diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf
deleted file mode 100644
index f7e6ad84eb15e444d22537a1fcb72c67ba2a09fd..0000000000000000000000000000000000000000
--- a/modules-mls-contrib.conf
+++ /dev/null
@@ -1,1579 +0,0 @@
-# Layer: services
-# Module: accountsd
-#
-# An application to view and modify user accounts information
-#
-accountsd = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-#
-acct = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server
-#
-afs = module
-
-# Layer: services
-# Module: aide
-#
-# Policy for aide
-#
-aide = module
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-#
-alsa = module
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-#
-amanda = module
-
-# Layer: contrib
-# Module: antivirus
-#
-# Anti-virus
-#
-antivirus = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-#
-amtu = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-#
-anaconda = module
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-#
-apache = module
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-#
-apm = module
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-#
-arpwatch = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-#
-avahi = module
-
-# Layer: modules
-# Module: awstats
-#
-# awstats executable
-#
-awstats = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-#
-bind = module
-
-# Layer: services
-# Module: bitlbee
-#
-# An IRC to other chat networks gateway
-#
-bitlbee = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-#
-bluetooth = module
-
-# Layer: services
-# Module: boinc
-#
-# Berkeley Open Infrastructure for Network Computing
-#
-boinc = module
-
-# Layer: system
-# Module: brctl
-#
-# Utilities for configuring the linux ethernet bridge
-#
-brctl = module
-
-# Layer: services
-# Module: bugzilla
-#
-# Bugzilla server
-#
-bugzilla = module
-
-# Layer: services
-# Module: cachefilesd
-#
-# CacheFiles userspace management daemon
-#
-cachefilesd = module
-
-# Module: calamaris
-#
-#
-# Squid log analysis
-#
-calamaris = module
-
-# Layer: services
-# Module: canna
-#
-# Canna - kana-kanji conversion server
-#
-canna = module
-
-# Layer: services
-# Module: ccs
-#
-# policy for ccs
-#
-ccs = module
-
-# Layer: apps
-# Module: cdrecord
-#
-# Policy for cdrecord
-#
-cdrecord = module
-
-# Layer: admin
-# Module: certmaster
-#
-# Digital Certificate master
-#
-certmaster = module
-
-# Layer: services
-# Module: certmonger
-#
-# Certificate status monitor and PKI enrollment client
-#
-certmonger = module
-
-# Layer: admin
-# Module: certwatch
-#
-# Digital Certificate Tracking
-#
-certwatch = module
-
-# Layer: services
-# Module: cgroup
-#
-# Tools and libraries to control and monitor control groups
-#
-cgroup = module
-
-# Layer: apps
-# Module: chrome
-#
-# chrome sandbox
-#
-chrome = module
-
-# Layer: services
-# Module: chronyd
-#
-# Daemon for maintaining clock time
-#
-chronyd = module
-
-# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon
-#
-cipe = module
-
-# Layer: services
-# Module: clogd
-#
-# clogd - clustered mirror log server
-#
-clogd = module
-
-# Layer: services
-# Module: cmirrord
-#
-# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
-#
-cmirrord = module
-
-# Layer: services
-# Module: colord
-#
-# color device daemon
-#
-colord = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-#
-comsat = module
-
-# Layer: services
-# Module: courier
-#
-# IMAP and POP3 email servers
-#
-courier = module
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-#
-cpucontrol = module
-
-# Layer: apps
-# Module: cpufreqselector
-#
-# cpufreqselector executable
-#
-cpufreqselector = module
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-#
-cron = module
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-#
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-#
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# cyphesis game server
-#
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-#
-cyrus = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-#
-daemontools = module
-
-# Layer: role
-# Module: dbadm
-#
-# Minimally prived root role for managing databases
-#
-dbadm = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-#
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-#
-dbus = module
-
-# Layer: services
-# Module: dcc
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-dcc = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-#
-ddcprobe = off
-
-# Layer: services
-# Module: devicekit
-#
-# devicekit-daemon
-#
-devicekit = module
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-#
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-#
-dictd = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-#
-distcc = off
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-#
-dmidecode = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# A lightweight DHCP and caching DNS server.
-#
-dnsmasq = module
-
-# Layer: services
-# Module: dnssec
-#
-# A dnssec server application
-#
-dnssec = module
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-#
-dovecot = module
-
-# Layer: services
-# Module: entropy
-#
-# Generate entropy from audio input
-#
-entropyd = module
-
-# Layer: services
-# Module: exim
-#
-# exim mail server
-#
-exim = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-#
-fetchmail = module
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-#
-finger = module
-
-# Layer: services
-# Module: firewalld
-#
-# firewalld is firewall service daemon that provides dynamic customizable
-#
-firewalld = module
-
-# Layer: apps
-# Module: firewallgui
-#
-# policy for system-config-firewall
-#
-firewallgui = module
-
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of systems.
-#
-firstboot = module
-
-# Layer: services
-# Module: fprintd
-#
-# finger print server
-#
-fprintd = module
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-#
-ftp = module
-
-# Layer: apps
-# Module: games
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-games = module
-
-# Layer: apps
-# Module: gitosis
-#
-# Policy for gitosis
-#
-gitosis = module
-
-# Layer: services
-# Module: git
-#
-# Policy for the stupid content tracker
-#
-git = module
-
-# Layer: services
-# Module: glance
-#
-# Policy for glance
-#
-glance = module
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-#
-gnome = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for Mozilla and related web browsers
-#
-gpg = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-#
-gpm = module
-
-# Module: gpsd
-#
-# gpsd monitor daemon
-#
-#
-gpsd = module
-
-# Module: gssproxy
-#
-# A proxy for GSSAPI credential handling
-#
-#
-gssproxy = module
-
-# Layer: role
-# Module: guest
-#
-# Minimally privs guest account on tty logins
-#
-guest = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-#
-i18n_input = off
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-#
-inetd = module
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-#
-inn = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-#
-irc = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-#
-irqbalance = module
-
-# Layer: system
-# Module: iscsi
-#
-# Open-iSCSI daemon
-#
-iscsi = module
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging server
-#
-jabber = module
-
-# Layer: apps
-# Module: kdumpgui
-#
-# system-config-kdump policy
-#
-kdumpgui = module
-
-# Layer: admin
-# Module: kdump
-#
-# kdump is kernel crash dumping mechanism
-#
-kdump = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-#
-kerberos = module
-
-# Layer: services
-# Module: kismet
-#
-# Wireless sniffing and monitoring
-#
-kismet = module
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-#
-ktalk = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-#
-ldap = module
-
-# Layer: services
-# Module: lircd
-#
-# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
-#
-lircd = module
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-#
-loadkeys = module
-
-# Layer: apps
-# Module: lockdev
-#
-# device locking policy for lockdev
-#
-lockdev = module
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-#
-logrotate = module
-
-# Layer: services
-# Module: logwatch
-#
-# logwatch executable
-#
-logwatch = module
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon
-#
-lpd = module
-
-# Layer: services
-# Module: lsm
-#
-# lsm policy
-#
-lsm = module
-
-# Layer: services
-# Module: mailman
-#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
-#
-mailman = module
-
-# Layer: admin
-# Module: mcelog
-#
-# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines.
-#
-mcelog = module
-
-# Layer: services
-# Module: memcached
-#
-# high-performance memory object caching system
-#
-memcached = module
-
-# Layer: services
-# Module: milter
-#
-#
-#
-milter = module
-
-# Layer: services
-# Module: modemmanager
-#
-# Manager for dynamically switching between modems.
-#
-modemmanager = module
-
-# Layer: services
-# Module: mojomojo
-#
-# Wiki server
-#
-mojomojo = module
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers
-#
-mozilla = module
-
-# Layer: apps
-# Module: mplayer
-#
-# Policy for Mozilla and related web browsers
-#
-mplayer = module
-
-# Layer: admin
-# Module: mrtg
-#
-# Network traffic graphing
-#
-mrtg = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-#
-mta = module
-
-# Layer: services
-# Module: munin
-#
-# Munin
-#
-munin = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-#
-mysql = module
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-#
-nagios = module
-
-# Layer: apps
-# Module: namespace
-#
-# policy for namespace.init script
-#
-namespace = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-#
-ncftool = module
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-#
-networkmanager = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-#
-nis = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-#
-nscd = module
-
-# Layer: services
-# Module: nslcd
-#
-# Policy for nslcd
-#
-nslcd = module
-
-# Layer: services
-# Module: ntop
-#
-# Policy for ntop
-#
-ntop = module
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-#
-ntp = module
-
-# Layer: services
-# Module: nx
-#
-# NX Remote Desktop
-#
-nx = module
-
-# Layer: services
-# Module: oddjob
-#
-# policy for oddjob
-#
-oddjob = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-#
-openct = off
-
-# Layer: service
-# Module: openct
-#
-# Middleware framework for smart card terminals
-#
-openct = module
-
-# Layer: services
-# Module: openvpn
-#
-# Policy for OPENVPN full-featured SSL VPN solution
-#
-openvpn = module
-
-# Layer: contrib
-# Module: prelude
-#
-# SELinux policy for prelude
-#
-prelude = module
-
-# Layer: contrib
-# Module: prosody
-#
-# SELinux policy for prosody flexible communications server for Jabber/XMPP
-#
-prosody = module
-
-# Layer: services
-# Module: pads
-#
-pads = module
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-#
-pcmcia = module
-
-# Layer: service
-# Module: pcscd
-#
-# PC/SC Smart Card Daemon
-#
-pcscd = module
-
-# Layer: services
-# Module: pegasus
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-pegasus = module
-
-
-# Layer: services
-# Module: pingd
-#
-#
-pingd = module
-
-# Layer: services
-# Module: piranha
-#
-# piranha - various tools to administer and configure the Linux Virtual Server
-#
-piranha = module
-
-# Layer: services
-# Module: plymouthd
-#
-# Plymouth
-#
-plymouthd = module
-
-# Layer: apps
-# Module: podsleuth
-#
-# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
-#
-podsleuth = module
-
-# Layer: services
-# Module: policykit
-#
-# Hardware abstraction layer
-#
-policykit = module
-
-# Layer: services
-# Module: polipo
-#
-# polipo
-#
-polipo = module
-
-# Layer: services
-# Module: portmap
-#
-# RPC port mapping service.
-#
-portmap = module
-
-# Layer: services
-# Module: portreserve
-#
-# reserve ports to prevent portmap mapping them
-#
-portreserve = module
-
-# Layer: services
-# Module: postfix
-#
-# Postfix email server
-#
-postfix = module
-
-o# Layer: services
-# Module: postgrey
-#
-# email scanner
-#
-postgrey = module
-
-# Layer: services
-# Module: ppp
-#
-# Point to Point Protocol daemon creates links in ppp networks
-#
-ppp = module
-
-# Layer: admin
-# Module: prelink
-#
-# Manage temporary directory sizes and file ages
-#
-prelink = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-#
-privoxy = module
-
-# Layer: services
-# Module: procmail
-#
-# Procmail mail delivery agent
-#
-procmail = module
-
-# Layer: services
-# Module: psad
-#
-# Analyze iptables log for hostile traffic
-#
-psad = module
-
-# Layer: apps
-# Module: ptchown
-#
-# helper function for grantpt(3), changes ownship and permissions of pseudotty
-#
-ptchown = module
-
-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP
-#
-publicfile = module
-
-# Layer: apps
-# Module: pulseaudio
-#
-# The PulseAudio Sound System
-#
-pulseaudio = module
-
-# Layer: services
-# Module: qmail
-#
-# Policy for qmail
-#
-qmail = module
-
-# Layer: services
-# Module: qpidd
-#
-# Policy for qpidd
-#
-qpid = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-#
-quota = module
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-#
-radius = module
-
-# Layer: services
-# Module: radvd
-#
-# IPv6 router advertisement daemon
-#
-radvd = module
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-#
-raid = module
-
-# Layer: services
-# Module: rdisc
-#
-# Network router discovery daemon
-#
-rdisc = module
-
-# Layer: admin
-# Module: readahead
-#
-# Readahead, read files into page cache for improved performance
-#
-readahead = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-#
-remotelogin = module
-
-# Layer: services
-# Module: rhcs
-#
-# RHCS - Red Hat Cluster Suite
-#
-rhcs = module
-
-# Layer: services
-# Module: rhgb
-#
-# X windows login display manager
-#
-rhgb = module
-
-# Layer: services
-# Module: ricci
-#
-# policy for ricci
-#
-ricci = module
-
-# Layer: services
-# Module: rlogin
-#
-# Remote login daemon
-#
-rlogin = module
-
-# Layer: services
-# Module: roundup
-#
-# Roundup Issue Tracking System policy
-#
-roundup = module
-
-# Layer: services
-# Module: rpcbind
-#
-# universal addresses to RPC program number mapper
-#
-rpcbind = module
-
-# Layer: services
-# Module: rpc
-#
-# Remote Procedure Call Daemon for managment of network based process communication
-#
-rpc = module
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-#
-rpm = module
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-#
-rshd = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-#
-rsync = module
-
-# Layer: services
-# Module: rtkit
-#
-# Real Time Kit Daemon
-#
-rtkit = module
-
-# Layer: services
-# Module: rwho
-#
-# who is logged in on local machines
-#
-rwho = module
-
-# Layer: apps
-# Module: sambagui
-#
-# policy for system-config-samba
-#
-sambagui = module
-
-#
-# SMB and CIFS client/server programs for UNIX and
-# name Service Switch daemon for resolving names
-# from Windows NT servers.
-#
-samba = module
-
-# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-#
-sasl = module
-
-# Layer: apps
-# Module: screen
-#
-# GNU terminal multiplexer
-#
-screen = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-#
-sendmail = module
-
-# Layer: services
-# Module: setroubleshoot
-#
-# Policy for the SELinux troubleshooting utility
-#
-setroubleshoot = module
-
-# Layer: admin
-# Module: shorewall
-#
-# Policy for shorewall
-#
-shorewall = module
-
-# Layer: apps
-# Module: slocate
-#
-# Update database for mlocate
-#
-slocate = module
-
-# Layer: services
-# Module: slrnpull
-#
-# Service for downloading news feeds the slrn newsreader.
-#
-slrnpull = off
-
-# Layer: services
-# Module: smartmon
-#
-# Smart disk monitoring daemon policy
-#
-smartmon = module
-
-# Layer: services
-# Module: snmp
-#
-# Simple network management protocol services
-#
-snmp = module
-
-# Layer: services
-# Module: snort
-#
-# Snort network intrusion detection system
-#
-snort = module
-
-# Layer: admin
-# Module: sosreport
-#
-# sosreport debuggin information generator
-#
-sosreport = module
-
-# Layer: services
-# Module: soundserver
-#
-# sound server for network audio server programs, nasd, yiff, etc
-#
-soundserver = module
-
-# Layer: services
-# Module: spamassassin
-#
-# Filter used for removing unsolicited email.
-#
-spamassassin = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server
-#
-squid = module
-
-# Layer: services
-# Module: sssd
-#
-# System Security Services Daemon
-#
-sssd = module
-
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy
-#
-stunnel = module
-
-# Layer: services
-# Module: sysstat
-#
-# Policy for sysstat. Reports on various system states
-#
-sysstat = module
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-#
-tcpd = module
-
-# Layer: services
-# Module: tcsd
-#
-# tcsd - daemon that manages Trusted Computing resources
-#
-tcsd = module
-
-# Layer: apps
-# Module: telepathy
-#
-# telepathy - Policy for Telepathy framework
-#
-telepathy = module
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon
-#
-telnet = module
-
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon
-#
-tftp = module
-
-# Layer: services
-# Module: tgtd
-#
-# Linux Target Framework Daemon.
-#
-tgtd = module
-
-# Layer: apps
-# Module: thumb
-#
-# Thumbnailer confinement
-#
-thumb = module
-
-# Layer: services
-# Module: timidity
-#
-# MIDI to WAV converter and player configured as a service
-#
-timidity = off
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-#
-tmpreaper = module
-
-# Layer: services
-# Module: tor
-#
-# TOR, the onion router
-#
-tor = module
-
-# Layer: services
-# Module: ksmtuned
-#
-# Kernel Samepage Merging (KSM) Tuning Daemon
-#
-ksmtuned = module
-
-# Layer: services
-# Module: tuned
-#
-# Dynamic adaptive system tuning daemon
-#
-tuned = module
-
-# Layer: apps
-# Module: tvtime
-#
-# tvtime - a high quality television application
-#
-tvtime = module
-
-# Layer: services
-# Module: ulogd
-#
-#
-#
-ulogd = module
-
-# Layer: apps
-# Module: uml
-#
-# Policy for UML
-#
-uml = module
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-#
-updfstab = module
-
-# Layer: admin
-# Module: usbmodules
-#
-# List kernel modules of USB devices
-#
-usbmodules = module
-
-# Layer: apps
-# Module: userhelper
-#
-# A helper interface to pam.
-#
-userhelper = module
-
-# Layer: apps
-# Module: usernetctl
-#
-# User network interface configuration helper
-#
-usernetctl = module
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy
-#
-uucp = module
-
-# Layer: services
-# Module: virt
-#
-# Virtualization libraries
-#
-virt = module
-
-# Layer: apps
-# Module: vmware
-#
-# VMWare Workstation virtual machines
-#
-vmware = module
-
-# Layer: contrib
-# Module: openvswitch
-#
-# SELinux policy for openvswitch programs
-#
-openvswitch = module
-
-# Layer: admin
-# Module: vpn
-#
-# Virtual Private Networking client
-#
-vpn = module
-
-# Layer: services
-# Module: w3c
-#
-# w3c
-#
-w3c = module
-
-# Layer: role
-# Module: webadm
-#
-# Minimally prived root role for managing apache
-#
-webadm = module
-
-# Layer: apps
-# Module: webalizer
-#
-# Web server log analysis
-#
-webalizer = module
-
-# Layer: apps
-# Module: wine
-#
-# wine executable
-#
-wine = module
-
-# Layer: apps
-# Module: wireshark
-#
-# wireshark executable
-#
-wireshark = module
-
-# Layer: apps
-# Module: wm
-#
-# X windows window manager
-#
-wm = module
-
-# Layer: system
-# Module: xen
-#
-# virtualization software
-#
-xen = module
-
-# Layer: role
-# Module: xguest
-#
-# Minimally privs guest account on X Windows logins
-#
-xguest = module
-
-# Layer: services
-# Module: zabbix
-#
-# Open-source monitoring solution for your IT infrastructure
-#
-zabbix = module
-
-# Layer: services
-# Module: zebra
-#
-# Zebra border gateway protocol network routing service
-#
-zebra = module
-
-# Layer: services
-# Module: zosremote
-#
-# policy for z/OS Remote-services Audit dispatcher plugin
-#
-zosremote = module
-
-# Layer: contrib
-# Module: mandb
-#
-# Policy for mandb
-#
-mandb = module
diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf
deleted file mode 100644
index e7456ef911ae21223b0edaa9a656e3695ba96210..0000000000000000000000000000000000000000
--- a/modules-targeted-base.conf
+++ /dev/null
@@ -1,393 +0,0 @@
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-#
-bootloader = module
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-#
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-#
-corenetwork = base
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-#
-dmesg = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-#
-netutils = module
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-#
-sudo = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-#
-su = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-#
-usermanage = module
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-#
-seunshare = module
-
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-#
-devices = base
-
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-#
-domain = base
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-#
-userdomain = module
-
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-#
-files = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-#
-miscfiles = module
-
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-#
-filesystem = base
-
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-#
-kernel = base
-
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-#
-mcs = base
-
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-#
-mls = base
-
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-#
-selinux = base
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-#
-storage = base
-
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-#
-terminal = base
-
-# Layer: kernel
-# Module: ubac
-#
-#
-#
-ubac = base
-
-# Layer: kernel
-# Module: unconfined
-#
-# The unlabelednet module.
-#
-unlabelednet = module
-
-# Layer: role
-# Module: auditadm
-#
-# auditadm account on tty logins
-#
-auditadm = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-#
-logadm = module
-
-# Layer: role
-# Module: secadm
-#
-# secadm account on tty logins
-#
-secadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-#
-sysadm_secadm = module
-
-# Module: staff
-#
-# admin account
-#
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-#
-sysadm = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-#
-unconfineduser = module
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-#
-unprivuser = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-#
-postgresql = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-#
-ssh = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-#
-xserver = module
-
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-#
-application = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-#
-authlogin = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-#
-clock = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-#
-fstools = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-#
-getty = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-#
-hostname = module
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-#
-init = module
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-#
-ipsec = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-#
-iptables = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-#
-libraries = module
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-#
-locallogin = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-#
-logging = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-#
-lvm = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-#
-modutils = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-#
-mount = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-#
-netlabel = module
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-#
-selinuxutil = module
-
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-#
-setrans = module
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-#
-sysnetwork = module
-
-# Layer: system
-# Module: systemd
-#
-# Policy for systemd components
-#
-systemd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-#
-udev = module
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-#
-unconfined = module
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
deleted file mode 100644
index ba8dbf036701089d5165b23f0f9acb547dda84e7..0000000000000000000000000000000000000000
--- a/modules-targeted-contrib.conf
+++ /dev/null
@@ -1,2686 +0,0 @@
-# Layer: services
-# Module: abrt
-#
-# Automatic bug detection and reporting tool
-#
-abrt = module
-
-# Layer: services
-# Module: accountsd
-#
-# An application to view and modify user accounts information
-#
-accountsd = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-#
-acct = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server
-#
-afs = module
-
-# Layer: services
-# Module: aiccu
-#
-# SixXS Automatic IPv6 Connectivity Client Utility
-#
-aiccu = module
-
-# Layer: services
-# Module: aide
-#
-# Policy for aide
-#
-aide = module
-
-# Layer: services
-# Module: ajaxterm
-#
-# Web Based Terminal
-#
-ajaxterm = module
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-#
-alsa = module
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-#
-amanda = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-#
-amtu = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-#
-anaconda = module
-
-# Layer: contrib
-# Module: antivirus
-#
-# SELinux policy for antivirus programs
-#
-antivirus = module
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-#
-apache = module
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-#
-apm = module
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-#
-arpwatch = module
-
-# Layer: services
-# Module: asterisk
-#
-# Asterisk IP telephony server
-#
-asterisk = module
-
-# Layer: contrib
-# Module: authconfig
-#
-# Authorization configuration tool
-#
-authconfig = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-#
-avahi = module
-
-# Layer: module
-# Module: awstats
-#
-# awstats executable
-#
-awstats = module
-
-# Layer: services
-# Module: bcfg2
-#
-# Configuration management server
-#
-bcfg2 = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-#
-bind = module
-
-# Layer: contrib
-# Module: rngd
-#
-# Daemon used to feed random data from hardware device to kernel random device
-#
-rngd = module
-
-# Layer: services
-# Module: bitlbee
-#
-# An IRC to other chat networks gateway
-#
-bitlbee = module
-
-# Layer: services
-# Module: blueman
-#
-# Blueman tools and system services.
-#
-blueman = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-#
-bluetooth = module
-
-# Layer: services
-# Module: boinc
-#
-# Berkeley Open Infrastructure for Network Computing
-#
-boinc = module
-
-# Layer: system
-# Module: brctl
-#
-# Utilities for configuring the linux ethernet bridge
-#
-brctl = module
-
-# Layer: services
-# Module: bugzilla
-#
-# Bugzilla server
-#
-bugzilla = module
-
-# Layer: services
-# Module: bumblebee
-#
-# Support NVIDIA Optimus technology under Linux
-#
-bumblebee = module
-
-# Layer: services
-# Module: cachefilesd
-#
-# CacheFiles userspace management daemon
-#
-cachefilesd = module
-
-# Module: calamaris
-#
-#
-# Squid log analysis
-#
-calamaris = module
-
-# Layer: services
-# Module: callweaver
-#
-# callweaver telephony sever
-#
-callweaver = module
-
-# Layer: services
-# Module: canna
-#
-# Canna - kana-kanji conversion server
-#
-canna = module
-
-# Layer: services
-# Module: ccs
-#
-# policy for ccs
-#
-ccs = module
-
-# Layer: apps
-# Module: cdrecord
-#
-# Policy for cdrecord
-#
-cdrecord = module
-
-# Layer: admin
-# Module: certmaster
-#
-# Digital Certificate master
-#
-certmaster = module
-
-# Layer: services
-# Module: certmonger
-#
-# Certificate status monitor and PKI enrollment client
-#
-certmonger = module
-
-# Layer: admin
-# Module: certwatch
-#
-# Digital Certificate Tracking
-#
-certwatch = module
-
-# Layer: services
-# Module: cfengine
-#
-# cfengine
-#
-cfengine = module
-
-# Layer: services
-# Module: cgroup
-#
-# Tools and libraries to control and monitor control groups
-#
-cgroup = module
-
-# Layer: apps
-# Module: chrome
-#
-# chrome sandbox
-#
-chrome = module
-
-# Layer: services
-# Module: chronyd
-#
-# Daemon for maintaining clock time
-#
-chronyd = module
-
-# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon
-#
-cipe = module
-
-
-# Layer: services
-# Module: clogd
-#
-# clogd - clustered mirror log server
-#
-clogd = module
-
-# Layer: services
-# Module: cloudform
-#
-# cloudform daemons
-#
-cloudform = module
-
-# Layer: services
-# Module: cmirrord
-#
-# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
-#
-cmirrord = module
-
-# Layer: services
-# Module: cobbler
-#
-# cobbler
-#
-cobbler = module
-
-# Layer: services
-# Module: collectd
-#
-# Statistics collection daemon for filling RRD files
-#
-collectd = module
-
-# Layer: services
-# Module: colord
-#
-# color device daemon
-#
-colord = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-#
-comsat = module
-
-# Layer: services
-# Module: condor
-#
-# policy for condor
-#
-condor = module
-
-# Layer: services
-# Module: conman
-#
-# Conman is a program for connecting to remote consoles being managed by conmand
-#
-conman = module
-
-# Layer: services
-# Module: consolekit
-#
-# ConsoleKit is a system daemon for tracking what users are logged
-#
-consolekit = module
-
-# Layer: services
-# Module: couchdb
-#
-# Apache CouchDB database server
-#
-couchdb = module
-
-# Layer: services
-# Module: courier
-#
-# IMAP and POP3 email servers
-#
-courier = module
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-#
-cpucontrol = module
-
-# Layer: apps
-# Module: cpufreqselector
-#
-# cpufreqselector executable
-#
-cpufreqselector = module
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-#
-cron = module
-
-# Layer: services
-# Module: ctdbd
-#
-# Cluster Daemon
-#
-ctdb = module
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-#
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-#
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# cyphesis game server
-#
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-#
-cyrus = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-#
-daemontools = module
-
-# Layer: role
-# Module: dbadm
-#
-# Minimally prived root role for managing databases
-#
-dbadm = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-#
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-#
-dbus = module
-
-# Layer: services
-# Module: dcc
-#
-# A distributed, collaborative, spam detection and filtering network.
-#
-dcc = module
-
-# Layer: services
-# Module: ddclient
-#
-# Update dynamic IP address at DynDNS.org
-#
-ddclient = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-#
-ddcprobe = off
-
-# Layer: services
-# Module: denyhosts
-#
-# script to help thwart ssh server attacks
-#
-denyhosts = module
-
-# Layer: services
-# Module: devicekit
-#
-# devicekit-daemon
-#
-devicekit = module
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-#
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-#
-dictd = module
-
-# Layer: services
-# Module: dirsrv-admin
-#
-# An 309 directory admin server
-#
-dirsrv-admin = module
-
-# Layer: services
-# Module: dirsrv
-#
-# An 309 directory server
-#
-dirsrv = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-#
-distcc = off
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-#
-dmidecode = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# A lightweight DHCP and caching DNS server.
-#
-dnsmasq = module
-
-# Layer: services
-# Module: dnssec
-#
-# A dnssec server application
-#
-dnssec = module
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-#
-dovecot = module
-
-# Layer: services
-# Module: drbd
-#
-# DRBD mirrors a block device over the network to another machine.
-#
-drbd = module
-
-# Layer: services
-# Module: dspam
-#
-# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering
-#
-dspam = module
-
-# Layer: services
-# Module: entropy
-#
-# Generate entropy from audio input
-#
-entropyd = module
-
-# Layer: services
-# Module: exim
-#
-# exim mail server
-#
-exim = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
-# Layer: services
-# Module: fcoe
-#
-# fcoe
-#
-fcoe = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-#
-fetchmail = module
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-#
-finger = module
-
-# Layer: services
-# Module: firewalld
-#
-# firewalld is firewall service daemon that provides dynamic customizable
-#
-firewalld = module
-
-# Layer: apps
-# Module: firewallgui
-#
-# policy for system-config-firewall
-#
-firewallgui = module
-
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of systems.
-#
-firstboot = module
-
-# Layer: services
-# Module: fprintd
-#
-# finger print server
-#
-fprintd = module
-
-# Layer: services
-# Module: freqset
-#
-# Utility for CPU frequency scaling
-#
-freqset = module
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-#
-ftp = module
-
-# Layer: apps
-# Module: games
-#
-# The Open Group Pegasus CIM/WBEM Server.
-#
-games = module
-
-# Layer: apps
-# Module: gitosis
-#
-# Policy for gitosis
-#
-gitosis = module
-
-# Layer: services
-# Module: git
-#
-# Policy for the stupid content tracker
-#
-git = module
-
-# Layer: services
-# Module: glance
-#
-# Policy for glance
-#
-glance = module
-
-# Layer: contrib
-# Module: glusterd
-#
-# policy for glusterd service
-#
-glusterd = module
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-#
-gnome = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-#
-gpg = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-#
-gpm = module
-
-# Module: gpsd
-#
-# gpsd monitor daemon
-#
-#
-gpsd = module
-
-# Module: gssproxy
-#
-# A proxy for GSSAPI credential handling
-#
-#
-gssproxy = module
-
-# Layer: role
-# Module: guest
-#
-# Minimally privs guest account on tty logins
-#
-guest = module
-
-# Layer: role
-# Module: xguest
-#
-# Minimally privs guest account on X Windows logins
-#
-xguest = module
-
-# Layer: services
-# Module: hddtemp
-#
-# hddtemp hard disk temperature tool running as a daemon
-#
-hddtemp = module
-
-# Layer: services
-# Module: hostapd
-#
-# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
-#
-hostapd = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-#
-i18n_input = off
-
-# Layer: services
-# Module: icecast
-#
-# ShoutCast compatible streaming media server
-#
-icecast = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-#
-inetd = module
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-#
-inn = module
-
-# Layer: services
-# Module: lircd
-#
-# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
-#
-lircd = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-#
-irc = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-#
-irqbalance = module
-
-# Layer: system
-# Module: iscsi
-#
-# Open-iSCSI daemon
-#
-iscsi = module
-
-# Layer: system
-# Module: isnsd
-#
-#
-#
-isns = module
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging server
-#
-jabber = module
-
-# Layer: services
-# Module: jetty
-#
-# Java based http server
-#
-jetty = module
-
-# Layer: apps
-# Module: jockey
-#
-# policy for jockey-backend
-#
-jockey = module
-
-# Layer: apps
-# Module: kdumpgui
-#
-# system-config-kdump policy
-#
-kdumpgui = module
-
-# Layer: admin
-# Module: kdump
-#
-# kdump is kernel crash dumping mechanism
-#
-kdump = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-#
-kerberos = module
-
-# Layer: services
-# Module: keepalived
-#
-# keepalived - load-balancing and high-availability service
-#
-keepalived = module
-
-# Module: keyboardd
-#
-# system-setup-keyboard is a keyboard layout daemon that monitors
-# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
-#
-keyboardd = module
-
-# Layer: services
-# Module: keystone
-#
-# openstack-keystone
-#
-keystone = module
-
-# Layer: services
-# Module: kismet
-#
-# Wireless sniffing and monitoring
-#
-kismet = module
-
-# Layer: services
-# Module: ksmtuned
-#
-# Kernel Samepage Merging (KSM) Tuning Daemon
-#
-ksmtuned = module
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-#
-ktalk = module
-
-# Layer: services
-# Module: l2ltpd
-#
-# Layer 2 Tunnelling Protocol Daemon
-#
-l2tp = module
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-#
-ldap = module
-
-# Layer: services
-# Module: likewise
-#
-# Likewise Active Directory support for UNIX
-#
-likewise = module
-
-# Layer: apps
-# Module: livecd
-#
-# livecd creator
-#
-livecd = module
-
-# Layer: services
-# Module: lldpad
-#
-# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon
-#
-lldpad = module
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-#
-loadkeys = module
-
-# Layer: apps
-# Module: lockdev
-#
-# device locking policy for lockdev
-#
-lockdev = module
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-#
-logrotate = module
-
-# Layer: services
-# Module: logwatch
-#
-# logwatch executable
-#
-logwatch = module
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon
-#
-lpd = module
-
-# Layer: services
-# Module: mailman
-#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
-#
-mailman = module
-
-# Layer: services
-# Module: mailman
-#
-# Policy for mailscanner
-#
-mailscanner = module
-
-# Layer: apps
-# Module: man2html
-#
-# policy for man2html apps
-#
-man2html = module
-
-# Layer: admin
-# Module: mcelog
-#
-# Policy for mcelog.
-#
-mcelog = module
-
-# Layer: apps
-# Module: mediawiki
-#
-# mediawiki
-#
-mediawiki = module
-
-# Layer: services
-# Module: memcached
-#
-# high-performance memory object caching system
-#
-memcached = module
-
-# Layer: services
-# Module: milter
-#
-#
-#
-milter = module
-
-# Layer: services
-# Module: mip6d
-#
-# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation
-#
-mip6d = module
-
-# Layer: services
-# Module: mock
-#
-# Policy for mock rpm builder
-#
-mock = module
-
-# Layer: services
-# Module: modemmanager
-#
-# Manager for dynamically switching between modems.
-#
-modemmanager = module
-
-# Layer: services
-# Module: mojomojo
-#
-# Wiki server
-#
-mojomojo = module
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers
-#
-mozilla = module
-
-# Layer: services
-# Module: mpd
-#
-# mpd - daemon for playing music
-#
-mpd = module
-
-# Layer: apps
-# Module: mplayer
-#
-# Policy for Mozilla and related web browsers
-#
-mplayer = module
-
-# Layer: admin
-# Module: mrtg
-#
-# Network traffic graphing
-#
-mrtg = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-#
-mta = module
-
-# Layer: services
-# Module: munin
-#
-# Munin
-#
-munin = module
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-#
-mysql = module
-
-# Layer: contrib
-# Module: mythtv
-#
-# Policy for Mythtv (Web Server)
-#
-mythtv = module
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-#
-nagios = module
-
-# Layer: apps
-# Module: namespace
-#
-# policy for namespace.init script
-#
-namespace = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-#
-ncftool = module
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-#
-networkmanager = module
-
-# Layer: services
-# Module: ninfod
-#
-# Respond to IPv6 Node Information Queries
-#
-ninfod = module
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-#
-nis = module
-
-# Layer: services
-# Module: nova
-#
-# openstack-nova
-#
-nova = module
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-#
-nscd = module
-
-# Layer: services
-# Module: nslcd
-#
-# Policy for nslcd
-#
-nslcd = module
-
-# Layer: services
-# Module: ntop
-#
-# Policy for ntop
-#
-ntop = module
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-#
-ntp = module
-
-# Layer: services
-# Module: numad
-#
-# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
-#
-numad = module
-
-# Layer: services
-# Module: nut
-#
-# nut - Network UPS Tools
-#
-nut = module
-
-# Layer: services
-# Module: nx
-#
-# NX Remote Desktop
-#
-nx = module
-
-# Layer: services
-# Module: obex
-#
-# policy for obex-data-server
-#
-obex = module
-
-# Layer: services
-# Module: oddjob
-#
-# policy for oddjob
-#
-oddjob = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-# -openct = off - -# Layer: service -# Module: openct -# -# Middleware framework for smart card terminals -# -openct = module - -# Layer: contrib -# Module: openshift-origin -# -# Origin version of openshift policy -# -openshift-origin = module -# Layer: contrib -# Module: openshift -# -# Core openshift policy -# -openshift = module - -# Layer: services -# Module: opensm -# -# InfiniBand subnet manager and administration (SM/SA) -# -opensm = module - -# Layer: services -# Module: openvpn -# -# Policy for OPENVPN full-featured SSL VPN solution -# -openvpn = module - -# Layer: contrib -# Module: openvswitch -# -# SELinux policy for openvswitch programs -# -openvswitch = module - -# Layer: services -# Module: openwsman -# -# WS-Management Server -# -openwsman = module - -# Layer: services -# Module: osad -# -# Client-side service written in Python that responds to pings -# -osad = module - -# Layer: contrib -# Module: prelude -# -# SELinux policy for prelude -# -prelude = module - -# Layer: contrib -# Module: prosody -# -# SELinux policy for prosody flexible communications server for Jabber/XMPP -# -prosody = module - -# Layer: services -# Module: pads -# -pads = module - -# Layer: services -# Module: passenger -# -# Passenger -# -passenger = module - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = module - -# Layer: service -# Module: pcscd -# -# PC/SC Smart Card Daemon -# -pcscd = module - -# Layer: services -# Module: pdns -# -# PowerDNS DNS server -# -pdns = module - -# Layer: services -# Module: pegasus -# -# The Open Group Pegasus CIM/WBEM Server. 
-# -pegasus = module - -# Layer: services -# Module: pingd -# -# -pingd = module - -# Layer: services -# Module: piranha -# -# piranha - various tools to administer and configure the Linux Virtual Server -# -piranha = module - -# Layer: contrib -# Module: pkcs -# -# daemon manages PKCS#11 objects between PKCS#11-enabled applications -# -pkcs = module - -# Layer: services -# Module: plymouthd -# -# Plymouth -# -plymouthd = module - -# Layer: apps -# Module: podsleuth -# -# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. -# -podsleuth = module - -# Layer: services -# Module: policykit -# -# Hardware abstraction layer -# -policykit = module - -# Layer: services -# Module: polipo -# -# polipo -# -polipo = module - -# Layer: services -# Module: portmap -# -# RPC port mapping service. -# -portmap = module - -# Layer: services -# Module: portreserve -# -# reserve ports to prevent portmap mapping them -# -portreserve = module - -# Layer: services -# Module: postfix -# -# Postfix email server -# -postfix = module - -# Layer: services -# Module: postgrey -# -# email scanner -# -postgrey = module - -# Layer: services -# Module: ppp -# -# Point to Point Protocol daemon creates links in ppp networks -# -ppp = module - -# Layer: admin -# Module: prelink -# -# Manage temporary directory sizes and file ages -# -prelink = module - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. 
-# -privoxy = module - -# Layer: services -# Module: procmail -# -# Procmail mail delivery agent -# -procmail = module - -# Layer: services -# Module: psad -# -# Analyze iptables log for hostile traffic -# -psad = module - -# Layer: apps -# Module: ptchown -# -# helper function for grantpt(3), changes ownship and permissions of pseudotty -# -ptchown = module - -# Layer: services -# Module: publicfile -# -# publicfile supplies files to the public through HTTP and FTP -# -publicfile = module - -# Layer: apps -# Module: pulseaudio -# -# The PulseAudio Sound System -# -pulseaudio = module - -# Layer: services -# Module: puppet -# -# A network tool for managing many disparate systems -# -puppet = module - -# Layer: apps -# Module: pwauth -# -# External plugin for mod_authnz_external authenticator -# -pwauth = module - -# Layer: services -# Module: qmail -# -# Policy for qmail -# -qmail = module - -# Layer: services -# Module: qpidd -# -# Policy for qpidd -# -qpid = module - -# Layer: services -# Module: quantum -# -# Quantum is a virtual network service for Openstack -# -quantum = module - -# Layer: admin -# Module: quota -# -# File system quota management -# -quota = module - -# Layer: services -# Module: rabbitmq -# -# rabbitmq daemons -# -rabbitmq = module - -# Layer: services -# Module: radius -# -# RADIUS authentication and accounting server. 
-# -radius = module - -# Layer: services -# Module: radvd -# -# IPv6 router advertisement daemon -# -radvd = module - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = module - -# Layer: services -# Module: rasdaemon -# -# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing -# -rasdaemon = module - -# Layer: services -# Module: rdisc -# -# Network router discovery daemon -# -rdisc = module - -# Layer: admin -# Module: readahead -# -# Readahead, read files into page cache for improved performance -# -readahead = module - -# Layer: contrib -# Module: stapserver -# -# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA -# -realmd = module - -# Layer: services -# Module: remotelogin -# -# Policy for rshd, rlogind, and telnetd. -# -remotelogin = module - -# Layer: services -# Module: rhcs -# -# RHCS - Red Hat Cluster Suite -# -rhcs = module - -# Layer: services -# Module: rhev -# -# rhev policy module contains policies for rhev apps -# -rhev = module - -# Layer: services -# Module: rhgb -# -# X windows login display manager -# -rhgb = module - -# Layer: services -# Module: rhsmcertd -# -# Subscription Management Certificate Daemon policy -# -rhsmcertd = module - -# Layer: services -# Module: ricci -# -# policy for ricci -# -ricci = module - -# Layer: services -# Module: rlogin -# -# Remote login daemon -# -rlogin = module - -# Layer: services -# Module: roundup -# -# Roundup Issue Tracking System policy -# -roundup = module - -# Layer: services -# Module: rpcbind -# -# universal addresses to RPC program number mapper -# -rpcbind = module - -# Layer: services -# Module: rpc -# -# Remote Procedure Call Daemon for managment of network based process communication -# -rpc = module - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = module - -# Layer: services -# Module: rshd -# -# Remote shell service. 
-# -rshd = module - -# Layer: apps -# Module: rssh -# -# Restricted (scp/sftp) only shell -# -rssh = module - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization -# -rsync = module - -# Layer: services -# Module: rtkit -# -# Real Time Kit Daemon -# -rtkit = module - -# Layer: services -# Module: rwho -# -# who is logged in on local machines -# -rwho = module - -# Layer: apps -# Module: sambagui -# -# policy for system-config-samba -# -sambagui = module - -# -# SMB and CIFS client/server programs for UNIX and -# name Service Switch daemon for resolving names -# from Windows NT servers. -# -samba = module - -# Layer: apps -# Module: sandbox -# -# Policy for running apps within a sandbox -# -sandbox = module - -# Layer: apps -# Module: sandbox -# -# Policy for running apps within a X sandbox -# -sandboxX = module - -# Layer: services -# Module: sanlock -# -# sanlock policy -# -sanlock = module - -# Layer: services -# Module: sasl -# -# SASL authentication server -# -sasl = module - -# Layer: services -# Module: sblim -# -# sblim -# -sblim = module - -# Layer: apps -# Module: screen -# -# GNU terminal multiplexer -# -screen = module - -# Layer: admin -# Module: sectoolm -# -# Policy for sectool-mechanism -# -sectoolm = module - -# Layer: services -# Module: sendmail -# -# Policy for sendmail. 
-# -sendmail = module - -# Layer: contrib -# Module: sensord -# -# Sensor information logging daemon -# -sensord = module - -# Layer: services -# Module: setroubleshoot -# -# Policy for the SELinux troubleshooting utility -# -setroubleshoot = module - -# Layer: services -# Module: sge -# -# policy for grindengine MPI jobs -# -sge = module - -# Layer: admin -# Module: shorewall -# -# Policy for shorewall -# -shorewall = module - -# Layer: apps -# Module: slocate -# -# Update database for mlocate -# -slocate = module - -# Layer: contrib -# Module: slpd -# -# OpenSLP server daemon to dynamically register services -# -slpd = module - -# Layer: services -# Module: slrnpull -# -# Service for downloading news feeds the slrn newsreader. -# -slrnpull = off - -# Layer: services -# Module: smartmon -# -# Smart disk monitoring daemon policy -# -smartmon = module - -# Layer: services -# Module: smokeping -# -# Latency Logging and Graphing System -# -smokeping = module - -# Layer: admin -# Module: smoltclient -# -#The hardware profiler client -# -smoltclient = module - -# Layer: services -# Module: snmp -# -# Simple network management protocol services -# -snmp = module - -# Layer: services -# Module: snort -# -# Snort network intrusion detection system -# -snort = module - -# Layer: admin -# Module: sosreport -# -# sosreport debuggin information generator -# -sosreport = module - -# Layer: services -# Module: soundserver -# -# sound server for network audio server programs, nasd, yiff, etc -# -soundserver = module - -# Layer: services -# Module: spamassassin -# -# Filter used for removing unsolicited email. 
-# -spamassassin = module - -# Layer: services -# Module: speech-dispatcher -# -# speech-dispatcher - server process managing speech requests in Speech Dispatcher -# -speech-dispatcher = module - -# Layer: services -# Module: squid -# -# Squid caching http proxy server -# -squid = module - -# Layer: services -# Module: sssd -# -# System Security Services Daemon -# -sssd = module - -# Layer: services -# Module: sslh -# -# Applicative protocol(SSL/SSH) multiplexer -# -sslh = module - -# Layer: contrib -# Module: stapserver -# -# Instrumentation System Server -# -stapserver = module - -# Layer: services -# Module: stunnel -# -# SSL Tunneling Proxy -# -stunnel = module - -# Layer: services -# Module: svnserve -# -# policy for subversion service -# -svnserve = module - -# Layer: services -# Module: swift -# -# openstack-swift -# -swift = module - -# Layer: services -# Module: sysstat -# -# Policy for sysstat. Reports on various system states -# -sysstat = module - -# Layer: services -# Module: tcpd -# -# Policy for TCP daemon. -# -tcpd = module - -# Layer: services -# Module: tcsd -# -# tcsd - daemon that manages Trusted Computing resources -# -tcsd = module - -# Layer: apps -# Module: telepathy -# -# telepathy - Policy for Telepathy framework -# -telepathy = module - -# Layer: services -# Module: telnet -# -# Telnet daemon -# -telnet = module - -# Layer: services -# Module: tftp -# -# Trivial file transfer protocol daemon -# -tftp = module - -# Layer: services -# Module: tgtd -# -# Linux Target Framework Daemon. 
-# -tgtd = module - -# Layer: apps -# Module: thumb -# -# Thumbnailer confinement -# -thumb = module - -# Layer: services -# Module: timidity -# -# MIDI to WAV converter and player configured as a service -# -timidity = off - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages -# -tmpreaper = module - -# Layer: contrib -# Module: glusterd -# -# policy for tomcat service -# -tomcat = module -# Layer: services -# Module: tor -# -# TOR, the onion router -# -tor = module - -# Layer: services -# Module: tuned -# -# Dynamic adaptive system tuning daemon -# -tuned = module - -# Layer: apps -# Module: tvtime -# -# tvtime - a high quality television application -# -tvtime = module - -# Layer: services -# Module: ulogd -# -# netfilter/iptables ULOG daemon -# -ulogd = module - -# Layer: apps -# Module: uml -# -# Policy for UML -# -uml = module - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change /etc/fstab. -# -updfstab = module - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices -# -usbmodules = module - -# Layer: services -# Module: usbmuxd -# -# Daemon for communicating with Apple's iPod Touch and iPhone -# -usbmuxd = module - -# Layer: apps -# Module: userhelper -# -# A helper interface to pam. -# -userhelper = module - -# Layer: apps -# Module: usernetctl -# -# User network interface configuration helper -# -usernetctl = module - -# Layer: services -# Module: uucp -# -# Unix to Unix Copy -# -uucp = module - -# Layer: services -# Module: uuidd -# -# UUID generation daemon -# -uuidd = module - -# Layer: services -# Module: varnishd -# -# Varnishd http accelerator daemon -# -varnishd = module - -# Layer: services -# Module: vdagent -# -# vdagent -# -vdagent = module - -# Layer: services -# Module: vhostmd -# -# vhostmd - spice guest agent daemon. 
-# -vhostmd = module - -# Layer: services -# Module: virt -# -# Virtualization libraries -# -virt = module - -# Layer: apps -# Module: vhostmd -# -# vlock - Virtual Console lock program -# -vlock = module - -# Layer: services -# Module: vmtools -# -# VMware Tools daemon -# -vmtools = module - -# Layer: apps -# Module: vmware -# -# VMWare Workstation virtual machines -# -vmware = module - -# Layer: services -# Module: vnstatd -# -# Network traffic Monitor -# -vnstatd = module - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client -# -vpn = module - -# Layer: services -# Module: w3c -# -# w3c -# -w3c = module - -# Layer: services -# Module: wdmd -# -# wdmd policy -# -wdmd = module - -# Layer: role -# Module: webadm -# -# Minimally prived root role for managing apache -# -webadm = module - -# Layer: apps -# Module: webalizer -# -# Web server log analysis -# -webalizer = module - -# Layer: apps -# Module: wine -# -# wine executable -# -wine = module - -# Layer: apps -# Module: wireshark -# -# wireshark executable -# -wireshark = module - -# Layer: system -# Module: xen -# -# virtualization software -# -xen = module - -# Layer: services -# Module: zabbix -# -# Open-source monitoring solution for your IT infrastructure -# -zabbix = module - -# Layer: services -# Module: zarafa -# -# Zarafa Collaboration Platform -# -zarafa = module - -# Layer: services -# Module: zebra -# -# Zebra border gateway protocol network routing service -# -zebra = module - -# Layer: services -# Module: zoneminder -# -# Zoneminder Camera Security Surveillance Solution -# -zoneminder = module - -# Layer: services -# Module: zosremote -# -# policy for z/OS Remote-services Audit dispatcher plugin -# -zosremote = module - -# Layer: contrib -# Module: thin -# -# Policy for thin -# -thin = module - -# Layer: contrib -# Module: mandb -# -# Policy for mandb -# -mandb = module - -# Layer: services -# Module: pki -# -# policy for pki -# -pki = module - -# Layer: services -# Module: smsd 
-# -# policy for smsd -# -smsd = module - -# Layer: contrib -# Module: pesign -# -# policy for pesign -# -pesign = module - -# Layer: contrib -# Module: nsd -# -# Fast and lean authoritative DNS Name Server -# -nsd = module - -# Layer: contrib -# Module: iodine -# -# Fast and lean authoritative DNS Name Server -# -iodine = module - -# Layer: contrib -# Module: openhpid -# -# OpenHPI daemon runs as a background process and accepts connecti -# -openhpid = module - -# Layer: contrib -# Module: watchdog -# -# Watchdog policy -# -watchdog = module - -# Layer: contrib -# Module: oracleasm -# -# oracleasm policy -# -oracleasm = module - -# Layer: contrib -# Module: redis -# -# redis policy -# -redis = module - -# Layer: contrib -# Module: hypervkvp -# -# hypervkvp policy -# -hypervkvp = module - -# Layer: contrib -# Module: lsm -# -# lsm policy -# -lsm = module - -# Layer: contrib -# Module: motion -# -# Daemon for detect motion using a video4linux device -motion = module - -# Layer: contrib -# Module: rtas -# -# rtas policy -# -rtas = module - -# Layer: contrib -# Module: journalctl -# -# journalctl policy -# -journalctl = module - -# Layer: contrib -# Module: gdomap -# -# gdomap policy -# -gdomap = module - -# Layer: contrib -# Module: minidlna -# -# minidlna policy -# -minidlna = module - -# Layer: contrib -# Module: minissdpd -# -# minissdpd policy -# -minissdpd = module - -# Layer: contrib -# Module: freeipmi -# -# Remote-Console (out-of-band) and System Management Software (in-band) -# based on IntelligentPlatform Management Interface specification -# -freeipmi = module - -# Layer: contrib -# Module: mirrormanager -# -# mirrormanager policy -# -mirrormanager = module - -# Layer: contrib -# Module: snapper -# -# snapper policy -# -snapper = module - -# Layer: contrib -# Module: pcp -# -# pcp policy -# -pcp = module - -# Layer: contrib -# Module: geoclue -# -# Add policy for Geoclue. 
Geoclue is a D-Bus service that provides location information -# -geoclue = module - -# Layer: contrib -# Module: rkhunter -# -# rkhunter policy for /var/lib/rkhunter -# -rkhunter = module - -# Layer: contrib -# Module: bacula -# -# bacula policy -# -bacula = module - -# Layer: contrib -# Module: rhnsd -# -# rhnsd policy -# -rhnsd = module - -# Layer: contrib -# Module: mongodb -# -# mongodb policy -# - -mongodb = module - -# Layer: contrib -# Module: iotop -# -# iotop policy -# - -iotop = module - -# Layer: contrib -# Module: kmscon -# -# kmscon policy -# - -kmscon = module - -# Layer: contrib -# Module: naemon -# -# naemon policy -# -naemon = module - -# Layer: contrib -# Module: brltty -# -# brltty policy -# -brltty = module - -# Layer: contrib -# Module: cpuplug -# -# cpuplug policy -# -cpuplug = module - -# Layer: contrib -# Module: mon_statd -# -# mon_statd policy -# -mon_statd = module - -# Layer: contrib -# Module: cinder -# -# openstack-cinder policy -# -cinder = module - -# Layer: contrib -# Module: linuxptp -# -# linuxptp policy -# -linuxptp = module - -# Layer: contrib -# Module: rolekit -# -# rolekit policy -# -rolekit = module - -# Layer: contrib -# Module: targetd -# -# targetd policy -# -targetd = module - -# Layer: contrib -# Module: hsqldb -# -# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. -# -hsqldb = module - -# Layer: contrib -# Module: blkmapd -# -# The blkmapd daemon performs device discovery and mapping for pNFS block layout client. -# -blkmapd = module - -# Layer: contrib -# Module: pkcs11proxyd -# -# pkcs11proxyd policy -# -pkcs11proxyd = module - -# Layer: contrib -# Module: ipmievd -# -# IPMI event daemon for sending events to syslog -# -ipmievd = module - -# Layer: contrib -# Module: openfortivpn -# -# Fortinet compatible SSL VPN daemons. 
-# -openfortivpn = module - -# Layer: contrib -# Module: fwupd -# -# fwupd is a daemon to allow session software to update device firmware. -# -fwupd = module - -# Layer: contrib -# Module: lttng-tools -# -# LTTng 2.x central tracing registry session daemon. -# -lttng-tools = module - -# Layer: contrib -# Module: rkt -# -# CLI for running app containers -# -rkt = module - -# Layer: contrib -# Module: opendnssec -# -# opendnssec -# -opendnssec = module - -# Layer: contrib -# Module: hwloc -# -# hwloc -# -hwloc = module - -# Layer: contrib -# Module: sbd -# -# sbd -# -sbd = module - -# Layer: contrib -# Module: tlp -# -# tlp -# -tlp = module - -# Layer: contrib -# Module: conntrackd -# -# conntrackd -# -conntrackd = module - -# Layer: contrib -# Module: tangd -# -# tangd -# -tangd = module - -# Layer: contrib -# Module: ibacm -# -# ibacm -# -ibacm = module - -# Layer: contrib -# Module: opafm -# -# opafm -# -opafm = module - -# Layer: contrib -# Module: boltd -# -# boltd -# -boltd = module - -# Layer: contrib -# Module: kpatch -# -# kpatch -# -kpatch = module - -# Layer: contrib -# Module: timedatex -# -# timedatex -# -timedatex = module - -# Layer: contrib -# Module: rrdcached -# -# rrdcached -# -rrdcached = module - -# Layer: contrib -# Module: stratisd -# -# stratisd -# -stratisd = module - -# Layer: contrib -# Module: ica -# -# ica -# -ica = module - -# Layer: contrib -# Module: fedoratp -# -# fedoratp -# -fedoratp = module - -# Layer: contrib -# Module: insights_client -# -# insights_client -# -insights_client = module - -# Layer: contrib -# Module: stalld -# -# stalld -# -stalld = module - -# Layer: contrib -# Module: rhcd -# -# rhcd -# -rhcd = module diff --git a/permissivedomains.cil b/permissivedomains.cil deleted file mode 100644 index 400bcf60c11dce880adef60eb53e7128b72cc7fe..0000000000000000000000000000000000000000 --- a/permissivedomains.cil +++ /dev/null @@ -1,2 +0,0 @@ -(roleattributeset cil_gen_require system_r) - 
diff --git a/rpm.macros b/rpm.macros index 9da4c611ce9c0236dcd42f7d63a154bd73a7c1a9..c5c737721234b7c6a02e21eeaa984a84e18008f8 100644 --- a/rpm.macros +++ b/rpm.macros @@ -38,7 +38,11 @@ BuildRequires: selinux-policy-devel \ Requires(post): selinux-policy-base >= %{_selinux_policy_version} \ Requires(post): libselinux-utils \ Requires(post): policycoreutils \ +%if 0%{?fedora} || 0%{?rhel} > 7\ Requires(post): policycoreutils-python-utils \ +%else \ +Requires(post): policycoreutils-python \ +%endif \ %{nil} # %selinux_modules_install [-s ] [-p ] module [module]... @@ -51,8 +55,10 @@ if [ -z "${_policytype}" ]; then \ _policytype="targeted" \ fi \ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ - %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \ - %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ + rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \ + semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \ + selinuxenabled && load_policy || : \ + %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \ fi \ %{nil} @@ -67,15 +73,17 @@ if [ -z "${_policytype}" ]; then \ fi \ if [ $1 -eq 0 ]; then \ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ - %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \ - %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ + rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \ + semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \ + selinuxenabled && load_policy || : \ + %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \ fi \ fi \ %{nil} # %selinux_relabel_pre [-s ] %selinux_relabel_pre("s:") \ -if %{_sbindir}/selinuxenabled; then \ +if selinuxenabled; then \ if [ -e /etc/selinux/config ]; then \ . /etc/selinux/config \ fi \ 
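Review bot: The new `%if 0%{?fedora} || 0%{?rhel} > 7\` condition falls through to `Requires(post): policycoreutils-python` — a package name that does not exist on EL8-and-later — whenever neither `%{fedora}` nor `%{rhel}` is defined, so if the Anolis buildroot defines only its own distro macro, every package built with this macro file ends up with an unsatisfiable post-dependency. I cannot see the distro macros from here, so treat this as an inference to confirm; if Anolis does not set `%{rhel}`, the condition needs whichever distro macro Anolis does define added to it. A one-line comment above the `%if` stating which distributions each branch targets would make the intent checkable by the next reader.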
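Review bot: The added `rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || :` deletes a directory out of the semanage module store by hand, and nothing in the macro explains why this bypasses `semodule -r` or why it must precede the `semodule -i` call; because this text is expanded into the scriptlets of every package that uses `%selinux_modules_install`, a future maintainer cannot safely change it without that reasoning. Both the removal and the later `%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || :` swallow failure, so a missing or failing convert script leaves the store without the regenerated module while the scriptlet still reports success; at minimum add a comment such as `# extra_varrun (priority 400) is regenerated by varrun-convert.sh from the installed modules; drop the stale copy before semodule rebuilds the policy`, and consider printing a warning to stderr when the convert script is absent rather than hiding it entirely. The switch from `%{_sbindir}/semodule` to bare `semodule` relies on rpm's fixed scriptlet PATH (`%{_install_script_path}`), which is fine under rpm but now diverges from the `%post sandbox` scriptlet in the spec in this same commit, which still uses `%{_sbindir}/semodule`; pick one convention.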
@@ -99,9 +107,9 @@ _policytype=%{-s*} \ if [ -z "${_policytype}" ]; then \ _policytype="targeted" \ fi \ -if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ +if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ if [ -f %{_file_context_file_pre} ]; then \ - %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \ + fixfiles -C %{_file_context_file_pre} restore &> /dev/null \ rm -f %{_file_context_file_pre} \ fi \ fi \ @@ -117,9 +125,9 @@ if [ -z "${_policytype}" ]; then \ _policytype="targeted" \ fi \ if [ -d "%{_selinux_store_policy_path}" ]; then \ - LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \ + LOCAL_MODIFICATIONS=$(semanage boolean -E) \ if [ ! -f %_file_custom_defined_booleans ]; then \ - /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \ + echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \ fi \ semanage_import='' \ for boolean in %*; do \ 
@@ -130,20 +138,20 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \ boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \ if [ -n "$boolean_customized_string" ]; then \ - /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \ + echo $boolean_customized_string >> %_file_custom_defined_booleans \ else \ - /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \ + echo $boolean_local_string >> %_file_custom_defined_booleans \ fi \ else \ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \ - boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \ - /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \ + boolean_default_value=$(LC_ALL=C semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \ + echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \ fi \ done; \ - if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ - /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \ + if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + echo -e "$semanage_import" | semanage import -S "${_policytype}" \ elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \ - /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \ + echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \ fi \ fi \ %{nil} 
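Review bot: Replacing `/bin/echo -e "$semanage_import"` with the shell builtin `echo -e` ties the boolean import to the scriptlet interpreter: coreutils echo always honours `-e`, but a POSIX `sh` (dash, or a bash built with xpg_echo) prints `-e` literally and leaves the `\n` sequences unexpanded, so `semanage import` receives one malformed line instead of the `boolean -m ...` records. rpm scriptlets run under `/bin/sh`, which is bash on Anolis, so this works today, but the portable form is `printf '%%b\\n' "$semanage_import" | semanage import -S "${_policytype}"` (doubled `%` and `\\` because this is an rpm macro body); the same change is needed on the `-N` branch two lines below and in the next hunk.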
@@ -169,10 +177,10 @@ if [ -d "%{_selinux_store_policy_path}" ]; then \ fi \ fi \ done; \ - if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ - /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \ + if selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ + echo -e "$semanage_import" | semanage import -S "${_policytype}" \ elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \ - /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \ + echo -e "$semanage_import" | semanage import -S "${_policytype}" -N \ fi \ fi \ %{nil} diff --git a/securetty_types-minimum b/securetty_types-minimum deleted file mode 100644 index 7055096f75a6c0d8ef27a884d6c7026a22f321ac..0000000000000000000000000000000000000000 --- a/securetty_types-minimum +++ /dev/null @@ -1,4 +0,0 @@ -console_device_t -sysadm_tty_device_t -user_tty_device_t -staff_tty_device_t diff --git a/securetty_types-mls b/securetty_types-mls deleted file mode 100644 index 89bf54d7ba41090eebaf71c028b7979db8d759d4..0000000000000000000000000000000000000000 --- a/securetty_types-mls +++ /dev/null @@ -1,6 +0,0 @@ -console_device_t -sysadm_tty_device_t -user_tty_device_t -staff_tty_device_t -auditadm_tty_device_t -secureadm_tty_device_t diff --git a/securetty_types-targeted b/securetty_types-targeted deleted file mode 100644 index 7055096f75a6c0d8ef27a884d6c7026a22f321ac..0000000000000000000000000000000000000000 --- a/securetty_types-targeted +++ /dev/null @@ -1,4 +0,0 @@ -console_device_t -sysadm_tty_device_t -user_tty_device_t -staff_tty_device_t diff --git a/selinux-policy-f13cb45.tar.gz b/selinux-policy-f13cb45.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..3f04ceb7dfd3b0b32aafb6070acae83e91e64843 Binary files /dev/null and b/selinux-policy-f13cb45.tar.gz differ 
diff --git a/selinux-policy-mls.conf b/selinux-policy-mls.conf new file mode 100644 index 0000000000000000000000000000000000000000..0a16d05303c447a53d4e855e6556f24e86889091 --- /dev/null +++ b/selinux-policy-mls.conf @@ -0,0 +1 @@ +selinux-policy-mls diff --git a/selinux-policy-targeted.conf b/selinux-policy-targeted.conf new file mode 100644 index 0000000000000000000000000000000000000000..9c87c4016d354d171cc09017bed47ee90c993cbc --- /dev/null +++ b/selinux-policy-targeted.conf @@ -0,0 +1 @@ +selinux-policy-targeted diff --git a/selinux-policy.spec b/selinux-policy.spec index b964141ef84693beac69d895cc80b2812a818f74..69d80f1e06ec6493a07bd406d8001b31d3b79907 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -1,72 +1,65 @@ -%define anolis_release 2 +%define anolis_release 1 + +# Conditionals for policy types (all built by default) +%bcond targeted 1 +%bcond minimum 1 +%bcond mls 1 + +# github repo with selinux-policy sources +%global giturl https://github.com/fedora-selinux/selinux-policy +%global commit f13cb453322580ba0fcf31157b3e6dd83c81c5d9 +%global shortcommit %(c=%{commit}; echo ${c:0:7}) + %define distro redhat %define polyinstatiate n %define monolithic n -%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1} -%define BUILD_DOC 1 -%endif -%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1} -%define BUILD_TARGETED 1 -%endif -%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1} -%define BUILD_MINIMUM 1 -%endif -%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} -%define BUILD_MLS 1 -%endif -%define policy_version 33 -%define policy_coreutils_version 3.4 -%define check_policy_version 3.2 +%define POLICYVER 34 +%define POLICYCOREUTILSVER 3.8 +%define CHECKPOLICYVER 3.8 Summary: SELinux policy configuration Name: selinux-policy -Version: 37.18 +Version: 40.13.24 Release: %{anolis_release}%{?dist} -License: GPLv2+ -Url: https://github.com/fedora-selinux/%{name} - -Source0: https://github.com/fedora-selinux/%{name}/archive/refs/tags/v%{version}.tar.gz -Source1: modules-targeted-base.conf -Source2: booleans-targeted.conf -Source3: Makefile.devel -Source4: setrans-targeted.conf -Source5: modules-mls-base.conf -Source6: booleans-mls.conf - -Source8: setrans-mls.conf - -Source14: securetty_types-targeted -Source15: securetty_types-mls - -#Source16: modules-minimum.conf -Source17: booleans-minimum.conf -Source18: setrans-minimum.conf -Source19: securetty_types-minimum -Source20: customizable_types -Source22: users-mls -Source23: users-targeted -Source25: users-minimum -Source26: file_contexts.subs_dist -Source27: %{name}.conf -Source28: permissivedomains.cil -Source30: booleans.subs_dist -Source31: modules-targeted-contrib.conf -Source32: modules-mls-contrib.conf -Source33: macro-expander -Source35: 
container-selinux.tgz +License: GPL-2.0-or-later +Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz +Source1: Makefile.devel +Source2: selinux-policy.conf + +# Tool helps during policy development, to expand system m4 macros to raw allow rules +# Git repo: https://github.com/fedora-selinux/macro-expander.git +Source3: macro-expander + +# Include SELinux policy for container from separate container-selinux repo +# Git repo: https://github.com/containers/container-selinux.git +Source4: container-selinux.tgz + +# modules enabled in -minimum policy +Source16: modules-minimum.lst + Source36: selinux-check-proper-disable.service -Source102: rpm.macros +# Script to convert /var/run file context entries to /run +Source37: varrun-convert.sh +# Configuration files to dnf-protect targeted and/or mls subpackages +Source38: selinux-policy-targeted.conf +Source39: selinux-policy-mls.conf + +# Provide rpm macros for packages installing SELinux modules +Source5: rpm.macros + +Url: %{giturl} BuildArch: noarch -BuildRequires: python3 gawk checkpolicy >= %{check_policy_version} m4 policycoreutils-devel >= %{policy_coreutils_version} bzip2 -BuildRequires: make python3-distro +BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 +BuildRequires: make BuildRequires: systemd-rpm-macros -Requires(pre): policycoreutils >= %{policy_coreutils_version} +BuildRequires: groff +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(post): /bin/awk /usr/bin/sha512sum -Requires: rpm-plugin-selinux -Requires: %{name}-any = %{version}-%{release} -Provides: %{name}-base = %{version}-%{release} -Suggests: %{name}-targeted +Requires(meta): (rpm-plugin-selinux if rpm-libs) +Requires: selinux-policy-any = %{version}-%{release} +Provides: selinux-policy-base = %{version}-%{release} +Suggests: selinux-policy-targeted %description SELinux core policy package. 
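Review bot: `Source4: container-selinux.tgz` is an unversioned tarball carried in the package with only a repository URL in its comment, while the main `Source:` line is pinned to `%{commit}` and can be re-fetched and compared; nothing in this hunk lets a reviewer verify which container-selinux revision is being compiled into the shipped policy or reproduce the archive. Record the upstream tag or commit next to `Source4` the way `%global commit` does for the main source, e.g. a comment `# snapshot of container-selinux at <tag/commit>` or, better, a URL-based archive whose name embeds the hash so the pin lives in the spec itself. The same gap exists for the `macro-expander` source, though that is a development tool rather than policy installed on end systems.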
@@ -76,19 +69,20 @@ the policy has been adjusted to provide support for Anolis. %files %{!?_licensedir:%global license %%doc} %license COPYING -%{_unitdir}/selinux-check-proper-disable.service -%{_rpmconfigdir}/macros.d/macros.%{name} -%{_usr}/lib/tmpfiles.d/%{name}.conf -%ghost %{_sysconfdir}/sysconfig/selinux -%ghost %config(noreplace) %{_sysconfdir}/selinux/config -%dir %{_sysconfdir}/selinux -%dir %{_datadir}/selinux/packages %dir %{_datadir}/selinux +%dir %{_datadir}/selinux/packages +%dir %{_sysconfdir}/selinux +%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%ghost %{_sysconfdir}/sysconfig/selinux +%{_usr}/lib/tmpfiles.d/selinux-policy.conf +%{_rpmconfigdir}/macros.d/macros.selinux-policy +%{_unitdir}/selinux-check-proper-disable.service +%{_libexecdir}/selinux/varrun-convert.sh %package sandbox Summary: SELinux sandbox policy -Requires(pre): %{name}-base = %{version}-%{release} -Requires(pre): %{name}-targeted = %{version}-%{release} +Requires(pre): selinux-policy-base = %{version}-%{release} +Requires(pre): selinux-policy-targeted = %{version}-%{release} %description sandbox SELinux sandbox policy for use with the sandbox utility. 
@@ -99,27 +93,28 @@ SELinux sandbox policy for use with the sandbox utility. %post sandbox rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null -%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp +%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy + %{_sbindir}/load_policy fi; exit 0 %preun sandbox if [ $1 -eq 0 ] ; then - %{_sbindir}/semodule -n -d sandbox 2>/dev/null - if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy - fi; + %{_sbindir}/semodule -n -d sandbox 2>/dev/null + if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy + fi; fi; exit 0 %package devel Summary: SELinux policy development files -Requires(pre): %{name} = %{version}-%{release} -Requires: %{name} = %{version}-%{release} -Requires: m4 checkpolicy >= %{check_policy_version} make -Requires(post): policycoreutils-devel >= %{policy_coreutils_version} +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Requires: m4 checkpolicy >= %{CHECKPOLICYVER} +Requires: /usr/bin/make +Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} %description devel SELinux policy development package. 
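Review bot: The `2> /dev/null` added to `%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp` in `%post sandbox` discards the only diagnostic a failed module install produces, and the scriptlet then runs `load_policy` and `exit 0` regardless, so a broken sandbox.pp install leaves no trace in the transaction log. The same redirect is added to `semodule -B -n -s %2` in `%postInstall` and `semodule -n -d $MOD_NAME` in `%preInstall` in the next large hunk (the one headed `@@ -150,346 +144,381 @@`). Keeping the scriptlet non-fatal is reasonable, but the failure should still be reported, e.g. `%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null || echo "selinux-policy: installing sandbox.pp failed, policy not updated" >&2`, and likewise `|| echo "selinux-policy: semodule -B failed for %2" >&2` on the rebuild line.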
@@ -130,19 +125,18 @@ This package contains: and some additional files. %files devel -%dir %{abidir} -%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info -%{_datadir}/selinux/devel/policy.* -%{_datadir}/selinux/devel/example.* -%{_datadir}/selinux/devel/Makefile -%{_datadir}/selinux/devel/html/*css -%{_datadir}/selinux/devel/html/*html -%dir %{_datadir}/selinux/devel/html -%{_datadir}/selinux/devel/include/* -%dir %{_datadir}/selinux/devel/include -%dir %{_datadir}/selinux/devel -%{abidir}/macro-expander-option.list %{_bindir}/macro-expander +%dir %{_datadir}/selinux/devel +%dir %{_datadir}/selinux/devel/include +%{_datadir}/selinux/devel/include/* +%exclude %{_datadir}/selinux/devel/include/contrib/container.if +%dir %{_datadir}/selinux/devel/html +%{_datadir}/selinux/devel/html/*html +%{_datadir}/selinux/devel/html/*css +%{_datadir}/selinux/devel/Makefile +%{_datadir}/selinux/devel/example.* +%{_datadir}/selinux/devel/policy.* +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info %post devel %{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null 
@@ -150,346 +144,381 @@ exit 0 %package doc Summary: SELinux policy documentation -Requires(pre): %{name} = %{version}-%{release} -Requires: %{name} = %{version}-%{release} +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} %description doc SELinux policy documentation package. This package contains manual pages and documentation of the policy modules. +%files doc +%{_mandir}/man*/* +%exclude %{_mandir}/man8/container_selinux.8.gz +%doc %{_datadir}/doc/%{name} + %define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 -%define backupConfigLua() \ -local sysconfdir = rpm.expand("%{_sysconfdir}") \ -local config_file = sysconfdir .. "/selinux/config" \ -local config_backup = sysconfdir .. "/selinux/.config_backup" \ -os.remove(config_backup) \ -if posix.stat(config_file) then \ - local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \ - local content = f:read("*all") \ - f:close() \ - local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \ - local bf = assert(io.open(config_backup, "w"), "Failed to open " .. 
config_backup) \ - bf:write(backup) \ - bf:close() \ -end +%define makeCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ +install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \ +install -p -m0644 ./dist/%1/users ./policy/users \ -%define nonBaseModulesList() \ -contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \ -base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \ -for i in $contrib_modules $base_modules; do \ - if [ $i != "sandbox" ];then \ - echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ - fi; \ -done; -%define checkConfigConsistency() \ -if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \ - . %{_sysconfdir}/selinux/.config_backup; \ -else \ - BACKUP_SELINUXTYPE=targeted; \ -fi; \ -if [ -s %{_sysconfdir}/selinux/config ]; then \ - . %{_sysconfdir}/selinux/config; \ - if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \ - if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \ - sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \ - fi; \ - elif [ "%1" = "targeted" ]; then \ - if [ "%1" != "$SELINUXTYPE" ]; then \ - sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ - fi; \ - elif ! 
ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \ - if [ "%1" != "$SELINUXTYPE" ]; then \ - sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ - fi; \ - fi; \ -fi; +%define makeModulesConf() \ +install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \ -%define modulesList() \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \ -if [ -e ./policy/modules-contrib.conf ];then \ - awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \ -fi; +%define installCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ +%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +install -p -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ +install -p -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ +install -p -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +touch 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ +install -p -m0644 ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \ +rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ +%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ +rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ +%nil -%define postInstall() \ +%define fileList() \ +%defattr(-,root,root) \ +%dir %{_sysconfdir}/selinux/%1 \ +%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ +%dir %{_sysconfdir}/selinux/%1/logins \ +%dir %{_sharedstatedir}/selinux/%1/active \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ +%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ +%dir %{_sysconfdir}/selinux/%1/policy/ \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ +%{_sysconfdir}/selinux/%1/.policy.sha512 \ +%dir %{_sysconfdir}/selinux/%1/contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ +%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ 
+%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ +%dir %{_sysconfdir}/selinux/%1/contexts/files \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ +%{_sysconfdir}/selinux/%1/booleans.subs_dist \ +%config %{_sysconfdir}/selinux/%1/contexts/files/media \ +%dir %{_sysconfdir}/selinux/%1/contexts/users \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ +%dir %{_datadir}/selinux/%1 \ +%{_datadir}/selinux/%1/base.lst \ +%{_datadir}/selinux/%1/modules.lst \ +%{_datadir}/selinux/%1/nonbasemodules.lst \ +%dir %{_sharedstatedir}/selinux/%1 \ 
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \ +%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ +%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ +%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil \ +%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/lang_ext \ +%nil + +%define relabel() \ if [ -s %{_sysconfdir}/selinux/config ]; then \ - . %{_sysconfdir}/selinux/config &> /dev/null || true; \ + . 
%{_sysconfdir}/selinux/config &> /dev/null || true; \ fi; \ -if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ - rm %{_sysconfdir}/selinux/%2/.rebuild; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ + %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ + rm -f ${FILE_CONTEXT}.pre; \ fi; \ -%{_sbindir}/semodule -B -n -s %2; \ -[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \ -if [ %1 -eq 1 ]; then \ - %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ -else \ -%relabel %2 \ +# rebuilding the rpm database still can sometimes result in an incorrect context \ +%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \ +# In some scenarios, /usr/bin/httpd is labelled incorrectly after sbin merge. \ +# Relabel all files under /usr/bin, in case they got installed before policy \ +# was updated and the labels were incorrect. \ +%{_sbindir}/restorecon -R /usr/bin /usr/sbin \ +if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ + continue; \ fi; %define preInstall() \ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ - for MOD_NAME in ganesha ipa_custodia kdbus; do \ - if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \ - %{_sbindir}/semodule -n -d $MOD_NAME; \ - fi; \ - done; \ - . 
%{_sysconfdir}/selinux/config; \ - FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ - if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ - [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ - fi; \ - touch %{_sysconfdir}/selinux/%1/.rebuild; \ - if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \ - POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \ - sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ + for MOD_NAME in ganesha ipa_custodia kdbus; do \ + if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \ + %{_sbindir}/semodule -n -d $MOD_NAME 2> /dev/null; \ + fi; \ + done; \ + . %{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ + [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ + fi; \ + touch %{_sysconfdir}/selinux/%1/.rebuild; \ + if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \ + POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \ + sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \ if [ "$sha512" == "$checksha512" ] ; then \ rm %{_sysconfdir}/selinux/%1/.rebuild; \ fi; \ - fi; \ + fi; \ fi; -%define relabel() \ +%define postInstall() \ if [ -s %{_sysconfdir}/selinux/config ]; then \ - . %{_sysconfdir}/selinux/config &> /dev/null || true; \ + . 
%{_sysconfdir}/selinux/config &> /dev/null || true; \ fi; \ -FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ -if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ - %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ - rm -f ${FILE_CONTEXT}.pre; \ +if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ + rm %{_sysconfdir}/selinux/%2/.rebuild; \ fi; \ -# rebuilding the rpm database still can sometimes result in an incorrect context \ -%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \ -if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ - continue; \ +%{_sbindir}/semodule -B -n -s %2 2> /dev/null; \ +[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \ +if [ %1 -eq 1 ]; then \ + %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ +else \ +%relabel %2 \ fi; -%define fileList() \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ -%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ -%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ -%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \ -%dir %{_sharedstatedir}/selinux/%1 \ -%{_datadir}/selinux/%1/nonbasemodules.lst \ -%{_datadir}/selinux/%1/modules-contrib.lst \ 
-%{_datadir}/selinux/%1/modules-base.lst \ -%{_datadir}/selinux/%1/base.lst \ -%dir %{_datadir}/selinux/%1 \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ -%dir %{_sysconfdir}/selinux/%1/contexts/users \ -%config %{_sysconfdir}/selinux/%1/contexts/files/media \ -%{_sysconfdir}/selinux/%1/booleans.subs_dist \ -%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ -%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ -%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ -%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ -%dir %{_sysconfdir}/selinux/%1/contexts/files \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ -%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ -%config 
%{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ -%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ -%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ -%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ -%dir %{_sysconfdir}/selinux/%1/contexts \ -%{_sysconfdir}/selinux/%1/.policy.sha512 \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{policy_version} \ -%dir %{_sysconfdir}/selinux/%1/policy/ \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ -%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ -%dir %{_sharedstatedir}/selinux/%1/active \ -%dir %{_sysconfdir}/selinux/%1/logins \ -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ -%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ -%dir %{_sysconfdir}/selinux/%1 \ -%defattr(-,root,root) \ -%nil +%define modulesList() \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \ -%define installCmds() \ -%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ -%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \ -make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ -make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ -make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 
DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ -%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ -install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ -install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ -install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ -install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ -cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ -rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ -%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{policy_version} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ -rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ -rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ -rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ -%nil +%define nonBaseModulesList() \ +modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \ +for i in $modules; do \ + if [ $i != "sandbox" ];then \ + echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ + fi; \ +done; -%define makeModulesConf() \ -cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ -cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ -if [ %3 == "contrib" ];then \ - cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ - 
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ +# Make sure the config is consistent with what packages are installed in the system +# this covers cases when system is installed with selinux-policy-{mls,minimal} +# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not +# been rebooted yet. +# The macro should be called at the beginning of "post" (to make sure load_policy does not fail) +# and in "posttrans" (to make sure that the store is consistent when all package transitions are done) +# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable) +# Steps: +# * load values from config and its backup +# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so +# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used +# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't +%define checkConfigConsistency() \ +if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \ + . %{_sysconfdir}/selinux/.config_backup; \ +else \ + BACKUP_SELINUXTYPE=targeted; \ fi; \ +if [ -s %{_sysconfdir}/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \ + if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \ + sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \ + fi; \ + elif [ "%1" = "targeted" ]; then \ + if [ "%1" != "$SELINUXTYPE" ]; then \ + sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ + fi; \ + elif ! 
ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \ + if [ "%1" != "$SELINUXTYPE" ]; then \ + sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ + fi; \ + fi; \ +fi; -%define makeCmds() \ -%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ -%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ -cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ -cp -f selinux_config/users-%1 ./policy/users \ +# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names +# of variables inside so that they are easy to use later +# This should be done in "pretrans" because config content can change during RPM operations +# The macro has to be used in a script slot with "-p " +%define backupConfigLua() \ +local sysconfdir = rpm.expand("%{_sysconfdir}") \ +local config_file = sysconfdir .. "/selinux/config" \ +local config_backup = sysconfdir .. "/selinux/.config_backup" \ +os.remove(config_backup) \ +if posix.stat(config_file) then \ + local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \ + local content = f:read("*all") \ + f:close() \ + local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \ + local bf = assert(io.open(config_backup, "w"), "Failed to open " .. 
config_backup) \ + bf:write(backup) \ + bf:close() \ +end + +# Remove the local_varrun SELinux module +%define removeVarrunModuleLua() \ +if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \ + os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \ +end %build %prep -%setup -n %{name}-%{version} -q -tar -C policy/modules/contrib -xf %{SOURCE35} - -mkdir selinux_config -for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do - cp $i selinux_config -done +%autosetup -p 1 -n %{name}-%{commit} +tar -C policy/modules/contrib -xf %{SOURCE4} %install +# Build targeted policy %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/selinux mkdir -p %{buildroot}%{_sysconfdir}/sysconfig touch %{buildroot}%{_sysconfdir}/selinux/config touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ -cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ +install -p -m0644 %{SOURCE2} %{buildroot}%{_usr}/lib/tmpfiles.d/ mkdir -p %{buildroot}%{_bindir} -install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/ +install -p -m 755 %{SOURCE3} %{buildroot}%{_bindir}/ +mkdir -p %{buildroot}%{_libexecdir}/selinux +install -p -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux +# Always create policy module package directories mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ + mkdir -p %{buildroot}%{_datadir}/selinux/packages -make clean +mkdir -p %{buildroot}%{_sysconfdir}/dnf/protected.d/ -%if %{BUILD_MLS} -%makeCmds mls mls deny -%makeModulesConf mls base contrib -%installCmds mls mls deny -%modulesList mls -%nonBaseModulesList mls +# Install devel +make clean +%if %{with targeted} +# Build 
targeted policy +%makeCmds targeted mcs allow +%makeModulesConf targeted +%installCmds targeted mcs allow +# install permissivedomains.cil +%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i \ + ./dist/permissivedomains.cil +# recreate sandbox.pp +rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox +%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp +mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp +%modulesList targeted +%nonBaseModulesList targeted +install -p -m 644 %{SOURCE38} %{buildroot}%{_sysconfdir}/dnf/protected.d/ %endif -%if %{BUILD_MINIMUM} +%if %{with minimum} +# Build minimum policy %makeCmds minimum mcs allow -%makeModulesConf targeted base contrib +%makeModulesConf targeted %installCmds minimum mcs allow rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox +install -p -m 644 %{SOURCE16} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst %modulesList minimum %nonBaseModulesList minimum %endif -%if %{BUILD_TARGETED} -%makeCmds targeted mcs allow -%makeModulesConf targeted base contrib -%installCmds targeted mcs allow -%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28} -rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox -%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp -mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp -%modulesList targeted -%nonBaseModulesList targeted +%if %{with mls} +# Build mls policy +%makeCmds mls mls deny +%makeModulesConf mls +%installCmds mls mls deny +%modulesList mls +%nonBaseModulesList mls +install -p -m 644 %{SOURCE39} %{buildroot}%{_sysconfdir}/dnf/protected.d/ %endif +# remove leftovers when save-previous=true (semanage.conf) is used rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous -mkdir -p %{buildroot}%{_mandir} -cp -R man/* %{buildroot}%{_mandir} make %common_params 
UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers mkdir %{buildroot}%{_datadir}/selinux/devel/ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include -install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile -install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ -install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ -%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} +install -p -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/Makefile +install -p -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ +install -p -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ +%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_mandir}/man8/ -w -r %{buildroot} mkdir %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d -install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name} -sed -i 's/SELINUXpolicy_versionSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name} -sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name} +install -p -m 644 %{SOURCE5} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy +sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy +sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy mkdir -p %{buildroot}%{_unitdir} -install -m 644 %{SOURCE36} %{buildroot}%{_unitdir} - -rm -rf selinux_config - -%generate_compatibility_deps 
+install -p -m 644 %{SOURCE36} %{buildroot}%{_unitdir} %post %systemd_post selinux-check-proper-disable.service if [ ! -s %{_sysconfdir}/selinux/config ]; then - +# +# New install so we will default to targeted policy +# echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. - -# NOTE: If you need a system with SELinux +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +# See also: +# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes +# +# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also +# fully disable SELinux during boot. If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # -# grubby --update-kernel ALL --args selinux=0 +# grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # -# grubby --update-kernel ALL --remove-args selinux +# grubby --update-kernel ALL --remove-args selinux # SELINUX=enforcing # SELINUXTYPE= can take one of these three values: -# targeted - Targeted processes are protected, -# minimum - Modification of targeted policy. Only selected processes are protected. -# mls - Multi Level Security protection. +# targeted - Targeted processes are protected, +# minimum - Modification of targeted policy. Only selected processes are protected. +# mls - Multi Level Security protection. 
SELINUXTYPE=targeted " > %{_sysconfdir}/selinux/config - ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux - %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : + ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux + %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : else - . %{_sysconfdir}/selinux/config + . %{_sysconfdir}/selinux/config fi exit 0 
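Review bot: The new `# Install devel` comment sits directly above `make clean` and the `%if %{with targeted}` policy build, while the devel files are actually installed much later in `%install` (the `install-headers` and `%{_datadir}/selinux/devel/` lines), so it points a reader at the wrong step; `# Build targeted policy` is also written twice, once right after `%install` above the common setup (`mkdir`/`touch` of `%{_sysconfdir}/selinux`, the tmpfiles and macro-expander installs) and once inside the targeted block. I would replace the first occurrence with `# Common files and directories shared by all policy flavours`, replace `# Install devel` with `# Start from a clean tree before building the policy flavours`, and keep only the copy inside the `%if %{with targeted}` block. Separately, the base `%post` still writes `SELINUXTYPE=targeted` into a fresh `%{_sysconfdir}/selinux/config` unconditionally even though the targeted store is now built only `%{with targeted}`; if a build without targeted is ever intended that default presumably needs the same conditional, and if not, a one-line comment stating that targeted is assumed to always be built would save the next reader the question.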
@@ -499,26 +528,103 @@ exit 0 %postun %systemd_postun selinux-check-proper-disable.service if [ $1 = 0 ]; then - %{_sbindir}/setenforce 0 2> /dev/null - if [ ! -s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config - fi + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi +fi +exit 0 + +%if %{with targeted} +%package targeted +Summary: SELinux targeted policy +Provides: selinux-policy-any = %{version}-%{release} +Obsoletes: selinux-policy-targeted-sources < 2 +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: audispd-plugins <= 1.7.7-1 +Obsoletes: mod_fcgid-selinux <= %{version}-%{release} +Obsoletes: cachefilesd-selinux <= 0.10-1 +Conflicts: seedit +Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 +Conflicts: container-selinux < 2:1.12.1-22 + +%description targeted +SELinux targeted policy package. + +%pretrans targeted -p +%backupConfigLua +%removeVarrunModuleLua targeted + +%pre targeted +%preInstall targeted + +%post targeted +%checkConfigConsistency targeted +exit 0 + +%posttrans targeted +%checkConfigConsistency targeted +%{_libexecdir}/selinux/varrun-convert.sh targeted +%postInstall $1 targeted +%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm /etc/mdevctl.d + +%postun targeted +if [ $1 = 0 ]; then + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "targeted" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! 
-s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi fi exit 0 +%triggerin -- pcre2 +%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null +exit 0 + +%triggerprein -p -- container-selinux +%removeVarrunModuleLua targeted + +%triggerprein -p -- pcp-selinux +%removeVarrunModuleLua targeted + +%triggerpostun -- pcp-selinux +%{_libexecdir}/selinux/varrun-convert.sh targeted +exit 0 + +%triggerpostun -- container-selinux +%{_libexecdir}/selinux/varrun-convert.sh targeted +exit 0 + +%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-targeted.conf +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u +%fileList targeted +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains +%endif -%if %{BUILD_MINIMUM} +%if %{with minimum} %package minimum Summary: SELinux minimum policy -Provides: %{name}-any = %{version}-%{release} -Requires(post): policycoreutils-python-utils >= %{policy_coreutils_version} +Provides: selinux-policy-any = %{version}-%{release} +Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils -Requires(pre): %{name} = %{version}-%{release} -Requires: %{name} = %{version}-%{release} -Conflicts: seedit +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description minimum 
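Review bot: The new `%postun targeted` block obtains `SELINUXTYPE` with `source %{_sysconfdir}/selinux/config &> /dev/null || true`, which executes every line of the configuration file as root shell code rather than reading one key=value setting; the same construct appears in the `%postun minimum` and `%postun mls` scriptlets in the later hunks, while the `%post` scriptlet in the previous hunk uses the POSIX `.` form for the same file. Extracting only the key avoids interpreting the file as a script: `SELINUXTYPE=$(sed -n 's/^SELINUXTYPE=//p' %{_sysconfdir}/selinux/config 2> /dev/null)`. Separately, `%triggerin -- pcre2` now sends `semodule -nB` errors to /dev/null, so a failed policy rebuild after a pcre2 update leaves nothing in the transaction output; keeping stderr for that command would preserve the diagnostic.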
@@ -530,80 +636,61 @@ SELinux minimum policy package. %pre minimum %preInstall minimum if [ $1 -ne 1 ]; then - %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst + %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst fi %post minimum %checkConfigConsistency minimum -contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst` -basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst` +modules=`cat %{_datadir}/selinux/minimum/modules.lst` +basemodules=`cat %{_datadir}/selinux/minimum/base.lst` +enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst` if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then - mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled + mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled fi if [ $1 -eq 1 ]; then -for p in $contribpackages; do - touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +for p in $modules; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done -for p in $basepackages apache dbus inetd kerberos mta nis; do - rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +for p in $basemodules $enabledmodules; do + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done %{_sbindir}/semanage import -S minimum -f - << __eof -login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ -login -m -s unconfined_u -r s0-s0:c0.c1023 root +login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ +login -m -s unconfined_u -r s0-s0:c0.c1023 root __eof %{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null -%{_sbindir}/semodule -B -s minimum +%{_sbindir}/semodule -B -s minimum 2> /dev/null else instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst` -for p in $contribpackages; do - touch 
%{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p +for p in $packages; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done for p in $instpackages apache dbus inetd kerberos mta nis; do - rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done -%{_sbindir}/semodule -B -s minimum +%{_sbindir}/semodule -B -s minimum 2> /dev/null %relabel minimum fi exit 0 %posttrans minimum %checkConfigConsistency minimum +%{_libexecdir}/selinux/varrun-convert.sh minimum %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun minimum if [ $1 = 0 ]; then - if [ -s %{_sysconfdir}/selinux/config ]; then - source %{_sysconfdir}/selinux/config &> /dev/null || true - fi - if [ "$SELINUXTYPE" = "minimum" ]; then - %{_sbindir}/setenforce 0 2> /dev/null - if [ ! -s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config - fi - fi -fi -exit 0 - -%triggerpostun minimum -- %{name}-minimum < 3.13.1-138 -if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then - rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/* -fi -CR=$'\n' -INPUT="" -for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do - module=`basename $i | sed 's/.pp.disabled//'` - if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then - touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p - fi -done -for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do - INPUT="${INPUT}${CR}module -N -a $i" -done -echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N -if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ 
"$SELINUXTYPE" = "minimum" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi fi exit 0 @@ -611,19 +698,20 @@ exit 0 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u %fileList minimum +%{_datadir}/selinux/minimum/modules-enabled.lst %endif -%if %{BUILD_MLS} +%if %{with mls} %package mls Summary: SELinux MLS policy -Provides: %{name}-any = %{version}-%{release} -Obsoletes: %{name}-mls-sources < 2 -Requires: policycoreutils-newrole >= %{policy_coreutils_version} setransd -Requires(pre): policycoreutils >= %{policy_coreutils_version} +Provides: selinux-policy-any = %{version}-%{release} +Obsoletes: selinux-policy-mls-sources < 2 +Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils -Requires(pre): %{name} = %{version}-%{release} -Requires: %{name} = %{version}-%{release} -Conflicts: seedit +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description mls 
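Review bot: The upgrade branch of `%post minimum` iterates `for p in $packages; do`, but `packages` is never assigned — the variables defined at the top of the scriptlet are `modules`, `basemodules` and `enabledmodules` — so on upgrade (`$1 -ne 1`) nothing is marked disabled and the install and upgrade paths diverge; it should read `for p in $modules; do`. The upgrade branch also still re-enables the hard-coded list `apache dbus inetd kerberos mta nis` while the install branch uses `$enabledmodules` from modules-enabled.lst, which looks like an oversight unless the two lists are meant to differ. Adding `2> /dev/null` to both `semodule -B -s minimum` calls hides a failed policy build on the step that decides what gets enforced; consider leaving stderr visible there.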
@@ -637,144 +725,40 @@ SELinux MLS (Multi Level Security) policy package. %post mls %checkConfigConsistency mls -%postInstall $1 mls exit 0 %posttrans mls %checkConfigConsistency mls +%{_libexecdir}/selinux/varrun-convert.sh mls +%postInstall $1 mls %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun mls if [ $1 = 0 ]; then - if [ -s %{_sysconfdir}/selinux/config ]; then - source %{_sysconfdir}/selinux/config &> /dev/null || true - fi - if [ "$SELINUXTYPE" = "mls" ]; then - %{_sbindir}/setenforce 0 2> /dev/null - if [ ! -s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config - fi - fi + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "mls" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi fi exit 0 -%triggerpostun mls -- %{name}-mls < 3.13.1-138 -CR=$'\n' -INPUT="" -for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do - module=`basename $i | sed 's/.pp.disabled//'` - if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then - touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p - fi -done -for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do - INPUT="${INPUT}${CR}module -N -a $i" -done -echo "$INPUT" | %{_sbindir}/semanage import -S mls -N -if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy -fi -exit 0 - - %files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-mls.conf %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u %fileList mls %endif -%if 
%{BUILD_TARGETED} -%package targeted -Conflicts: container-selinux < 2:1.12.1-22 -Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 -Conflicts: seedit cachefilesd-selinux <= 0.10-1 -Obsoletes: mod_fcgid-selinux <= %{version}-%{release} -Conflicts: audispd-plugins <= 1.7.7-1 -Requires: %{name} = %{version}-%{release} -Requires(pre): %{name} = %{version}-%{release} coreutils -Requires(pre): policycoreutils >= %{policy_coreutils_version} -Obsoletes: %{name}-targeted-sources < 2 -Provides: %{name}-any = %{version}-%{release} -Summary: SELinux targeted policy - -%description targeted -SELinux targeted policy package. - -%pretrans targeted -p -%backupConfigLua - -%pre targeted -%preInstall targeted - -%post targeted -%checkConfigConsistency targeted -%postInstall $1 targeted -exit 0 - -%posttrans targeted -%checkConfigConsistency targeted -%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm - -%postun targeted -if [ $1 = 0 ]; then - if [ -s %{_sysconfdir}/selinux/config ]; then - source %{_sysconfdir}/selinux/config &> /dev/null || true - fi - if [ "$SELINUXTYPE" = "targeted" ]; then - %{_sbindir}/setenforce 0 2> /dev/null - if [ ! 
-s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config - fi - fi -fi -exit 0 - -%triggerin -- pcre2 -%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB -exit 0 - -%triggerpostun -- %{name}-targeted < 3.12.1-74 -rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null -exit 0 - -%triggerpostun targeted -- %{name}-targeted < 3.13.1-138 -CR=$'\n' -INPUT="" -for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do - module=`basename $i | sed 's/.pp.disabled//'` - if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then - touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p - fi -done -for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do - INPUT="${INPUT}${CR}module -N -a $i" -done -for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do - cp $i %{_sharedstatedir}/selinux/targeted/active -done -echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N -if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy -fi -exit 0 - -%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst -%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u -%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u -%fileList targeted -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains -%endif - -%files doc -%{_mandir}/man*/* -%{_mandir}/ru/*/* -%doc %{_datadir}/doc/%{name} - - %changelog +* Mon Mar 24 2025 Bo Ren - 40.13.24-1 +- Update to 40.13.24 from 37.18 + * Sat Apr 15 2023 Zhongling He 37.18-2 - refactor rpm spec diff --git a/setrans-minimum.conf b/setrans-minimum.conf deleted file mode 100644 index 09a6ce3dd0ae797a5c4048f2af36387eabae201f..0000000000000000000000000000000000000000 
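Review bot: The `%files doc` section (`%{_mandir}/man*/*`, `%{_mandir}/ru/*/*`, `%doc %{_datadir}/doc/%{name}`) is removed in this hunk with no replacement visible in the diff; if `%package doc` is still declared earlier in the spec, outside this hunk, the build would end up with either an empty subpackage or installed-but-unpackaged man pages, so the declaration and the file list should be removed together. In `%posttrans mls`, `%{_libexecdir}/selinux/varrun-convert.sh mls` is called bare; that script ends in an `&&` chain (see the new file below), so it returns non-zero whenever there is no CIL to load, and whether that status affects the rest of the scriptlet depends on how rpm invokes the interpreter. Appending `|| :` to that call, as the spec already does for `restorecon` in `%post`, removes the question; the same applies to `%posttrans targeted` and `%posttrans minimum` in the earlier hunks.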
--- a/setrans-minimum.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023. Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh
diff --git a/setrans-mls.conf b/setrans-mls.conf
deleted file mode 100644
index eb181d2f304b53356a8394be94353bca99fd8df2..0000000000000000000000000000000000000000
--- a/setrans-mls.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Multi-Level Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be labeled with one of 16 levels and be categorized with 0-1023
-# categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Users can modify this table to translate the MLS labels for different purpose.
-#
-# Assumptions: using below MLS labels.
-# SystemLow
-# SystemHigh
-# Unclassified
-# Secret with compartments A and B.
-#
-# SystemLow and SystemHigh
-s0=SystemLow
-s15:c0.c1023=SystemHigh
-s0-s15:c0.c1023=SystemLow-SystemHigh
-
-# Unclassified level
-s1=Unclassified
-
-# Secret level with compartments
-s2=Secret
-s2:c0=A
-s2:c1=B
-
-# ranges for Unclassified
-s0-s1=SystemLow-Unclassified
-s1-s2=Unclassified-Secret
-s1-s15:c0.c1023=Unclassified-SystemHigh
-
-# ranges for Secret with compartments
-s0-s2=SystemLow-Secret
-s0-s2:c0=SystemLow-Secret:A
-s0-s2:c1=SystemLow-Secret:B
-s0-s2:c0,c1=SystemLow-Secret:AB
-s1-s2:c0=Unclassified-Secret:A
-s1-s2:c1=Unclassified-Secret:B
-s1-s2:c0,c1=Unclassified-Secret:AB
-s2-s2:c0=Secret-Secret:A
-s2-s2:c1=Secret-Secret:B
-s2-s2:c0,c1=Secret-Secret:AB
-s2-s15:c0.c1023=Secret-SystemHigh
-s2:c0-s2:c0,c1=Secret:A-Secret:AB
-s2:c0-s15:c0.c1023=Secret:A-SystemHigh
-s2:c1-s2:c0,c1=Secret:B-Secret:AB
-s2:c1-s15:c0.c1023=Secret:B-SystemHigh
-s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
diff --git a/setrans-targeted.conf b/setrans-targeted.conf
deleted file mode 100644
index 09a6ce3dd0ae797a5c4048f2af36387eabae201f..0000000000000000000000000000000000000000
--- a/setrans-targeted.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023. Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh
diff --git a/users-minimum b/users-minimum
deleted file mode 100644
index 66af86081a45eeebbb1b5f3e9141651e97ec3283..0000000000000000000000000000000000000000
--- a/users-minimum
+++ /dev/null
@@ -1,39 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
deleted file mode 100644
index 8fad9ea21e122378c02559a46335daa10dca890c..0000000000000000000000000000000000000000
--- a/users-mls
+++ /dev/null
@@ -1,40 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/users-targeted b/users-targeted
deleted file mode 100644
index a875306f1258f02deacfcb82d3537c85f84988db..0000000000000000000000000000000000000000
--- a/users-targeted
+++ /dev/null
@@ -1,41 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/v37.18.tar.gz b/v37.18.tar.gz
deleted file mode 100644
index ddc856aa1adf828caa642ece81105e3b4580c448..0000000000000000000000000000000000000000
Binary files a/v37.18.tar.gz and /dev/null differ
diff --git a/varrun-convert.sh b/varrun-convert.sh
new file mode 100755
index 0000000000000000000000000000000000000000..bdf6f997a8d6a9b1a40decc7044a227ae04b00c8
--- /dev/null
+++ b/varrun-convert.sh
@@ -0,0 +1,95 @@
+#!/usr/bin/bash
+### varrun-convert.sh
+### convert legacy filecontext entries containing /var/run to /run
+### and load an extra selinux module with the new content
+### the script takes a policy name as an argument
+
+# Set DEBUG=yes before running the script to get more verbose output
+# on the terminal and to the $LOG file
+if [ "${DEBUG}" = "yes" ]; then
+ set -x
+fi
+
+# Auxiliary and log files will be created in OUTPUTDIR
+OUTPUTDIR="/run/selinux-policy"
+LOG="$OUTPUTDIR/log"
+mkdir -p ${OUTPUTDIR}
+
+if [ -z ${1} ]; then
+ [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
+ exit
+fi
+
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+# Take current file_contexts and unify whitespace separators
+FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
+if [ ! -f ${FILE_CONTEXTS} ]; then
+ [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
+ exit
+fi
+
+if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
+ [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
+ exit
+fi
+
+EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
+EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
+EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
+
+# Print only /var/run entries
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+
+# Unify whitespace separators
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
+
+# Deduplicate already existing /var/run=/run entries
+while read line
+do
+ subline="${line#/var}"
+ if ! 
grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
+ echo "$line"
+ fi
+done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
+
+# Change /var/run to /run
+sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
+
+# Exception handling: packages with already duplicate entries
+sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
+
+# Change format to cil
+sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
+
+# Handle entries with <> which do not match previous regexps
+sed -i s'/ <>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
+
+# Wrap each line with an optional block
+i=1
+while read line
+do
+ echo "(optional extra_var_run_${i}"
+ echo " $line"
+ echo ")"
+ ((i++))
+done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
+
+# Load module
+[ -s ${EXTRA_VARRUN_CIL} ] &&
+/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
+
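Review bot: Both `while read line` loops in varrun-convert.sh read without `-r`, so backslashes in file_contexts entries (`\.` is the usual way to write a literal dot in a path regex) are consumed by `read`; the dedup test at the start of this line then compares a stripped pattern against the unstripped file, and the `filecon` rules emitted into the CIL carry the altered, broader regex. Use `while IFS= read -r line` in both loops. The dedup check itself treats `${subline}` as a regex (`grep -q "^${subline}"`), so metacharacters in an entry can match other lines besides their own; a fixed-string comparison such as `grep -qxF -- "${subline}"` is what "already existing" means here. Also `[ -z ${1} ]` only works because `[ -z ]` with no operand happens to be true; quote it as `[ -z "${1}" ]`, and consider `exit 1` on the error paths so the caller can tell a missing policy name from a no-op run.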