import selinux-policy-3.14.3-9.el8
This commit is contained in:
commit
c3537309fd
3
.gitignore
vendored
Normal file
3
.gitignore
vendored
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
SOURCES/container-selinux.tgz
|
||||||
|
SOURCES/selinux-policy-68c5655.tar.gz
|
||||||
|
SOURCES/selinux-policy-contrib-ff0abc8.tar.gz
|
3
.selinux-policy.metadata
Normal file
3
.selinux-policy.metadata
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
d062b78207b84dff3bc74f0c67c21943040723d5 SOURCES/container-selinux.tgz
|
||||||
|
3a55719eee1f5aea3664adad331ed48c3f14f2eb SOURCES/selinux-policy-68c5655.tar.gz
|
||||||
|
31cc8d555c60212a119855c4d385b4e619c0e044 SOURCES/selinux-policy-contrib-ff0abc8.tar.gz
|
22
SOURCES/Makefile.devel
Normal file
22
SOURCES/Makefile.devel
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
# installation paths
|
||||||
|
SHAREDIR := /usr/share/selinux
|
||||||
|
|
||||||
|
AWK ?= gawk
|
||||||
|
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
|
||||||
|
|
||||||
|
ifeq ($(MLSENABLED),)
|
||||||
|
MLSENABLED := 1
|
||||||
|
endif
|
||||||
|
|
||||||
|
ifeq ($(MLSENABLED),1)
|
||||||
|
NTYPE = mcs
|
||||||
|
endif
|
||||||
|
|
||||||
|
ifeq ($(NAME),mls)
|
||||||
|
NTYPE = mls
|
||||||
|
endif
|
||||||
|
|
||||||
|
TYPE ?= $(NTYPE)
|
||||||
|
|
||||||
|
HEADERDIR := $(SHAREDIR)/devel/include
|
||||||
|
include $(HEADERDIR)/Makefile
|
248
SOURCES/booleans-minimum.conf
Normal file
248
SOURCES/booleans-minimum.conf
Normal file
@ -0,0 +1,248 @@
|
|||||||
|
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||||
|
#
|
||||||
|
allow_execmem = false
|
||||||
|
|
||||||
|
# Allow making a modified private filemapping executable (text relocation).
|
||||||
|
#
|
||||||
|
allow_execmod = false
|
||||||
|
|
||||||
|
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||||
|
#
|
||||||
|
allow_execstack = true
|
||||||
|
|
||||||
|
# Allow ftpd to read cifs directories.
|
||||||
|
#
|
||||||
|
allow_ftpd_use_cifs = false
|
||||||
|
|
||||||
|
# Allow ftpd to read nfs directories.
|
||||||
|
#
|
||||||
|
allow_ftpd_use_nfs = false
|
||||||
|
|
||||||
|
# Allow ftp servers to modify public filesused for public file transfer services.
|
||||||
|
#
|
||||||
|
allow_ftpd_anon_write = false
|
||||||
|
|
||||||
|
# Allow gssd to read temp directory.
|
||||||
|
#
|
||||||
|
allow_gssd_read_tmp = true
|
||||||
|
|
||||||
|
# Allow Apache to modify public filesused for public file transfer services.
|
||||||
|
#
|
||||||
|
allow_httpd_anon_write = false
|
||||||
|
|
||||||
|
# Allow Apache to use mod_auth_pam module
|
||||||
|
#
|
||||||
|
allow_httpd_mod_auth_pam = false
|
||||||
|
|
||||||
|
# Allow system to run with kerberos
|
||||||
|
#
|
||||||
|
allow_kerberos = true
|
||||||
|
|
||||||
|
# Allow rsync to modify public filesused for public file transfer services.
|
||||||
|
#
|
||||||
|
allow_rsync_anon_write = false
|
||||||
|
|
||||||
|
# Allow sasl to read shadow
|
||||||
|
#
|
||||||
|
allow_saslauthd_read_shadow = false
|
||||||
|
|
||||||
|
# Allow samba to modify public filesused for public file transfer services.
|
||||||
|
#
|
||||||
|
allow_smbd_anon_write = false
|
||||||
|
|
||||||
|
# Allow system to run with NIS
|
||||||
|
#
|
||||||
|
allow_ypbind = false
|
||||||
|
|
||||||
|
# Allow zebra to write it own configuration files
|
||||||
|
#
|
||||||
|
allow_zebra_write_config = false
|
||||||
|
|
||||||
|
# Enable extra rules in the cron domainto support fcron.
|
||||||
|
#
|
||||||
|
fcron_crond = false
|
||||||
|
|
||||||
|
#
|
||||||
|
# allow httpd to connect to mysql/posgresql
|
||||||
|
httpd_can_network_connect_db = false
|
||||||
|
|
||||||
|
#
|
||||||
|
# allow httpd to send dbus messages to avahi
|
||||||
|
httpd_dbus_avahi = true
|
||||||
|
|
||||||
|
#
|
||||||
|
# allow httpd to network relay
|
||||||
|
httpd_can_network_relay = false
|
||||||
|
|
||||||
|
# Allow httpd to use built in scripting (usually php)
|
||||||
|
#
|
||||||
|
httpd_builtin_scripting = true
|
||||||
|
|
||||||
|
# Allow http daemon to tcp connect
|
||||||
|
#
|
||||||
|
httpd_can_network_connect = false
|
||||||
|
|
||||||
|
# Allow httpd cgi support
|
||||||
|
#
|
||||||
|
httpd_enable_cgi = true
|
||||||
|
|
||||||
|
# Allow httpd to act as a FTP server bylistening on the ftp port.
|
||||||
|
#
|
||||||
|
httpd_enable_ftp_server = false
|
||||||
|
|
||||||
|
# Allow httpd to read home directories
|
||||||
|
#
|
||||||
|
httpd_enable_homedirs = false
|
||||||
|
|
||||||
|
# Run SSI execs in system CGI script domain.
|
||||||
|
#
|
||||||
|
httpd_ssi_exec = false
|
||||||
|
|
||||||
|
# Allow http daemon to communicate with the TTY
|
||||||
|
#
|
||||||
|
httpd_tty_comm = false
|
||||||
|
|
||||||
|
# Run CGI in the main httpd domain
|
||||||
|
#
|
||||||
|
httpd_unified = false
|
||||||
|
|
||||||
|
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
|
||||||
|
#
|
||||||
|
named_write_master_zones = false
|
||||||
|
|
||||||
|
# Allow nfs to be exported read/write.
|
||||||
|
#
|
||||||
|
nfs_export_all_rw = true
|
||||||
|
|
||||||
|
# Allow nfs to be exported read only
|
||||||
|
#
|
||||||
|
nfs_export_all_ro = true
|
||||||
|
|
||||||
|
# Allow pppd to load kernel modules for certain modems
|
||||||
|
#
|
||||||
|
pppd_can_insmod = false
|
||||||
|
|
||||||
|
# Allow reading of default_t files.
|
||||||
|
#
|
||||||
|
read_default_t = false
|
||||||
|
|
||||||
|
# Allow samba to export user home directories.
|
||||||
|
#
|
||||||
|
samba_enable_home_dirs = false
|
||||||
|
|
||||||
|
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
|
||||||
|
#
|
||||||
|
squid_connect_any = false
|
||||||
|
|
||||||
|
# Support NFS home directories
|
||||||
|
#
|
||||||
|
use_nfs_home_dirs = true
|
||||||
|
|
||||||
|
# Support SAMBA home directories
|
||||||
|
#
|
||||||
|
use_samba_home_dirs = false
|
||||||
|
|
||||||
|
# Control users use of ping and traceroute
|
||||||
|
#
|
||||||
|
user_ping = false
|
||||||
|
|
||||||
|
# allow host key based authentication
|
||||||
|
#
|
||||||
|
allow_ssh_keysign = false
|
||||||
|
|
||||||
|
# Allow pppd to be run for a regular user
|
||||||
|
#
|
||||||
|
pppd_for_user = false
|
||||||
|
|
||||||
|
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
|
||||||
|
#
|
||||||
|
read_untrusted_content = false
|
||||||
|
|
||||||
|
# Allow spamd to write to users homedirs
|
||||||
|
#
|
||||||
|
spamd_enable_home_dirs = false
|
||||||
|
|
||||||
|
# Allow regular users direct mouse access
|
||||||
|
#
|
||||||
|
user_direct_mouse = false
|
||||||
|
|
||||||
|
# Allow users to read system messages.
|
||||||
|
#
|
||||||
|
user_dmesg = false
|
||||||
|
|
||||||
|
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
|
||||||
|
#
|
||||||
|
user_rw_noexattrfile = false
|
||||||
|
|
||||||
|
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
|
||||||
|
#
|
||||||
|
user_tcp_server = false
|
||||||
|
|
||||||
|
# Allow w to display everyone
|
||||||
|
#
|
||||||
|
user_ttyfile_stat = false
|
||||||
|
|
||||||
|
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
|
||||||
|
#
|
||||||
|
write_untrusted_content = false
|
||||||
|
|
||||||
|
# Allow all domains to talk to ttys
|
||||||
|
#
|
||||||
|
allow_daemons_use_tty = false
|
||||||
|
|
||||||
|
# Allow login domains to polyinstatiate directories
|
||||||
|
#
|
||||||
|
allow_polyinstantiation = false
|
||||||
|
|
||||||
|
# Allow all domains to dump core
|
||||||
|
#
|
||||||
|
allow_daemons_dump_core = true
|
||||||
|
|
||||||
|
# Allow samba to act as the domain controller
|
||||||
|
#
|
||||||
|
samba_domain_controller = false
|
||||||
|
|
||||||
|
# Allow samba to export user home directories.
|
||||||
|
#
|
||||||
|
samba_run_unconfined = false
|
||||||
|
|
||||||
|
# Allows XServer to execute writable memory
|
||||||
|
#
|
||||||
|
allow_xserver_execmem = false
|
||||||
|
|
||||||
|
# disallow guest accounts to execute files that they can create
|
||||||
|
#
|
||||||
|
allow_guest_exec_content = false
|
||||||
|
allow_xguest_exec_content = false
|
||||||
|
|
||||||
|
# Only allow browser to use the web
|
||||||
|
#
|
||||||
|
browser_confine_xguest=false
|
||||||
|
|
||||||
|
# Allow postfix locat to write to mail spool
|
||||||
|
#
|
||||||
|
allow_postfix_local_write_mail_spool=false
|
||||||
|
|
||||||
|
# Allow common users to read/write noexattrfile systems
|
||||||
|
#
|
||||||
|
user_rw_noexattrfile=true
|
||||||
|
|
||||||
|
# Allow qemu to connect fully to the network
|
||||||
|
#
|
||||||
|
qemu_full_network=true
|
||||||
|
|
||||||
|
# Allow nsplugin execmem/execstack for bad plugins
|
||||||
|
#
|
||||||
|
allow_nsplugin_execmem=true
|
||||||
|
|
||||||
|
# Allow unconfined domain to transition to confined domain
|
||||||
|
#
|
||||||
|
allow_unconfined_nsplugin_transition=true
|
||||||
|
|
||||||
|
# System uses init upstart program
|
||||||
|
#
|
||||||
|
init_upstart = true
|
||||||
|
|
||||||
|
# Allow mount to mount any file/dir
|
||||||
|
#
|
||||||
|
allow_mount_anyfile = true
|
6
SOURCES/booleans-mls.conf
Normal file
6
SOURCES/booleans-mls.conf
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
kerberos_enabled = true
|
||||||
|
mount_anyfile = true
|
||||||
|
polyinstantiation_enabled = true
|
||||||
|
ftpd_is_daemon = true
|
||||||
|
selinuxuser_ping = true
|
||||||
|
xserver_object_manager = true
|
24
SOURCES/booleans-targeted.conf
Normal file
24
SOURCES/booleans-targeted.conf
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
gssd_read_tmp = true
|
||||||
|
httpd_builtin_scripting = true
|
||||||
|
httpd_enable_cgi = true
|
||||||
|
kerberos_enabled = true
|
||||||
|
mount_anyfile = true
|
||||||
|
nfs_export_all_ro = true
|
||||||
|
nfs_export_all_rw = true
|
||||||
|
nscd_use_shm = true
|
||||||
|
openvpn_enable_homedirs = true
|
||||||
|
postfix_local_write_mail_spool=true
|
||||||
|
pppd_can_insmod = false
|
||||||
|
privoxy_connect_any = true
|
||||||
|
selinuxuser_direct_dri_enabled = true
|
||||||
|
selinuxuser_execmem = true
|
||||||
|
selinuxuser_execmod = true
|
||||||
|
selinuxuser_execstack = true
|
||||||
|
selinuxuser_rw_noexattrfile=true
|
||||||
|
selinuxuser_ping = true
|
||||||
|
squid_connect_any = true
|
||||||
|
telepathy_tcp_connect_generic_network_ports=true
|
||||||
|
unconfined_chrome_sandbox_transition=true
|
||||||
|
unconfined_mozilla_plugin_transition=true
|
||||||
|
xguest_exec_content = true
|
||||||
|
mozilla_plugin_can_network_connect = true
|
54
SOURCES/booleans.subs_dist
Normal file
54
SOURCES/booleans.subs_dist
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
allow_auditadm_exec_content auditadm_exec_content
|
||||||
|
allow_console_login login_console_enabled
|
||||||
|
allow_cvs_read_shadow cvs_read_shadow
|
||||||
|
allow_daemons_dump_core daemons_dump_core
|
||||||
|
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
|
||||||
|
allow_daemons_use_tty daemons_use_tty
|
||||||
|
allow_domain_fd_use domain_fd_use
|
||||||
|
allow_execheap selinuxuser_execheap
|
||||||
|
allow_execmod selinuxuser_execmod
|
||||||
|
allow_execstack selinuxuser_execstack
|
||||||
|
allow_ftpd_anon_write ftpd_anon_write
|
||||||
|
allow_ftpd_full_access ftpd_full_access
|
||||||
|
allow_ftpd_use_cifs ftpd_use_cifs
|
||||||
|
allow_ftpd_use_nfs ftpd_use_nfs
|
||||||
|
allow_gssd_read_tmp gssd_read_tmp
|
||||||
|
allow_guest_exec_content guest_exec_content
|
||||||
|
allow_httpd_anon_write httpd_anon_write
|
||||||
|
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
|
||||||
|
allow_httpd_mod_auth_pam httpd_mod_auth_pam
|
||||||
|
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
|
||||||
|
allow_kerberos kerberos_enabled
|
||||||
|
allow_mplayer_execstack mplayer_execstack
|
||||||
|
allow_mount_anyfile mount_anyfile
|
||||||
|
allow_nfsd_anon_write nfsd_anon_write
|
||||||
|
allow_polyinstantiation polyinstantiation_enabled
|
||||||
|
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
|
||||||
|
allow_rsync_anon_write rsync_anon_write
|
||||||
|
allow_saslauthd_read_shadow saslauthd_read_shadow
|
||||||
|
allow_secadm_exec_content secadm_exec_content
|
||||||
|
allow_smbd_anon_write smbd_anon_write
|
||||||
|
allow_ssh_keysign ssh_keysign
|
||||||
|
allow_staff_exec_content staff_exec_content
|
||||||
|
allow_sysadm_exec_content sysadm_exec_content
|
||||||
|
allow_user_exec_content user_exec_content
|
||||||
|
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
|
||||||
|
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
|
||||||
|
allow_write_xshm xserver_clients_write_xshm
|
||||||
|
allow_xguest_exec_content xguest_exec_content
|
||||||
|
allow_xserver_execmem xserver_execmem
|
||||||
|
allow_ypbind nis_enabled
|
||||||
|
allow_zebra_write_config zebra_write_config
|
||||||
|
user_direct_dri selinuxuser_direct_dri_enabled
|
||||||
|
user_ping selinuxuser_ping
|
||||||
|
user_share_music selinuxuser_share_music
|
||||||
|
user_tcp_server selinuxuser_tcp_server
|
||||||
|
sepgsql_enable_pitr_implementation postgresql_can_rsync
|
||||||
|
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
|
||||||
|
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
|
||||||
|
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
|
||||||
|
clamd_use_jit antivirus_use_jit
|
||||||
|
amavis_use_jit antivirus_use_jit
|
||||||
|
logwatch_can_sendmail logwatch_can_network_connect_mail
|
||||||
|
puppet_manage_all_files puppetagent_manage_all_files
|
||||||
|
virt_sandbox_use_nfs virt_use_nfs
|
14
SOURCES/customizable_types
Normal file
14
SOURCES/customizable_types
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
container_file_t
|
||||||
|
sandbox_file_t
|
||||||
|
svirt_image_t
|
||||||
|
svirt_home_t
|
||||||
|
svirt_sandbox_file_t
|
||||||
|
virt_content_t
|
||||||
|
httpd_user_htaccess_t
|
||||||
|
httpd_user_script_exec_t
|
||||||
|
httpd_user_rw_content_t
|
||||||
|
httpd_user_ra_content_t
|
||||||
|
httpd_user_content_t
|
||||||
|
git_session_content_t
|
||||||
|
home_bin_t
|
||||||
|
user_tty_device_t
|
19
SOURCES/file_contexts.subs_dist
Normal file
19
SOURCES/file_contexts.subs_dist
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
/run /var/run
|
||||||
|
/run/lock /var/lock
|
||||||
|
/run/systemd/system /usr/lib/systemd/system
|
||||||
|
/run/systemd/generator /usr/lib/systemd/system
|
||||||
|
/run/systemd/generator.late /usr/lib/systemd/system
|
||||||
|
/lib /usr/lib
|
||||||
|
/lib64 /usr/lib
|
||||||
|
/usr/lib64 /usr/lib
|
||||||
|
/usr/local/lib64 /usr/lib
|
||||||
|
/usr/local/lib32 /usr/lib
|
||||||
|
/etc/systemd/system /usr/lib/systemd/system
|
||||||
|
/var/lib/xguest/home /home
|
||||||
|
/var/named/chroot/usr/lib64 /usr/lib
|
||||||
|
/var/named/chroot/lib64 /usr/lib
|
||||||
|
/home-inst /home
|
||||||
|
/home/home-inst /home
|
||||||
|
/var/roothome /root
|
||||||
|
/sbin /usr/sbin
|
||||||
|
/sysroot/tmp /tmp
|
81
SOURCES/macro-expander
Normal file
81
SOURCES/macro-expander
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
function usage {
|
||||||
|
echo "Usage: $0 [ -c | -t [ -M ] ] <macro>"
|
||||||
|
echo "Options:
|
||||||
|
-c generate CIL output
|
||||||
|
-t generate standard policy source format (.te) allow rules - this is default
|
||||||
|
-M generate complete module .te output
|
||||||
|
"
|
||||||
|
}
|
||||||
|
|
||||||
|
function cleanup {
|
||||||
|
rm -rf $TEMP_STORE
|
||||||
|
}
|
||||||
|
|
||||||
|
while getopts "chMt" opt; do
|
||||||
|
case $opt in
|
||||||
|
c) GENCIL=1
|
||||||
|
;;
|
||||||
|
t) GENTE=1
|
||||||
|
;;
|
||||||
|
M) GENTEMODULE=1
|
||||||
|
;;
|
||||||
|
h) usage
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
\?) usage
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
shift $((OPTIND-1))
|
||||||
|
|
||||||
|
SELINUX_MACRO=$1
|
||||||
|
|
||||||
|
if [ -z "$SELINUX_MACRO" ]
|
||||||
|
then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
TEMP_STORE="$(mktemp -d)"
|
||||||
|
cd $TEMP_STORE
|
||||||
|
|
||||||
|
IFS="("
|
||||||
|
set $1
|
||||||
|
SELINUX_DOMAIN="${2::-1}"
|
||||||
|
|
||||||
|
echo -e "policy_module(expander, 1.0.0) \n" \
|
||||||
|
"gen_require(\`\n" \
|
||||||
|
"type $SELINUX_DOMAIN ; \n" \
|
||||||
|
"')" > expander.te
|
||||||
|
|
||||||
|
echo "$SELINUX_MACRO" >> expander.te
|
||||||
|
|
||||||
|
make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null
|
||||||
|
|
||||||
|
if [ "x$GENCIL" = "x1" ]; then
|
||||||
|
|
||||||
|
make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null
|
||||||
|
MAKE_RESULT=$?
|
||||||
|
|
||||||
|
if [ $MAKE_RESULT -ne 2 ]
|
||||||
|
then
|
||||||
|
/usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null
|
||||||
|
grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$GENTE" = "1" -o "x$GENCIL" != "x1" ]; then
|
||||||
|
m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
|
||||||
|
if [ "x$GENTEMODULE" = "x1" ]; then
|
||||||
|
# sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
|
||||||
|
sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp
|
||||||
|
else
|
||||||
|
grep '^\s*allow' expander.tmp | sed 's/^\s*//'
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
cd - > /dev/null
|
||||||
|
cleanup
|
380
SOURCES/modules-mls-base.conf
Normal file
380
SOURCES/modules-mls-base.conf
Normal file
@ -0,0 +1,380 @@
|
|||||||
|
# Layer: kernel
|
||||||
|
# Module: bootloader
|
||||||
|
#
|
||||||
|
# Policy for the kernel modules, kernel image, and bootloader.
|
||||||
|
#
|
||||||
|
bootloader = module
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: corenetwork
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy controlling access to network objects
|
||||||
|
#
|
||||||
|
corenetwork = base
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: dmesg
|
||||||
|
#
|
||||||
|
# Policy for dmesg.
|
||||||
|
#
|
||||||
|
dmesg = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: netutils
|
||||||
|
#
|
||||||
|
# Network analysis utilities
|
||||||
|
#
|
||||||
|
netutils = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: sudo
|
||||||
|
#
|
||||||
|
# Execute a command with a substitute user
|
||||||
|
#
|
||||||
|
sudo = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: su
|
||||||
|
#
|
||||||
|
# Run shells with substitute user and group
|
||||||
|
#
|
||||||
|
su = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: usermanage
|
||||||
|
#
|
||||||
|
# Policy for managing user accounts.
|
||||||
|
#
|
||||||
|
usermanage = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: seunshare
|
||||||
|
#
|
||||||
|
# seunshare executable
|
||||||
|
#
|
||||||
|
seunshare = module
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: corecommands
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Core policy for shells, and generic programs
|
||||||
|
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||||
|
#
|
||||||
|
corecommands = base
|
||||||
|
|
||||||
|
# Module: devices
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Device nodes and interfaces for many basic system devices.
|
||||||
|
#
|
||||||
|
devices = base
|
||||||
|
|
||||||
|
# Module: domain
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Core policy for domains.
|
||||||
|
#
|
||||||
|
domain = base
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: userdomain
|
||||||
|
#
|
||||||
|
# Policy for user domains
|
||||||
|
#
|
||||||
|
userdomain = module
|
||||||
|
|
||||||
|
# Module: files
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Basic filesystem types and interfaces.
|
||||||
|
#
|
||||||
|
files = base
|
||||||
|
|
||||||
|
# Module: filesystem
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for filesystems.
|
||||||
|
#
|
||||||
|
filesystem = base
|
||||||
|
|
||||||
|
# Module: kernel
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||||
|
#
|
||||||
|
kernel = base
|
||||||
|
|
||||||
|
# Module: mcs
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# MultiCategory security policy
|
||||||
|
#
|
||||||
|
mcs = base
|
||||||
|
|
||||||
|
# Module: mls
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Multilevel security policy
|
||||||
|
#
|
||||||
|
mls = base
|
||||||
|
|
||||||
|
# Module: selinux
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for kernel security interface, in particular, selinuxfs.
|
||||||
|
#
|
||||||
|
selinux = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: storage
|
||||||
|
#
|
||||||
|
# Policy controlling access to storage devices
|
||||||
|
#
|
||||||
|
storage = base
|
||||||
|
|
||||||
|
# Module: terminal
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for terminals.
|
||||||
|
#
|
||||||
|
terminal = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: ubac
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#
|
||||||
|
ubac = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: unlabelednet
|
||||||
|
#
|
||||||
|
# The unlabelednet module.
|
||||||
|
#
|
||||||
|
unlabelednet = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: auditadm
|
||||||
|
#
|
||||||
|
# auditadm account on tty logins
|
||||||
|
#
|
||||||
|
auditadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: logadm
|
||||||
|
#
|
||||||
|
# Minimally prived root role for managing logging system
|
||||||
|
#
|
||||||
|
logadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: secadm
|
||||||
|
#
|
||||||
|
# secadm account on tty logins
|
||||||
|
#
|
||||||
|
secadm = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: staff
|
||||||
|
#
|
||||||
|
# admin account
|
||||||
|
#
|
||||||
|
staff = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: sysadm_secadm
|
||||||
|
#
|
||||||
|
# System Administrator with Security Admin rules
|
||||||
|
#
|
||||||
|
sysadm_secadm = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: sysadm
|
||||||
|
#
|
||||||
|
# System Administrator
|
||||||
|
#
|
||||||
|
sysadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: unprivuser
|
||||||
|
#
|
||||||
|
# Minimally privs guest account on tty logins
|
||||||
|
#
|
||||||
|
unprivuser = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: postgresql
|
||||||
|
#
|
||||||
|
# PostgreSQL relational database
|
||||||
|
#
|
||||||
|
postgresql = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: ssh
|
||||||
|
#
|
||||||
|
# Secure shell client and server policy.
|
||||||
|
#
|
||||||
|
ssh = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: xserver
|
||||||
|
#
|
||||||
|
# X windows login display manager
|
||||||
|
#
|
||||||
|
xserver = module
|
||||||
|
|
||||||
|
# Module: application
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Defines attributs and interfaces for all user applications
|
||||||
|
#
|
||||||
|
application = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: authlogin
|
||||||
|
#
|
||||||
|
# Common policy for authentication and user login.
|
||||||
|
#
|
||||||
|
authlogin = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: clock
|
||||||
|
#
|
||||||
|
# Policy for reading and setting the hardware clock.
|
||||||
|
#
|
||||||
|
clock = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: fstools
|
||||||
|
#
|
||||||
|
# Tools for filesystem management, such as mkfs and fsck.
|
||||||
|
#
|
||||||
|
fstools = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: getty
|
||||||
|
#
|
||||||
|
# Policy for getty.
|
||||||
|
#
|
||||||
|
getty = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: hostname
|
||||||
|
#
|
||||||
|
# Policy for changing the system host name.
|
||||||
|
#
|
||||||
|
hostname = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: init
|
||||||
|
#
|
||||||
|
# System initialization programs (init and init scripts).
|
||||||
|
#
|
||||||
|
init = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: ipsec
|
||||||
|
#
|
||||||
|
# TCP/IP encryption
|
||||||
|
#
|
||||||
|
ipsec = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: iptables
|
||||||
|
#
|
||||||
|
# Policy for iptables.
|
||||||
|
#
|
||||||
|
iptables = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: libraries
|
||||||
|
#
|
||||||
|
# Policy for system libraries.
|
||||||
|
#
|
||||||
|
libraries = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: locallogin
|
||||||
|
#
|
||||||
|
# Policy for local logins.
|
||||||
|
#
|
||||||
|
locallogin = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: logging
|
||||||
|
#
|
||||||
|
# Policy for the kernel message logger and system logging daemon.
|
||||||
|
#
|
||||||
|
logging = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: lvm
|
||||||
|
#
|
||||||
|
# Policy for logical volume management programs.
|
||||||
|
#
|
||||||
|
lvm = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: miscfiles
|
||||||
|
#
|
||||||
|
# Miscelaneous files.
|
||||||
|
#
|
||||||
|
miscfiles = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: modutils
|
||||||
|
#
|
||||||
|
# Policy for kernel module utilities
|
||||||
|
#
|
||||||
|
modutils = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: mount
|
||||||
|
#
|
||||||
|
# Policy for mount.
|
||||||
|
#
|
||||||
|
mount = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: netlabel
|
||||||
|
#
|
||||||
|
# Basic netlabel types and interfaces.
|
||||||
|
#
|
||||||
|
netlabel = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: selinuxutil
|
||||||
|
#
|
||||||
|
# Policy for SELinux policy and userland applications.
|
||||||
|
#
|
||||||
|
selinuxutil = module
|
||||||
|
|
||||||
|
# Module: setrans
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for setrans
|
||||||
|
#
|
||||||
|
setrans = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: sysnetwork
|
||||||
|
#
|
||||||
|
# Policy for network configuration: ifconfig and dhcp client.
|
||||||
|
#
|
||||||
|
sysnetwork = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: systemd
|
||||||
|
#
|
||||||
|
# Policy for systemd components
|
||||||
|
#
|
||||||
|
systemd = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: udev
|
||||||
|
#
|
||||||
|
# Policy for udev.
|
||||||
|
#
|
||||||
|
udev = module
|
1574
SOURCES/modules-mls-contrib.conf
Normal file
1574
SOURCES/modules-mls-contrib.conf
Normal file
File diff suppressed because it is too large
Load Diff
400
SOURCES/modules-targeted-base.conf
Normal file
400
SOURCES/modules-targeted-base.conf
Normal file
@ -0,0 +1,400 @@
|
|||||||
|
# Layer: kernel
|
||||||
|
# Module: bootloader
|
||||||
|
#
|
||||||
|
# Policy for the kernel modules, kernel image, and bootloader.
|
||||||
|
#
|
||||||
|
bootloader = module
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: corecommands
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Core policy for shells, and generic programs
|
||||||
|
# in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||||
|
#
|
||||||
|
corecommands = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: corenetwork
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy controlling access to network objects
|
||||||
|
#
|
||||||
|
corenetwork = base
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: dmesg
|
||||||
|
#
|
||||||
|
# Policy for dmesg.
|
||||||
|
#
|
||||||
|
dmesg = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: netutils
|
||||||
|
#
|
||||||
|
# Network analysis utilities
|
||||||
|
#
|
||||||
|
netutils = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: sudo
|
||||||
|
#
|
||||||
|
# Execute a command with a substitute user
|
||||||
|
#
|
||||||
|
sudo = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: su
|
||||||
|
#
|
||||||
|
# Run shells with substitute user and group
|
||||||
|
#
|
||||||
|
su = module
|
||||||
|
|
||||||
|
# Layer: admin
|
||||||
|
# Module: usermanage
|
||||||
|
#
|
||||||
|
# Policy for managing user accounts.
|
||||||
|
#
|
||||||
|
usermanage = module
|
||||||
|
|
||||||
|
# Layer: apps
|
||||||
|
# Module: seunshare
|
||||||
|
#
|
||||||
|
# seunshare executable
|
||||||
|
#
|
||||||
|
seunshare = module
|
||||||
|
|
||||||
|
# Module: devices
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Device nodes and interfaces for many basic system devices.
|
||||||
|
#
|
||||||
|
devices = base
|
||||||
|
|
||||||
|
# Module: domain
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Core policy for domains.
|
||||||
|
#
|
||||||
|
domain = base
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: userdomain
|
||||||
|
#
|
||||||
|
# Policy for user domains
|
||||||
|
#
|
||||||
|
userdomain = module
|
||||||
|
|
||||||
|
# Module: files
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Basic filesystem types and interfaces.
|
||||||
|
#
|
||||||
|
files = base
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: miscfiles
|
||||||
|
#
|
||||||
|
# Miscelaneous files.
|
||||||
|
#
|
||||||
|
miscfiles = module
|
||||||
|
|
||||||
|
# Module: filesystem
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for filesystems.
|
||||||
|
#
|
||||||
|
filesystem = base
|
||||||
|
|
||||||
|
# Module: kernel
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
|
||||||
|
#
|
||||||
|
kernel = base
|
||||||
|
|
||||||
|
# Module: mcs
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# MultiCategory security policy
|
||||||
|
#
|
||||||
|
mcs = base
|
||||||
|
|
||||||
|
# Module: mls
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Multilevel security policy
|
||||||
|
#
|
||||||
|
mls = base
|
||||||
|
|
||||||
|
# Module: selinux
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for kernel security interface, in particular, selinuxfs.
|
||||||
|
#
|
||||||
|
selinux = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: storage
|
||||||
|
#
|
||||||
|
# Policy controlling access to storage devices
|
||||||
|
#
|
||||||
|
storage = base
|
||||||
|
|
||||||
|
# Module: terminal
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for terminals.
|
||||||
|
#
|
||||||
|
terminal = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: ubac
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#
|
||||||
|
ubac = base
|
||||||
|
|
||||||
|
# Layer: kernel
|
||||||
|
# Module: unconfined
|
||||||
|
#
|
||||||
|
# The unlabelednet module.
|
||||||
|
#
|
||||||
|
unlabelednet = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: auditadm
|
||||||
|
#
|
||||||
|
# auditadm account on tty logins
|
||||||
|
#
|
||||||
|
auditadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: logadm
|
||||||
|
#
|
||||||
|
# Minimally prived root role for managing logging system
|
||||||
|
#
|
||||||
|
logadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: secadm
|
||||||
|
#
|
||||||
|
# secadm account on tty logins
|
||||||
|
#
|
||||||
|
secadm = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: sysadm_secadm
|
||||||
|
#
|
||||||
|
# System Administrator with Security Admin rules
|
||||||
|
#
|
||||||
|
sysadm_secadm = module
|
||||||
|
|
||||||
|
# Module: staff
|
||||||
|
#
|
||||||
|
# admin account
|
||||||
|
#
|
||||||
|
staff = module
|
||||||
|
|
||||||
|
# Layer:role
|
||||||
|
# Module: sysadm
|
||||||
|
#
|
||||||
|
# System Administrator
|
||||||
|
#
|
||||||
|
sysadm = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: unconfineduser
|
||||||
|
#
|
||||||
|
# The unconfined user domain.
|
||||||
|
#
|
||||||
|
unconfineduser = module
|
||||||
|
|
||||||
|
# Layer: role
|
||||||
|
# Module: unprivuser
|
||||||
|
#
|
||||||
|
# Minimally privs guest account on tty logins
|
||||||
|
#
|
||||||
|
unprivuser = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: postgresql
|
||||||
|
#
|
||||||
|
# PostgreSQL relational database
|
||||||
|
#
|
||||||
|
postgresql = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: ssh
|
||||||
|
#
|
||||||
|
# Secure shell client and server policy.
|
||||||
|
#
|
||||||
|
ssh = module
|
||||||
|
|
||||||
|
# Layer: services
|
||||||
|
# Module: xserver
|
||||||
|
#
|
||||||
|
# X windows login display manager
|
||||||
|
#
|
||||||
|
xserver = module
|
||||||
|
|
||||||
|
# Module: application
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Defines attributs and interfaces for all user applications
|
||||||
|
#
|
||||||
|
application = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: authlogin
|
||||||
|
#
|
||||||
|
# Common policy for authentication and user login.
|
||||||
|
#
|
||||||
|
authlogin = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: clock
|
||||||
|
#
|
||||||
|
# Policy for reading and setting the hardware clock.
|
||||||
|
#
|
||||||
|
clock = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: fstools
|
||||||
|
#
|
||||||
|
# Tools for filesystem management, such as mkfs and fsck.
|
||||||
|
#
|
||||||
|
fstools = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: getty
|
||||||
|
#
|
||||||
|
# Policy for getty.
|
||||||
|
#
|
||||||
|
getty = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: hostname
|
||||||
|
#
|
||||||
|
# Policy for changing the system host name.
|
||||||
|
#
|
||||||
|
hostname = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: init
|
||||||
|
#
|
||||||
|
# System initialization programs (init and init scripts).
|
||||||
|
#
|
||||||
|
init = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: ipsec
|
||||||
|
#
|
||||||
|
# TCP/IP encryption
|
||||||
|
#
|
||||||
|
ipsec = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: iptables
|
||||||
|
#
|
||||||
|
# Policy for iptables.
|
||||||
|
#
|
||||||
|
iptables = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: libraries
|
||||||
|
#
|
||||||
|
# Policy for system libraries.
|
||||||
|
#
|
||||||
|
libraries = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: locallogin
|
||||||
|
#
|
||||||
|
# Policy for local logins.
|
||||||
|
#
|
||||||
|
locallogin = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: logging
|
||||||
|
#
|
||||||
|
# Policy for the kernel message logger and system logging daemon.
|
||||||
|
#
|
||||||
|
logging = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: lvm
|
||||||
|
#
|
||||||
|
# Policy for logical volume management programs.
|
||||||
|
#
|
||||||
|
lvm = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: modutils
|
||||||
|
#
|
||||||
|
# Policy for kernel module utilities
|
||||||
|
#
|
||||||
|
modutils = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: mount
|
||||||
|
#
|
||||||
|
# Policy for mount.
|
||||||
|
#
|
||||||
|
mount = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: netlabel
|
||||||
|
#
|
||||||
|
# Basic netlabel types and interfaces.
|
||||||
|
#
|
||||||
|
netlabel = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: selinuxutil
|
||||||
|
#
|
||||||
|
# Policy for SELinux policy and userland applications.
|
||||||
|
#
|
||||||
|
selinuxutil = module
|
||||||
|
|
||||||
|
# Module: setrans
|
||||||
|
# Required in base
|
||||||
|
#
|
||||||
|
# Policy for setrans
|
||||||
|
#
|
||||||
|
setrans = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: sysnetwork
|
||||||
|
#
|
||||||
|
# Policy for network configuration: ifconfig and dhcp client.
|
||||||
|
#
|
||||||
|
sysnetwork = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: systemd
|
||||||
|
#
|
||||||
|
# Policy for systemd components
|
||||||
|
#
|
||||||
|
systemd = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: udev
|
||||||
|
#
|
||||||
|
# Policy for udev.
|
||||||
|
#
|
||||||
|
udev = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: unconfined
|
||||||
|
#
|
||||||
|
# The unconfined domain.
|
||||||
|
#
|
||||||
|
unconfined = module
|
||||||
|
|
||||||
|
# Layer: system
|
||||||
|
# Module: kdbus
|
||||||
|
#
|
||||||
|
# Policy for kdbus.
|
||||||
|
#
|
||||||
|
kdbus = module
|
2644
SOURCES/modules-targeted-contrib.conf
Normal file
2644
SOURCES/modules-targeted-contrib.conf
Normal file
File diff suppressed because it is too large
Load Diff
2
SOURCES/permissivedomains.cil
Normal file
2
SOURCES/permissivedomains.cil
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
(roleattributeset cil_gen_require system_r)
|
||||||
|
|
169
SOURCES/rpm.macros
Normal file
169
SOURCES/rpm.macros
Normal file
@ -0,0 +1,169 @@
|
|||||||
|
# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# Author: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
# Author: Lukáš Vrabec <lvrabec@redhat.com>
|
||||||
|
#
|
||||||
|
# This program is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License
|
||||||
|
# as published by the Free Software Foundation; either version 2
|
||||||
|
# of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# RPM macros for packages installing SELinux modules
|
||||||
|
|
||||||
|
%_selinux_policy_version SELINUXPOLICYVERSION
|
||||||
|
|
||||||
|
%_selinux_store_path SELINUXSTOREPATH
|
||||||
|
%_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
|
||||||
|
|
||||||
|
%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
|
||||||
|
%_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
|
||||||
|
|
||||||
|
%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
|
||||||
|
%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
|
||||||
|
|
||||||
|
# %selinux_requires
|
||||||
|
%selinux_requires \
|
||||||
|
Requires: selinux-policy >= %{_selinux_policy_version} \
|
||||||
|
BuildRequires: git \
|
||||||
|
BuildRequires: pkgconfig(systemd) \
|
||||||
|
BuildRequires: selinux-policy \
|
||||||
|
BuildRequires: selinux-policy-devel \
|
||||||
|
Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
|
||||||
|
Requires(post): libselinux-utils \
|
||||||
|
Requires(post): policycoreutils \
|
||||||
|
%if 0%{?fedora} || 0%{?rhel} > 7\
|
||||||
|
Requires(post): policycoreutils-python-utils \
|
||||||
|
%else \
|
||||||
|
Requires(post): policycoreutils-python \
|
||||||
|
%endif \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
|
||||||
|
%selinux_modules_install("s:p:") \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
_policytype=%{-s*} \
|
||||||
|
if [ -z "${_policytype}" ]; then \
|
||||||
|
_policytype="targeted" \
|
||||||
|
fi \
|
||||||
|
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||||
|
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
|
||||||
|
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
|
||||||
|
fi \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
|
||||||
|
%selinux_modules_uninstall("s:p:") \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
_policytype=%{-s*} \
|
||||||
|
if [ -z "${_policytype}" ]; then \
|
||||||
|
_policytype="targeted" \
|
||||||
|
fi \
|
||||||
|
if [ $1 -eq 0 ]; then \
|
||||||
|
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||||
|
%{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
|
||||||
|
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
|
||||||
|
fi \
|
||||||
|
fi \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
# %selinux_relabel_pre [-s <policytype>]
|
||||||
|
%selinux_relabel_pre("s:") \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
_policytype=%{-s*} \
|
||||||
|
if [ -z "${_policytype}" ]; then \
|
||||||
|
_policytype="targeted" \
|
||||||
|
fi \
|
||||||
|
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||||
|
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
|
||||||
|
fi \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
|
||||||
|
# %selinux_relabel_post [-s <policytype>]
|
||||||
|
%selinux_relabel_post("s:") \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
_policytype=%{-s*} \
|
||||||
|
if [ -z "${_policytype}" ]; then \
|
||||||
|
_policytype="targeted" \
|
||||||
|
fi \
|
||||||
|
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||||
|
if [ -f %{_file_context_file_pre} ]; then \
|
||||||
|
%{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
|
||||||
|
rm -f %{_file_context_file_pre} \
|
||||||
|
fi \
|
||||||
|
fi \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
|
||||||
|
%selinux_set_booleans("s:") \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
_policytype=%{-s*} \
|
||||||
|
if [ -z "${_policytype}" ]; then \
|
||||||
|
_policytype="targeted" \
|
||||||
|
fi \
|
||||||
|
if [ -d "%{_selinux_store_policy_path}" ]; then \
|
||||||
|
LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
|
||||||
|
if [ ! -f %_file_custom_defined_booleans ]; then \
|
||||||
|
/bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
|
||||||
|
fi \
|
||||||
|
semanage_import='' \
|
||||||
|
for boolean in %*; do \
|
||||||
|
boolean_name=${boolean%=*} \
|
||||||
|
boolean_value=${boolean#*=} \
|
||||||
|
boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
|
||||||
|
if [ -n "$boolean_local_string" ]; then \
|
||||||
|
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
|
||||||
|
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
|
||||||
|
if [ -n "$boolean_customized_string" ]; then \
|
||||||
|
/bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
|
||||||
|
else \
|
||||||
|
/bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
|
||||||
|
fi \
|
||||||
|
else \
|
||||||
|
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
|
||||||
|
boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
|
||||||
|
/bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
|
||||||
|
fi \
|
||||||
|
done; \
|
||||||
|
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||||
|
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
|
||||||
|
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
|
||||||
|
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
|
||||||
|
fi \
|
||||||
|
fi \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
|
||||||
|
%selinux_unset_booleans("s:") \
|
||||||
|
. /etc/selinux/config \
|
||||||
|
_policytype=%{-s*} \
|
||||||
|
if [ -z "${_policytype}" ]; then \
|
||||||
|
_policytype="targeted" \
|
||||||
|
fi \
|
||||||
|
if [ -d "%{_selinux_store_policy_path}" ]; then \
|
||||||
|
semanage_import='' \
|
||||||
|
for boolean in %*; do \
|
||||||
|
boolean_name=${boolean%=*} \
|
||||||
|
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
|
||||||
|
if [ -n "$boolean_customized_string" ]; then \
|
||||||
|
awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
|
||||||
|
if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
|
||||||
|
semanage_import="${semanage_import}\\n${boolean_customized_string}" \
|
||||||
|
fi \
|
||||||
|
fi \
|
||||||
|
done; \
|
||||||
|
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
|
||||||
|
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
|
||||||
|
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
|
||||||
|
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
|
||||||
|
fi \
|
||||||
|
fi \
|
||||||
|
%{nil}
|
4
SOURCES/securetty_types-minimum
Normal file
4
SOURCES/securetty_types-minimum
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
console_device_t
|
||||||
|
sysadm_tty_device_t
|
||||||
|
user_tty_device_t
|
||||||
|
staff_tty_device_t
|
6
SOURCES/securetty_types-mls
Normal file
6
SOURCES/securetty_types-mls
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
console_device_t
|
||||||
|
sysadm_tty_device_t
|
||||||
|
user_tty_device_t
|
||||||
|
staff_tty_device_t
|
||||||
|
auditadm_tty_device_t
|
||||||
|
secureadm_tty_device_t
|
4
SOURCES/securetty_types-targeted
Normal file
4
SOURCES/securetty_types-targeted
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
console_device_t
|
||||||
|
sysadm_tty_device_t
|
||||||
|
user_tty_device_t
|
||||||
|
staff_tty_device_t
|
4
SOURCES/selinux-policy.conf
Normal file
4
SOURCES/selinux-policy.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
z /sys/devices/system/cpu/online - - -
|
||||||
|
Z /sys/class/net - - -
|
||||||
|
z /sys/kernel/uevent_helper - - -
|
||||||
|
w /sys/fs/selinux/checkreqprot - - - - 0
|
19
SOURCES/setrans-minimum.conf
Normal file
19
SOURCES/setrans-minimum.conf
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
#
|
||||||
|
# Multi-Category Security translation table for SELinux
|
||||||
|
#
|
||||||
|
# Uncomment the following to disable translation libary
|
||||||
|
# disable=1
|
||||||
|
#
|
||||||
|
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||||
|
# Objects can be in more than one category at a time.
|
||||||
|
# Categories are stored in the system as c0-c1023. Users can use this
|
||||||
|
# table to translate the categories into a more meaningful output.
|
||||||
|
# Examples:
|
||||||
|
# s0:c0=CompanyConfidential
|
||||||
|
# s0:c1=PatientRecord
|
||||||
|
# s0:c2=Unclassified
|
||||||
|
# s0:c3=TopSecret
|
||||||
|
# s0:c1,c3=CompanyConfidentialRedHat
|
||||||
|
s0=SystemLow
|
||||||
|
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||||
|
s0:c0.c1023=SystemHigh
|
52
SOURCES/setrans-mls.conf
Normal file
52
SOURCES/setrans-mls.conf
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
#
|
||||||
|
# Multi-Level Security translation table for SELinux
|
||||||
|
#
|
||||||
|
# Uncomment the following to disable translation libary
|
||||||
|
# disable=1
|
||||||
|
#
|
||||||
|
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
|
||||||
|
# categories defined by the admin.
|
||||||
|
# Objects can be in more than one category at a time.
|
||||||
|
# Users can modify this table to translate the MLS labels for different purpose.
|
||||||
|
#
|
||||||
|
# Assumptions: using below MLS labels.
|
||||||
|
# SystemLow
|
||||||
|
# SystemHigh
|
||||||
|
# Unclassified
|
||||||
|
# Secret with compartments A and B.
|
||||||
|
#
|
||||||
|
# SystemLow and SystemHigh
|
||||||
|
s0=SystemLow
|
||||||
|
s15:c0.c1023=SystemHigh
|
||||||
|
s0-s15:c0.c1023=SystemLow-SystemHigh
|
||||||
|
|
||||||
|
# Unclassified level
|
||||||
|
s1=Unclassified
|
||||||
|
|
||||||
|
# Secret level with compartments
|
||||||
|
s2=Secret
|
||||||
|
s2:c0=A
|
||||||
|
s2:c1=B
|
||||||
|
|
||||||
|
# ranges for Unclassified
|
||||||
|
s0-s1=SystemLow-Unclassified
|
||||||
|
s1-s2=Unclassified-Secret
|
||||||
|
s1-s15:c0.c1023=Unclassified-SystemHigh
|
||||||
|
|
||||||
|
# ranges for Secret with compartments
|
||||||
|
s0-s2=SystemLow-Secret
|
||||||
|
s0-s2:c0=SystemLow-Secret:A
|
||||||
|
s0-s2:c1=SystemLow-Secret:B
|
||||||
|
s0-s2:c0,c1=SystemLow-Secret:AB
|
||||||
|
s1-s2:c0=Unclassified-Secret:A
|
||||||
|
s1-s2:c1=Unclassified-Secret:B
|
||||||
|
s1-s2:c0,c1=Unclassified-Secret:AB
|
||||||
|
s2-s2:c0=Secret-Secret:A
|
||||||
|
s2-s2:c1=Secret-Secret:B
|
||||||
|
s2-s2:c0,c1=Secret-Secret:AB
|
||||||
|
s2-s15:c0.c1023=Secret-SystemHigh
|
||||||
|
s2:c0-s2:c0,c1=Secret:A-Secret:AB
|
||||||
|
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
|
||||||
|
s2:c1-s2:c0,c1=Secret:B-Secret:AB
|
||||||
|
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
|
||||||
|
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
|
19
SOURCES/setrans-targeted.conf
Normal file
19
SOURCES/setrans-targeted.conf
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
#
|
||||||
|
# Multi-Category Security translation table for SELinux
|
||||||
|
#
|
||||||
|
# Uncomment the following to disable translation libary
|
||||||
|
# disable=1
|
||||||
|
#
|
||||||
|
# Objects can be categorized with 0-1023 categories defined by the admin.
|
||||||
|
# Objects can be in more than one category at a time.
|
||||||
|
# Categories are stored in the system as c0-c1023. Users can use this
|
||||||
|
# table to translate the categories into a more meaningful output.
|
||||||
|
# Examples:
|
||||||
|
# s0:c0=CompanyConfidential
|
||||||
|
# s0:c1=PatientRecord
|
||||||
|
# s0:c2=Unclassified
|
||||||
|
# s0:c3=TopSecret
|
||||||
|
# s0:c1,c3=CompanyConfidentialRedHat
|
||||||
|
s0=SystemLow
|
||||||
|
s0-s0:c0.c1023=SystemLow-SystemHigh
|
||||||
|
s0:c0.c1023=SystemHigh
|
38
SOURCES/users-minimum
Normal file
38
SOURCES/users-minimum
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
##################################
|
||||||
|
#
|
||||||
|
# Core User configuration.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||||
|
#
|
||||||
|
# Note: Identities without a prefix wil not be listed
|
||||||
|
# in the users_extra file used by genhomedircon.
|
||||||
|
|
||||||
|
#
|
||||||
|
# system_u is the user identity for system processes and objects.
|
||||||
|
# There should be no corresponding Unix user identity for system,
|
||||||
|
# and a user process should never be assigned the system user
|
||||||
|
# identity.
|
||||||
|
#
|
||||||
|
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# user_u is a generic user identity for Linux users who have no
|
||||||
|
# SELinux user identity defined. The modified daemons will use
|
||||||
|
# this user identity in the security context if there is no matching
|
||||||
|
# SELinux user identity for a Linux user. If you do not want to
|
||||||
|
# permit any access to such users, then remove this entry.
|
||||||
|
#
|
||||||
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
|
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following users correspond to Unix identities.
|
||||||
|
# These identities are typically assigned as the user attribute
|
||||||
|
# when login starts the user shell. Users with access to the sysadm_r
|
||||||
|
# role should use the staff_r role instead of the user_r role when
|
||||||
|
# not in the sysadm_r.
|
||||||
|
#
|
||||||
|
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
38
SOURCES/users-mls
Normal file
38
SOURCES/users-mls
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
##################################
|
||||||
|
#
|
||||||
|
# Core User configuration.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||||
|
#
|
||||||
|
# Note: Identities without a prefix wil not be listed
|
||||||
|
# in the users_extra file used by genhomedircon.
|
||||||
|
|
||||||
|
#
|
||||||
|
# system_u is the user identity for system processes and objects.
|
||||||
|
# There should be no corresponding Unix user identity for system,
|
||||||
|
# and a user process should never be assigned the system user
|
||||||
|
# identity.
|
||||||
|
#
|
||||||
|
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# user_u is a generic user identity for Linux users who have no
|
||||||
|
# SELinux user identity defined. The modified daemons will use
|
||||||
|
# this user identity in the security context if there is no matching
|
||||||
|
# SELinux user identity for a Linux user. If you do not want to
|
||||||
|
# permit any access to such users, then remove this entry.
|
||||||
|
#
|
||||||
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
|
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following users correspond to Unix identities.
|
||||||
|
# These identities are typically assigned as the user attribute
|
||||||
|
# when login starts the user shell. Users with access to the sysadm_r
|
||||||
|
# role should use the staff_r role instead of the user_r role when
|
||||||
|
# not in the sysadm_r.
|
||||||
|
#
|
||||||
|
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
38
SOURCES/users-targeted
Normal file
38
SOURCES/users-targeted
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
##################################
|
||||||
|
#
|
||||||
|
# Core User configuration.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||||
|
#
|
||||||
|
# Note: Identities without a prefix wil not be listed
|
||||||
|
# in the users_extra file used by genhomedircon.
|
||||||
|
|
||||||
|
#
|
||||||
|
# system_u is the user identity for system processes and objects.
|
||||||
|
# There should be no corresponding Unix user identity for system,
|
||||||
|
# and a user process should never be assigned the system user
|
||||||
|
# identity.
|
||||||
|
#
|
||||||
|
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# user_u is a generic user identity for Linux users who have no
|
||||||
|
# SELinux user identity defined. The modified daemons will use
|
||||||
|
# this user identity in the security context if there is no matching
|
||||||
|
# SELinux user identity for a Linux user. If you do not want to
|
||||||
|
# permit any access to such users, then remove this entry.
|
||||||
|
#
|
||||||
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
|
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following users correspond to Unix identities.
|
||||||
|
# These identities are typically assigned as the user attribute
|
||||||
|
# when login starts the user shell. Users with access to the sysadm_r
|
||||||
|
# role should use the staff_r role instead of the user_r role when
|
||||||
|
# not in the sysadm_r.
|
||||||
|
#
|
||||||
|
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
14060
SPECS/selinux-policy.spec
Normal file
14060
SPECS/selinux-policy.spec
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user