Eliminate olpc stuff and other no longer needed files. Update to the new system that builds the policy.* file within the payload.
This commit is contained in:
parent
d0597c1c15
commit
857c813190
@ -1,51 +0,0 @@
|
||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||
#
|
||||
allow_execmem = false
|
||||
|
||||
# Allow making a modified private filemapping executable (text relocation).
|
||||
#
|
||||
allow_execmod = false
|
||||
|
||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||
#
|
||||
allow_execstack = false
|
||||
|
||||
# Allow ftp servers to modify public filesused for public file transfer services.
|
||||
#
|
||||
allow_ftpd_anon_write = false
|
||||
|
||||
# Allow gssd to read temp directory.
|
||||
#
|
||||
allow_gssd_read_tmp = false
|
||||
|
||||
# Allow sysadm to ptrace all processes
|
||||
#
|
||||
allow_ptrace = false
|
||||
|
||||
# Allow reading of default_t files.
|
||||
#
|
||||
read_default_t = false
|
||||
|
||||
# Allow system cron jobs to relabel filesystemfor restoring file contexts.
|
||||
#
|
||||
cron_can_relabel = false
|
||||
|
||||
# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
|
||||
#
|
||||
staff_read_sysadm_file = false
|
||||
|
||||
# Allow users to read system messages.
|
||||
#
|
||||
user_dmesg = false
|
||||
|
||||
# Allow sysadm to ptrace all processes
|
||||
#
|
||||
allow_ptrace = false
|
||||
|
||||
## Control users use of ping and traceroute
|
||||
user_ping = true
|
||||
|
||||
# Allow unlabeled packets to flow
|
||||
#
|
||||
allow_unlabeled_packets = true
|
||||
|
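--- a/build.conf
+++ b/build.conf
@@ -1,71 +0,0 @@
-########################################
-#
-# Policy build options
-#
-
-# Policy version
-# By default, checkpolicy will create the highest
-# version policy it supports. Setting this will
-# override the version. This only has an
-# effect for monolithic policies.
-#OUTPUT_POLICY = 18
-
-# Policy Type
-# standard, mls, mcs
-TYPE = standard
-
-# Policy Name
-# If set, this will be used as the policy
-# name. Otherwise the policy type will be
-# used for the name.
-NAME = refpolicy
-
-# Distribution
-# Some distributions have portions of policy
-# for programs or configurations specific to the
-# distribution. Setting this will enable options
-# for the distribution.
-# redhat, gentoo, debian, suse, and rhel4 are current options.
-# Fedora users should enable redhat.
-#DISTRO = redhat
-
-# Unknown Permissions Handling
-# The behavior for handling permissions defined in the
-# kernel but missing from the policy. The permissions
-# can either be allowed, denied, or the policy loading
-# can be rejected.
-# allow, deny, and reject are current options.
-#UNK_PERMS = deny
-
-# Direct admin init
-# Setting this will allow sysadm to directly
-# run init scripts, instead of requring run_init.
-# This is a build option, as role transitions do
-# not work in conditional policy.
-DIRECT_INITRC = n
-
-# Build monolithic policy. Putting n here
-# will build a loadable module policy.
-MONOLITHIC = y
-
-# User-based access control (UBAC)
-# Enable UBAC for role separations.
-UBAC = y
-
-# Number of MLS Sensitivities
-# The sensitivities will be s0 to s(MLS_SENS-1).
-# Dominance will be in increasing numerical order
-# with s0 being lowest.
-MLS_SENS = 16
-
-# Number of MLS Categories
-# The categories will be c0 to c(MLS_CATS-1).
-MLS_CATS = 1024
-
-# Number of MCS Categories
-# The categories will be c0 to c(MLS_CATS-1).
-MCS_CATS = 1024
-
-# Set this to y to only display status messages
-# during build.
-QUIET = n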
@ -4,5 +4,3 @@
|
||||
/lib64 /lib
|
||||
/usr/lib64 /usr/lib
|
||||
/usr/lib/debug /
|
||||
|
||||
|
||||
|
@ -1,397 +0,0 @@
|
||||
#
|
||||
# This file contains a listing of available modules.
|
||||
# To prevent a module from being used in policy
|
||||
# creation, set the module name to "off".
|
||||
#
|
||||
# For monolithic policies, modules set to "base" and "module"
|
||||
# will be built into the policy.
|
||||
#
|
||||
# For modular policies, modules set to "base" will be
|
||||
# included in the base module. "module" will be compiled
|
||||
# as individual loadable modules.
|
||||
#
|
||||
|
||||
# Layer: admin
|
||||
# Module: acct
|
||||
#
|
||||
# Berkeley process accounting
|
||||
#
|
||||
acct = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: alsa
|
||||
#
|
||||
# Ainit ALSA configuration tool
|
||||
#
|
||||
alsa = base
|
||||
|
||||
# Layer: apps
|
||||
# Module: ada
|
||||
#
|
||||
# ada executable
|
||||
#
|
||||
ada = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: anaconda
|
||||
#
|
||||
# Policy for the Anaconda installer.
|
||||
#
|
||||
anaconda = base
|
||||
|
||||
# Layer: system
|
||||
# Module: application
|
||||
# Required in base
|
||||
#
|
||||
# Defines attributs and interfaces for all user applications
|
||||
#
|
||||
application = base
|
||||
|
||||
# Layer: system
|
||||
# Module: authlogin
|
||||
#
|
||||
# Common policy for authentication and user login.
|
||||
#
|
||||
authlogin = base
|
||||
|
||||
# Layer: services
|
||||
# Module: canna
|
||||
#
|
||||
# Canna - kana-kanji conversion server
|
||||
#
|
||||
canna = base
|
||||
|
||||
# Layer: system
|
||||
# Module: clock
|
||||
#
|
||||
# Policy for reading and setting the hardware clock.
|
||||
#
|
||||
clock = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: consoletype
|
||||
#
|
||||
# Determine of the console connected to the controlling terminal.
|
||||
#
|
||||
consoletype = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corecommands
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for shells, and generic programs
|
||||
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||
#
|
||||
corecommands = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: corenetwork
|
||||
# Required in base
|
||||
#
|
||||
# Policy controlling access to network objects
|
||||
#
|
||||
corenetwork = base
|
||||
|
||||
# Layer: services
|
||||
# Module: cpucontrol
|
||||
#
|
||||
# Services for loading CPU microcode and CPU frequency scaling.
|
||||
#
|
||||
cpucontrol = base
|
||||
|
||||
# Layer: services
|
||||
# Module: dbus
|
||||
#
|
||||
# Desktop messaging bus
|
||||
#
|
||||
dbus = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: devices
|
||||
# Required in base
|
||||
#
|
||||
# Device nodes and interfaces for many basic system devices.
|
||||
#
|
||||
devices = base
|
||||
|
||||
# Layer: services
|
||||
# Module: dhcp
|
||||
#
|
||||
# Dynamic host configuration protocol (DHCP) server
|
||||
#
|
||||
dhcp = base
|
||||
|
||||
# Layer: system
|
||||
# Module: domain
|
||||
# Required in base
|
||||
#
|
||||
# Core policy for domains.
|
||||
#
|
||||
domain = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: files
|
||||
# Required in base
|
||||
#
|
||||
# Basic filesystem types and interfaces.
|
||||
#
|
||||
files = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: filesystem
|
||||
# Required in base
|
||||
#
|
||||
# Policy for filesystems.
|
||||
#
|
||||
filesystem = base
|
||||
|
||||
# Layer: system
|
||||
# Module: fstools
|
||||
#
|
||||
# Tools for filesystem management, such as mkfs and fsck.
|
||||
#
|
||||
fstools = base
|
||||
|
||||
# Layer: system
|
||||
# Module: getty
|
||||
#
|
||||
# Policy for getty.
|
||||
#
|
||||
getty = base
|
||||
|
||||
# Layer: services
|
||||
# Module: hal
|
||||
#
|
||||
# Hardware abstraction layer
|
||||
#
|
||||
hal = base
|
||||
|
||||
# Layer: system
|
||||
# Module: hotplug
|
||||
#
|
||||
# Policy for hotplug system, for supporting the
|
||||
# connection and disconnection of devices at runtime.
|
||||
#
|
||||
hotplug = base
|
||||
|
||||
# Layer: system
|
||||
# Module: init
|
||||
#
|
||||
# System initialization programs (init and init scripts).
|
||||
#
|
||||
init = base
|
||||
|
||||
# Layer: system
|
||||
# Module: iptables
|
||||
#
|
||||
# Policy for iptables.
|
||||
#
|
||||
iptables = base
|
||||
|
||||
# Layer: apps
|
||||
# Module: java
|
||||
#
|
||||
# java executable
|
||||
#
|
||||
java = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: kernel
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||
#
|
||||
kernel = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: kudzu
|
||||
#
|
||||
# Hardware detection and configuration tools
|
||||
#
|
||||
kudzu = base
|
||||
|
||||
# Layer: system
|
||||
# Module: libraries
|
||||
#
|
||||
# Policy for system libraries.
|
||||
#
|
||||
libraries = base
|
||||
|
||||
# Layer: system
|
||||
# Module: locallogin
|
||||
#
|
||||
# Policy for local logins.
|
||||
#
|
||||
locallogin = base
|
||||
|
||||
# Layer: system
|
||||
# Module: logging
|
||||
#
|
||||
# Policy for the kernel message logger and system logging daemon.
|
||||
#
|
||||
logging = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: mcs
|
||||
# Required in base
|
||||
#
|
||||
# MultiCategory security policy
|
||||
#
|
||||
mcs = base
|
||||
|
||||
# Layer: system
|
||||
# Module: miscfiles
|
||||
#
|
||||
# Miscelaneous files.
|
||||
#
|
||||
miscfiles = base
|
||||
|
||||
# Layer: system
|
||||
# Module: modutils
|
||||
#
|
||||
# Policy for kernel module utilities
|
||||
#
|
||||
modutils = base
|
||||
|
||||
# Layer: apps
|
||||
# Module: mono
|
||||
#
|
||||
# mono executable
|
||||
#
|
||||
mono = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: netutils
|
||||
#
|
||||
# Network analysis utilities
|
||||
#
|
||||
netutils = base
|
||||
|
||||
# Layer: services
|
||||
# Module: networkmanager
|
||||
#
|
||||
# Manager for dynamically switching between networks.
|
||||
#
|
||||
networkmanager = base
|
||||
|
||||
# Layer: services
|
||||
# Module: nscd
|
||||
#
|
||||
# Name service cache daemon
|
||||
#
|
||||
nscd = base
|
||||
|
||||
# Layer: services
|
||||
# Module: ntp
|
||||
#
|
||||
# Network time protocol daemon
|
||||
#
|
||||
ntp = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: prelink
|
||||
#
|
||||
# Manage temporary directory sizes and file ages
|
||||
#
|
||||
prelink = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: readahead
|
||||
#
|
||||
# Readahead, read files into page cache for improved performance
|
||||
#
|
||||
readahead = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: rpm
|
||||
#
|
||||
# Policy for the RPM package manager.
|
||||
#
|
||||
rpm = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: selinux
|
||||
# Required in base
|
||||
#
|
||||
# Policy for kernel security interface, in particular, selinuxfs.
|
||||
#
|
||||
selinux = base
|
||||
|
||||
# Layer: system
|
||||
# Module: selinuxutil
|
||||
#
|
||||
# Policy for SELinux policy and userland applications.
|
||||
#
|
||||
selinuxutil = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: storage
|
||||
#
|
||||
# Policy controlling access to storage devices
|
||||
#
|
||||
storage = base
|
||||
|
||||
# Layer: system
|
||||
# Module: sysnetwork
|
||||
#
|
||||
# Policy for network configuration: ifconfig and dhcp client.
|
||||
#
|
||||
sysnetwork = base
|
||||
|
||||
# Layer: system
|
||||
# Module: udev
|
||||
#
|
||||
# Policy for udev.
|
||||
#
|
||||
udev = base
|
||||
|
||||
# Layer: system
|
||||
# Module: userdomain
|
||||
#
|
||||
# Policy for user domains
|
||||
#
|
||||
userdomain = base
|
||||
|
||||
# Layer: system
|
||||
# Module: unconfined
|
||||
#
|
||||
# The unconfined domain.
|
||||
#
|
||||
unconfined = base
|
||||
|
||||
# Layer: admin
|
||||
# Module: usbmodules
|
||||
#
|
||||
# List kernel modules of USB devices
|
||||
#
|
||||
usbmodules = base
|
||||
|
||||
# Layer: services
|
||||
# Module: xfs
|
||||
#
|
||||
# X Windows Font Server
|
||||
#
|
||||
xfs = base
|
||||
|
||||
# Layer: services
|
||||
# Module: xserver
|
||||
#
|
||||
# X windows login display manager
|
||||
#
|
||||
xserver = base
|
||||
|
||||
# Module: terminal
|
||||
# Required in base
|
||||
#
|
||||
# Policy for terminals.
|
||||
#
|
||||
terminal = base
|
||||
|
||||
# Layer: kernel
|
||||
# Module: mls
|
||||
# Required in base
|
||||
#
|
||||
# Multilevel security policy
|
||||
#
|
||||
mls = base
|
||||
|
@ -1,3 +0,0 @@
|
||||
#!/bin/sh
|
||||
echo "$0 is no longer supported, better tools exist for creating policy"
|
||||
echo "Please use /usr/bin/sepolgen, slide or polgengui to generate policy"
|
@ -30,7 +30,6 @@ Source4: setrans-targeted.conf
|
||||
Source5: modules-mls.conf
|
||||
Source6: booleans-mls.conf
|
||||
Source8: setrans-mls.conf
|
||||
Source13: policygentool
|
||||
Source14: securetty_types-targeted
|
||||
Source15: securetty_types-mls
|
||||
Source16: modules-minimum.conf
|
||||
@ -71,7 +70,6 @@ SELinux Base package
|
||||
%ghost %{_sysconfdir}/sysconfig/selinux
|
||||
%{_usr}/share/selinux/devel/include/*
|
||||
%{_usr}/share/selinux/devel/Makefile
|
||||
%{_usr}/share/selinux/devel/policygentool
|
||||
%{_usr}/share/selinux/devel/example.*
|
||||
%{_usr}/share/selinux/devel/policy.*
|
||||
|
||||
@ -116,12 +114,13 @@ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/seli
|
||||
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
|
||||
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
|
||||
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \
|
||||
bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp.bz2 > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
||||
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/$i; done \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \
|
||||
bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
||||
rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
|
||||
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
|
||||
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
|
||||
semodule -n -B -p %{buildroot}; \
|
||||
/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} > %{buildroot}%{_sysconfdir}/selinux/%1/policy/.policymd5 \
|
||||
semodule -s %1 -n -B -p %{buildroot}; \
|
||||
/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policymd5 \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||
%nil
|
||||
|
||||
@ -136,12 +135,12 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
||||
%verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
||||
%verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
||||
%attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
|
||||
%config(noreplace) %dir %{_sysconfdir}/selinux/%1/modules/active/* \
|
||||
%config %dir %{_sysconfdir}/selinux/%1/modules/active/modules/* \
|
||||
%dir %{_sysconfdir}/selinux/%1/modules/active/* \
|
||||
%{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \
|
||||
#%verify(not md5 size mtime) %attr(600,root,root) %config(noreplace) %{_sysconfdir}/selinux/%1/modules/active/seusers \
|
||||
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
||||
%{_sysconfdir}/selinux/%1/policy/.policymd5 \
|
||||
%{_sysconfdir}/selinux/%1/.policymd5 \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts \
|
||||
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
||||
@ -176,7 +175,7 @@ if [ -s /etc/selinux/config ]; then \
|
||||
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
|
||||
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
||||
fi \
|
||||
fi
|
||||
fi;
|
||||
|
||||
%define relabel() \
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
@ -188,6 +187,24 @@ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
||||
rm -f ${FILE_CONTEXT}.pre; \
|
||||
fi;
|
||||
|
||||
%define postInstall() \
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
md5=`md5sum /etc/selinux/%2/policy/policy.%{POLICYVER} | cut -d ' ' -f 1`; \
|
||||
checkmd5=`cat /etc/selinux/%2/.policymd5`; \
|
||||
if [ "$md5" != "$checkmd5" ] ; then \
|
||||
if [ %1 -ne 1 ]; then \
|
||||
semodule -n -s %2 -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger 2>/dev/null; \
|
||||
fi \
|
||||
semodule -B -s %2; \
|
||||
else \
|
||||
[ "${SELINUXTYPE}" == "%2" ] && [ selinuxenabled ] && load_policy; \
|
||||
fi; \
|
||||
if [ %1 -eq 1 ]; then \
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null; \
|
||||
else \
|
||||
%relabel %2 \
|
||||
fi;
|
||||
|
||||
%description
|
||||
SELinux Reference Policy - modular.
|
||||
Based off of reference policy: Checked out revision 2.20091117
|
||||
@ -200,7 +217,7 @@ Based off of reference policy: Checked out revision 2.20091117
|
||||
|
||||
%install
|
||||
mkdir selinux_config
|
||||
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do
|
||||
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do
|
||||
cp $i selinux_config
|
||||
done
|
||||
tar zxvf selinux_config/config.tgz
|
||||
@ -242,7 +259,6 @@ make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITR
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
||||
mkdir %{buildroot}%{_usr}/share/selinux/packages/
|
||||
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
|
||||
install -m 755 selinux_config/policygentool %{buildroot}%{_usr}/share/selinux/devel/
|
||||
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
|
||||
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||
@ -315,22 +331,7 @@ SELinux Reference policy targeted base module.
|
||||
%saveFileContext targeted
|
||||
|
||||
%post targeted
|
||||
md5=`md5sum /etc/selinux/targeted/policy/policy.%{POLICYVER}`
|
||||
checkmd5=`cat /etc/selinux/targeted/policy/policy.%{POLICYVER}.md5sum`
|
||||
if [ "$md5" != "$checkmd5" ] ; then
|
||||
if [ $1 -ne 1 ]; then
|
||||
semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
|
||||
fi
|
||||
semodule -B -s targeted
|
||||
else
|
||||
[ "${SELINUXTYPE}" == "targeted" ] && [ selinuxenabled ] && load_policy
|
||||
fi
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
else
|
||||
%relabel targeted
|
||||
fi
|
||||
%postInstall $1 targeted
|
||||
exit 0
|
||||
|
||||
%triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9
|
||||
@ -373,17 +374,35 @@ SELinux Reference policy minimum base module.
|
||||
|
||||
%pre minimum
|
||||
%saveFileContext minimum
|
||||
if [ $1 -ne 1 ]; then
|
||||
semodule -s minimum -l 2>/dev/null | awk '{ print $1 }' > /usr/share/selinux/minimum/instmodules.lst
|
||||
fi
|
||||
|
||||
%post minimum
|
||||
packages="execmem.pp.bz2 unconfined.pp.bz2 unconfineduser.pp.bz2 application.pp.bz2 userdomain.pp.bz2 authlogin.pp.bz2 logging.pp.bz2 selinuxutil.pp.bz2 init.pp.bz2 systemd.pp.bz2 sysnetwork.pp.bz2 miscfiles.pp.bz2 libraries.pp.bz2 modutils.pp.bz2 sysadm.pp.bz2 locallogin.pp.bz2 dbus.pp.bz2 rpm.pp.bz2 mount.pp.bz2 fstools.pp.bz2 usermanage.pp.bz2 mta.pp.bz2"
|
||||
semodule -B -s minimum
|
||||
allpackages=`cat /usr/share/selinux/minimum/modules.lst`
|
||||
if [ $1 -eq 1 ]; then
|
||||
packages="clock.pp execmem.pp unconfined.pp unconfineduser.pp application.pp userdomain.pp authlogin.pp logging.pp selinuxutil.pp init.pp systemd.pp sysnetwork.pp miscfiles.pp libraries.pp modutils.pp sysadm.pp locallogin.pp dbus.pp rpm.pp mount.pp fstools.pp usermanage.pp mta.pp"
|
||||
for p in $allpackages; do
|
||||
touch /etc/selinux/minimum/modules/active/modules/$p.disabled
|
||||
done
|
||||
for p in $packages; do
|
||||
rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled
|
||||
done
|
||||
semanage -S minimum -i - << __eof
|
||||
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
|
||||
login -m -s unconfined_u -r s0-s0:c0.c1023 root
|
||||
__eof
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
semodule -B -s minimum
|
||||
else
|
||||
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
|
||||
for p in $allpackages; do
|
||||
touch /etc/selinux/minimum/modules/active/modules/$p.disabled
|
||||
done
|
||||
for p in $instpackages; do
|
||||
rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled
|
||||
done
|
||||
semodule -B -s minimum
|
||||
%relabel minimum
|
||||
fi
|
||||
exit 0
|
||||
@ -414,15 +433,7 @@ SELinux Reference policy mls base module.
|
||||
%saveFileContext mls
|
||||
|
||||
%post mls
|
||||
semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
|
||||
semodule -B -s mls
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
restorecon -R /root /var/log /var/run 2> /dev/null
|
||||
else
|
||||
%relabel mls
|
||||
fi
|
||||
exit 0
|
||||
%postInstall $1 mls
|
||||
|
||||
%files mls
|
||||
%defattr(-,root,root,-)
|
||||
@ -434,6 +445,8 @@ exit 0
|
||||
%changelog
|
||||
* Wed Jun 8 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-28.1
|
||||
- Add policy.26 to the payload
|
||||
- Remove olpc stuff
|
||||
- Remove policygentool
|
||||
|
||||
* Wed Jun 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-27
|
||||
- Fixes for zabbix
|
||||
|
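Review bot: In the new `%postInstall` macro the test `[ selinuxenabled ]` is a string test on the literal word, which is always true, so `load_policy` is attempted even when SELinux is disabled and its failure becomes the scriptlet's exit status; the intent is to run the command, i.e. `[ "${SELINUXTYPE}" = "%2" ] && selinuxenabled && load_policy; \`. The same test was copied over from the old `%post targeted`, so the macro is now the single place to fix it. Related: `%post targeted` still ends with `exit 0` after `%postInstall $1 targeted`, but from the line counts of the `@ -414,15 +433,7 @@` hunk it appears `%post mls` loses its `exit 0`, leaving that scriptlet's status to whatever `restorecon ... 2> /dev/null` or `%relabel` last returned — the two should be kept consistent. The md5 comparison in the macro is only a change detector for deciding whether to rebuild the store, not an integrity check, and a short comment above `md5=` saying so would save the next reader from reading more into it.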
@ -1,19 +0,0 @@
|
||||
#
|
||||
# Multi-Category Security translation table for SELinux
|
||||
#
|
||||
# Uncomment the following to disable translation libary
|
||||
# disable=1
|
||||
#
|
||||
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||
# Objects can be in more than one category at a time.
|
||||
# Categories are stored in the system as c0-c1023. Users can use this
|
||||
# table to translate the categories into a more meaningful output.
|
||||
# Examples:
|
||||
# s0:c0=CompanyConfidential
|
||||
# s0:c1=PatientRecord
|
||||
# s0:c2=Unclassified
|
||||
# s0:c3=TopSecret
|
||||
# s0:c1,c3=CompanyConfidentialRedHat
|
||||
s0=SystemLow
|
||||
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||
s0:c0.c1023=SystemHigh
|
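--- a/setrans.conf
+++ b/setrans.conf
@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023. Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh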
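--- a/users-olpc
+++ b/users-olpc
@@ -1,38 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)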