From bbd06ec607d5f30dd02b0321641c930f3907b863 Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Tue, 11 Jun 2024 11:41:53 +0200
Subject: [PATCH] Add selinux-policy-automotive sub-package

The package is modeled after selinux-policy-minimum in that it contains all the modules that are present in selinux-policy-targeted, but most of them are disabled (content of module-automotive-contrib.conf). The rest of the configuration files is copied from targeted, only booleans-automotive.conf and users-automotive are missing booleans and users defined in disabled modules.

Resolves: RHEL-69666
---
 booleans-automotive.conf | 15 +
 modules-automotive-base.conf | 604 ++++++++
 modules-automotive-contrib.conf | 2563 +++++++++++++++++++++++++++++++
 readme-automotive | 52 +
 securetty_types-automotive | 4 +
 selinux-policy.spec | 106 +-
 setrans-automotive.conf | 19 +
 users-automotive | 39 +
 8 files changed, 3397 insertions(+), 5 deletions(-)
 create mode 100644 booleans-automotive.conf
 create mode 100644 modules-automotive-base.conf
 create mode 100644 modules-automotive-contrib.conf
 create mode 100644 readme-automotive
 create mode 100644 securetty_types-automotive
 create mode 100644 setrans-automotive.conf
 create mode 100644 users-automotive

diff --git a/booleans-automotive.conf b/booleans-automotive.conf
new file mode 100644
index 00000000..751bb0e8
--- /dev/null
+++ b/booleans-automotive.conf
@@ -0,0 +1,15 @@
+gssd_read_tmp = true
+httpd_builtin_scripting = true
+httpd_enable_cgi = true
+kerberos_enabled = true
+mount_anyfile = true
+nfs_export_all_ro = true
+nfs_export_all_rw = true
+pppd_can_insmod = false
+selinuxuser_direct_dri_enabled = true
+selinuxuser_execstack = true
+selinuxuser_rw_noexattrfile=true
+selinuxuser_ping = true
+unconfined_chrome_sandbox_transition=true
+unconfined_mozilla_plugin_transition=true
+use_virtualbox = true
diff --git a/modules-automotive-base.conf b/modules-automotive-base.conf
new file mode 100644
index 00000000..4bb4e52a
--- /dev/null
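Review bot: Three entries in booleans-automotive.conf (`selinuxuser_rw_noexattrfile=true`, `unconfined_chrome_sandbox_transition=true`, `unconfined_mozilla_plugin_transition=true`) omit the spaces around `=` that every other line uses; writing them as `selinuxuser_rw_noexattrfile = true` and so on keeps the file consistent and greppable with a single pattern. The values themselves are, per the commit message, copied from the targeted defaults with only the booleans of disabled modules removed, so `selinuxuser_execstack = true`, `nfs_export_all_rw = true`, `mount_anyfile = true` and `httpd_enable_cgi = true` arrive in the automotive profile without having been chosen for it, and each of them relaxes what confined domains or users may do. A sentence in readme-automotive (part of this patch, not in view) saying that these defaults were inherited from targeted and have not yet been reviewed against the reduced module set would tell the next maintainer which values are deliberate and which are merely carried over.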
+++ b/modules-automotive-base.conf 
@@ -0,0 +1,604 @@ +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. 
+# +dmesg = module + +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: contrib +# Module: fwupd +# +# fwupd is a daemon to allow session software to update device firmware. +# +fwupd = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: contrib +# Module: journalctl +# +# journalctl policy +# +journalctl = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. 
+# +locallogin = module + +# Layer: role +# Module: logadm +# +# Minimally prived root role for managing logging system +# +logadm = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: contrib +# Module: mandb +# +# Policy for mandb +# +mandb = module + +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module + +# Layer: system +# Module: netlabel +# +# Basic netlabel types and interfaces. +# +netlabel = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. 
+# +networkmanager = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: contrib +# Module: pesign +# +# policy for pesign +# +pesign = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpc = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Module: setrans +# Required in base +# +# Policy for setrans +# +setrans = module + +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. 
+# +ssh = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: contrib +# Module: stalld +# +# stalld +# +stalld = module + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +su = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: systemd +# +# Policy for systemd components +# +systemd = module + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module + +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfined = module + +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfineduser = module + +# Layer: kernel +# Module: unconfined +# +# The unlabelednet module. +# +unlabelednet = module + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Layer: apps +# Module: userhelper +# +# A helper interface to pam. +# +userhelper = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. 
+# +usermanage = module + +# Layer: services +# Module: virt +# +# Virtualization libraries +# +virt = module + +# Layer: apps +# Module: vhostmd +# +# vlock - Virtual Console lock program +# +vlock = module + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = module + diff --git a/modules-automotive-contrib.conf b/modules-automotive-contrib.conf new file mode 100644 index 00000000..aa69276e --- /dev/null +++ b/modules-automotive-contrib.conf 
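Review bot: `apache = module` and `gnome = module` are listed in modules-automotive-base.conf (this hunk) and again in modules-automotive-contrib.conf (the following hunk), so the same module is configured in both files; unless the spec changes (in this patch, not in view) are known to tolerate that, each module should appear in exactly one of the two. Several header comments in this file describe a neighbouring module rather than the entry they precede, most likely inherited from the targeted file: `games` is captioned "The Open Group Pegasus CIM/WBEM Server.", `vlock` sits under `# Module: vhostmd`, `su` under `# Module: sudo`, `sysadm` under `# Module: sysadm_secadm`, `unconfined` under `# Module: unconfineduser`, `unlabelednet` under `# Module: unconfined` and `rpc` under `# Module: rpcbind`, and `ubac` has an empty description. For a profile the commit describes as modeled on selinux-policy-minimum, the base set also keeps `unconfined`, `unconfineduser`, `unlabelednet`, `xserver`, `games` and `bluetooth` enabled; a short justification in readme-automotive (in this patch, not in view) would help reviewers judge whether these were chosen for automotive use or simply copied, since the unconfined domains and `unlabelednet` are the entries that most widen what an otherwise confined system permits.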
@@ -0,0 +1,2563 @@ +# Layer: services +# Module: abrt +# +# Automatic bug detection and reporting tool +# +abrt = module + +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: contrib +# Module: afterburn +# +# afterburn +# +afterburn = module + +# Layer: services +# Module: aiccu +# +# SixXS Automatic IPv6 Connectivity Client Utility +# +aiccu = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: services +# Module: ajaxterm +# +# Web Based Terminal +# +ajaxterm = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: contrib +# Module: antivirus +# +# SELinux policy for antivirus programs +# +antivirus = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: contrib +# Module: authconfig +# +# Authorization configuration tool +# +authconfig = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. 
+# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: module +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: contrib +# Module: bacula +# +# bacula policy +# +bacula = module + +# Layer: services +# Module: bcfg2 +# +# Configuration management server +# +bcfg2 = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: contrib +# Module: blkmapd +# +# The blkmapd daemon performs device discovery and mapping for pNFS block layout client. +# +blkmapd = module + +# Layer: services +# Module: blueman +# +# Blueman tools and system services. +# +blueman = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: contrib +# Module: boltd +# +# boltd +# +boltd = module + +# Layer: contrib +# Module: boothd +# +# boothd - Booth cluster ticket manager +# +boothd = module + +# Layer: contrib +# Module: bootupd +# +# bootupd - bootloader update daemon +# +bootupd = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: contrib +# Module: brltty +# +# brltty policy +# +brltty = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: bumblebee +# +# Support NVIDIA Optimus technology under Linux +# +bumblebee = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: services +# Module: callweaver +# +# callweaver telephony sever +# +callweaver = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji 
conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cfengine +# +# cfengine +# +cfengine = module + +# Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: contrib +# Module: cinder +# +# openstack-cinder policy +# +cinder = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: cloudform +# +# cloudform daemons +# +cloudform = module + +# Layer: services +# Module: cmirrord +# +# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster +# +cmirrord = module + +# Layer: services +# Module: cobbler +# +# cobbler +# +cobbler = module + +# Layer: services +# Module: collectd +# +# Statistics collection daemon for filling RRD files +# +collectd = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. 
+# +comsat = module + +# Layer: services +# Module: condor +# +# policy for condor +# +condor = module + +# Layer: services +# Module: conman +# +# Conman is a program for connecting to remote consoles being managed by conmand +# +conman = module + +# Layer: contrib +# Module: conntrackd +# +# conntrackd +# +conntrackd = module + +# Layer: services +# Module: consolekit +# +# ConsoleKit is a system daemon for tracking what users are logged +# +consolekit = module + +# Layer: contrib +# Module: coreos_installer +# +# coreos_installer +# +coreos_installer = module + +# Layer: services +# Module: couchdb +# +# Apache CouchDB database server +# +couchdb = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: contrib +# Module: cpuplug +# +# cpuplug policy +# +cpuplug = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: ctdbd +# +# Cluster Daemon +# +ctdb = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. 
+# +dcc = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: services +# Module: denyhosts +# +# script to help thwart ssh server attacks +# +denyhosts = module + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: dirsrv-admin +# +# An 309 directory admin server +# +dirsrv = module + +# Layer: services +# Module: dirsrv-admin +# +# An 309 directory admin server +# +dirsrv-admin = module + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: drbd +# +# DRBD mirrors a block device over the network to another machine. +# +drbd = module + +# Layer: services +# Module: dspam +# +# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering +# +dspam = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fcoe +# +# fcoe +# +fcoe = module + +# Layer: contrib +# Module: fdo +# +# fdo - fido device onboard protocol for IoT devices +# +fdo = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. 
+# +finger = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: contrib +# Module: freeipmi +# +# Remote-Console (out-of-band) and System Management Software (in-band) +# based on IntelligentPlatform Management Interface specification +# +freeipmi = module + +# Layer: services +# Module: freqset +# +# Utility for CPU frequency scaling +# +freqset = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: contrib +# Module: gdomap +# +# gdomap policy +# +gdomap = module + +# Layer: contrib +# Module: geoclue +# +# Add policy for Geoclue. 
Geoclue is a D-Bus service that provides location information +# +geoclue = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +git = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Module: gssproxy +# +# A proxy for GSSAPI credential handling +# +# +gssproxy = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services +# Module: hostapd +# +# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator +# +hostapd = module + +# Layer: contrib +# Module: hsqldb +# +# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. +# +hsqldb = module + +# Layer: contrib +# Module: hwloc +# +# hwloc +# +hwloc = module + +# Layer: contrib +# Module: hypervkvp +# +# hypervkvp policy +# +hypervkvp = module + +# Layer: contrib +# Module: ibacm +# +# ibacm +# +ibacm = module + +# Layer: contrib +# Module: ica +# +# ica +# +ica = module + +# Layer: services +# Module: icecast +# +# ShoutCast compatible streaming media server +# +icecast = module + +# Layer: contrib +# Module: iiosensorproxy +# +# Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy +# +iiosensorproxy = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. 
+# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: contrib +# Module: insights_client +# +# insights_client +# +insights_client = module + +# Layer: contrib +# Module: iodine +# +# Fast and lean authoritative DNS Name Server +# +iodine = module + +iotop = module + +# Layer: contrib +# Module: ipmievd +# +# IPMI event daemon for sending events to syslog +# +ipmievd = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: system +# Module: isnsd +# +# +# +isns = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: jetty +# +# Java based http server +# +jetty = module + +# Layer: apps +# Module: jockey +# +# policy for jockey-backend +# +jockey = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdump = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: services +# Module: keepalived +# +# keepalived - load-balancing and high-availability service +# +keepalived = module + +# Module: keyboardd +# +# system-setup-keyboard is a keyboard layout daemon that monitors +# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet +# +keyboardd = module + +# Layer: services +# Module: keystone +# +# openstack-keystone +# +keystone = module + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +kmscon = module + +# Layer: contrib +# Module: kpatch +# +# kpatch +# +kpatch = module + +# Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services 
+# Module: l2ltpd +# +# Layer 2 Tunnelling Protocol Daemon +# +l2tp = module + +# Layer: services +# Module: likewise +# +# Likewise Active Directory support for UNIX +# +likewise = module + +# Layer: contrib +# Module: linuxptp +# +# linuxptp policy +# +linuxptp = module + +# Layer: services +# Module: lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. +# +lircd = module + +# Layer: apps +# Module: livecd +# +# livecd creator +# +livecd = module + +# Layer: services +# Module: lldpad +# +# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon +# +lldpad = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: contrib +# Module: lsm +# +# lsm policy +# +lsm = module + +# Layer: contrib +# Module: lttng-tools +# +# LTTng 2.x central tracing registry session daemon. +# +lttng-tools = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: mailman +# +# Policy for mailscanner +# +mailscanner = module + +# Layer: apps +# Module: man2html +# +# policy for man2html apps +# +man2html = module + +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. 
+# +mcelog = module + +# Layer: apps +# Module: mediawiki +# +# mediawiki +# +mediawiki = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# +# +milter = module + +# Layer: contrib +# Module: minidlna +# +# minidlna policy +# +minidlna = module + +# Layer: contrib +# Module: minissdpd +# +# minissdpd policy +# +minissdpd = module + +# Layer: services +# Module: mip6d +# +# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation +# +mip6d = module + +# Layer: contrib +# Module: mirrormanager +# +# mirrormanager policy +# +mirrormanager = module + +# Layer: services +# Module: mock +# +# Policy for mock rpm builder +# +mock = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. +# +modemmanager = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: contrib +# Module: mon_statd +# +# mon_statd policy +# +mon_statd = module + +mongodb = module + +# Layer: contrib +# Module: motion +# +# Daemon for detect motion using a video4linux device +motion = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: services +# Module: mpd +# +# mpd - daemon for playing music +# +mpd = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: contrib +# Module: mptcpd +# +# mptcpd +# +mptcpd = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: contrib +# Module: mythtv +# +# Policy for Mythtv (Web Server) +# +mythtv = module + +# Layer: contrib +# Module: naemon +# +# naemon policy +# +naemon = module + +# Layer: services +# 
Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: services +# Module: ninfod +# +# Respond to IPv6 Node Information Queries +# +ninfod = module + +# Layer: services +# Module: nova +# +# openstack-nova +# +nova = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: contrib +# Module: nsd +# +# Fast and lean authoritative DNS Name Server +# +nsd = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: numad +# +# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology +# +numad = module + +# Layer: services +# Module: nut +# +# nut - Network UPS Tools +# +nut = module + +# Layer: contrib +# Module: nvme_stas +# +# nvme_stas +# +nvme_stas = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + +# Layer: services +# Module: obex +# +# policy for obex-data-server +# +obex = module + +# Layer: contrib +# Module: opafm +# +# opafm +# +opafm = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = module + +# Layer: contrib +# Module: opendnssec +# +# opendnssec +# +opendnssec = module + +# Layer: contrib +# Module: openfortivpn +# +# Fortinet compatible SSL VPN daemons. 
+#
+openfortivpn = module
+
+# Layer: contrib
+# Module: openhpid
+#
+# OpenHPI daemon runs as a background process and accepts connecti
+#
+openhpid = module
+
+# Layer: contrib
+# Module: openshift-origin
+#
+# Origin version of openshift policy
+#
+openshift = module
+
+# Layer: contrib
+# Module: openshift-origin
+#
+# Origin version of openshift policy
+#
+openshift-origin = module
+
+# Layer: services
+# Module: opensm
+#
+# InfiniBand subnet manager and administration (SM/SA)
+#
+opensm = module
+
+# Layer: services
+# Module: openvpn
+#
+# Policy for OPENVPN full-featured SSL VPN solution
+#
+openvpn = module
+
+# Layer: contrib
+# Module: openvswitch
+#
+# SELinux policy for openvswitch programs
+#
+openvswitch = module
+
+# Layer: services
+# Module: openwsman
+#
+# WS-Management Server
+#
+openwsman = module
+
+# Layer: contrib
+# Module: oracleasm
+#
+# oracleasm policy
+#
+oracleasm = module
+
+# Layer: services
+# Module: osad
+#
+# Client-side service written in Python that responds to pings
+#
+osad = module
+
+# Layer: services
+# Module: pads
+#
+pads = module
+
+# Layer: services
+# Module: passenger
+#
+# Passenger
+#
+passenger = module
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: contrib
+# Module: pcp
+#
+# pcp policy
+#
+pcp = module
+
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
+
+# Layer: services
+# Module: pdns
+#
+# PowerDNS DNS server
+#
+pdns = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = module
+
+# Layer: services
+# Module: pingd
+#
+#
+pingd = module
+
+# Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: contrib
+# Module: pkcs
+#
+# daemon manages PKCS#11 objects between PKCS#11-enabled applications
+#
+pkcs = module
+
+# Layer: contrib
+# Module: pkcs11proxyd
+#
+# pkcs11proxyd policy
+#
+pkcs11proxyd = module
+
+# Layer: services
+# Module: pki
+#
+# policy for pki
+#
+pki = module
+
+# Layer: services
+# Module: plymouthd
+#
+# Plymouth
+#
+plymouthd = module
+
+# Layer: apps
+# Module: podsleuth
+#
+# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
+#
+podsleuth = module
+
+# Layer: services
+# Module: policykit
+#
+# Hardware abstraction layer
+#
+policykit = module
+
+# Layer: services
+# Module: polipo
+#
+# polipo
+#
+polipo = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: portreserve
+#
+# reserve ports to prevent portmap mapping them
+#
+portreserve = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+# Layer: services
+# Module: postgrey
+#
+# email scanner
+#
+postgrey = module
+
+# Layer: system
+# Module: powerprofiles
+#
+# Policy for power-profiles-daemon - power profiles handling over D-Bus
+#
+powerprofiles = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: admin
+# Module: prelink
+#
+# Manage temporary directory sizes and file ages
+#
+prelink = module
+
+# Layer: contrib
+# Module: prelude
+#
+# SELinux policy for prelude
+#
+prelude = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+#
+procmail = module
+
+# Layer: contrib
+# Module: prosody
+#
+# SELinux policy for prosody flexible communications server for Jabber/XMPP
+#
+prosody = module
+
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+#
+psad = module
+
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+#
+ptchown = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: apps
+# Module: pulseaudio
+#
+# The PulseAudio Sound System
+#
+pulseaudio = module
+
+# Layer: services
+# Module: puppet
+#
+# A network tool for managing many disparate systems
+#
+puppet = module
+
+# Layer: apps
+# Module: pwauth
+#
+# External plugin for mod_authnz_external authenticator
+#
+pwauth = module
+
+# Layer: contrib
+# Module: qatlib
+#
+# qatlib - Intel QuickAssist technology library and resources management
+#
+qatlib = module
+
+# Layer: services
+# Module: qmail
+#
+# Policy for qmail
+#
+qmail = module
+
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpid = module
+
+# Layer: services
+# Module: quantum
+#
+# Quantum is a virtual network service for Openstack
+#
+quantum = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: services
+# Module: rabbitmq
+#
+# rabbitmq daemons
+#
+rabbitmq = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: services
+# Module: rasdaemon
+#
+# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing
+#
+rasdaemon = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: contrib
+# Module: stapserver
+#
+# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
+#
+realmd = module
+
+# Layer: contrib
+# Module: redis
+#
+# redis policy
+#
+redis = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: contrib
+# Module: rhcd
+#
+# rhcd
+#
+rhcd = module
+
+# Layer: services
+# Module: rhcs
+#
+# RHCS - Red Hat Cluster Suite
+#
+rhcs = module
+
+# Layer: services
+# Module: rhev
+#
+# rhev policy module contains policies for rhev apps
+#
+rhev = module
+
+# Layer: services
+# Module: rhgb
+#
+# X windows login display manager
+#
+rhgb = module
+
+# Layer: contrib
+# Module: rhnsd
+#
+# rhnsd policy
+#
+rhnsd = module
+
+# Layer: services
+# Module: rhsmcertd
+#
+# Subscription Management Certificate Daemon policy
+#
+rhsmcertd = module
+
+# Layer: services
+# Module: ricci
+#
+# policy for ricci
+#
+ricci = module
+
+# Layer: contrib
+# Module: rkhunter
+#
+# rkhunter policy for /var/lib/rkhunter
+#
+rkhunter = module
+
+# Layer: contrib
+# Module: rkt
+#
+# CLI for running app containers
+#
+rkt = module
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: contrib
+# Module: rngd
+#
+# Daemon used to feed random data from hardware device to kernel random device
+#
+rngd = module
+
+# Layer: contrib
+# Module: rolekit
+#
+# rolekit policy
+#
+rolekit = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpcbind
+#
+# universal addresses to RPC program number mapper
+#
+rpcbind = module
+
+# Layer: contrib
+# Module: rrdcached
+#
+# rrdcached
+#
+rrdcached = module
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: contrib
+# Module: rshim
+#
+# rshim
+#
+rshim = module
+
+# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+#
+rssh = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: contrib
+# Module: rtas
+#
+# rtas policy
+#
+rtas = module
+
+# Layer: services
+# Module: rtkit
+#
+# Real Time Kit Daemon
+#
+rtkit = module
+
+# Layer: services
+# Module: rwho
+#
+# who is logged in on local machines
+#
+rwho = module
+
+# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+samba = module
+
+# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+sambagui = module
+
+# Layer: apps
+# Module: sandbox
+#
+# Policy for running apps within a X sandbox
+#
+sandboxX = module
+
+# Layer: services
+# Module: sanlock
+#
+# sanlock policy
+#
+sanlock = module
+
+# Layer: contrib
+# Module: sap_unconfined
+#
+# sap_unconfined
+#
+sap = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: contrib
+# Module: sbd
+#
+# sbd
+#
+sbd = module
+
+# Layer: services
+# Module: sblim
+#
+# sblim
+#
+sblim = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: admin
+# Module: sectoolm
+#
+# Policy for sectool-mechanism
+#
+sectoolm = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: contrib
+# Module: sensord
+#
+# Sensor information logging daemon
+#
+sensord = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = module
+
+# Layer: services
+# Module: sge
+#
+# policy for grindengine MPI jobs
+#
+sge = module
+
+# Layer: admin
+# Module: shorewall
+#
+# Policy for shorewall
+#
+shorewall = module
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: contrib
+# Module: slpd
+#
+# OpenSLP server daemon to dynamically register services
+#
+slpd = module
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: smokeping
+#
+# Latency Logging and Graphing System
+#
+smokeping = module
+
+# Layer: admin
+# Module: smoltclient
+#
+#The Fedora hardware profiler client
+#
+smoltclient = module
+
+# Layer: services
+# Module: smsd
+#
+# policy for smsd
+#
+smsd = module
+
+# Layer: contrib
+# Module: snapper
+#
+# snapper policy
+#
+snapper = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: admin
+# Module: sosreport
+#
+# sosreport debuggin information generator
+#
+sosreport = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: speech-dispatcher
+#
+# speech-dispatcher - server process managing speech requests in Speech Dispatcher
+#
+speech-dispatcher = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: sslh
+#
+# Applicative protocol(SSL/SSH) multiplexer
+#
+sslh = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Module: staff
+#
+# admin account
+#
+staff = module
+
+# Layer: contrib
+# Module: stapserver
+#
+# Instrumentation System Server
+#
+stapserver = module
+
+# Layer: contrib
+# Module: stratisd
+#
+# stratisd
+#
+stratisd = module
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: services
+# Module: svnserve
+#
+# policy for subversion service
+#
+svnserve = module
+
+# Layer: services
+# Module: swift
+#
+# openstack-swift
+#
+swift = module
+
+# Layer: system
+# Module: switcheroo
+#
+# Policy for switcheroo-control: D-Bus service to check dual GPU availability
+#
+switcheroo = module
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: contrib
+# Module: tangd
+#
+# tangd
+#
+tangd = module
+
+# Layer: contrib
+# Module: targetd
+#
+# targetd policy
+#
+targetd = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: tcsd
+#
+# tcsd - daemon that manages Trusted Computing resources
+#
+tcsd = module
+
+# Layer: apps
+# Module: telepathy
+#
+# telepathy - Policy for Telepathy framework
+#
+telepathy = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: tgtd
+#
+# Linux Target Framework Daemon.
+#
+tgtd = module
+
+# Layer: contrib
+# Module: thin
+#
+# Policy for thin
+#
+thin = module
+
+# Layer: apps
+# Module: thumb
+#
+# Thumbnailer confinement
+#
+thumb = module
+
+# Layer: contrib
+# Module: timedatex
+#
+# timedatex
+#
+timedatex = module
+
+# Layer: contrib
+# Module: tlp
+#
+# tlp
+#
+tlp = module
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: contrib
+# Module: glusterd
+#
+# policy for tomcat service
+#
+tomcat = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: services
+# Module: ulogd
+#
+# netfilter/iptables ULOG daemon
+#
+ulogd = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: role
+# Module: unprivuser
+#
+# Minimally privs guest account on tty logins
+#
+unprivuser = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = module
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: services
+# Module: usbmuxd
+#
+# Daemon for communicating with Apple's iPod Touch and iPhone
+#
+usbmuxd = module
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: uuidd
+#
+# UUID generation daemon
+#
+uuidd = module
+
+# Layer: services
+# Module: varnishd
+#
+# Varnishd http accelerator daemon
+#
+varnishd = module
+
+# Layer: services
+# Module: vdagent
+#
+# vdagent
+#
+vdagent = module
+
+# Layer: services
+# Module: vhostmd
+#
+# vhostmd - spice guest agent daemon.
+#
+vhostmd = module
+
+# Layer: services
+# Module: vmtools
+#
+# VMware Tools daemon
+#
+vmtools = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: services
+# Module: vnstatd
+#
+# Network traffic Monitor
+#
+vnstatd = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: services
+# Module: w3c
+#
+# w3c
+#
+w3c = module
+
+# Layer: contrib
+# Module: watchdog
+#
+# Watchdog policy
+#
+watchdog = module
+
+# Layer: services
+# Module: wdmd
+#
+# wdmd policy
+#
+wdmd = module
+
+# Layer: role
+# Module: webadm
+#
+# Minimally prived root role for managing apache
+#
+webadm = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: apps
+# Module: wine
+#
+# wine executable
+#
+wine = module
+
+# Layer: contrib
+# Module: wireguard
+#
+# wireguard
+#
+wireguard = module
+
+# Layer: apps
+# Module: wireshark
+#
+# wireshark executable
+#
+wireshark = module
+
+# Layer: system
+# Module: xen
+#
+# virtualization software
+#
+xen = module
+
+# Layer: role
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: services
+# Module: zabbix
+#
+# Open-source monitoring solution for your IT infrastructure
+#
+zabbix = module
+
+# Layer: services
+# Module: zarafa
+#
+# Zarafa Collaboration Platform
+#
+zarafa = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: services
+# Module: zoneminder
+#
+# Zoneminder Camera Security Surveillance Solution
+#
+zoneminder = module
+
+# Layer: services
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = off
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = off
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = off
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = off
+
+# Layer: apps
+# Module: sandbox
+#
+# Policy for running apps within a sandbox
+#
+sandbox = off
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = off
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = off
diff --git a/readme-automotive b/readme-automotive
new file mode 100644
index 00000000..1a403b82
--- /dev/null
+++ b/readme-automotive
@@ -0,0 +1,52 @@
+The automotive package is modeled after selinux-policy-minimum in that it
+contains all the modules that are present in selinux-policy-targeted, but most
+of them are disabled (content of module-automotive-contrib.conf).
+The rest of the configuration files is copied from targeted, only
+booleans-automotive.conf and users-automotive are missing booleans and users
+defined in disabled modules.
+
+
+The content of module-automotive-base.conf was determined as follows.
+Modules providing file context definitions related to packages in qm-minimal
+image package set [1]:
+["anaconda", "authlogin", "bluetooth", "bootloader", "clock", "cpucontrol",
+"cups", "daemontools", "dbus", "dmesg", "fstools", "fwupd", "games", "gpg",
+"hostname", "init", "iptables", "journalctl", "kerberos", "ldap", "libraries",
+"loadkeys", "locallogin", "logging", "lpd", "lvm", "miscfiles", "modutils",
+"mount", "mta", "namespace", "networkmanager", "nis", "oddjob", "rpc", "rpm",
+"selinuxutil", "stalld", "su", "sysnetwork", "systemd", "udev", "userdomain",
+"userhelper", "usermanage", "vlock"]
+
+Modules chosen based on name comparison with the qm-minimal image package set:
+["cyrus","dbus","gpg","ldap","rpm","sasl","fwupd","stalld","ssh","hostname",
+"iptables","mount","systemd","udev"]
+
+The following are additions based on qm-developer image package set:
+["netutils", "ssh", "sudo ", "chronyd", "mandb", "pesign", "rdisc", "rsync",
+"sosreport", "virt"]
+
+Dependencies of container-selinux:
+["anaconda","gnome","sssd"]
+
+Dependency of gpg:
+["apache"]
+
+systemd_logind does not work properly without:
+["dhcp"]
+
+
+All remaining modules are listed in module-automotive-contrib.conf and
+therefore disabled (modules set to "off" in modules-targeted-* where kept
+"off" in automotive as well).
+
+sandbox module was set to "off" instead of it being removed in spec file (as
+done in "minimum") to simplify the spec file.
+
+Note that DSP modules will not be installed if they follow [2], which is
+probably for the best, since they do not consistently use optional_policy
+blocks and would likely fail to install. However, container module is needed
+even for the qm-minimal image and has to be installed manually (probably in
+automotive-image-builder).
+
+[1] - https://autosd.sig.centos.org/AutoSD-9/nightly/core-rpms/autosd-core-rpms-x86_64.txt
+[2] - https://fedoraproject.org/wiki/SELinux/IndependentPolicy
diff --git a/securetty_types-automotive b/securetty_types-automotive
new file mode 100644
index 00000000..7055096f
--- /dev/null
+++ b/securetty_types-automotive
@@ -0,0 +1,4 @@
+console_device_t
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 692f6549..1f4e9dd1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -18,13 +18,16 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
+%if %{?BUILD_AUTOMOTIVE:0}%{!?BUILD_AUTOMOTIVE:1}
+%define BUILD_AUTOMOTIVE 1
+%endif
 %define POLICYVER 33
 %define POLICYCOREUTILSVER 3.4-1
 %define CHECKPOLICYVER 3.2
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 38.1.53
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 Source1: modules-targeted-base.conf
@@ -61,6 +64,13 @@ Source35: container-selinux.tgz
 Source36: selinux-check-proper-disable.service
+Source37: modules-automotive-base.conf
+Source38: modules-automotive-contrib.conf
+Source39: booleans-automotive.conf
+Source40: users-automotive
+Source41: setrans-automotive.conf
+Source42: securetty_types-automotive
+
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
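Review bot: readme-automotive is added by this commit but is not referenced from the spec: Source37–Source42 cover only the six configuration files, so the readme ends up neither in the SRPM nor in the binary package, and the reasoning behind the module selection is only reachable through git history. Adding `Source43: readme-automotive`, copying it into the build tree in %prep and listing it as `%doc readme-automotive` in the automotive file list would ship the rationale with the package it describes.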
@@ -408,7 +418,7 @@ end
 tar -C policy/modules/contrib -xf %{SOURCE35}
 mkdir selinux_config
-for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32} %{SOURCE37} %{SOURCE38} %{SOURCE39} %{SOURCE40} %{SOURCE41} %{SOURCE42};do
 cp $i selinux_config
 done
@@ -425,8 +435,8 @@ mkdir -p %{buildroot}%{_bindir}
 install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/
 # Always create policy module package directories
-mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
-mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
+mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,automotive,modules}/
+mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,automotive,modules}/
 mkdir -p %{buildroot}%{_datadir}/selinux/packages
@@ -466,8 +476,17 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
 %nonBaseModulesList mls
 %endif
+%if %{BUILD_AUTOMOTIVE}
+# Build automotive policy
+%makeCmds automotive mcs allow
+%makeModulesConf automotive base contrib
+%installCmds automotive mcs allow
+%modulesList automotive
+%nonBaseModulesList automotive
+%endif
+
 # remove leftovers when save-previous=true (semanage.conf) is used
-rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
+rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls,automotive}/previous
 mkdir -p %{buildroot}%{_mandir}
 cp -R man/* %{buildroot}%{_mandir}
@@ -739,6 +758,83 @@ exit 0
 %fileList minimum
 %endif
+%if %{BUILD_AUTOMOTIVE}
+%package automotive
+Summary: SELinux automotive policy
+Provides: selinux-policy-any = %{version}-%{release}
+Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+Requires: selinux-policy = %{version}-%{release}
+Conflicts: seedit
+Conflicts: container-selinux <= 1.9.0-9
+
+%description automotive
+SELinux automotive policy package.
+
+%pretrans automotive -p
+%backupConfigLua
+
+%pre automotive
+%preInstall automotive
+if [ $1 -ne 1 ]; then
+ %{_sbindir}/semodule -s automotive --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/automotive/instmodules.lst
+fi
+
+%post automotive
+%checkConfigConsistency automotive
+contribpackages=`cat %{_datadir}/selinux/automotive/modules-contrib.lst`
+basepackages=`cat %{_datadir}/selinux/automotive/modules-base.lst`
+if [ ! -d %{_sharedstatedir}/selinux/automotive/active/modules/disabled ]; then
+ mkdir %{_sharedstatedir}/selinux/automotive/active/modules/disabled
+fi
+if [ $1 -eq 1 ]; then
+for p in $contribpackages; do
+ touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+for p in $basepackages apache dbus inetd kerberos mta nis; do
+ rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
+%{_sbindir}/semodule -B -s automotive
+else
+instpackages=`cat %{_datadir}/selinux/automotive/instmodules.lst`
+for p in $contribpackages; do
+ touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+for p in $instpackages apache dbus inetd kerberos mta nis; do
+ rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p
+done
+%{_sbindir}/semodule -B -s automotive
+%relabel automotive
+fi
+exit 0
+
+%posttrans automotive
+%checkConfigConsistency automotive
+
+%postun automotive
+if [ $1 = 0 ]; then
+ if [ -s %{_sysconfdir}/selinux/config ]; then
+ source %{_sysconfdir}/selinux/config &> /dev/null || true
+ fi
+ if [ "$SELINUXTYPE" = "automotive" ]; then
+ %{_sbindir}/setenforce 0 2> /dev/null
+ if [ ! -s %{_sysconfdir}/selinux/config ]; then
+ echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
+ else
+ sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
+ fi
+ fi
+fi
+exit 0
+
+%files automotive -f %{buildroot}%{_datadir}/selinux/automotive/nonbasemodules.lst
+%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/unconfined_u
+%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/sysadm_u
+%fileList automotive
+%endif
+
 %if %{BUILD_MLS}
 %package mls
 Summary: SELinux MLS policy
diff --git a/setrans-automotive.conf b/setrans-automotive.conf
new file mode 100644
index 00000000..09a6ce3d
--- /dev/null
+++ b/setrans-automotive.conf
@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
diff --git a/users-automotive b/users-automotive
new file mode 100644
index 00000000..8e0da0c6
--- /dev/null
+++ b/users-automotive
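Review bot: The hard-coded names in `for p in $basepackages apache dbus inetd kerberos mta nis; do` and `for p in $instpackages apache dbus inetd kerberos mta nis; do` in %post automotive are carried over from the minimum scriptlet, so those six modules are removed from active/modules/disabled on every install and upgrade whether or not the automotive configuration wants them; readme-automotive places apache, dbus, kerberos, mta and nis in the base set but never mentions inetd, so inetd appears to be enabled only by this list. The opposite problem is also visible: sasl, rsync, sosreport and sssd are named as base modules in the readme yet are listed as `= module` in the module list earlier in this patch (which reads as modules-automotive-contrib.conf), so unless they also appear in modules-automotive-base.conf they land in $contribpackages and receive a disabled marker. I would derive the forced-enable list from the base conf, or at least document it with `# contrib modules that must stay enabled in automotive (see readme-automotive)` above the loop and confirm inetd is intended. Separately, `%pretrans automotive -p` shows no interpreter argument in this rendering; if `<lua>` was only lost in display that is fine, otherwise %backupConfigLua will not run as Lua. The %pre, %post and %postun bodies are complete within this hunk.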
@@ -0,0 +1,39 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix will not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)