From 2a9b648b37b002156f5c5a74a922909546481c4d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sun, 11 Mar 2007 05:19:36 +0000 Subject: [PATCH] - More of my patches from upstream --- .cvsignore | 1 + modules-mls.conf | 7 + modules-strict.conf | 32 +- modules-targeted.conf | 2282 ++++++++++++++++++++++------------------- selinux-policy.spec | 7 +- sources | 2 +- 6 files changed, 1272 insertions(+), 1059 deletions(-) diff --git a/.cvsignore b/.cvsignore index 1d210951..72822658 100644 --- a/.cvsignore +++ b/.cvsignore @@ -108,3 +108,4 @@ serefpolicy-2.5.4.tgz serefpolicy-2.5.5.tgz serefpolicy-2.5.6.tgz serefpolicy-2.5.7.tgz +serefpolicy-2.5.8.tgz diff --git a/modules-mls.conf b/modules-mls.conf index cf9effa5..aad8005b 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1037,3 +1037,10 @@ pcscd = module # Policy for tzdata-update # tzdata = base + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module diff --git a/modules-strict.conf b/modules-strict.conf index 64cadcb5..b80282b1 100644 --- a/modules-strict.conf +++ b/modules-strict.conf @@ -456,7 +456,7 @@ ethereal = module # Layer: apps # Module: userhelper # -# SELinux utility to run a shell with a new role +# A helper interface to pam. # userhelper = module @@ -814,13 +814,6 @@ openct = module # snmp = module -# Layer: services -# Module: ucspitcp -# -# ucspitcp policy -# -ucspitcp = module - # Layer: services # Module: publicfile # @@ -1128,7 +1121,7 @@ xserver = module # # Apache web server # -apache = module +apache = base # Layer: services # Module: slrnpull @@ -1340,3 +1333,24 @@ qmail = module # daiemon that bans IP that makes too many password failures # fail2ban = module + +# Layer: services +# Module: pyzor +# +# Spam Blocker +# +pyzor = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module 
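Review bot: The `apache = base` line in the modules-strict.conf hunk at `@@ -1128,7 +1121,7 @@` changes how the Apache policy is built, but neither the hunk nor the commit message says why. As I understand the refpolicy build, a `base` entry is compiled into the base policy package, so it can no longer be removed or updated on its own the way a loadable `module` can. If that is intended for the strict policy, record it with a comment above the entry such as `# Built into base: <reason>`; otherwise keep `apache = module`.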
diff --git a/modules-targeted.conf b/modules-targeted.conf index 319370dd..2c442a68 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf 
@@ -11,92 +11,205 @@ # as individual loadable modules. # -# Layer: kernel -# Module: terminal -# Required in base +# Layer: admin +# Module: acct # -# Policy for terminals. +# Berkeley process accounting # -terminal = base - -# Layer: kernel -# Module: kernel -# Required in base -# -# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. -# -kernel = base - -# Layer: kernel -# Module: filesystem -# Required in base -# -# Policy for filesystems. -# -filesystem = base - -# Layer: kernel -# Module: devices -# Required in base -# -# Device nodes and interfaces for many basic system devices. -# -devices = base - -# Layer: kernel -# Module: corenetwork -# Required in base -# -# Policy controlling access to network objects -# -corenetwork = base - -# Layer: kernel -# Module: mls -# Required in base -# -# Multilevel security policy -# -mls = base - -# Layer: kernel -# Module: mcs -# Required in base -# -# MultiCategory security policy -# -mcs = base - -# Layer: kernel -# Module: selinux -# Required in base -# -# Policy for kernel security interface, in particular, selinuxfs. -# -selinux = base +acct = base # Layer: admin -# Module: prelink +# Module: alsa # -# Manage temporary directory sizes and file ages +# Ainit ALSA configuration tool # -prelink = base +alsa = off -# Layer: kernel -# Module: files -# Required in base +# Layer: apps +# Module: ada # -# Basic filesystem types and interfaces. +# ada executable # -files = base +ada = base + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = base + +# Layer: services +# Module: amavis +# +# Anti-virus +# +amavis = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. 
+# +anaconda = base + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = base + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = base # Layer: system -# Module: domain +# Module: application # Required in base # -# Core policy for domains. +# Defines attributs and interfaces for all user applications # -domain = base +application = base + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = base + +# Layer: services +# Module: audioentropy +# +# Generate entropy from audio input +# +audioentropy = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = base + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = base + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = base + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = base + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = base + +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = base + + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = base + + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. 
+# +comsat = base + +# Layer: services +# Module: clamav +# +# ClamAV Virus Scanner +# +clamav = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = base + +# Layer: services +# Module: consolekit +# +# ConsoleKit is a system daemon for tracking what users are logged +# +consolekit = module + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = base # Layer: kernel # Module: corecommands 
@@ -107,216 +220,13 @@ domain = base # corecommands = base -# Layer: admin -# Module: acct -# -# Berkeley process accounting -# -acct = base - -# Layer: admin -# Module: usermanage -# -# Policy for managing user accounts. -# -usermanage = base - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = base - -# Layer: admin -# Module: readahead -# -# Readahead, read files into page cache for improved performance -# -readahead = base - -# Layer: admin -# Module: kudzu -# -# Hardware detection and configuration tools -# -kudzu = base - # Layer: kernel -# Module: bootloader +# Module: corenetwork +# Required in base # -# Policy for the kernel modules, kernel image, and bootloader. +# Policy controlling access to network objects # -bootloader = base - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change /etc/fstab. -# -updfstab = base - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = base - -# Layer: admin -# Module: alsa -# -# Ainit ALSA configuration tool -# -alsa = off - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client -# -vpn = base - -# Layer: admin -# Module: su -# -# Run shells with substitute user and group -# -su = base - -# Layer: admin -# Module: dmesg -# -# Policy for dmesg. -# -dmesg = base - -# Layer: admin -# Module: anaconda -# -# Policy for the Anaconda installer. -# -anaconda = base - -# Layer: admin -# Module: amanda -# -# Automated backup program. -# -amanda = base - -# Layer: admin -# Module: logrotate -# -# Rotate and archive system logs -# -logrotate = base - -# Layer: admin -# Module: ddcprobe -# -# ddcprobe retrieves monitor and graphics card information -# -ddcprobe = off - -# Layer: admin -# Module: quota -# -# File system quota management -# -quota = off - -# Layer: admin -# Module: consoletype -# -# Determine of the console connected to the controlling terminal. 
-# -consoletype = base - -# Layer: admin -# Module: sudo -# -# Execute a command with a substitute user -# -sudo = base - -# Layer: admin -# Module: vbetool -# -# run real-mode video BIOS code to alter hardware state -# -vbetool = base - -# Layer: admin -# Module: firstboot -# -# Final system configuration run during the first boot -# after installation of Red Hat/Fedora systems. -# -firstboot = base - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages -# -tmpreaper = off - -# Layer: admin -# Module: dmidecode -# -# Decode DMI data for x86/ia64 bioses. -# -dmidecode = base - -# Layer: apps -# Module: gpg -# -# Policy for GNU Privacy Guard and related programs. -# -gpg = off - -# Layer: apps -# Module: loadkeys -# -# Load keyboard mappings. -# -loadkeys = base - -# Layer: apps -# Module: webalizer -# -# Web server log analysis -# -webalizer = base - -# Layer: kernel -# Module: storage -# -# Policy controlling access to storage devices -# -storage = base - -# Layer: services -# Module: nis -# -# Policy for NIS (YP) servers and clients -# -nis = base - -# Layer: services -# Module: distcc -# -# Distributed compiler daemon -# -distcc = off - -# Layer: services -# Module: rshd -# -# Remote shell service. -# -rshd = base +corenetwork = base # Layer: services # Module: cpucontrol 
@@ -326,25 +236,320 @@ rshd = base cpucontrol = base # Layer: services -# Module: vbetool +# Module: cron # -# run real-mode video BIOS code to alter hardware state +# Periodic execution of scheduled commands. # -vbetool = base +cron = base # Layer: services -# Module: bind +# Module: cups # -# Berkeley internet name domain DNS server. +# Common UNIX printing system # -bind = base +cups = base # Layer: services -# Module: canna +# Module: cvs # -# Canna - kana-kanji conversion server +# Concurrent versions system # -canna = base +cvs = base + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = base + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = base + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = base + + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. +# +dcc = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: kernel +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = base + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = base + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = base + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = base + +# Layer: system +# Module: domain +# Required in base +# +# Core policy for domains. 
+# +domain = base + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = base + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = off + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = base + +# Layer: apps +# Module: ethereal +# +# Ethereal packet capture tool. +# +ethereal = module + +# Layer: apps +# Module: evolution +# +# Evolution email client +# +evolution = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = base + +# Layer: kernel +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: kernel +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = base + +# Layer: admin +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = base + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = base + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = base + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = base + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: services +# Module: hal +# +# Hardware abstraction layer +# +hal = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. 
+# +hostname = base + + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. +# +hotplug = base + +# Layer: services +# Module: howl +# +# Port of Apple Rendezvous multicast DNS +# +howl = base + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = base + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = base + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = base + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = base + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = off + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = base + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module # Layer: services # Module: i18n_input 
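Review bot: The description above `games = module` in this hunk reads "The Open Group Pegasus CIM/WBEM Server.", which is the pegasus text, so the comment does not describe the module it sits on. The same copy-paste problem recurs in later hunks: `mplayer` carries the Mozilla description and `pcscd` has `# Layer: service` (hunk at +558), `prelink` carries the tmpreaper text and `qmail` says "Policy for sendmail." (hunk at +845), and `xen` says "TCP/IP encryption" (hunk at +1233). Administrators read these comments when deciding which modules to set to `base`, `module` or `off`, so each one should describe its own module, e.g. `# Policy for games` here. These entries are moved rather than newly written by this commit, so the correction may belong upstream as well.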
@@ -353,19 +558,284 @@ canna = base # i18n_input = off -# Layer: services -# Module: uucp + +# Layer: apps +# Module: java # -# Unix to Unix Copy +# java executable # -uucp = base +java = base # Layer: services -# Module: sasl +# Module: kerberos # -# SASL authentication server +# MIT Kerberos admin and KDC # -sasl = base +kerberos = base + +# Layer: kernel +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = base + +# Layer: admin +# Module: kudzu +# +# Hardware detection and configuration tools +# +kudzu = base + + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = base + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = base + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = base + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = base + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = base + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = base + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = base + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = base + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = base + + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = base + +# Layer: kernel +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. 
+# +miscfiles = base + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = base + +# Layer: apps +# Module: mono +# +# mono executable +# +mono = base + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = base + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = base + + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = base + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = base + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = base + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = base + + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = base + + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = base + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = off + +# Layer: services +# Module: openvpn +# +# Policy for OPENVPN full-featured SSL VPN solution +# +openvpn = base + + + +# Layer: service +# Module: pcscd +# +# PC/SC Smart Card Daemon +# +pcscd = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = base # Layer: services # Module: pegasus 
@@ -375,11 +845,205 @@ sasl = base pegasus = base # Layer: services -# Module: cron +# Module: postgresql # -# Periodic execution of scheduled commands. +# PostgreSQL relational database # -cron = base +postgresql = base + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = base + + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = base + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = base + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = base + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = base + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = base + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: services +# Module: pyzor +# +# Spam Blocker +# +pyzor = module + + +# Layer: services +# Module: qmail +# +# Policy for sendmail. +# +qmail = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = off + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = base + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = base + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = base + + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = base + +# Layer: services +# Module: razor +# +# A distributed, collaborative, spam detection and filtering network. 
+# +razor = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = base + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = base + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = base + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = base + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = base + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = base + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = base + + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = base + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = base + + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = base # Layer: services # Module: sendmail 
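Review bot: The `radius` entry is added twice in a row in this hunk (two identical blocks, each ending in `radius = base`), so the new modules-targeted.conf has a duplicate key. The two values agree today, but a later edit to only one of them would leave the effective setting dependent on how the build handles repeated entries. Drop the second `# Module: radius` block so the module is declared exactly once.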
@@ -397,511 +1061,20 @@ sendmail = base # samba = base -# Layer: services -# Module: dbus +# Layer: apps +# Module: screen # -# Desktop messaging bus +# GNU terminal multiplexer # -dbus = base +screen = module -# Layer: services -# Module: howl -# -# Port of Apple Rendezvous multicast DNS -# -howl = base - -# Layer: services -# Module: timidity -# -# MIDI to WAV converter and player configured as a service -# -timidity = off - -# Layer: services -# Module: postgresql -# -# PostgreSQL relational database -# -postgresql = base - -# Layer: services -# Module: openct -# -# Service for handling smart card readers. -# -openct = off - -# Layer: services -# Module: snmp -# -# Simple network management protocol services -# -snmp = base - -# Layer: services -# Module: remotelogin -# -# Policy for rshd, rlogind, and telnetd. -# -remotelogin = base - -# Layer: services -# Module: telnet -# -# Telnet daemon -# -telnet = base - -# Layer: services -# Module: irqbalance -# -# IRQ balancing daemon -# -irqbalance = base - - -# Layer: services -# Module: mailman -# -# Mailman is for managing electronic mail discussion and e-newsletter lists -# -mailman = base - -# Layer: services -# Module: dbskk -# -# Dictionary server for the SKK Japanese input method system. -# -dbskk = base - -# Layer: services -# Module: ldap -# -# OpenLDAP directory server -# -ldap = base - -# Layer: services -# Module: tftp -# -# Trivial file transfer protocol daemon -# -tftp = base - -# Layer: services -# Module: portmap -# -# RPC port mapping service. -# -portmap = base - -# Layer: services -# Module: arpwatch -# -# Ethernet activity monitor. -# -arpwatch = base - -# Layer: services -# Module: dovecot -# -# Dovecot POP and IMAP mail server -# -dovecot = base - -# Layer: services -# Module: cups -# -# Common UNIX printing system -# -cups = base - -# Layer: services -# Module: networkmanager -# -# Manager for dynamically switching between networks. 
-# -networkmanager = base - -# Layer: services -# Module: inn -# -# Internet News NNTP server -# -inn = base - -# Layer: services -# Module: sysstat -# -# Policy for sysstat. Reports on various system states -# -sysstat = base - -# Layer: services -# Module: comsat -# -# Comsat, a biff server. -# -comsat = base - -# Layer: services -# Module: squid -# -# Squid caching http proxy server -# -squid = base - -# Layer: services -# Module: zebra -# -# Zebra border gateway protocol network routing service -# -zebra = base - -# Layer: services -# Module: xfs -# -# X Windows Font Server -# -xfs = base - -# Layer: services -# Module: ktalk -# -# KDE Talk daemon -# -ktalk = base - -# Layer: services -# Module: procmail -# -# Procmail mail delivery agent -# -procmail = base - -# Layer: services -# Module: lpd -# -# Line printer daemon -# -lpd = base - -# Layer: services -# Module: cyrus -# -# Cyrus is an IMAP service intended to be run on sealed servers -# -cyrus = base - -# Layer: services -# Module: rdisc -# -# Network router discovery daemon -# -rdisc = base - -# Layer: services -# Module: xserver -# -# X windows login display manager -# -xserver = base - -# Layer: services -# Module: rhgb -# -# X windows login display manager -# -rhgb = base - -# Layer: services -# Module: nscd -# -# Name service cache daemon -# -nscd = base - -# Layer: services -# Module: ppp -# -# Point to Point Protocol daemon creates links in ppp networks -# -ppp = base - -# Layer: services -# Module: ftp -# -# File transfer protocol service -# -ftp = base - -# Layer: services -# Module: gpm -# -# General Purpose Mouse driver -# -gpm = base - -# Layer: services -# Module: mta -# -# Policy common to all email tranfer agents. 
-# -mta = base - -# Layer: services -# Module: postfix -# -# Postfix email server -# -postfix = base - -# Layer: services -# Module: fetchmail -# -# Remote-mail retrieval and forwarding utility -# -fetchmail = base - -# Layer: services -# Module: ntp -# -# Network time protocol daemon -# -ntp = base - -# Layer: services -# Module: bluetooth -# -# Bluetooth tools and system services. -# -bluetooth = base - -# Layer: services -# Module: hal -# -# Hardware abstraction layer -# -hal = module - -# Layer: services -# Module: consolekit -# -# ConsoleKit is a system daemon for tracking what users are logged -# -consolekit = module - -# Layer: services -# Module: avahi -# -# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture -# -avahi = base - -# Layer: services -# Module: rpc -# -# Remote Procedure Call Daemon for managment of network based process communication -# -rpc = base - -# Layer: services -# Module: apache -# -# Apache web server -# -apache = base - -# Layer: services -# Module: slrnpull -# -# Service for downloading news feeds the slrn newsreader. -# -slrnpull = off - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization -# -rsync = base - -# Layer: services -# Module: automount -# -# Filesystem automounter service. -# -automount = base - -# Layer: services -# Module: kerberos -# -# MIT Kerberos admin and KDC -# -kerberos = base - -# Layer: services -# Module: dhcp -# -# Dynamic host configuration protocol (DHCP) server -# -dhcp = base - -# Layer: services -# Module: ssh -# -# Secure shell client and server policy. -# -ssh = base - -# Layer: services -# Module: inetd -# -# Internet services daemon. -# -inetd = base - -# Layer: services -# Module: mysql -# -# Policy for MySQL -# -mysql = base - -# Layer: services -# Module: dictd -# -# Dictionary daemon -# -dictd = base - -# Layer: services -# Module: finger -# -# Finger user information service. 
-# -finger = base - -# Layer: services -# Module: radius -# -# RADIUS authentication and accounting server. -# -radius = base - -# Layer: services -# Module: spamassassin -# -# Filter used for removing unsolicited email. -# -spamassassin = base - -# Layer: services -# Module: radvd -# -# IPv6 router advertisement daemon -# -radvd = base - -# Layer: services -# Module: apm -# -# Advanced power management daemon -# -apm = base - -# Layer: services -# Module: tcpd -# -# Policy for TCP daemon. -# -tcpd = base - -# Layer: services -# Module: stunnel -# -# SSL Tunneling Proxy -# -stunnel = base - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. -# -privoxy = base - -# Layer: services -# Module: cvs -# -# Concurrent versions system -# -cvs = base - -# Layer: services -# Module: rlogin -# -# Remote login daemon -# -rlogin = base - -# Layer: system -# Module: application +# Layer: kernel +# Module: selinux # Required in base # -# Defines attributs and interfaces for all user applications +# Policy for kernel security interface, in particular, selinuxfs. # -application = base - -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = base - -# Layer: system -# Module: logging -# -# Policy for the kernel message logger and system logging daemon. -# -logging = base - -# Layer: system -# Module: hostname -# -# Policy for changing the system host name. -# -hostname = base - -# Layer: system -# Module: getty -# -# Policy for getty. -# -getty = base - -# Layer: system -# Module: lvm -# -# Policy for logical volume management programs. -# -lvm = base - -# Layer: system -# Module: sysnetwork -# -# Policy for network configuration: ifconfig and dhcp client. -# -sysnetwork = base - -# Layer: system -# Module: init -# -# System initialization programs (init and init scripts). -# -init = base +selinux = base # Layer: system # Module: selinuxutil 
@@ -910,182 +1083,6 @@ init = base # selinuxutil = base -# Layer: system -# Module: udev -# -# Policy for udev. -# -udev = base - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = base - -# Layer: system -# Module: authlogin -# -# Common policy for authentication and user login. -# -authlogin = base - -# Layer: system -# Module: libraries -# -# Policy for system libraries. -# -libraries = base - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = base - -# Layer: system -# Module: modutils -# -# Policy for kernel module utilities -# -modutils = base - -# Layer: system -# Module: hotplug -# -# Policy for hotplug system, for supporting the -# connection and disconnection of devices at runtime. -# -hotplug = base - -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = base - -# Layer: system -# Module: locallogin -# -# Policy for local logins. -# -locallogin = base - -# Layer: system -# Module: iptables -# -# Policy for iptables. -# -iptables = base - -# Layer: system -# Module: mount -# -# Policy for mount. -# -mount = base - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = base - -# Layer: system -# Module: miscfiles -# -# Miscelaneous files. 
-# -miscfiles = base - -# Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = off - -# Layer: system -# Module: xen -# -# TCP/IP encryption -# -xen = base - -# Layer: apps -# Module: java -# -# java executable -# -java = base - -# Layer: apps -# Module: ada -# -# ada executable -# -ada = base - -# Layer: services -# Module: logwatch -# -# logwatch executable -# -logwatch = base - -# Layer: apps -# Module: wine -# -# wine executable -# -wine = base - -# Layer: apps -# Module: mono -# -# mono executable -# -mono = base - -# Layer: services -# Module: pyzor -# -# Spam Blocker -# -pyzor = module - -# Layer: services -# Module: amavis -# -# Anti-virus -# -amavis = module - -# Layer: services -# Module: clamav -# -# ClamAV Virus Scanner -# -clamav = module - -# Layer: services -# Module: razor -# -# A distributed, collaborative, spam detection and filtering network. -# -razor = module - -# Layer: services -# Module: dcc -# -# A distributed, collaborative, spam detection and filtering network. -# -dcc = module - # Layer: system # Module: setrans # Required in base @@ -1094,14 +1091,6 @@ dcc = module # setrans = base -# Layer: services -# Module: openvpn -# -# Policy for OPENVPN full-featured SSL VPN solution -# -openvpn = base - - # Layer: services # Module: setroubleshoot # 
@@ -1110,61 +1099,19 @@ openvpn = base setroubleshoot = base # Layer: services -# Module: nagios +# Module: slrnpull # -# policy for nagios Host/service/network monitoring program +# Service for downloading news feeds the slrn newsreader. # -nagios = module +slrnpull = off # Layer: apps -# Module: evolution +# Module: slocate # -# Evolution email client +# Update database for mlocate # -evolution = module - -# Layer: apps -# Module: mplayer -# -# Policy for Mozilla and related web browsers -# -mplayer = module - -# Layer: apps -# Module: mozilla -# -# Policy for Mozilla and related web browsers -# -mozilla = module - -# Layer: services -# Module: ricci -# -# policy for ricci -# -ricci = module - -# Layer: services -# Module: oddjob -# -# policy for oddjob -# -oddjob = module - -# Layer: services -# Module: ccs -# -# policy for ccs -# -ccs = module - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = base +slocate = module # Layer: services # Module: smartmon 
@@ -1173,19 +1120,111 @@ raid = base # smartmon = module -# Layer: system -# Module: iscsi +# Layer: services +# Module: snmp # -# Open-iSCSI daemon +# Simple network management protocol services # -iscsi = module +snmp = base -# Layer: service -# Module: pcscd +# Layer: services +# Module: spamassassin # -# PC/SC Smart Card Daemon +# Filter used for removing unsolicited email. +# +spamassassin = base + +# Layer: services +# Module: squid # -pcscd = module +# Squid caching http proxy server +# +squid = base + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = base + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = base + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = base + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = base + + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = base + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = base + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = base + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = base + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = base + +# Layer: apps +# Module: wine +# +# wine executable +# +wine = base # Layer: admin # Module: tzdata 
@@ -1194,24 +1233,173 @@ pcscd = module # tzdata = base -# Layer: services -# Module: qmail +# Layer: apps +# Module: userhelper # -# Policy for sendmail. +# A helper interface to pam. # -qmail = module +userhelper = module # Layer: apps -# Module: games +# Module: thunderbird # -# The Open Group Pegasus CIM/WBEM Server. +# Thunderbird email client # -games = module +thunderbird = module # Layer: services -# Module: fail2ban +# Module: tor # -# daiemon that bans IP that makes too many password failures +# TOR, the onion router # -fail2ban = module +tor = module +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + + + +# Layer: system +# Module: xen +# +# TCP/IP encryption +# +xen = base + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = base + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = off + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = base + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = base + +# Layer: services +# Module: vbetool +# +# run real-mode video BIOS code to alter hardware state +# +vbetool = base + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = base + +# Layer: services +# Module: xfs +# +# X Windows Font Server +# +xfs = base + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = base + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = base + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. 
+# +usermanage = base + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = base + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = base + +# Layer: admin +# Module: vbetool +# +# run real-mode video BIOS code to alter hardware state +# +vbetool = base + +# Layer: kernel +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = off + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module diff --git a/selinux-policy.spec b/selinux-policy.spec index 2c45d326..7fa24439 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,7 +16,7 @@ %define CHECKPOLICYVER 1.30.11-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 2.5.7 +Version: 2.5.8 Release: 1%{?dist} License: GPL Group: System Environment/Base @@ -166,7 +166,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2204. +Based off of reference policy: Checked out revision 2215. %prep %setup -q -n serefpolicy-%{version} @@ -356,6 +356,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Thu Mar 1 2007 Dan Walsh 2.5.8-1 +- More of my patches from upstream + * Thu Mar 1 2007 Dan Walsh 2.5.7-1 - Update to latest from upstream - Add fail2ban policy diff --git a/sources b/sources index 55293839..79bead58 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -5209f5a625764686415aac33935756f5 serefpolicy-2.5.7.tgz +4fdcc031513d86d233bab7661226046a serefpolicy-2.5.8.tgz
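Review bot: `vbetool = base` is added twice in the last modules-targeted.conf hunk (`@@ -1194,24 +1233,173 @@`), once under `# Layer: services` and again under `# Layer: admin`. Both entries carry the same state today, but a later edit that flips only one of them would leave the effective setting dependent on how the policy build treats duplicate keys, so keep a single stanza; the two Layer headers disagree, so check which one matches the module's place in the policy tree before deleting the other. In the same hunk the re-added `xen` stanza still carries `# TCP/IP encryption`, which matches the ipsec stanza removed earlier in this file rather than Xen; something like `# Xen hypervisor` would be accurate.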