From 857c813190240d333674cb10e0d731c0a91cdeed Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Thu, 9 Jun 2011 22:36:45 -0400 Subject: [PATCH] Eliminate olpc stuff and other no longer needed files. Update to new system to build policy.* file within payload. --- booleans-olpc.conf | 51 ------ build.conf | 71 ------- file_contexts.subs_dist | 2 - modules-olpc.conf | 397 ---------------------------------------- policygentool | 3 - securetty_types-olpc | 0 selinux-policy.spec | 93 ++++++---- setrans-olpc.conf | 19 -- setrans.conf | 19 -- users-olpc | 38 ---- 10 files changed, 53 insertions(+), 640 deletions(-) delete mode 100644 booleans-olpc.conf delete mode 100644 build.conf delete mode 100644 modules-olpc.conf delete mode 100644 policygentool delete mode 100644 securetty_types-olpc delete mode 100644 setrans-olpc.conf delete mode 100644 setrans.conf delete mode 100644 users-olpc diff --git a/booleans-olpc.conf b/booleans-olpc.conf deleted file mode 100644 index 9bac2490..00000000 --- a/booleans-olpc.conf +++ /dev/null 
@@ -1,51 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-#
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-#
-allow_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-#
-allow_execstack = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-#
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-#
-allow_gssd_read_tmp = false
-
-# Allow sysadm to ptrace all processes
-#
-allow_ptrace = false
-
-# Allow reading of default_t files.
-#
-read_default_t = false
-
-# Allow system cron jobs to relabel filesystemfor restoring file contexts.
-#
-cron_can_relabel = false
-
-# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
-#
-staff_read_sysadm_file = false
-
-# Allow users to read system messages.
-#
-user_dmesg = false
-
-# Allow sysadm to ptrace all processes
-#
-allow_ptrace = false
-
-## Control users use of ping and traceroute
-user_ping = true
-
-# Allow unlabeled packets to flow
-#
-allow_unlabeled_packets = true
-
diff --git a/build.conf b/build.conf
deleted file mode 100644
index 4aae82de..00000000
--- a/build.conf
+++ /dev/null
@@ -1,71 +0,0 @@
-########################################
-#
-# Policy build options
-#
-
-# Policy version
-# By default, checkpolicy will create the highest
-# version policy it supports. Setting this will
-# override the version. This only has an
-# effect for monolithic policies.
-#OUTPUT_POLICY = 18
-
-# Policy Type
-# standard, mls, mcs
-TYPE = standard
-
-# Policy Name
-# If set, this will be used as the policy
-# name. Otherwise the policy type will be
-# used for the name.
-NAME = refpolicy
-
-# Distribution
-# Some distributions have portions of policy
-# for programs or configurations specific to the
-# distribution. Setting this will enable options
-# for the distribution.
-# redhat, gentoo, debian, suse, and rhel4 are current options.
-# Fedora users should enable redhat.
-#DISTRO = redhat
-
-# Unknown Permissions Handling
-# The behavior for handling permissions defined in the
-# kernel but missing from the policy. The permissions
-# can either be allowed, denied, or the policy loading
-# can be rejected.
-# allow, deny, and reject are current options.
-#UNK_PERMS = deny
-
-# Direct admin init
-# Setting this will allow sysadm to directly
-# run init scripts, instead of requring run_init.
-# This is a build option, as role transitions do
-# not work in conditional policy.
-DIRECT_INITRC = n
-
-# Build monolithic policy. Putting n here
-# will build a loadable module policy.
-MONOLITHIC = y
-
-# User-based access control (UBAC)
-# Enable UBAC for role separations.
-UBAC = y
-
-# Number of MLS Sensitivities
-# The sensitivities will be s0 to s(MLS_SENS-1).
-# Dominance will be in increasing numerical order
-# with s0 being lowest.
-MLS_SENS = 16
-
-# Number of MLS Categories
-# The categories will be c0 to c(MLS_CATS-1).
-MLS_CATS = 1024
-
-# Number of MCS Categories
-# The categories will be c0 to c(MLS_CATS-1).
-MCS_CATS = 1024
-
-# Set this to y to only display status messages
-# during build.
-QUIET = n
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist index c16c75ff..d206fdb6 100644 --- a/file_contexts.subs_dist +++ b/file_contexts.subs_dist @@ -4,5 +4,3 @@ /lib64 /lib /usr/lib64 /usr/lib /usr/lib/debug / - - diff --git a/modules-olpc.conf b/modules-olpc.conf deleted file mode 100644 index 9b43e3d4..00000000 --- a/modules-olpc.conf +++ /dev/null 
@@ -1,397 +0,0 @@ -# -# This file contains a listing of available modules. -# To prevent a module from being used in policy -# creation, set the module name to "off". -# -# For monolithic policies, modules set to "base" and "module" -# will be built into the policy. -# -# For modular policies, modules set to "base" will be -# included in the base module. "module" will be compiled -# as individual loadable modules. -# - -# Layer: admin -# Module: acct -# -# Berkeley process accounting -# -acct = base - -# Layer: admin -# Module: alsa -# -# Ainit ALSA configuration tool -# -alsa = base - -# Layer: apps -# Module: ada -# -# ada executable -# -ada = base - -# Layer: admin -# Module: anaconda -# -# Policy for the Anaconda installer. -# -anaconda = base - -# Layer: system -# Module: application -# Required in base -# -# Defines attributs and interfaces for all user applications -# -application = base - -# Layer: system -# Module: authlogin -# -# Common policy for authentication and user login. -# -authlogin = base - -# Layer: services -# Module: canna -# -# Canna - kana-kanji conversion server -# -canna = base - -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = base - -# Layer: admin -# Module: consoletype -# -# Determine of the console connected to the controlling terminal. -# -consoletype = base - -# Layer: kernel -# Module: corecommands -# Required in base -# -# Core policy for shells, and generic programs -# in /bin, /sbin, /usr/bin, and /usr/sbin. -# -corecommands = base - -# Layer: kernel -# Module: corenetwork -# Required in base -# -# Policy controlling access to network objects -# -corenetwork = base - -# Layer: services -# Module: cpucontrol -# -# Services for loading CPU microcode and CPU frequency scaling. 
-# -cpucontrol = base - -# Layer: services -# Module: dbus -# -# Desktop messaging bus -# -dbus = base - -# Layer: kernel -# Module: devices -# Required in base -# -# Device nodes and interfaces for many basic system devices. -# -devices = base - -# Layer: services -# Module: dhcp -# -# Dynamic host configuration protocol (DHCP) server -# -dhcp = base - -# Layer: system -# Module: domain -# Required in base -# -# Core policy for domains. -# -domain = base - -# Layer: kernel -# Module: files -# Required in base -# -# Basic filesystem types and interfaces. -# -files = base - -# Layer: kernel -# Module: filesystem -# Required in base -# -# Policy for filesystems. -# -filesystem = base - -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = base - -# Layer: system -# Module: getty -# -# Policy for getty. -# -getty = base - -# Layer: services -# Module: hal -# -# Hardware abstraction layer -# -hal = base - -# Layer: system -# Module: hotplug -# -# Policy for hotplug system, for supporting the -# connection and disconnection of devices at runtime. -# -hotplug = base - -# Layer: system -# Module: init -# -# System initialization programs (init and init scripts). -# -init = base - -# Layer: system -# Module: iptables -# -# Policy for iptables. -# -iptables = base - -# Layer: apps -# Module: java -# -# java executable -# -java = base - -# Layer: kernel -# Module: kernel -# Required in base -# -# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. -# -kernel = base - -# Layer: admin -# Module: kudzu -# -# Hardware detection and configuration tools -# -kudzu = base - -# Layer: system -# Module: libraries -# -# Policy for system libraries. -# -libraries = base - -# Layer: system -# Module: locallogin -# -# Policy for local logins. -# -locallogin = base - -# Layer: system -# Module: logging -# -# Policy for the kernel message logger and system logging daemon. 
-# -logging = base - -# Layer: kernel -# Module: mcs -# Required in base -# -# MultiCategory security policy -# -mcs = base - -# Layer: system -# Module: miscfiles -# -# Miscelaneous files. -# -miscfiles = base - -# Layer: system -# Module: modutils -# -# Policy for kernel module utilities -# -modutils = base - -# Layer: apps -# Module: mono -# -# mono executable -# -mono = base - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = base - -# Layer: services -# Module: networkmanager -# -# Manager for dynamically switching between networks. -# -networkmanager = base - -# Layer: services -# Module: nscd -# -# Name service cache daemon -# -nscd = base - -# Layer: services -# Module: ntp -# -# Network time protocol daemon -# -ntp = base - -# Layer: admin -# Module: prelink -# -# Manage temporary directory sizes and file ages -# -prelink = base - -# Layer: admin -# Module: readahead -# -# Readahead, read files into page cache for improved performance -# -readahead = base - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = base - -# Layer: kernel -# Module: selinux -# Required in base -# -# Policy for kernel security interface, in particular, selinuxfs. -# -selinux = base - -# Layer: system -# Module: selinuxutil -# -# Policy for SELinux policy and userland applications. -# -selinuxutil = base - -# Layer: kernel -# Module: storage -# -# Policy controlling access to storage devices -# -storage = base - -# Layer: system -# Module: sysnetwork -# -# Policy for network configuration: ifconfig and dhcp client. -# -sysnetwork = base - -# Layer: system -# Module: udev -# -# Policy for udev. -# -udev = base - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = base - -# Layer: system -# Module: unconfined -# -# The unconfined domain. 
-# -unconfined = base - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices -# -usbmodules = base - -# Layer: services -# Module: xfs -# -# X Windows Font Server -# -xfs = base - -# Layer: services -# Module: xserver -# -# X windows login display manager -# -xserver = base - -# Module: terminal -# Required in base -# -# Policy for terminals. -# -terminal = base - -# Layer: kernel -# Module: mls -# Required in base -# -# Multilevel security policy -# -mls = base - diff --git a/policygentool b/policygentool deleted file mode 100644 index 117f4fa0..00000000 --- a/policygentool +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -echo "$0 is no longer supported, better tools exist for creating policy" -echo "Please use /usr/bin/sepolgen, slide or polgengui to generate policy" diff --git a/securetty_types-olpc b/securetty_types-olpc deleted file mode 100644 index e69de29b..00000000 diff --git a/selinux-policy.spec b/selinux-policy.spec index d8fd4ca7..8c1034a8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -30,7 +30,6 @@ Source4: setrans-targeted.conf Source5: modules-mls.conf Source6: booleans-mls.conf Source8: setrans-mls.conf -Source13: policygentool Source14: securetty_types-targeted Source15: securetty_types-mls Source16: modules-minimum.conf @@ -71,7 +70,6 @@ SELinux Base package %ghost %{_sysconfdir}/sysconfig/selinux %{_usr}/share/selinux/devel/include/* %{_usr}/share/selinux/devel/Makefile -%{_usr}/share/selinux/devel/policygentool %{_usr}/share/selinux/devel/example.* %{_usr}/share/selinux/devel/policy.* 
@@ -116,12 +114,13 @@ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/seli install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \ -bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp.bz2 > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \ -for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/$i; done \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \ +bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \ +rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \ +for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \ rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \ -semodule -n -B -p %{buildroot}; \ -/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} > %{buildroot}%{_sysconfdir}/selinux/%1/policy/.policymd5 \ +semodule -s %1 -n -B -p %{buildroot}; \ +/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policymd5 \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts %nil 
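Review bot: The comment filter in the rewritten `awk` line never excludes anything, because `"/^#/"` is a string, so awk treats the slashes as literal characters of the pattern and `$1 !~ ...` is true for every input line. A commented-out entry such as `#foo = module` in modules.conf would therefore be written to modules.lst as `#foo.pp`, and that list is what the minimum `%post` later iterates over when it creates `.disabled` files. Use a regex literal instead: `$1 !~ /^#/`. The enclosing install macro starts before this hunk, so only the changed lines were reviewed.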
@@ -136,12 +135,12 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts %verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ %verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \ -%config(noreplace) %dir %{_sysconfdir}/selinux/%1/modules/active/* \ -%config %dir %{_sysconfdir}/selinux/%1/modules/active/modules/* \ +%dir %{_sysconfdir}/selinux/%1/modules/active/* \ +%{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \ #%verify(not md5 size mtime) %attr(600,root,root) %config(noreplace) %{_sysconfdir}/selinux/%1/modules/active/seusers \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %config(noreplace) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ -%{_sysconfdir}/selinux/%1/policy/.policymd5 \ +%{_sysconfdir}/selinux/%1/.policymd5 \ %dir %{_sysconfdir}/selinux/%1/contexts \ %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ @@ -176,7 +175,7 @@ if [ -s /etc/selinux/config ]; then \ if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ fi \ -fi +fi; %define relabel() \ . %{_sysconfdir}/selinux/config; \ 
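Review bot: Dropping `%config` from the two `modules/active` entries makes the module store ordinary package payload, so an upgrade replaces these files without keeping a local copy and `rpm -V` checks their digest, size and mtime. If semodule or the `%post` scriptlets rewrite files in that directory after installation (likely, but not visible in this hunk), every managed host will report verification differences there, which makes real tampering with the policy store harder to pick out. The intent is not documented; a comment above the two lines such as `# module store is package-owned; local state is rebuilt in %post` would tell maintainers and auditors what to expect. The file list macro this belongs to starts and ends outside the hunk.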
@@ -188,6 +187,24 @@ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ rm -f ${FILE_CONTEXT}.pre; \ fi; +%define postInstall() \ +. %{_sysconfdir}/selinux/config; \ +md5=`md5sum /etc/selinux/%2/policy/policy.%{POLICYVER} | cut -d ' ' -f 1`; \ +checkmd5=`cat /etc/selinux/%2/.policymd5`; \ +if [ "$md5" != "$checkmd5" ] ; then \ + if [ %1 -ne 1 ]; then \ + semodule -n -s %2 -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger 2>/dev/null; \ + fi \ + semodule -B -s %2; \ +else \ + [ "${SELINUXTYPE}" == "%2" ] && [ selinuxenabled ] && load_policy; \ +fi; \ +if [ %1 -eq 1 ]; then \ + restorecon -R /root /var/log /var/run 2> /dev/null; \ +else \ +%relabel %2 \ +fi; + %description SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117 @@ -200,7 +217,7 @@ Based off of reference policy: Checked out revision 2.20091117 %install mkdir selinux_config -for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do +for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do cp $i selinux_config done tar zxvf selinux_config/config.tgz 
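Review bot: In the new `%postInstall` macro, `[ selinuxenabled ]` does not run the command; it tests a non-empty string and is always true, so `load_policy` is attempted whenever `SELINUXTYPE` matches, including on hosts where SELinux is disabled. The line should call the program directly and use the portable `=` comparison: `[ "${SELINUXTYPE}" = "%2" ] && selinuxenabled && load_policy; \`. Because `%post targeted` and `%post mls` now both expand this macro (hunks `@@ -315,22 +331,7 @@` and `@@ -414,15 +433,7 @@`), the same behaviour applies to both policy types. Separately, the `semodule -r` list sends stderr to `/dev/null`, so a failed removal is silent; `moilscanner` and `passanger` look like misspellings and are worth confirming against the real module names.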
@@ -242,7 +259,6 @@ make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITR mkdir %{buildroot}%{_usr}/share/selinux/devel/ mkdir %{buildroot}%{_usr}/share/selinux/packages/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include -install -m 755 selinux_config/policygentool %{buildroot}%{_usr}/share/selinux/devel/ install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ @@ -315,22 +331,7 @@ SELinux Reference policy targeted base module. %saveFileContext targeted %post targeted -md5=`md5sum /etc/selinux/targeted/policy/policy.%{POLICYVER}` -checkmd5=`cat /etc/selinux/targeted/policy/policy.%{POLICYVER}.md5sum` -if [ "$md5" != "$checkmd5" ] ; then - if [ $1 -ne 1 ]; then - semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null - fi - semodule -B -s targeted -else - [ "${SELINUXTYPE}" == "targeted" ] && [ selinuxenabled ] && load_policy -fi - -if [ $1 -eq 1 ]; then - restorecon -R /root /var/log /var/run 2> /dev/null -else - %relabel targeted -fi +%postInstall $1 targeted exit 0 %triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9 
@@ -373,17 +374,35 @@ SELinux Reference policy minimum base module. %pre minimum %saveFileContext minimum +if [ $1 -ne 1 ]; then + semodule -s minimum -l 2>/dev/null | awk '{ print $1 }' > /usr/share/selinux/minimum/instmodules.lst +fi %post minimum -packages="execmem.pp.bz2 unconfined.pp.bz2 unconfineduser.pp.bz2 application.pp.bz2 userdomain.pp.bz2 authlogin.pp.bz2 logging.pp.bz2 selinuxutil.pp.bz2 init.pp.bz2 systemd.pp.bz2 sysnetwork.pp.bz2 miscfiles.pp.bz2 libraries.pp.bz2 modutils.pp.bz2 sysadm.pp.bz2 locallogin.pp.bz2 dbus.pp.bz2 rpm.pp.bz2 mount.pp.bz2 fstools.pp.bz2 usermanage.pp.bz2 mta.pp.bz2" -semodule -B -s minimum +allpackages=`cat /usr/share/selinux/minimum/modules.lst` if [ $1 -eq 1 ]; then +packages="clock.pp execmem.pp unconfined.pp unconfineduser.pp application.pp userdomain.pp authlogin.pp logging.pp selinuxutil.pp init.pp systemd.pp sysnetwork.pp miscfiles.pp libraries.pp modutils.pp sysadm.pp locallogin.pp dbus.pp rpm.pp mount.pp fstools.pp usermanage.pp mta.pp" +for p in $allpackages; do + touch /etc/selinux/minimum/modules/active/modules/$p.disabled +done +for p in $packages; do + rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled +done semanage -S minimum -i - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 root __eof restorecon -R /root /var/log /var/run 2> /dev/null +semodule -B -s minimum else +instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` +for p in $allpackages; do + touch /etc/selinux/minimum/modules/active/modules/$p.disabled +done +for p in $instpackages; do + rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled +done +semodule -B -s minimum %relabel minimum fi exit 0 
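Review bot: On upgrade the `%post minimum` branch disables every module in modules.lst and re-enables only the names read from instmodules.lst, but nothing checks that the `%pre` step produced a usable list. If `semodule -s minimum -l` fails there (its stderr is discarded) the file is empty, every non-base module stays disabled, and `semodule -B` rebuilds a policy that is missing them with no error shown. Wrap the two `for` loops in a guard such as `if [ -s /usr/share/selinux/minimum/instmodules.lst ]; then` so an empty or missing list leaves the existing module state untouched. It is also worth confirming whether `semodule -l` lists modules the administrator had disabled, since `awk '{ print $1 }'` would then re-enable them on every upgrade.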
@@ -414,15 +433,7 @@ SELinux Reference policy mls base module. %saveFileContext mls %post mls -semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null -semodule -B -s mls - -if [ $1 -eq 1 ]; then - restorecon -R /root /var/log /var/run 2> /dev/null -else - %relabel mls -fi -exit 0 +%postInstall $1 mls %files mls %defattr(-,root,root,-) @@ -434,6 +445,8 @@ exit 0 %changelog * Wed Jun 8 2011 Dan Walsh 3.9.16-28.1 - Add policy.26 to the payload +- Remove olpc stuff +- Remove policygentool * Wed Jun 8 2011 Miroslav Grepl 3.9.16-27 - Fixes for zabbix diff --git a/setrans-olpc.conf b/setrans-olpc.conf deleted file mode 100644 index 09a6ce3d..00000000 --- a/setrans-olpc.conf +++ /dev/null @@ -1,19 +0,0 @@ -# -# Multi-Category Security translation table for SELinux -# -# Uncomment the following to disable translation libary -# disable=1 -# -# Objects can be categorized with 0-1023 categories defined by the admin. -# Objects can be in more than one category at a time. -# Categories are stored in the system as c0-c1023. Users can use this -# table to translate the categories into a more meaningful output. -# Examples: -# s0:c0=CompanyConfidential -# s0:c1=PatientRecord -# s0:c2=Unclassified -# s0:c3=TopSecret -# s0:c1,c3=CompanyConfidentialRedHat -s0=SystemLow -s0-s0:c0.c1023=SystemLow-SystemHigh -s0:c0.c1023=SystemHigh diff --git a/setrans.conf b/setrans.conf deleted file mode 100644 index 09a6ce3d..00000000 --- a/setrans.conf +++ /dev/null 
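Review bot: The `%post mls` scriptlet no longer ends with `exit 0`, while `%post targeted` keeps that line after the same `%postInstall` call. The scriptlet's status is now whatever the last command expanded from the macro returns, so a non-zero result from `restorecon` or the relabel step would be reported by rpm as a failed scriptlet for mls only. Add `exit 0` on the line after `%postInstall $1 mls` so the two policy types behave alike, or remove it from both if failures are meant to surface.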
@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023. Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh
diff --git a/users-olpc b/users-olpc
deleted file mode 100644
index 8207eed4..00000000
--- a/users-olpc
+++ /dev/null
@@ -1,38 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined. The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user. If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell. Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)