- Remove ifdef strict policy from upstream

booleans-olpc.conf

@@ -0,0 +1,51 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# 
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+# 
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+# 
+allow_execstack = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+# 
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+# 
+allow_gssd_read_tmp = false
+
+# Allow sysadm to ptrace all processes
+# 
+allow_ptrace = false
+
+# Allow reading of default_t files.
+# 
+read_default_t = false
+
+# Allow system cron jobs to relabel filesystemfor restoring file contexts.
+# 
+cron_can_relabel = false
+
+# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
+# 
+staff_read_sysadm_file = false
+
+# Allow users to read system messages.
+# 
+user_dmesg = false
+
+# Allow sysadm to ptrace all processes
+# 
+allow_ptrace = false
+
+## Control users use of ping and traceroute
+user_ping = true
+
+# Allow unlabeled packets to flow
+# 
+allow_unlabeled_packets = true
+

modules-olpc.conf

@@ -0,0 +1,397 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+# 
+acct = base
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+# 
+alsa = base
+
+# Layer: apps
+# Module: ada
+#
+# ada executable
+# 
+ada = base
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+# 
+anaconda = base
+
+# Layer: system
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+# 
+application = base
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+# 
+authlogin = base
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+# 
+canna = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+# 
+clock = base
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+# 
+consoletype = base
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+# 
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+# 
+corenetwork = base
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+# 
+cpucontrol = base
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+# 
+dbus = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+# 
+devices = base
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+# 
+dhcp = base
+
+# Layer: system
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+# 
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+# 
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+# 
+filesystem = base
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+# 
+fstools = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+# 
+getty = base
+
+# Layer: services
+# Module: hal
+#
+# Hardware abstraction layer
+# 
+hal = base
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+# 
+hotplug = base
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+# 
+init = base
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+# 
+iptables = base
+
+# Layer: apps
+# Module: java
+#
+# java executable
+# 
+java = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+# 
+kernel = base
+
+# Layer: admin
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+# 
+kudzu = base
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+# 
+libraries = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+# 
+locallogin = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+# 
+logging = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+# 
+mcs = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+# 
+miscfiles = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+# 
+modutils = base
+
+# Layer: apps
+# Module: mono
+#
+# mono executable
+# 
+mono = base
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+# 
+netutils = base
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+# 
+networkmanager = base
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+# 
+nscd = base
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+# 
+ntp = base
+
+# Layer: admin
+# Module: prelink
+#
+# Manage temporary directory sizes and file ages
+# 
+prelink = base
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+# 
+readahead = base
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+# 
+rpm = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+# 
+selinux = base
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+# 
+selinuxutil = base
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+# 
+storage = base
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+# 
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+# 
+udev = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+# 
+userdomain = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+# 
+unconfined = base 
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+# 
+usbmodules = base
+
+# Layer: services
+# Module: xfs
+#
+# X Windows Font Server
+# 
+xfs = base
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+# 
+xserver = base
+
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+# 
+terminal = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+# 
+mls = base
+

policy-20070525.patch

@@ -1,3 +1,11 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts
+--- nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts	2007-06-26 07:57:11.000000000 -0400
+@@ -0,0 +1,4 @@
++system_r:local_login_t:s0	guest_r:guest_t:s0
++system_r:remote_login_t:s0	guest_r:guest_t:s0
++system_r:sshd_t:s0		guest_r:guest_t:s0
++system_r:crond_t:s0		guest_r:guest_crond_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts
 --- nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts	2007-06-19 17:06:27.000000000 -0400
@@ -4650,8 +4658,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.1/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/ftp.te	2007-06-19 17:06:27.000000000 -0400
-@@ -156,6 +156,7 @@
++++ serefpolicy-3.0.1/policy/modules/services/ftp.te	2007-06-26 07:22:44.000000000 -0400
+@@ -88,6 +88,7 @@
+ allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
+ allow ftpd_t self:tcp_socket create_stream_socket_perms;
+ allow ftpd_t self:udp_socket create_socket_perms;
++allow ftpd_t self:key { search write link };
+ 
+ allow ftpd_t ftpd_etc_t:file read_file_perms;
+ 
+@@ -156,6 +157,7 @@
  
  auth_use_nsswitch(ftpd_t)
  auth_domtrans_chk_passwd(ftpd_t)
@@ -4659,15 +4675,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  # Append to /var/log/wtmp.
  auth_append_login_records(ftpd_t)
  #kerberized ftp requires the following
-@@ -167,6 +168,7 @@
+@@ -167,7 +169,9 @@
  libs_use_ld_so(ftpd_t)
  libs_use_shared_libs(ftpd_t)
  
 +logging_send_audit_msgs(ftpd_t)
  logging_send_syslog_msg(ftpd_t)
++logging_set_loginuid(ftpd_t)
  
  miscfiles_read_localization(ftpd_t)
-@@ -216,6 +218,14 @@
+ miscfiles_read_public_files(ftpd_t)
+@@ -216,6 +220,14 @@
  	userdom_manage_all_users_home_content_dirs(ftpd_t)
  	userdom_manage_all_users_home_content_files(ftpd_t)
  	userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -9661,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/userdomain.if	2007-06-21 14:03:09.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/system/userdomain.if	2007-06-26 07:46:18.000000000 -0400
 @@ -62,6 +62,10 @@
  
  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -9749,7 +9767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -677,16 +674,6 @@
+@@ -677,67 +674,39 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -9766,12 +9784,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	userdom_untrusted_content_template($1)
  
  	userdom_basic_networking_template($1)
-@@ -695,49 +682,29 @@
  
- 	userdom_xwindows_client_template($1)
+ 	userdom_exec_generic_pgms_template($1)
  
--	userdom_change_password_template($1)
+-	userdom_xwindows_client_template($1)
 -
+-	userdom_change_password_template($1)
++	optional_policy(`
++		userdom_xwindows_client_template($1)
++	')
+ 
  	##############################
  	#
  	# User domain Local policy
@@ -9816,7 +9838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_exec_etc_files($1_t)
  	files_search_locks($1_t)
  	# Check to see if cdrom is mounted
-@@ -750,12 +717,6 @@
+@@ -750,12 +719,6 @@
  	# Stat lost+found.
  	files_getattr_lost_found_dirs($1_t)
  
@@ -9829,7 +9851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
  	selinux_validate_context($1_t)
-@@ -768,31 +729,16 @@
+@@ -768,31 +731,16 @@
  	storage_getattr_fixed_disk_dev($1_t)
  
  	auth_read_login_records($1_t)
@@ -9863,7 +9885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
  	seutil_exec_checkpolicy($1_t)
  	seutil_exec_setfiles($1_t)
-@@ -807,19 +753,12 @@
+@@ -807,19 +755,12 @@
  		files_read_default_symlinks($1_t)
  		files_read_default_sockets($1_t)
  		files_read_default_pipes($1_t)
@@ -9883,7 +9905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
  		alsa_read_rw_config($1_t)
  	')
-@@ -834,34 +773,14 @@
+@@ -834,34 +775,14 @@
  	')
  
  	optional_policy(`
@@ -9918,7 +9940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
-@@ -889,17 +808,19 @@
+@@ -889,17 +810,19 @@
  	')
  
  	optional_policy(`
@@ -9944,7 +9966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
-@@ -913,16 +834,6 @@
+@@ -913,16 +836,6 @@
  	')
  
  	optional_policy(`
@@ -9961,7 +9983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		resmgr_stream_connect($1_t)
  	')
  
-@@ -932,11 +843,6 @@
+@@ -932,11 +845,6 @@
  	')
  
  	optional_policy(`
@@ -9973,7 +9995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -967,21 +873,122 @@
+@@ -967,21 +875,122 @@
  ##	</summary>
  ## </param>
  #
@@ -10102,7 +10124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -990,15 +997,45 @@
+@@ -990,15 +999,45 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -10152,7 +10174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1038,14 +1075,6 @@
+@@ -1038,14 +1077,6 @@
  	')
  
  	optional_policy(`
@@ -10167,7 +10189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  	')
-@@ -1059,12 +1088,8 @@
+@@ -1059,12 +1090,8 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -10181,7 +10203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# Do not audit write denials to /etc/ld.so.cache.
  	dontaudit $1_t ld_so_cache_t:file write;
  
-@@ -1107,6 +1132,8 @@
+@@ -1107,6 +1134,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -10190,7 +10212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	##############################
  	#
  	# Declarations
-@@ -1132,7 +1159,7 @@
+@@ -1132,7 +1161,7 @@
  	# $1_t local policy
  	#
  
@@ -10199,7 +10221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1144,8 +1171,6 @@
+@@ -1144,8 +1173,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -10208,7 +10230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -3083,7 +3108,7 @@
+@@ -3083,7 +3110,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -10217,7 +10239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5553,6 +5578,26 @@
+@@ -5553,6 +5580,26 @@
  
  ########################################
  ## <summary>
@@ -10244,7 +10266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Unconfined access to user domains.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -5564,3 +5609,124 @@
+@@ -5564,3 +5611,124 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')

selinux-policy.spec

@@ -172,7 +172,7 @@ fi;
 
 %description
 SELinux Reference Policy - modular.
-Based off of reference policy: Checked out revision 2336.
+Based off of reference policy: Checked out revision 2348.
 
 %prep 
 %setup -q -n serefpolicy-%{version}

setrans-olpc.conf

@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh

sources

@@ -1 +1 @@
-7c004ddde0e20cfeba8a94b2aa308a06  serefpolicy-3.0.1.tgz
+15e7cf49d82f31ea9b50c3520399c22d  serefpolicy-3.0.1.tgz