From c38b24eb7c4f8282be497d4f73e9390e62df5ac8 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 13 Apr 2023 20:33:58 +0200
Subject: [PATCH] Synchronize the repo content with the previous state

After the automated creation of the c8s branch, not all files tracked previously in dist-git were added to the repository. This commit adds all required files and also makes necessary changes.

Related: rhbz#2093355
---
 .fmf/version | 1 +
 COPYING | 340 +++++
 Makefile | 670 +++++++++
 README | 26 +
 macro-expander | 81 -
 make-rhat-patches.sh | 76 +
 modules-minimum.conf | 1 +
 modules-targeted.conf | 2558 ++++++++++++++++++++++++++++++++
 plans/tests.fmf | 8 +
 selinux-factory-reset | 17 +
 selinux-factory-reset@.service | 17 +
 seusers | 3 +
 12 files changed, 3717 insertions(+), 81 deletions(-)
 create mode 100644 .fmf/version
 create mode 100644 COPYING
 create mode 100644 Makefile
 create mode 100644 README
 delete mode 100644 macro-expander
 create mode 100755 make-rhat-patches.sh
 create mode 120000 modules-minimum.conf
 create mode 100644 modules-targeted.conf
 create mode 100644 plans/tests.fmf
 create mode 100755 selinux-factory-reset
 create mode 100644 selinux-factory-reset@.service
 create mode 100644 seusers

diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 00000000..d00491fd
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/COPYING b/COPYING
new file mode 100644
index 00000000..5b6e7c66
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..771a2ff9 
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,670 @@
+#
+# Makefile for the security policy.
+#
+# Targets:
+#
+# install - compile and install the policy configuration, and context files.
+# load - compile, install, and load the policy configuration.
+# reload - compile, install, and load/reload the policy configuration.
+# relabel - relabel filesystems based on the file contexts configuration.
+# checklabels - check filesystems against the file context configuration
+# restorelabels - check filesystems against the file context configuration
+# and restore the label of files with incorrect labels
+# policy - compile the policy configuration locally for testing/development.
+#
+# The default target is 'policy'.
+#
+#
+# Please see build.conf for policy build options.
+#
+
+########################################
+#
+# NO OPTIONS BELOW HERE
+#
+
+# Include the local build.conf if it exists, otherwise
+# include the configuration of the root directory.
+include build.conf
+
+ifdef LOCAL_ROOT
+ -include $(LOCAL_ROOT)/build.conf
+endif
+
+# refpolicy version
+version = $(shell cat VERSION)
+
+ifdef LOCAL_ROOT
+builddir := $(LOCAL_ROOT)/
+tmpdir := $(LOCAL_ROOT)/tmp
+tags := $(LOCAL_ROOT)/tags
+else
+tmpdir := tmp
+tags := tags
+endif
+
+# executable paths
+BINDIR ?= /usr/bin
+SBINDIR ?= /usr/sbin
+ifdef TEST_TOOLCHAIN
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
+else
+tc_usrbindir := $(BINDIR)
+tc_usrsbindir := $(SBINDIR)
+tc_sbindir := /sbin
+endif
+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+SEMODULE ?= $(tc_usrsbindir)/semodule
+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+SETFILES ?= $(tc_sbindir)/setfiles
+XMLLINT ?= $(BINDIR)/xmllint
+SECHECK ?= $(BINDIR)/sechecker
+
+# interpreters and aux tools
+AWK ?= gawk
+GREP ?= egrep
+INSTALL ?= install
+M4 ?= m4
+PYTHON ?= python3
+SED ?= sed
+SORT ?= LC_ALL=C sort
+
+CFLAGS += -Wall
+
+# policy source layout
+poldir := policy
+moddir := $(poldir)/modules
+flaskdir := $(poldir)/flask
+secclass := $(flaskdir)/security_classes
+isids := $(flaskdir)/initial_sids
+avs := $(flaskdir)/access_vectors
+
+# local source layout
+ifdef LOCAL_ROOT
+local_poldir := $(LOCAL_ROOT)/policy
+local_moddir := $(local_poldir)/modules
+endif
+
+# policy building support tools
+support := support
+genxml := $(PYTHON) -E $(support)/segenxml.py
+gendoc := $(PYTHON) -E $(support)/sedoctool.py
+genperm := $(PYTHON) -E $(support)/genclassperms.py
+fcsort := $(tmpdir)/fc_sort
+setbools := $(AWK) -f $(support)/set_bools_tuns.awk
+get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
+comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
+gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
+m4iferror := $(support)/iferror.m4
+m4divert := $(support)/divert.m4
+m4undivert := $(support)/undivert.m4
+# use our own genhomedircon to make sure we have a known usable one,
+# so policycoreutils updates are not required (RHEL4)
+genhomedircon := $(PYTHON) -E $(support)/genhomedircon
+
+# documentation paths
+docs := doc
+xmldtd = $(docs)/policy.dtd
+metaxml = metadata.xml
+doctemplate = $(docs)/templates
+docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
+
+ifndef LOCAL_ROOT
+polxml = $(docs)/policy.xml
+tunxml = $(docs)/global_tunables.xml
+boolxml = $(docs)/global_booleans.xml
+htmldir = $(docs)/html
+else
+polxml = $(LOCAL_ROOT)/doc/policy.xml
+tunxml = $(LOCAL_ROOT)/doc/global_tunables.xml
+boolxml = $(LOCAL_ROOT)/doc/global_booleans.xml
+htmldir = $(LOCAL_ROOT)/doc/html
+endif
+
+# config file paths
+globaltun = $(poldir)/global_tunables
+globalbool = $(poldir)/global_booleans
+rolemap = $(poldir)/rolemap
+user_files := $(poldir)/users
+policycaps := $(poldir)/policy_capabilities
+
+# local config file paths
+ifndef LOCAL_ROOT
+mod_conf = $(poldir)/modules.conf
+booleans = $(poldir)/booleans.conf
+tunables = $(poldir)/tunables.conf
+else
+mod_conf = $(local_poldir)/modules.conf
+booleans = $(local_poldir)/booleans.conf
+tunables = $(local_poldir)/tunables.conf
+endif
+
+# install paths
+PKGNAME ?= refpolicy-$(version)
+prefix = $(DESTDIR)/usr
+topdir = $(DESTDIR)/etc/selinux
+installdir = $(topdir)/$(strip $(NAME))
+srcpath = $(installdir)/src
+userpath = $(installdir)/users
+policypath = $(installdir)/policy
+contextpath = $(installdir)/contexts
+homedirpath = $(contextpath)/files/homedir_template
+fcpath = $(contextpath)/files/file_contexts
+ncpath = $(contextpath)/netfilter_contexts
+sharedir = $(prefix)/share/selinux
+modpkgdir = $(sharedir)/$(strip $(NAME))
+headerdir = $(modpkgdir)/include
+docsdir = $(prefix)/share/doc/$(PKGNAME)
+
+# enable MLS if requested.
+ifeq "$(TYPE)" "mls"
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -m
+endif
+
+# enable MLS if MCS requested.
+ifeq "$(TYPE)" "mcs"
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+ gennetfilter += -c
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# rhel4 also implies redhat
+ifeq "$(DISTRO)" "rhel4"
+ M4PARAM += -D distro_redhat
+endif
+
+ifeq "$(DISTRO)" "ubuntu"
+ M4PARAM += -D distro_debian
+endif
+
+ifneq ($(OUTPUT_POLICY),)
+ CHECKPOLICY += -c $(OUTPUT_POLICY)
+endif
+
+# if not set, use the type as the name.
+NAME ?= $(TYPE)
+
+# default unknown permissions setting
+#UNK_PERMS ?= deny
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifeq "$(UBAC)" "y"
+ M4PARAM += -D enable_ubac
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+ verbose = @
+endif
+
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
+
+# we need exuberant ctags; unfortunately it is named
+# differently on different distros
+ifeq ($(DISTRO),debian)
+ CTAGS := ctags-exuberant
+endif
+
+ifeq ($(DISTRO),gentoo)
+ CTAGS := exuberant-ctags
+endif
+
+CTAGS ?= ctags
+
+m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt)
+ifdef LOCAL_ROOT
+m4support += $(wildcard $(local_poldir)/support/*.spt)
+endif
+m4support += $(m4undivert)
+
+appconf := config/appconfig-$(TYPE)
+seusers := $(appconf)/seusers
+appdir := $(contextpath)
+user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
+net_contexts := $(builddir)net_contexts
+
+all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+ifdef LOCAL_ROOT
+all_layers += $(shell find $(wildcard $(local_moddir)/*) -maxdepth 0 -type d)
+endif
+
+generated_te := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te.in)))
+generated_if := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if.in)))
+generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in)))
+
+# sort here since it removes duplicates, which can happen
+# when a generated file is already generated
+detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
+
+modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
+layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
+layer_names := $(sort $(notdir $(all_layers)))
+all_metaxml = $(call detect-metaxml, $(layer_names))
+
+# modules.conf setting for base module
+configbase := base
+
+# modules.conf setting for loadable module
+configmod := module
+
+# modules.conf setting for unused module
+configoff := off
+
+# test for module overrides from command line
+mod_test = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
+mod_test += $(filter $(APPS_MODS), $(APPS_BASE))
+ifneq "$(strip $(mod_test))" ""
+ $(error Applications must be base, module, or off, and not in more than one list! $(strip $(mod_test)) found in multiple lists!)
+endif
+
+# add on suffix to modules specified on command line
+cmdline_base := $(addsuffix .te,$(APPS_BASE))
+cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+cmdline_off := $(addsuffix .te,$(APPS_OFF))
+
+# extract settings from modules.conf
+mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+
+base_mods := $(cmdline_base)
+mod_mods := $(cmdline_mods)
+off_mods := $(cmdline_off)
+
+base_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_base))
+mod_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_mods))
+off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_off))
+
+# add modules not in modules.conf to the off list
+off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+
+# filesystems to be used in labeling targets
+filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# perrole-expansion modulename,outputfile
+define perrole-expansion
+ $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+ $(call parse-rolemap,$1,$2)
+ $(verbose) echo "')" >> $2
+
+ $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+ $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+ $(call parse-rolemap-compat,$1,$2)
+ $(verbose) echo "')" >> $2
+endef
+
+# create-base-per-role-tmpl modulenames,outputfile
+define create-base-per-role-tmpl
+ $(verbose) echo "define(\`base_per_role_template',\`" >> $2
+
+ $(verbose) for i in $1; do \
+ echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \
+ >> $2 ;\
+ done
+
+ $(verbose) for i in $1; do \
+ echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\
+ echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\
+ echo """$$i""_per_userdomain_template("'$$*'")')" >> $2 ;\
+ done
+ $(verbose) echo "')" >> $@
+
+endef
+
+# detect-metaxml layer_names
+ifdef LOCAL_ROOT
+define detect-metaxml
+ $(shell for i in $1; do \
+ if [ -d $(moddir)/$$i -a -d $(local_moddir)/$$i ]; then \
+ if [ -f $(local_moddir)/$$i/$(metaxml) ]; then \
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ elif [ -d $(local_moddir)/$$i ]; then
+ echo $(local_moddir)/$$i/$(metaxml) ;\
+ else \
+ echo $(moddir)/$$i/$(metaxml) ;\
+ fi \
+ done )
+endef
+else
+define detect-metaxml
+ $(shell for i in $1; do echo $(moddir)/$$i/$(metaxml); done)
+endef
+endif
+
+########################################
+#
+# Load appropriate rules
+#
+
+ifeq ($(MONOLITHIC),y)
+ include Rules.monolithic
+else
+ include Rules.modular
+endif
+
+########################################
+#
+# Generated files
+#
+# NOTE: There is no "local" version of these files.
+#
+generate: $(generated_te) $(generated_if) $(generated_fc)
+
+$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) cat $@.in >> $@
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ | $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+$(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+########################################
+#
+# Network packet labeling
+#
+$(net_contexts): $(moddir)/kernel/corenetwork.te.in
+ @echo "Creating netfilter network labeling rules"
+ $(verbose) $(gennetfilter) $^ > $@
+
+########################################
+#
+# Create config files
+#
+conf: $(mod_conf) $(booleans) $(generated_te) $(generated_if) $(generated_fc)
+
+$(mod_conf) $(booleans): $(polxml)
+ @echo "Updating $(mod_conf) and $(booleans)"
+ $(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml)
+
+########################################
+#
+# Generate the fc_sort program
+#
+$(fcsort) : $(support)/fc_sort.c
+ $(verbose) $(CC) $(CFLAGS) $^ -o $@
+
+########################################
+#
+# Documentation generation
+#
+$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > $@
+ $(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+ifdef LOCAL_ROOT
+ $(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
+endif
+
+$(tunxml): $(globaltun)
+ $(verbose) $(genxml) -w -t $< > $@
+
+$(boolxml): $(globalbool)
+ $(verbose) $(genxml) -w -b $< > $@
+
+$(polxml): $(layerxml) $(tunxml) $(boolxml)
+ @echo "Creating $(@F)"
+ @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) echo '' > $@
+ $(verbose) echo '' >> $@
+ $(verbose) echo '' >> $@
+ $(verbose) for i in $(basename $(notdir $(layerxml))); do echo "" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "" >> $@; done
+ $(verbose) cat $(tunxml) $(boolxml) >> $@
+ $(verbose) echo '' >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+xml: $(polxml)
+
+html $(tmpdir)/html: $(polxml)
+ @echo "Building html interface reference documentation in $(htmldir)"
+ @test -d $(htmldir) || mkdir -p $(htmldir)
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ $(verbose) $(gendoc) -d $(htmldir) -T $(doctemplate) -x $(polxml)
+ $(verbose) cp $(doctemplate)/*.css $(htmldir)
+ @touch $(tmpdir)/html
+
+########################################
+#
+# Runtime binary policy patching of users
+#
+$(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files)
+ @mkdir -p $(tmpdir)
+ @mkdir -p $(userpath)
+ @echo "Installing system.users"
+ @echo "# " > $(tmpdir)/system.users
+ @echo "# Do not edit this file. " >> $(tmpdir)/system.users
+ @echo "# This file is replaced on reinstalls of this policy." >> $(tmpdir)/system.users
+ @echo "# Please edit local.users to make local changes."
>> $(tmpdir)/system.users + @echo "#" >> $(tmpdir)/system.users + $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \ + -e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users + $(verbose) $(INSTALL) -m 644 $(tmpdir)/system.users $@ + +$(userpath)/local.users: config/local.users + @mkdir -p $(userpath) + @echo "Installing local.users" + $(verbose) $(INSTALL) -b -m 644 $< $@ + +######################################## +# +# Build Appconfig files +# +$(tmpdir)/initrc_context: $(appconf)/initrc_context + @mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@ + +######################################## +# +# Install Appconfig files +# +install-appconfig: $(appfiles) + +$(installdir)/booleans: $(booleans) + @mkdir -p $(tmpdir) + @mkdir -p $(installdir) + $(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \ + -e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans + $(verbose) $(INSTALL) -m 644 $(tmpdir)/booleans $@ + +$(contextpath)/files/media: $(appconf)/media + @mkdir -p $(contextpath)/files/ + $(verbose) $(INSTALL) -m 644 $< $@ + +$(contextpath)/users/%: $(appconf)/%_default_contexts + @mkdir -p $(appdir)/users + $(verbose) $(INSTALL) -m 644 $^ $@ + +$(appdir)/%: $(appconf)/% + @mkdir -p $(appdir) + $(verbose) $(M4) $(M4PARAM) $(m4support) $< > $@ + +######################################## +# +# Install policy headers +# +install-headers: $(layerxml) $(tunxml) $(boolxml) + @mkdir -p $(headerdir) + @echo "Installing $(NAME) policy headers." 
+ $(verbose) $(INSTALL) -m 644 $^ $(headerdir) + $(verbose) $(M4) $(M4PARAM) $(rolemap) > $(headerdir)/$(notdir $(rolemap)) + $(verbose) mkdir -p $(headerdir)/support + $(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support + $(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt + $(verbose) for i in $(notdir $(all_layers)); do \ + mkdir -p $(headerdir)/$$i ;\ + $(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\ + done + $(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf + $(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf +ifneq "$(DISTRO)" "" + $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(headerdir)/build.conf +endif + $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf + $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf + $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf + $(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf + $(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf + $(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf + $(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile + +######################################## +# +# Install policy documentation +# +install-docs: $(tmpdir)/html + @mkdir -p $(docsdir)/html + @echo "Installing policy documentation" + $(verbose) $(INSTALL) -m 644 $(docfiles) $(docsdir) + $(verbose) $(INSTALL) -m 644 $(wildcard $(htmldir)/*) $(docsdir)/html + +######################################## +# +# Install policy sources +# +install-src: + rm -rf $(srcpath)/policy.old + -mv $(srcpath)/policy $(srcpath)/policy.old + mkdir -p $(srcpath)/policy + cp -R . 
$(srcpath)/policy + +######################################## +# +# Generate tags file +# +tags: $(tags) +$(tags): + @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1) + @LC_ALL=C $(CTAGS) -f $(tags) --langdef=te --langmap=te:..te.if.spt \ + --regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \ + --regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \ + --regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \ + --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \ + --regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \ + --regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \ + --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt + +######################################## +# +# Filesystem labeling +# +checklabels: + @echo "Checking labels on filesystem types: $(fs_names)" + @if test -z "$(filesystems)"; then \ + echo "No filesystems with extended attributes found!" ;\ + false ;\ + fi + $(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems) + +restorelabels: + @echo "Restoring labels on filesystem types: $(fs_names)" + @if test -z "$(filesystems)"; then \ + echo "No filesystems with extended attributes found!" ;\ + false ;\ + fi + $(verbose) $(SETFILES) -v $(fcpath) $(filesystems) + +relabel: + @echo "Relabeling filesystem types: $(fs_names)" + @if test -z "$(filesystems)"; then \ + echo "No filesystems with extended attributes found!" ;\ + false ;\ + fi + $(verbose) $(SETFILES) $(fcpath) $(filesystems) + +resetlabels: + @echo "Resetting labels on filesystem types: $(fs_names)" + @if test -z "$(filesystems)"; then \ + echo "No filesystems with extended attributes found!" 
;\ + false ;\ + fi + $(verbose) $(SETFILES) -F $(fcpath) $(filesystems) + +######################################## +# +# Clean everything +# +bare: clean + rm -f $(polxml) + rm -f $(layerxml) + rm -f $(modxml) + rm -f $(tunxml) + rm -f $(boolxml) + rm -f $(mod_conf) + rm -f $(booleans) + rm -fR $(htmldir) + rm -f $(tags) +# don't remove these files if we're given a local root +ifndef LOCAL_ROOT + rm -f $(fcsort) + rm -f $(support)/*.pyc +ifneq ($(generated_te),) + rm -f $(generated_te) +endif +ifneq ($(generated_if),) + rm -f $(generated_if) +endif +ifneq ($(generated_fc),) + rm -f $(generated_fc) +endif +endif + +.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags +.SUFFIXES: +.SUFFIXES: .c diff --git a/README b/README new file mode 100644 index 00000000..cad2d62b --- /dev/null +++ b/README @@ -0,0 +1,26 @@ + +## Build process + +1. clone [SELinux/selinux-policy](https://gitlab.cee.redhat.com/SELinux/selinux-policy) repository + + $ cd ~/devel/github + $ git clone git@gitlab.cee.redhat.com:SELinux/selinux-policy.git + $ cd selinux-policy + +2. create, backport, cherry-pick needed changes to a particular branch and push them + +3. clone **selinux-policy** dist-git repository + + $ cd ~/devel/dist-git + $ rhpkg clone selinux-policy + $ cd selinux-policy + +4. Download the latest snaphots from selinux-policy and selinux-policy-contrib github repositories + + $ ./make-rhat-patches.sh + +5. add changes to the dist-git repository, bump release, create a changelog entry, commit and push +6. build the package + + $ rhpkg build + diff --git a/macro-expander b/macro-expander deleted file mode 100644 index 2670b61d..00000000 --- a/macro-expander +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/bin/bash - -function usage { - echo "Usage: $0 [ -c | -t [ -M ] ] " - echo "Options: - -c generate CIL output - -t generate standard policy source format (.te) allow rules - this is default - -M generate complete module .te output -" -} - -function cleanup { - rm -rf $TEMP_STORE -} - -while getopts "chMt" opt; do - case $opt in - c) GENCIL=1 - ;; - t) GENTE=1 - ;; - M) GENTEMODULE=1 - ;; - h) usage - exit 0 - ;; - \?) usage - exit 1 - ;; - esac -done - -shift $((OPTIND-1)) - -SELINUX_MACRO=$1 - -if [ -z "$SELINUX_MACRO" ] -then - exit 1 -fi - -TEMP_STORE="$(mktemp -d)" -cd $TEMP_STORE || exit 1 - -IFS="(" -set $1 -SELINUX_DOMAIN="${2::-1}" - -echo -e "policy_module(expander, 1.0.0) \n" \ - "gen_require(\`\n" \ - "type $SELINUX_DOMAIN ; \n" \ - "')" > expander.te - -echo "$SELINUX_MACRO" >> expander.te - -make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null - -if [ "x$GENCIL" = "x1" ]; then - - make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null - MAKE_RESULT=$? 
- - if [ $MAKE_RESULT -ne 2 ] - then - /usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null - grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u - fi -fi - -if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then - m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null - if [ "x$GENTEMODULE" = "x1" ]; then - # sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp - sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp - else - grep '^\s*allow' expander.tmp | sed 's/^\s*//' - fi -fi - -cd - > /dev/null || exit 1 -cleanup diff --git a/make-rhat-patches.sh b/make-rhat-patches.sh new file mode 100755 index 00000000..9940d9b9 --- /dev/null +++ b/make-rhat-patches.sh 
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+DISTGIT_PATH=$(pwd)
+
+RHEL_BASE_VERSION=rhel8.9-base
+RHEL_CONTRIB_VERSION=rhel8.9-contrib
+DOCKER_RHEL_VERSION=master
+DISTGIT_BRANCH=c8s
+REPO_SELINUX_POLICY=${REPO_SELINUX_POLICY:-git@gitlab.cee.redhat.com:SELinux/selinux-policy.git}
+REPO_SELINUX_POLICY_BRANCH=${REPO_SELINUX_POLICY_BRANCH:-$RHEL_BASE_VERSION}
+REPO_SELINUX_POLICY_CONTRIB=${REPO_SELINUX_POLICY_CONTRIB:-git@gitlab.cee.redhat.com:SELinux/selinux-policy.git}
+REPO_SELINUX_POLICY_CONTRIB_BRANCH=${REPO_SELINUX_POLICY_CONTRIB_BRANCH:-$RHEL_CONTRIB_VERSION}
+REPO_CONTAINER_SELINUX=${REPO_CONTAINER_SELINUX:-git@github.com:projectatomic/container-selinux.git}
+REPO_MACRO_EXPANDER=${REPO_MACRO_EXPANDER:-git@gitlab.cee.redhat.com:SELinux/macro-expander.git}
+
+# When -l is specified, we use locally created tarballs and don't download them from github
+DOWNLOAD_DEFAULT_GITHUB_TARBALLS=1
+if [ "$1" == "-l" ]; then
+ DOWNLOAD_DEFAULT_GITHUB_TARBALLS=0
+fi
+
+git checkout $DISTGIT_BRANCH -q
+
+POLICYSOURCES=`mktemp -d policysources.XXXXXX`
+pushd $POLICYSOURCES > /dev/null
+
+git clone -q $REPO_SELINUX_POLICY selinux-policy
+git clone -q $REPO_SELINUX_POLICY_CONTRIB selinux-policy-contrib
+git clone -q $REPO_CONTAINER_SELINUX container-selinux
+git clone -q $REPO_MACRO_EXPANDER macro-expander
+
+pushd selinux-policy > /dev/null
+# prepare policy patches against upstream commits matching the last upstream merge
+git checkout $REPO_SELINUX_POLICY_BRANCH
+BASE_HEAD_ID=$(git rev-parse HEAD)
+BASE_SHORT_HEAD_ID=$(c=${BASE_HEAD_ID}; echo ${c:0:7})
+if [ $DOWNLOAD_DEFAULT_GITHUB_TARBALLS == 1 ]; then
+ git archive --prefix=selinux-policy-$BASE_HEAD_ID/ --format tgz HEAD > $DISTGIT_PATH/selinux-policy-$BASE_SHORT_HEAD_ID.tar.gz
+fi
+popd > /dev/null
+
+pushd selinux-policy-contrib > /dev/null
+# prepare policy patches against upstream commits matching the last upstream merge
+git checkout $REPO_SELINUX_POLICY_CONTRIB_BRANCH
+CONTRIB_HEAD_ID=$(git rev-parse HEAD)
+CONTRIB_SHORT_HEAD_ID=$(c=${CONTRIB_HEAD_ID}; echo ${c:0:7})
+if [ $DOWNLOAD_DEFAULT_GITHUB_TARBALLS == 1 ]; then
+ git archive --prefix=selinux-policy-contrib-$CONTRIB_HEAD_ID/ --format tgz HEAD > $DISTGIT_PATH/selinux-policy-contrib-$CONTRIB_SHORT_HEAD_ID.tar.gz
+fi
+popd > /dev/null
+
+pushd container-selinux > /dev/null
+# Actual container-selinux files are in master branch
+#git checkout -b ${DOCKER_RHEL_VERSION} -t origin/${DOCKER_RHEL_VERSION} -q
+tar -czf container-selinux.tgz container.if container.te container.fc
+popd > /dev/null
+
+pushd $DISTGIT_PATH > /dev/null
+cp $POLICYSOURCES/container-selinux/container-selinux.tgz .
+cp $POLICYSOURCES/macro-expander/macro-expander.sh ./macro-expander
+popd > /dev/null
+
+popd > /dev/null
+rm -rf $POLICYSOURCES
+
+# Update commit ids in selinux-policy.spec file
+sed -i "s/%global commit0 [^ ]*$/%global commit0 $BASE_HEAD_ID/" selinux-policy.spec
+sed -i "s/%global commit1 [^ ]*$/%global commit1 $CONTRIB_HEAD_ID/" selinux-policy.spec
+
+# Update sources
+sha512sum --tag selinux-policy-${BASE_SHORT_HEAD_ID}.tar.gz selinux-policy-contrib-${CONTRIB_SHORT_HEAD_ID}.tar.gz container-selinux.tgz macro-expander > sources
+
+echo -e "\nSELinux policy tarballs and container.tgz with container policy files have been created."
+echo "Commit ids of selinux-policy and selinux-policy-contrib in spec file were changed to:"
+echo "commit0 " ${BASE_HEAD_ID}
+echo "commit1 " ${CONTRIB_HEAD_ID}
diff --git a/modules-minimum.conf b/modules-minimum.conf
new file mode 120000
index 00000000..f6016594
--- /dev/null
+++ b/modules-minimum.conf
@@ -0,0 +1 @@
+modules-targeted.conf
\ No newline at end of file
diff --git a/modules-targeted.conf b/modules-targeted.conf
new file mode 100644
index 00000000..d5af7379
--- /dev/null
+++ b/modules-targeted.conf
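Review bot: None of the `git clone`, `pushd` or `git checkout` calls in this hunk are checked and the script does not set `-e`, so a failed clone of selinux-policy does not stop it: `pushd selinux-policy` fails, and `git checkout $REPO_SELINUX_POLICY_BRANCH`, `git rev-parse HEAD` and `git archive` then run in `$POLICYSOURCES`, which was created with a relative `mktemp -d` inside the dist-git checkout that `git checkout $DISTGIT_BRANCH` just switched, and the resulting commit id is written into `selinux-policy.spec` and `sources`. Adding `set -eo pipefail` after the shebang makes each failure fatal before it can propagate (`-u` is left out because `[ "$1" == "-l" ]` would trip on a missing argument). Separately, container-selinux and macro-expander are packaged from whatever HEAD the clone returned (the `git checkout` of `${DOCKER_RHEL_VERSION}` is commented out) and no commit id for either is recorded alongside `commit0`/`commit1`, so the hashes written to `sources` cannot be reproduced from the committed metadata; recording their `git rev-parse HEAD` in the spec the same way would close that gap. The clean-up should also be `rm -rf -- "${POLICYSOURCES:?}"` so an empty value from a failed `mktemp` aborts instead of being silently expanded.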
@@ -0,0 +1,2558 @@ +# +# This file contains a listing of available modules. +# To prevent a module from being used in policy +# creation, set the module name to "off". +# +# For monolithic policies, modules set to "base" and "module" +# will be built into the policy. +# +# For modular policies, modules set to "base" will be +# included in the base module. "module" will be compiled +# as individual loadable modules. +# + +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: ajaxterm +# +# Web Based Terminal +# +ajaxterm = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: services +# Module: callweaver +# +# callweaver telephony sever +# +callweaver = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Layer: services +# Module: collectd +# +# Statistics collection daemon for filling RRD files +# +collectd = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: couchdb +# +# Apache CouchDB database server +# +couchdb = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: module +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: services +# Module: abrt +# +# Automatic bug detection and reporting tool +# +abrt = module + +# Layer: services +# Module: aiccu +# +# SixXS Automatic IPv6 Connectivity Client Utility +# +aiccu = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. 
+# +amanda = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: amavis +# +# Anti-virus +# +amavis = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: system +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: services +# Module: bcfg2 +# +# Configuration management server +# +bcfg2 = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: dirsrv +# +# An 309 directory server +# +dirsrv = module + +# Layer: services +# Module: dirsrv-admin +# +# An 309 directory admin server +# +dirsrv-admin = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. 
+# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: blueman +# +# Blueman tools and system services. +# +blueman = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: services +# Module: cobbler +# +# cobbler +# +cobbler = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: corosync +# +# Corosync Cluster Engine Executive +# +corosync = module + +# Layer: services +# Module: clamav +# +# ClamAV Virus Scanner +# +clamav = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. 
+# +clock = module + +# Layer: services +# Module: consolekit +# +# ConsoleKit is a system daemon for tracking what users are logged +# +#consolekit = module + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = module + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: ctdbd +# +# Cluster Daemon +# +ctdbd = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. 
+# +dcc = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: kernel +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: kernel +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: services +# Module: drbd +# +# DRBD mirrors a block device over the network to another machine. +# +drbd = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. 
+# +gpg = module + +# Layer: services +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: kernel +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: kernel +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: admin +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: system +# Module: getty +# +# Policy for getty. 
+# +getty = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services +# Module: passenger +# +# Passenger +# +passenger = module + +# Layer: services +# Module: policykit +# +# Hardware abstraction layer +# +policykit = module + +# Layer: services +# Module: puppet +# +# A network tool for managing many disparate systems +# +puppet = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + +# Layer: apps +# Module: pwauth +# +# External plugin for mod_authnz_external authenticator +# +pwauth = module + +# Layer: services +# Module: quantum +# +# Quantum is a virtual network service for Openstack +# +quantum = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. 
+# +iptables = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: services +# Module: icecast +# +# ShoutCast compatible streaming media server +# +icecast = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: jetty +# +# Java based http server +# +jetty = module + +# Layer: admin +# Module: kdump +# +# kdump is kernel crash dumping mechanism +# +kdump = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: kernel +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: l2ltpd +# +# Layer 2 Tunnelling Protocol Daemon +# +l2tpd = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: likewise +# +# Likewise Active Directory support for UNIX +# +likewise = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. 
+# +locallogin = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. +# +lircd = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + + +# Layer: services +# Module: mailman +# +# Policy for mailscanner +# +mailscanner = module + +# Layer: services +# Module: matahari +# +# Matahari system maangement tools +# +matahari = module + +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. +# +mcelog = module + +# Layer: kernel +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Layer: apps +# Module: mediawiki +# +# mediawiki +# +mediawiki = module + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: services +# Module: mock +# +# Policy for mock rpm builder +# +mock = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. 
+# +mount = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. +# +modemmanager = module + +# Layer: services +# Module: mpd +# +# mpd - daemon for playing music +# +mpd = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: apps +# Module: gpg +# +# Policy for Mozilla and related web browsers +# +gpg = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. 
+#
+networkmanager = module
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = module
+
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: services
+# Module: nut
+#
+# nut - Network UPS Tools
+#
+nut = module
+
+# Layer: services
+# Module: nx
+#
+# NX Remote Desktop
+#
+nx = module
+
+
+# Layer: services
+# Module: oddjob
+#
+# policy for oddjob
+#
+oddjob = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = off
+
+# Layer: services
+# Module: openvpn
+#
+# Policy for OPENVPN full-featured SSL VPN solution
+#
+openvpn = module
+
+
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
+
+# Layer: service
+# Module: openct
+#
+# Middleware framework for smart card terminals
+#
+openct = module
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = module
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = module
+
+# Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+# Layer: services
+# Module: postgrey
+#
+# email scanner
+#
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: admin
+# Module: prelink
+#
+# Manage temporary directory sizes and file ages
+#
+prelink = module
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+#
+procmail = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: apps
+# Module: pulseaudio
+#
+# The PulseAudio Sound System
+#
+pulseaudio = module
+
+# Layer: services
+# Module: qmail
+#
+# Policy for qmail
+#
+qmail = module
+
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpid = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = module
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = module
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = module
+
+# Layer: services
+# Module: rgmanager
+#
+# Red Hat Resource Group Manager
+#
+rgmanager = module
+
+# Layer: services
+# Module: rhcs
+#
+# RHCS - Red Hat Cluster Suite
+#
+rhcs = module
+
+# Layer: services
+# Module: aisexec
+#
+# RHCS - Red Hat Cluster Suite
+#
+aisexec = module
+
+# Layer: services
+# Module: rgmanager
+#
+# rgmanager
+#
+rgmanager = module
+
+# Layer: services
+# Module: clogd
+#
+# clogd - clustered mirror log server
+#
+clogd = module
+
+# Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
+# Module: rhgb
+#
+# X windows login display manager
+#
+rhgb = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: services
+# Module: ricci
+#
+# policy for ricci
+#
+ricci = module
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = module
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = module
+
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: services
+# Module: rtkit
+#
+# Real Time Kit Daemon
+#
+rtkit = module
+
+# Layer: services
+# Module: rwho
+#
+# who is logged in on local machines
+#
+rwho = module
+
+# Layer: services
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+sambagui = module
+
+# Layer: apps
+# Module: sandbox
+#
+# Experimental policy for running apps within a sandbox
+#
+sandbox = module
+
+# Layer: services
+# Module: sanlock
+#
+# sanlock policy
+#
+sanlock = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = module
+
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+#
+seunshare = module
+
+# Layer: admin
+# Module: shorewall
+#
+# Policy for shorewall
+#
+shorewall = module
+
+# Layer: admin
+# Module: shutdown
+#
+# Policy for shutdown
+#
+shutdown = module
+
+# Layer: admin
+# Module: sectoolm
+#
+# Policy for sectool-mechanism
+#
+sectoolm = module
+
+# Layer: system
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+#
+setrans = module
+
+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = module
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = off
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: smokeping
+#
+# Latency Logging and Graphing System
+#
+smokeping = module
+
+# Layer: admin
+# Module: smoltclient
+#
+#The Fedora hardware profiler client
+#
+smoltclient = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: sssd
+#
+# System Security Services Daemon
+#
+sssd = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: system
+# Module: systemd
+#
+# Policy for systemd components
+#
+systemd = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: services
+# Module: tcsd
+#
+# tcsd - daemon that manages Trusted Computing resources
+#
+tcsd = module
+
+# Layer: services
+# Module: tgtd
+#
+# Linux Target Framework Daemon.
+#
+tgtd = module
+
+# Layer: apps
+# Module: thumb
+#
+# Thumbnailer confinement
+#
+thumb = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: services
+# Module: usbmuxd
+#
+# Daemon for communicating with Apple's iPod Touch and iPhone
+#
+usbmuxd = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
+# Layer: services
+# Module: ulogd
+#
+# netfilter/iptables ULOG daemon
+#
+ulogd = module
+
+# Layer: services
+# Module: vdagent
+#
+# vdagent
+#
+vdagent = module
+
+# Layer: services
+# Module: vhostmd
+#
+# vhostmd - spice guest agent daemon.
+#
+vhostmd = module
+
+# Layer: apps
+# Module: vhostmd
+#
+# vlock - Virtual Console lock program
+#
+vlock = module
+
+# Layer: services
+# Module: wdmd
+#
+# wdmd policy
+#
+wdmd = module
+
+# Layer: apps
+# Module: wine
+#
+# wine executable
+#
+wine = module
+
+# Layer: apps
+# Module: wireshark
+#
+# wireshark executable
+#
+wireshark = module
+
+# Layer: apps
+# Module: telepathy
+#
+# telepathy - Policy for Telepathy framework
+#
+telepathy = module
+
+# Layer: apps
+# Module: userhelper
+#
+# A helper interface to pam.
+#
+userhelper = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: system
+# Module: xen
+#
+# virtualization software
+#
+xen = module
+
+# Layer: services
+# Module: varnishd
+#
+# Varnishd http accelerator daemon
+#
+varnishd = module
+
+# Layer: services
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = module
+
+# Layer: services
+# Module: vnstatd
+#
+# Network traffic Monitor
+#
+vnstatd = module
+
+# Layer: system
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+#
+brctl = module
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = off
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: uuidd
+#
+# UUID generation daemon
+#
+uuidd = module
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+#
+xserver = module
+
+# Layer: services
+# Module: zarafa
+#
+# Zarafa Collaboration Platform
+#
+zarafa = module
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: services
+# Module: zoneminder
+#
+# Zoneminder Camera Security Surveillance Solution
+#
+zoneminder = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = module
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: admin
+# Module: amtu
+#
+# Abstract Machine Test Utility (AMTU)
+#
+amtu = module
+
+# Layer: services
+# Module: zabbix
+#
+# Open-source monitoring solution for your IT infrastructure
+#
+zabbix = module
+
+# Layer: services
+# Module: apcupsd
+#
+# daemon for most APC’s UPS for Linux
+#
+apcupsd = module
+
+# Layer: services
+# Module: aide
+#
+# Policy for aide
+#
+aide = module
+
+# Layer: services
+# Module: w3c
+#
+# w3c
+#
+w3c = module
+
+# Layer: services
+# Module: plymouthd
+#
+# Plymouth
+#
+plymouthd = module
+
+# Layer: services
+# Module: portreserve
+#
+# reserve ports to prevent portmap mapping them
+#
+portreserve = module
+
+# Layer: services
+# Module: rpcbind
+#
+# universal addresses to RPC program number mapper
+#
+rpcbind = module
+
+# Layer: apps
+# Module: rssh
+#
+# Restricted (scp/sftp) only shell
+#
+rssh = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: role
+# Module: dbadm
+#
+# Minimally prived root role for managing databases
+#
+dbadm = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+#
+logadm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+#
+secadm = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+#
+auditadm = module
+
+
+# Layer: role
+# Module: webadm
+#
+# Minimally prived root role for managing apache
+#
+webadm = module
+
+#
+# Layer: services
+# Module: exim
+#
+# exim mail server
+#
+exim = module
+
+
+# Layer: services
+# Module: kismet
+#
+# Wireless sniffing and monitoring
+#
+kismet = module
+
+# Layer: services
+# Module: munin
+#
+# Munin
+#
+munin = module
+
+# Layer: services
+# Module: bitlbee
+#
+# An IRC to other chat networks gateway
+#
+bitlbee = module
+
+# Layer: admin
+# Module: sosreport
+#
+# sosreport debuggin information generator
+#
+sosreport = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer: role
+# Module: unconfineduser
+#
+# The unconfined user domain.
+#
+unconfineduser = module
+
+# Module: staff
+#
+# admin account
+#
+staff = module
+
+# Layer:role
+# Module: sysadm
+#
+# System Administrator
+#
+sysadm = module
+
+# Layer:role
+# Module: sysadm_secadm
+#
+# System Administrator with Security Admin rules
+#
+sysadm_secadm = module
+
+# Layer: role
+# Module: unprivuser
+#
+# Minimally privs guest account on tty logins
+#
+unprivuser = module
+
+# Layer: services
+# Module: prelude
+#
+prelude = module
+
+# Layer: services
+# Module: pads
+#
+pads = module
+
+# Layer: apps
+# Module: podsleuth
+#
+# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
+#
+podsleuth = module
+
+# Layer: role
+# Module: guest
+#
+# Minimally privs guest account on tty logins
+#
+guest = module
+
+# Layer: role
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: services
+# Module: cgroup
+#
+# Tools and libraries to control and monitor control groups
+#
+cgroup = module
+
+# Layer: services
+# Module: courier
+#
+# IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: services
+# Module: denyhosts
+#
+# script to help thwart ssh server attacks
+#
+denyhosts = module
+
+# Layer: apps
+# Module: livecd
+#
+# livecd creator
+#
+livecd = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: services
+# Module: memcached
+#
+# high-performance memory object caching system
+#
+memcached = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+#
+netlabel = module
+
+# Layer: services
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
+# Layer: services
+# Module: pingd
+#
+#
+pingd = module
+
+# Layer: services
+# Module: milter
+#
+#
+#
+milter = module
+
+# Layer: services
+# Module: keyboardd
+#
+# system-setup-keyboard is a keyboard layout daemon that monitors
+# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
+#
+keyboardd = module
+
+# Layer: services
+# Module: keystone
+#
+# openstack-keystone
+#
+keystone = module
+
+# Layer: services
+# Module: firewalld
+#
+# firewalld is firewall service daemon that provides dynamic customizable
+#
+firewalld = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
+
+# Layer: services
+# Module: rhev
+#
+# rhev policy module contains policies for rhev apps
+#
+rhev = module
+
+# Layer: services
+# Module: dspam
+#
+# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering
+#
+dspam = module
+
+# Layer: services
+# Module: lldpad
+#
+# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon
+#
+lldpad = module
+
+# Layer: services
+# Module: rhsmcertd
+#
+# Subscription Management Certificate Daemon policy
+#
+rhsmcertd = module
+
+# Layer: services
+# Module: ctdbd
+#
+# ctdbd - The CTDB cluster daemon
+#
+ctdbd = module
+
+# Layer: services
+# Module: fcoemon
+#
+# fcoemon
+#
+fcoemon = module
+
+# Layer: services
+# Module: sblim
+#
+# sblim
+#
+sblim = module
+
+# Layer: services
+# Module: cfengine
+#
+# cfengine
+#
+cfengine = module
+
+# Layer: services
+# Module: pacemaker
+#
+# pacemaker
+#
+pacemaker = module
+
+# Layer: services
+# Module: polipo
+#
+# polipo
+#
+polipo = module
+
+# Layer: services
+# Module: nova
+#
+# openstack-nova
+#
+nova = module
+
+# Layer: services
+# Module: rabbitmq
+#
+# rabbitmq daemons
+#
+rabbitmq = module
+
+# Layer: services
+# Module: cloudform
+#
+# cloudform daemons
+#
+cloudform = module
+
+# Layer: services
+# Module: obex
+#
+# policy for obex-data-server
+#
+obex = module
+
+# Layer: services
+# Module: sge
+#
+# policy for grindengine MPI jobs
+#
+sge = module
+
+# Layer: apps
+# Module: jockey
+#
+# policy for jockey-backend
+#
+jockey = module
+
+# Layer: services
+# Module: numad
+#
+# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
+#
+numad = module
+
+# Layer: services
+# Module: condor
+#
+# policy for condor
+#
+condor = module
+
+# Layer: services
+# Module: svnserve
+#
+# policy for subversion service
+#
+svnserve = module
+
+# Layer: apps
+# Module: man2html
+#
+# policy for man2html apps
+#
+man2html = module
+
+# Layer: contrib
+# Module: tomcat
+#
+# policy for tomcat service
+#
+tomcat = module
+
+# Layer: contrib
+# Module: php-fpm
+#
+# PHP-FPM is an alternative PHP FastCGI implementation
+#
+phpfpm = module
+
+# Layer: contrib
+# Module: stapserver
+#
+# Instrumentation System Server
+#
+stapserver = module
+
+# Layer: contrib
+# Module: stapserver
+#
+# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA
+#
+realmd = module
+
+# Layer: contrib
+# Module: docker
+#
+# The open-source application container engine
+#
+docker = module
diff --git a/plans/tests.fmf b/plans/tests.fmf
new file mode 100644
index 00000000..4a51b0e0
--- /dev/null
+++ b/plans/tests.fmf
@@ -0,0 +1,8 @@
+summary: Tier 1 selinux-policy test plan
+discover:
+ how: fmf
+ url: https://src.fedoraproject.org/tests/selinux.git
+ filter: "tier: 1 | component: selinux-policy"
+execute:
+ how: tmt
+
diff --git a/selinux-factory-reset b/selinux-factory-reset
new file mode 100755
index 00000000..b0d1ba73
--- /dev/null
+++ b/selinux-factory-reset
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [ ! -f /etc/selinux/config ]; then
+ SELINUXTYPE=none
+else
+ source /etc/selinux/config
+fi
+
+cp -R --preserve=mode,ownership,timestamps,links /usr/share/selinux/$1/default/* /var/lib/selinux/$1
+
+if selinuxenabled; then
+ semodule -B -n
+
+ if [ "$1" = "$SELINUXTYPE" ]; then
+ reboot
+ fi
+fi
diff --git a/selinux-factory-reset@.service b/selinux-factory-reset@.service
new file mode 100644
index 00000000..efc82d47
--- /dev/null
+++ b/selinux-factory-reset@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Reset SELinux policy to factory default
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=selinux
+ConditionKernelCommandLine=|selinux-factory-reset
+ConditionPathExists=|!/var/lib/selinux/%I/active/policy.kern
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-factory-reset %I
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardInput=tty
diff --git a/seusers b/seusers
new file mode 100644
index 00000000..461b003c
--- /dev/null
+++ b/seusers
@@ -0,0 +1,3 @@
+root:root:s0-s0:c0.c1023
+system_u:system_u:s0-s0:c0.c1023
+__default__:user_u:s0
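Review bot: In selinux-factory-reset, `$1` is expanded unquoted in both `cp` paths and is never checked, and neither `cp` nor `semodule -B -n` has its exit status examined before the script reaches `reboot`, so a failed copy or a failed policy rebuild can still reboot the machine with whatever is left under /var/lib/selinux. Add `: "${1:?policy store name required}"` after the shebang, write the copy as `cp -R --preserve=mode,ownership,timestamps,links "/usr/share/selinux/$1/default/"* "/var/lib/selinux/$1" || exit 1`, and change the rebuild to `semodule -B -n || exit 1`. The argument arrives as the systemd instance name from the unit added in this same commit, so the quoting is mainly a robustness and style point rather than an input-validation gap, but failing closed before `reboot` matters because the unit runs before sysinit.target with no other safeguard visible here.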
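Review bot: The unit has no comment explaining its trigger conditions, and the `|` prefix on `ConditionKernelCommandLine=` and `ConditionPathExists=` (any one triggering condition suffices, alongside `ConditionSecurity=selinux`) is easy to misread as the usual all-must-hold semantics. Add above `[Unit]`: `# Resets policy store %I when the kernel command line contains selinux-factory-reset` and `# or when /var/lib/selinux/%I/active/policy.kern is missing; the helper may reboot the system.` `ExecStart=` points at /usr/libexec/selinux/selinux-factory-reset while the script itself is added at the repository root in this commit, so presumably the Makefile, which is outside this chunk, installs it there; worth confirming the install rule and mode match.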
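Review bot: `__default__:user_u:s0` maps every Linux account not listed in seusers to the confined `user_u` identity at a single level, which is stricter than the `unconfined_u` mapping a targeted store normally ships with, and nothing in this hunk or the commit message says which policy store this file is installed into. Since the install step is outside this chunk, a README sentence such as `seusers: default Linux-user to SELinux-user mapping installed for the <store> policy store` (with the store filled in) would make the intended login confinement auditable without touching the data file itself.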