Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy
This commit is contained in:
commit
d618232c77
340
COPYING
Normal file
340
COPYING
Normal file
@ -0,0 +1,340 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 2, June 1991
|
||||
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
||||
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The licenses for most software are designed to take away your
|
||||
freedom to share and change it. By contrast, the GNU General Public
|
||||
License is intended to guarantee your freedom to share and change free
|
||||
software--to make sure the software is free for all its users. This
|
||||
General Public License applies to most of the Free Software
|
||||
Foundation's software and to any other program whose authors commit to
|
||||
using it. (Some other Free Software Foundation software is covered by
|
||||
the GNU Library General Public License instead.) You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
this service if you wish), that you receive source code or can get it
|
||||
if you want it, that you can change the software or use pieces of it
|
||||
in new free programs; and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to make restrictions that forbid
|
||||
anyone to deny you these rights or to ask you to surrender the rights.
|
||||
These restrictions translate to certain responsibilities for you if you
|
||||
distribute copies of the software, or if you modify it.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must give the recipients all the rights that
|
||||
you have. You must make sure that they, too, receive or can get the
|
||||
source code. And you must show them these terms so they know their
|
||||
rights.
|
||||
|
||||
We protect your rights with two steps: (1) copyright the software, and
|
||||
(2) offer you this license which gives you legal permission to copy,
|
||||
distribute and/or modify the software.
|
||||
|
||||
Also, for each author's protection and ours, we want to make certain
|
||||
that everyone understands that there is no warranty for this free
|
||||
software. If the software is modified by someone else and passed on, we
|
||||
want its recipients to know that what they have is not the original, so
|
||||
that any problems introduced by others will not reflect on the original
|
||||
authors' reputations.
|
||||
|
||||
Finally, any free program is threatened constantly by software
|
||||
patents. We wish to avoid the danger that redistributors of a free
|
||||
program will individually obtain patent licenses, in effect making the
|
||||
program proprietary. To prevent this, we have made it clear that any
|
||||
patent must be licensed for everyone's free use or not licensed at all.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||
|
||||
0. This License applies to any program or other work which contains
|
||||
a notice placed by the copyright holder saying it may be distributed
|
||||
under the terms of this General Public License. The "Program", below,
|
||||
refers to any such program or work, and a "work based on the Program"
|
||||
means either the Program or any derivative work under copyright law:
|
||||
that is to say, a work containing the Program or a portion of it,
|
||||
either verbatim or with modifications and/or translated into another
|
||||
language. (Hereinafter, translation is included without limitation in
|
||||
the term "modification".) Each licensee is addressed as "you".
|
||||
|
||||
Activities other than copying, distribution and modification are not
|
||||
covered by this License; they are outside its scope. The act of
|
||||
running the Program is not restricted, and the output from the Program
|
||||
is covered only if its contents constitute a work based on the
|
||||
Program (independent of having been made by running the Program).
|
||||
Whether that is true depends on what the Program does.
|
||||
|
||||
1. You may copy and distribute verbatim copies of the Program's
|
||||
source code as you receive it, in any medium, provided that you
|
||||
conspicuously and appropriately publish on each copy an appropriate
|
||||
copyright notice and disclaimer of warranty; keep intact all the
|
||||
notices that refer to this License and to the absence of any warranty;
|
||||
and give any other recipients of the Program a copy of this License
|
||||
along with the Program.
|
||||
|
||||
You may charge a fee for the physical act of transferring a copy, and
|
||||
you may at your option offer warranty protection in exchange for a fee.
|
||||
|
||||
2. You may modify your copy or copies of the Program or any portion
|
||||
of it, thus forming a work based on the Program, and copy and
|
||||
distribute such modifications or work under the terms of Section 1
|
||||
above, provided that you also meet all of these conditions:
|
||||
|
||||
a) You must cause the modified files to carry prominent notices
|
||||
stating that you changed the files and the date of any change.
|
||||
|
||||
b) You must cause any work that you distribute or publish, that in
|
||||
whole or in part contains or is derived from the Program or any
|
||||
part thereof, to be licensed as a whole at no charge to all third
|
||||
parties under the terms of this License.
|
||||
|
||||
c) If the modified program normally reads commands interactively
|
||||
when run, you must cause it, when started running for such
|
||||
interactive use in the most ordinary way, to print or display an
|
||||
announcement including an appropriate copyright notice and a
|
||||
notice that there is no warranty (or else, saying that you provide
|
||||
a warranty) and that users may redistribute the program under
|
||||
these conditions, and telling the user how to view a copy of this
|
||||
License. (Exception: if the Program itself is interactive but
|
||||
does not normally print such an announcement, your work based on
|
||||
the Program is not required to print an announcement.)
|
||||
|
||||
These requirements apply to the modified work as a whole. If
|
||||
identifiable sections of that work are not derived from the Program,
|
||||
and can be reasonably considered independent and separate works in
|
||||
themselves, then this License, and its terms, do not apply to those
|
||||
sections when you distribute them as separate works. But when you
|
||||
distribute the same sections as part of a whole which is a work based
|
||||
on the Program, the distribution of the whole must be on the terms of
|
||||
this License, whose permissions for other licensees extend to the
|
||||
entire whole, and thus to each and every part regardless of who wrote it.
|
||||
|
||||
Thus, it is not the intent of this section to claim rights or contest
|
||||
your rights to work written entirely by you; rather, the intent is to
|
||||
exercise the right to control the distribution of derivative or
|
||||
collective works based on the Program.
|
||||
|
||||
In addition, mere aggregation of another work not based on the Program
|
||||
with the Program (or with a work based on the Program) on a volume of
|
||||
a storage or distribution medium does not bring the other work under
|
||||
the scope of this License.
|
||||
|
||||
3. You may copy and distribute the Program (or a work based on it,
|
||||
under Section 2) in object code or executable form under the terms of
|
||||
Sections 1 and 2 above provided that you also do one of the following:
|
||||
|
||||
a) Accompany it with the complete corresponding machine-readable
|
||||
source code, which must be distributed under the terms of Sections
|
||||
1 and 2 above on a medium customarily used for software interchange; or,
|
||||
|
||||
b) Accompany it with a written offer, valid for at least three
|
||||
years, to give any third party, for a charge no more than your
|
||||
cost of physically performing source distribution, a complete
|
||||
machine-readable copy of the corresponding source code, to be
|
||||
distributed under the terms of Sections 1 and 2 above on a medium
|
||||
customarily used for software interchange; or,
|
||||
|
||||
c) Accompany it with the information you received as to the offer
|
||||
to distribute corresponding source code. (This alternative is
|
||||
allowed only for noncommercial distribution and only if you
|
||||
received the program in object code or executable form with such
|
||||
an offer, in accord with Subsection b above.)
|
||||
|
||||
The source code for a work means the preferred form of the work for
|
||||
making modifications to it. For an executable work, complete source
|
||||
code means all the source code for all modules it contains, plus any
|
||||
associated interface definition files, plus the scripts used to
|
||||
control compilation and installation of the executable. However, as a
|
||||
special exception, the source code distributed need not include
|
||||
anything that is normally distributed (in either source or binary
|
||||
form) with the major components (compiler, kernel, and so on) of the
|
||||
operating system on which the executable runs, unless that component
|
||||
itself accompanies the executable.
|
||||
|
||||
If distribution of executable or object code is made by offering
|
||||
access to copy from a designated place, then offering equivalent
|
||||
access to copy the source code from the same place counts as
|
||||
distribution of the source code, even though third parties are not
|
||||
compelled to copy the source along with the object code.
|
||||
|
||||
4. You may not copy, modify, sublicense, or distribute the Program
|
||||
except as expressly provided under this License. Any attempt
|
||||
otherwise to copy, modify, sublicense or distribute the Program is
|
||||
void, and will automatically terminate your rights under this License.
|
||||
However, parties who have received copies, or rights, from you under
|
||||
this License will not have their licenses terminated so long as such
|
||||
parties remain in full compliance.
|
||||
|
||||
5. You are not required to accept this License, since you have not
|
||||
signed it. However, nothing else grants you permission to modify or
|
||||
distribute the Program or its derivative works. These actions are
|
||||
prohibited by law if you do not accept this License. Therefore, by
|
||||
modifying or distributing the Program (or any work based on the
|
||||
Program), you indicate your acceptance of this License to do so, and
|
||||
all its terms and conditions for copying, distributing or modifying
|
||||
the Program or works based on it.
|
||||
|
||||
6. Each time you redistribute the Program (or any work based on the
|
||||
Program), the recipient automatically receives a license from the
|
||||
original licensor to copy, distribute or modify the Program subject to
|
||||
these terms and conditions. You may not impose any further
|
||||
restrictions on the recipients' exercise of the rights granted herein.
|
||||
You are not responsible for enforcing compliance by third parties to
|
||||
this License.
|
||||
|
||||
7. If, as a consequence of a court judgment or allegation of patent
|
||||
infringement or for any other reason (not limited to patent issues),
|
||||
conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot
|
||||
distribute so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you
|
||||
may not distribute the Program at all. For example, if a patent
|
||||
license would not permit royalty-free redistribution of the Program by
|
||||
all those who receive copies directly or indirectly through you, then
|
||||
the only way you could satisfy both it and this License would be to
|
||||
refrain entirely from distribution of the Program.
|
||||
|
||||
If any portion of this section is held invalid or unenforceable under
|
||||
any particular circumstance, the balance of the section is intended to
|
||||
apply and the section as a whole is intended to apply in other
|
||||
circumstances.
|
||||
|
||||
It is not the purpose of this section to induce you to infringe any
|
||||
patents or other property right claims or to contest validity of any
|
||||
such claims; this section has the sole purpose of protecting the
|
||||
integrity of the free software distribution system, which is
|
||||
implemented by public license practices. Many people have made
|
||||
generous contributions to the wide range of software distributed
|
||||
through that system in reliance on consistent application of that
|
||||
system; it is up to the author/donor to decide if he or she is willing
|
||||
to distribute software through any other system and a licensee cannot
|
||||
impose that choice.
|
||||
|
||||
This section is intended to make thoroughly clear what is believed to
|
||||
be a consequence of the rest of this License.
|
||||
|
||||
8. If the distribution and/or use of the Program is restricted in
|
||||
certain countries either by patents or by copyrighted interfaces, the
|
||||
original copyright holder who places the Program under this License
|
||||
may add an explicit geographical distribution limitation excluding
|
||||
those countries, so that distribution is permitted only in or among
|
||||
countries not thus excluded. In such case, this License incorporates
|
||||
the limitation as if written in the body of this License.
|
||||
|
||||
9. The Free Software Foundation may publish revised and/or new versions
|
||||
of the General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the Program
|
||||
specifies a version number of this License which applies to it and "any
|
||||
later version", you have the option of following the terms and conditions
|
||||
either of that version or of any later version published by the Free
|
||||
Software Foundation. If the Program does not specify a version number of
|
||||
this License, you may choose any version ever published by the Free Software
|
||||
Foundation.
|
||||
|
||||
10. If you wish to incorporate parts of the Program into other free
|
||||
programs whose distribution conditions are different, write to the author
|
||||
to ask for permission. For software which is copyrighted by the Free
|
||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||
make exceptions for this. Our decision will be guided by the two goals
|
||||
of preserving the free status of all derivatives of our free software and
|
||||
of promoting the sharing and reuse of software generally.
|
||||
|
||||
NO WARRANTY
|
||||
|
||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
REPAIR OR CORRECTION.
|
||||
|
||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
convey the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program is interactive, make it output a short notice like this
|
||||
when it starts in an interactive mode:
|
||||
|
||||
Gnomovision version 69, Copyright (C) year name of author
|
||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, the commands you use may
|
||||
be called something other than `show w' and `show c'; they could even be
|
||||
mouse-clicks or menu items--whatever suits your program.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or your
|
||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||
necessary. Here is a sample; alter the names:
|
||||
|
||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||
|
||||
<signature of Ty Coon>, 1 April 1989
|
||||
Ty Coon, President of Vice
|
||||
|
||||
This General Public License does not permit incorporating your program into
|
||||
proprietary programs. If your program is a subroutine library, you may
|
||||
consider it more useful to permit linking proprietary applications with the
|
||||
library. If this is what you want to do, use the GNU Library General
|
||||
Public License instead of this License.
|
820
Changelog
Normal file
820
Changelog
Normal file
@ -0,0 +1,820 @@
|
||||
- Unconditional staff and user oidentd home config access from Dominick Grift.
|
||||
- Conditional mmap_zero support from Dominick Grift.
|
||||
- Added devtmpfs support.
|
||||
- Dbadm updates from KaiGai Kohei.
|
||||
- Virtio disk file context update from Mika Pfluger.
|
||||
- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
|
||||
- Add JIT usage for freshclam.
|
||||
- Remove ethereal module since the application was renamed to wireshark.
|
||||
- Remove duplicate/redundant rules, from Russell Coker.
|
||||
- Increased default number of categories to 1024, from Russell Coker.
|
||||
- Added modules:
|
||||
accountsd (Dan Walsh)
|
||||
cgroup (Dominick Grift)
|
||||
kdumpgui (Dan Walsh)
|
||||
livecd (Dan Walsh)
|
||||
mojomojo (Lain Arnell)
|
||||
sambagui (Dan Walsh)
|
||||
shutdown (Dan Walsh)
|
||||
|
||||
* Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524
|
||||
- Merged a significant portion of Fedora policy.
|
||||
- Move rules from mta mailserver delivery from interface to .te to use
|
||||
attributes.
|
||||
- Remove concept of users from terminal module interfaces since the
|
||||
attributes are not specific to users.
|
||||
- Add non-drawing X client support, for consolekit usage.
|
||||
- Misc Gentoo fixes from Chris Richards.
|
||||
- AFS and abrt fixes from Dominick Grift.
|
||||
- Improved the XML docs of 55 most-used interfaces.
|
||||
- Apcupsd and amavis fixes from Dominick Grift.
|
||||
- Fix network_port() in corenetwork to correctly handle port ranges.
|
||||
- SE-Postgresql updates from KaiGai Kohei.
|
||||
- X object manager revisions from Eamon Walsh.
|
||||
- Added modules:
|
||||
aisexec (Dan Walsh)
|
||||
chronyd (Miroslav Grepl)
|
||||
cobbler (Dominick Grift)
|
||||
corosync (Dan Walsh)
|
||||
dbadm (KaiGai Kohei)
|
||||
denyhosts (Dan Walsh)
|
||||
nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
|
||||
likewise (Scott Salley)
|
||||
plymouthd (Dan Walsh)
|
||||
pyicqt (Stefan Schulze Frielinghaus)
|
||||
rhcs (Dan Walsh)
|
||||
rgmanager (Dan Walsh)
|
||||
sectoolm (Miroslav Grepl)
|
||||
usbmuxd (Dan Walsh)
|
||||
vhostmd (Dan Walsh)
|
||||
|
||||
* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
|
||||
- Add separate x_pointer and x_keyboard classes inheriting from x_device.
|
||||
From Eamon Walsh.
|
||||
- Deprecated the userdom_xwindows_client_template().
|
||||
- Misc Gentoo fixes from Corentin Labbe.
|
||||
- Debian policykit fixes from Martin Orr.
|
||||
- Fix unconfined_r use of unconfined_java_t.
|
||||
- Add missing x_device rules for XI2 functions, from Eamon Walsh.
|
||||
- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
|
||||
- Add btrfs and ext4 to labeling targets.
|
||||
- Fix infrastructure to expand macros in initrc_context when installing.
|
||||
- Handle unix_chkpwd usage by useradd and groupadd.
|
||||
- Add missing compatibility aliases for xdm_xserver*_t types.
|
||||
- Added modules:
|
||||
abrt (Dan Walsh)
|
||||
dkim (Stefan Schulze Frielinghaus)
|
||||
gitosis (Miroslav Grepl)
|
||||
gnomeclock (Dan Walsh)
|
||||
hddtemp (Dan Walsh)
|
||||
kdump (Dan Walsh)
|
||||
modemmanager(Dan Walsh)
|
||||
nslcd (Dan Walsh)
|
||||
puppet (Craig Grube)
|
||||
rtkit (Dan Walsh)
|
||||
seunshare (Dan Walsh)
|
||||
shorewall (Dan Walsh)
|
||||
tgtd (Matthew Ife)
|
||||
tuned (Miroslav Grepl)
|
||||
xscreensaver (Corentin Labbe)
|
||||
|
||||
* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
|
||||
- Gentoo fixes for init scripts and system startup.
|
||||
- Remove read_default_t tunable.
|
||||
- Greylist milter from Paul Howarth.
|
||||
- Crack db access for su to handle password expiration, from Brandon Whalen.
|
||||
- Misc fixes for unix_update from Brandon Whalen.
|
||||
- Add x_device permissions for XI2 functions, from Eamon Walsh.
|
||||
- MLS constraints for the x_selection class, from Eamon Walsh.
|
||||
- Postgresql updates from KaiGai Kohei.
|
||||
- Milter state directory patch from Paul Howarth.
|
||||
- Add MLS constrains for ingress/egress and secmark from Paul Moore.
|
||||
- Drop write permission from fs_read_rpc_sockets().
|
||||
- Remove unused udev_runtime_t type.
|
||||
- Patch for RadSec port from Glen Turner.
|
||||
- Enable network_peer_controls policy capability from Paul Moore.
|
||||
- Btrfs xattr support from Paul Moore.
|
||||
- Add db_procedure install permission from KaiGai Kohei.
|
||||
- Add support for network interfaces with access controlled by a Boolean
|
||||
from the CLIP project.
|
||||
- Several fixes from the CLIP project.
|
||||
- Add support for labeled Booleans.
|
||||
- Remove node definitions and change node usage to generic nodes.
|
||||
- Add kernel_service access vectors, from Stephen Smalley.
|
||||
- Added modules:
|
||||
certmaster (Dan Walsh)
|
||||
cpufreqselector (Dan Walsh)
|
||||
devicekit (Dan Walsh)
|
||||
fprintd (Dan Walsh)
|
||||
git (Dan Walsh)
|
||||
gpsd (Miroslav Grepl)
|
||||
guest (Dan Walsh)
|
||||
ifplugd (Dan Walsh)
|
||||
lircd (Miroslav Grepl)
|
||||
logadm (Dan Walsh)
|
||||
pads (Dan Walsh)
|
||||
pingd (Dan Walsh)
|
||||
policykit (Dan Walsh)
|
||||
pulseaudio (Dan Walsh)
|
||||
psad (Dan Walsh)
|
||||
portreserve (Dan Walsh)
|
||||
sssd (Dan Walsh)
|
||||
ulogd (Dan Walsh)
|
||||
varnishd (Dan Walsh)
|
||||
webadm (Dan Walsh)
|
||||
wm (Dan Walsh)
|
||||
xguest (Dan Walsh)
|
||||
zosremote (Dan Walsh)
|
||||
|
||||
* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
|
||||
- Fix consistency of audioentropy and iscsi module naming.
|
||||
- Debian file context fix for xen from Russell Coker.
|
||||
- Xserver MLS fix from Eamon Walsh.
|
||||
- Add omapi port for dhcpcd.
|
||||
- Deprecate per-role templates and rolemap support.
|
||||
- Implement user-based access control for use as role separations.
|
||||
- Move shared library calls from individual modules to the domain module.
|
||||
- Enable open permission checks policy capability.
|
||||
- Remove hierarchy from portage module as it is not a good example of
|
||||
hieararchy.
|
||||
- Remove enableaudit target from modular build as semodule -DB supplants it.
|
||||
- Added modules:
|
||||
milter (Paul Howarth)
|
||||
|
||||
* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
|
||||
- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
|
||||
- Logrotate and Bind updates from Vaclav Ovsik.
|
||||
- Init script file and domain support.
|
||||
- Glibc 2.7 fix from Vaclav Ovsik.
|
||||
- Samba/winbind update from Mike Edenfield.
|
||||
- Policy size optimization with a non-security file attribute from James
|
||||
Carter.
|
||||
- Database labeled networking update from KaiGai Kohei.
|
||||
- Several misc changes from the Fedora policy, cherry picked by David
|
||||
Hardeman.
|
||||
- Large whitespace fix from Dominick Grift.
|
||||
- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
|
||||
- Issuing commands to upstart is over a datagram socket, not the initctl
|
||||
named pipe. Updated init_telinit() to match.
|
||||
- Added modules:
|
||||
cyphesis (Dan Walsh)
|
||||
memcached (Dan Walsh)
|
||||
oident (Dominick Grift)
|
||||
w3c (Dan Walsh)
|
||||
|
||||
* Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702
|
||||
- Fix httpd_enable_homedirs to actually provide the access it is supposed to
|
||||
provide.
|
||||
- Add unused interface/template parameter metadata in XML.
|
||||
- Patch to handle postfix data_directory from Vaclav Ovsik.
|
||||
- SE-Postgresql policy from KaiGai Kohei.
|
||||
- Patch for X.org dbus support from Martin Orr.
|
||||
- Patch for labeled networking controls in 2.6.25 from Paul Moore.
|
||||
- Module loading now requires setsched on kernel threads.
|
||||
- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
|
||||
- X application data class from Eamon Walsh and Ted Toth.
|
||||
- Move user roles into individual modules.
|
||||
- Make hald_log_t a log file.
|
||||
- Cryptsetup runs shell scripts. Patch from Martin Orr.
|
||||
- Add file for enabling policy capabilities.
|
||||
- Patch to fix leaky interface/template call depth calculator from Vaclav
|
||||
Ovsik.
|
||||
- Added modules:
|
||||
kerneloops (Dan Walsh)
|
||||
kismet (Dan Walsh)
|
||||
podsleuth (Dan Walsh)
|
||||
prelude (Dan Walsh)
|
||||
qemu (Dan Walsh)
|
||||
virt (Dan Walsh)
|
||||
|
||||
* Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402
|
||||
- Add core Security Enhanced X Windows support.
|
||||
- Fix winbind socket connection interface for default location of the
|
||||
sock_file.
|
||||
- Add wireshark module based on ethereal module.
|
||||
- Revise upstart support in init module to use a tunable, as upstart is now
|
||||
used in Fedora too.
|
||||
- Add iferror.m4 rather generate it out of the Makefiles.
|
||||
- Definitions for open permisson on file and similar objects from Eric
|
||||
Paris.
|
||||
- Apt updates for ptys and logs, from Martin Orr.
|
||||
- RPC update from Vaclav Ovsik.
|
||||
- Exim updates on Debian from Devin Carrawy.
|
||||
- Pam and samba updates from Stefan Schulze Frielinghaus.
|
||||
- Backup update on Debian from Vaclav Ovsik.
|
||||
- Cracklib update on Debian from Vaclav Ovsik.
|
||||
- Label /proc/kallsyms with system_map_t.
|
||||
- 64-bit capabilities from Stephen Smalley.
|
||||
- Labeled networking peer object class updates.
|
||||
|
||||
* Fri Dec 14 2007 Chris PeBenito <selinux@tresys.com> - 20071214
|
||||
- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
|
||||
- Improve several tunables descriptions from Dan Walsh.
|
||||
- Patch to clean up ns switch usage in the policy from Dan Walsh.
|
||||
- More complete labeled networking infrastructure from KaiGai Kohei.
|
||||
- Add interface for libselinux constructor, for libselinux-linked
|
||||
SELinux-enabled programs.
|
||||
- Patch to restructure user role templates to create restricted user roles
|
||||
from Dan Walsh.
|
||||
- Russian man page translations from Andrey Markelov.
|
||||
- Remove unused types from dbus.
|
||||
- Add infrastructure for managing all user web content.
|
||||
- Deprecate some old file and dir permission set macros in favor of the
|
||||
newer, more consistently-named macros.
|
||||
- Patch to clean up unescaped periods in several file context entries from
|
||||
Jan-Frode Myklebust.
|
||||
- Merge shlib_t into lib_t.
|
||||
- Merge strict and targeted policies. The policy will now behave like the
|
||||
strict policy if the unconfined module is not present. If it is, it will
|
||||
behave like the targeted policy. Added an unconfined role to have a mix
|
||||
of confined and unconfined users.
|
||||
- Added modules:
|
||||
exim (Dan Walsh)
|
||||
postfixpolicyd (Jan-Frode Myklebust)
|
||||
|
||||
* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
|
||||
- Add support for setting the unknown permissions handling.
|
||||
- Fix XML building for external reference builds and headers builds.
|
||||
- Patch to add missing requirements in userdomain interfaces from Shintaro
|
||||
Fujiwara.
|
||||
- Add tcpd_wrapped_domain() for services that use tcp wrappers.
|
||||
- Update MLS constraints from LSPP evaluated policy.
|
||||
- Allow initrc_t file descriptors to be inherited regardless of MLS level.
|
||||
Accordingly drop MLS permissions from daemons that inherit from any level.
|
||||
- Files and radvd updates from Stefan Schulze Frielinghaus.
|
||||
- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
|
||||
mls_write_all_levels() and mls_read_all_levels(), for consistency.
|
||||
- Add make kernel and init ranged interfaces pass the range transition MLS
|
||||
constraints. Also remove calls to mls_rangetrans_target() in modules that use
|
||||
the kernel and init interfaces, since its redundant.
|
||||
- Add interfaces for all MLS attributes except X object classes.
|
||||
- Require all sensitivities and categories for MLS and MCS policies, not just
|
||||
the low and high sensitivity and category.
|
||||
- Database userspace object manager classes from KaiGai Kohei.
|
||||
- Add third-party interface for Apache CGI.
|
||||
- Add getserv and shmemserv nscd permissions.
|
||||
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
|
||||
- Added modules:
|
||||
application
|
||||
awstats (Stefan Schulze Frielinghaus)
|
||||
bitlbee (Devin Carraway)
|
||||
brctl (Dan Walsh)
|
||||
|
||||
* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
|
||||
- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
|
||||
libraries module.
|
||||
- Unified labeled networking policy from Paul Moore.
|
||||
- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
|
||||
- Xen updates from Dan Walsh.
|
||||
- Filesystem updates from Dan Walsh.
|
||||
- Large samba update from Dan Walsh.
|
||||
- Drop snmpd_etc_t.
|
||||
- Confine sendmail and logrotate on targeted.
|
||||
- Tunable connection to postgresql for users from KaiGai Kohei.
|
||||
- Memprotect support patch from Stephen Smalley.
|
||||
- Add logging_send_audit_msgs() interface and deprecate
|
||||
send_audit_msgs_pattern().
|
||||
- Openct updates patch from Dan Walsh.
|
||||
- Merge restorecon into setfiles.
|
||||
- Patch to begin separating out hald helper programs from Dan Walsh.
|
||||
- Fixes for squid, dovecot, and snmp from Dan Walsh.
|
||||
- Miscellaneous consolekit fixes from Dan Walsh.
|
||||
- Patch to have avahi use the nsswitch interface rather than individual
|
||||
permissions from Dan Walsh.
|
||||
- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
|
||||
- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
|
||||
to handle usage from userhelper from Dan Walsh.
|
||||
- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
|
||||
- Patch to allow slocate to getattr other filesystems and directories on those
|
||||
filesystems from Dan Walsh.
|
||||
- Fixes for RHEL4 from the CLIP project.
|
||||
- Replace the old lrrd fc entries with munin ones.
|
||||
- Move program admin template usage out of userdom_admin_user_template() to
|
||||
sysadm policy in userdomain.te to fix usage of the template for third
|
||||
parties.
|
||||
- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
|
||||
template instead of an interface.
|
||||
- Added modules:
|
||||
amtu (Dan Walsh)
|
||||
apcupsd (Dan Walsh)
|
||||
rpcbind (Dan Walsh)
|
||||
rwho (Nalin Dahyabhai)
|
||||
|
||||
* Tue Apr 17 2007 Chris PeBenito <selinux@tresys.com> - 20070417
|
||||
- Patch for sasl's use of kerberos from Dan Walsh.
|
||||
- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
|
||||
- Man page updates from Dan Walsh.
|
||||
- Two patches from Paul Moore to for ipsec to remove redundant rules and
|
||||
have setkey read the config file.
|
||||
- Move booleans and tunables to modules when it is only used in a single
|
||||
module.
|
||||
- Add support for tunables and booleans local to a module.
|
||||
- Merge sbin_t and ls_exec_t into bin_t.
|
||||
- Remove disable_trans booleans.
|
||||
- Output different header sets for kernel and userland from flask headers.
|
||||
- Marked the pax class as deprecated, changed it to userland so
|
||||
it will be removed from the kernel.
|
||||
- Stop including netfilter contexts by default.
|
||||
- Add dontaudits for init fds and console to init_daemon_domain().
|
||||
- Patch to allow gpg to create user keys dir.
|
||||
- Patch to support kvmfs from Dan Walsh.
|
||||
- Patch for misc fixes in sudo from Dan Walsh.
|
||||
- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
|
||||
- Patch for handling restart of nscd when ran from useradd, groupadd, and
|
||||
admin passwd, from Dan Walsh.
|
||||
- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
|
||||
- Patch for setroubleshoot for validating file contexts from Dan Walsh.
|
||||
- Patch for gssd fixes from Dan Walsh.
|
||||
- Patch for lvm fixes from Dan Walsh.
|
||||
- Patch for ricci fixes from Dan Walsh.
|
||||
- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
|
||||
- Patch for kerberized telnet fixes from Dan Walsh.
|
||||
- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
|
||||
- Patch for an additional wine executable from Dan Walsh.
|
||||
- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
|
||||
corecommands, devices, and java from Dan Walsh.
|
||||
- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
|
||||
- Patch for misc fixes to bluetooth from Dan Walsh.
|
||||
- Patch for misc fixes to kerberos from Dan Walsh.
|
||||
- Patch to start deprecating usercanread attribute from Ryan Bradetich.
|
||||
- Add dccp_socket object class which was added in kernel 2.6.20.
|
||||
- Patch for prelink relabefrom it's temp files from Dan Walsh.
|
||||
- Patch for capability fix for auditd and networking fix for syslogd from
|
||||
Dan Walsh.
|
||||
- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
|
||||
- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
|
||||
- Patch to allow apmd to telinit from Dan Walsh.
|
||||
- Patch for additional labeling of samba files from Stefan Schulze
|
||||
Frielinghaus.
|
||||
- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
|
||||
- Fix ptys and ttys to be device nodes.
|
||||
- Fix explicit use of httpd_t in openca_domtrans().
|
||||
- Clean up file context regexes in apache and java, from Eamon Walsh.
|
||||
- Patches from Dan Walsh:
|
||||
Thu, 25 Jan 2007
|
||||
- Added modules:
|
||||
consolekit (Dan Walsh)
|
||||
fail2ban (Dan Walsh)
|
||||
zabbix (Dan Walsh)
|
||||
|
||||
* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
|
||||
- Add policy patterns support macros. This changes the behavior of
|
||||
the create_dir_perms and create_file_perms permission sets.
|
||||
- Association polmatch MLS constraint making unlabeled_t an exception
|
||||
is no longer needed, patch from Venkat Yekkirala.
|
||||
- Context contains checking for PAM and cron from James Antill.
|
||||
- Add a reload target to Modules.devel and change the load
|
||||
target to only insert modules that were changed.
|
||||
- Allow semanage to read from /root on strict non-MLS for
|
||||
local policy modules.
|
||||
- Gentoo init script fixes for udev.
|
||||
- Allow udev to read kernel modules.inputmap.
|
||||
- Dnsmasq fixes from testing.
|
||||
- Allow kernel NFS server to getattr filesystems so df can work
|
||||
on clients.
|
||||
- Patch from Matt Anderson for a MLS constraint exemption on a
|
||||
file that can be written to from a subject whose range is
|
||||
within the object's range.
|
||||
- Enhanced setransd support from Darrel Goeddel.
|
||||
- Patches from Dan Walsh:
|
||||
Tue, 24 Oct 2006
|
||||
Wed, 29 Nov 2006
|
||||
- Added modules:
|
||||
aide (Matt Anderson)
|
||||
ccs (Dan Walsh)
|
||||
iscsi (Dan Walsh)
|
||||
ricci (Dan Walsh)
|
||||
|
||||
* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
|
||||
- Patch from Russell Coker Thu, 5 Oct 2006
|
||||
- Move range transitions to modules.
|
||||
- Make number of MLS sensitivities, and number of MLS and MCS
|
||||
categories configurable as build options.
|
||||
- Add role infrastructure.
|
||||
- Debian updates from Erich Schubert.
|
||||
- Add nscd_socket_use() to auth_use_nsswitch().
|
||||
- Remove old selopt rules.
|
||||
- Full support for netfilter_contexts.
|
||||
- MRTG patch for daemon operation from Stefan.
|
||||
- Add authlogin interface to abstract common access for login programs.
|
||||
- Remove setbool auditallow, except for RHEL4.
|
||||
- Change eventpollfs to task SID labeling.
|
||||
- Add key support from Michael LeMay.
|
||||
- Add ftpdctl domain to ftp, from Paul Howarth.
|
||||
- Fix build system to not move type declarations out of optionals.
|
||||
- Add gcc-config domain to portage.
|
||||
- Add packet object class and support in corenetwork.
|
||||
- Add a copy of genhomedircon for monolithic policy building, so that a
|
||||
policycoreutils package update is not required for RHEL4 systems.
|
||||
- Add appletalk sockets for use in cups.
|
||||
- Add Make target to validate module linking.
|
||||
- Make duplicate template and interface declarations a fatal error.
|
||||
- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
|
||||
- Move xconsole_device_t from devices to xserver since it is
|
||||
not actually a device, it is a named pipe.
|
||||
- Handle nonexistant .fc and .if files in devel Makefile by
|
||||
automatically creating empty files.
|
||||
- Remove unused devfs_control_t.
|
||||
- Add rhel4 distro, which also implies redhat distro.
|
||||
- Remove unneeded range_transition for su_exec_t and move the
|
||||
type declaration back to the su module.
|
||||
- Constrain transitions in MCS so unconfined_t cannot have
|
||||
arbitrary category sets.
|
||||
- Change reiserfs from xattr filesystem to genfscon as it's xattrs
|
||||
are currently nonfunctional.
|
||||
- Change files and filesystem modules to use their own interfaces.
|
||||
- Add user fonts to xserver.
|
||||
- Additional interfaces in corecommands, miscfiles, and userdomain
|
||||
from Joy Latten.
|
||||
- Miscellaneous fixes from Thomas Bleher.
|
||||
- Deprecate module name as first parameter of optional_policy()
|
||||
now that optionals are allowed everywhere.
|
||||
- Enable optional blocks in base module and monolithic policy.
|
||||
This requires checkpolicy 1.30.1.
|
||||
- Fix vpn module declaration.
|
||||
- Numerous fixes from Dan Walsh.
|
||||
- Change build order to preserve m4 line number information so policy
|
||||
compile errors are useful again.
|
||||
- Additional MLS interfaces from Chad Hanson.
|
||||
- Move some rules out of domain_type() and domain_base_type()
|
||||
to the TE file, to use the domain attribute to take advantage
|
||||
of space savings from attribute use.
|
||||
- Add global stack smashing protector rule for urandom access from
|
||||
Petre Rodan.
|
||||
- Fix temporary rules at the bottom of portmap.
|
||||
- Updated comments in mls file from Chad Hanson.
|
||||
- Patches from Dan Walsh:
|
||||
Fri, 17 Mar 2006
|
||||
Wed, 29 Mar 2006
|
||||
Tue, 11 Apr 2006
|
||||
Fri, 14 Apr 2006
|
||||
Tue, 18 Apr 2006
|
||||
Thu, 20 Apr 2006
|
||||
Tue, 02 May 2006
|
||||
Mon, 15 May 2006
|
||||
Thu, 18 May 2006
|
||||
Tue, 06 Jun 2006
|
||||
Mon, 12 Jun 2006
|
||||
Tue, 20 Jun 2006
|
||||
Wed, 26 Jul 2006
|
||||
Wed, 23 Aug 2006
|
||||
Thu, 31 Aug 2006
|
||||
Fri, 01 Sep 2006
|
||||
Tue, 05 Sep 2006
|
||||
Wed, 20 Sep 2006
|
||||
Fri, 22 Sep 2006
|
||||
Mon, 25 Sep 2006
|
||||
- Added modules:
|
||||
afs
|
||||
amavis (Erich Schubert)
|
||||
apt (Erich Schubert)
|
||||
asterisk
|
||||
audioentropy
|
||||
authbind
|
||||
backup
|
||||
calamaris
|
||||
cipe
|
||||
clamav (Erich Schubert)
|
||||
clockspeed (Petre Rodan)
|
||||
courier
|
||||
dante
|
||||
dcc
|
||||
ddclient
|
||||
dpkg (Erich Schubert)
|
||||
dnsmasq
|
||||
ethereal
|
||||
evolution
|
||||
games
|
||||
gatekeeper
|
||||
gift
|
||||
gnome (James Carter)
|
||||
imaze
|
||||
ircd
|
||||
jabber
|
||||
monop
|
||||
mozilla
|
||||
mplayer
|
||||
munin
|
||||
nagios
|
||||
nessus
|
||||
netlabel (Paul Moore)
|
||||
nsd
|
||||
ntop
|
||||
nx
|
||||
oav
|
||||
oddjob (Dan Walsh)
|
||||
openca
|
||||
openvpn (Petre Rodan)
|
||||
perdition
|
||||
portslave
|
||||
postgrey
|
||||
pxe
|
||||
pyzor (Dan Walsh)
|
||||
qmail (Petre Rodan)
|
||||
razor
|
||||
resmgr
|
||||
rhgb
|
||||
rssh
|
||||
snort
|
||||
soundserver
|
||||
speedtouch
|
||||
sxid
|
||||
thunderbird
|
||||
tor (Erich Schubert)
|
||||
transproxy
|
||||
tripwire
|
||||
uptime
|
||||
uwimap
|
||||
vmware
|
||||
watchdog
|
||||
xen (Dan Walsh)
|
||||
xprint
|
||||
yam
|
||||
|
||||
* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
|
||||
- Make all interface parameters required.
|
||||
- Move boot_t, system_map_t, and modules_object_t to files module,
|
||||
and move bootloader to admin layer.
|
||||
- Add semanage policy for semodule from Dan Walsh.
|
||||
- Remove allow_execmem from targeted policy domain_base_type().
|
||||
- Add users_extra and seusers support.
|
||||
- Postfix fixes from Serge Hallyn.
|
||||
- Run python and shell directly to interpret scripts so policy
|
||||
sources need not be executable.
|
||||
- Add desc tag XML to booleans and tunables, and add summary
|
||||
to param XML tag, to make future translations possible.
|
||||
- Remove unused lvm_vg_t.
|
||||
- Many interface renames to improve naming consistency.
|
||||
- Merge xdm into xserver.
|
||||
- Remove kernel module reversed interfaces.
|
||||
- Add filename attribute to module XML tag and lineno attribute to
|
||||
interface XML tag.
|
||||
- Changed QUIET build option to a yes or no option.
|
||||
- Add a Makefile used for compiling loadable modules in a
|
||||
user's development environment, building against policy headers.
|
||||
- Add Make target for installing policy headers.
|
||||
- Separate per-userdomain template expansion from the userdomain
|
||||
module and add infrastructure to expand templates in the modules
|
||||
that own the template.
|
||||
- Enable secadm only for MLS policies.
|
||||
- Remove role change rules in su and sudo since this functionality has been
|
||||
removed from these programs.
|
||||
- Add ctags Make target from Thomas Bleher.
|
||||
- Collapse commands with grep piped to sed into one sed command.
|
||||
- Fix type_change bug in term_user_pty().
|
||||
- Move ice_tmp_t from miscfiles to xserver.
|
||||
- Login fixes from Serge Hallyn.
|
||||
- Move xserver_log_t from xdm to xserver.
|
||||
- Add lpr per-userdomain policy to lpd.
|
||||
- Miscellaneous fixes from Dan Walsh.
|
||||
- Change initrc_var_run_t interface noun from script_pid to utmp,
|
||||
for greater clarity.
|
||||
- Added modules:
|
||||
certwatch
|
||||
mono (Dan Walsh)
|
||||
mrtg
|
||||
portage
|
||||
tvtime
|
||||
userhelper
|
||||
usernetctl
|
||||
wine (Dan Walsh)
|
||||
xserver
|
||||
|
||||
* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
|
||||
- Adds support for generating corenetwork interfaces based on attributes
|
||||
in addition to types.
|
||||
- Permits the listing of multiple nodes in a network_node() that will be
|
||||
given the same type.
|
||||
- Add two new permission sets for stream sockets.
|
||||
- Rename file type transition interfaces verb from create to
|
||||
filetrans to differentiate it from create interfaces without
|
||||
type transitions.
|
||||
- Fix expansion of interfaces from disabled modules.
|
||||
- Rsync can be long running from init,
|
||||
added rules to allow this.
|
||||
- Add polyinstantiation build option.
|
||||
- Add setcontext to the association object class.
|
||||
- Add apache relay and db connect tunables.
|
||||
- Rename texrel_shlib_t to textrel_shlib_t.
|
||||
- Add swat to samba module.
|
||||
- Numerous miscellaneous fixes from Dan Walsh.
|
||||
- Added modules:
|
||||
alsa
|
||||
automount
|
||||
cdrecord
|
||||
daemontools (Petre Rodan)
|
||||
ddcprobe
|
||||
djbdns (Petre Rodan)
|
||||
fetchmail
|
||||
irc
|
||||
java
|
||||
lockdev
|
||||
logwatch (Dan Walsh)
|
||||
openct
|
||||
prelink (Dan Walsh)
|
||||
publicfile (Petre Rodan)
|
||||
readahead
|
||||
roundup
|
||||
screen
|
||||
slocate (Dan Walsh)
|
||||
slrnpull
|
||||
smartmon
|
||||
sysstat
|
||||
ucspitcp (Petre Rodan)
|
||||
usbmodules
|
||||
vbetool (Dan Walsh)
|
||||
|
||||
* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
|
||||
- Add unlabeled IPSEC association rule to domains with
|
||||
networking permissions.
|
||||
- Merge systemuser back in to users, as these files
|
||||
do not need to be split.
|
||||
- Add check for duplicate interface/template definitions.
|
||||
- Move domain, files, and corecommands modules to kernel
|
||||
layer to resolve some layering inconsistencies.
|
||||
- Move policy build options out of Makefile into build.conf.
|
||||
- Add yppasswd to nis module.
|
||||
- Change optional_policy() to refer to the module name
|
||||
rather than modulename.te.
|
||||
- Fix labeling targets to use installed file_contexts rather
|
||||
than partial file_contexts in the policy source directory.
|
||||
- Fix build process to use make's internal vpath functions
|
||||
to detect modules rather than using subshells and find.
|
||||
- Add install target for modular policy.
|
||||
- Add load target for modular policy.
|
||||
- Add appconfig dependency to the load target.
|
||||
- Miscellaneous fixes from Dan Walsh.
|
||||
- Fix corenetwork gen_context()'s to expand during the policy
|
||||
build phase instead of during the generation phase.
|
||||
- Added policies:
|
||||
amanda
|
||||
avahi
|
||||
canna
|
||||
cyrus
|
||||
dbskk
|
||||
dovecot
|
||||
distcc
|
||||
i18n_input
|
||||
irqbalance
|
||||
lpd
|
||||
networkmanager
|
||||
pegasus
|
||||
postfix
|
||||
procmail
|
||||
radius
|
||||
rdisc
|
||||
rpc
|
||||
spamassassin
|
||||
timidity
|
||||
xdm
|
||||
xfs
|
||||
|
||||
* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
|
||||
- Many fixes to make loadable modules build.
|
||||
- Add targets for sechecker.
|
||||
- Updated to sedoctool to read bool files and tunable
|
||||
files separately.
|
||||
- Changed the xml tag of <boolean> to <bool> to be consistent
|
||||
with gen_bool().
|
||||
- Modified the implementation of segenxml to use regular
|
||||
expressions.
|
||||
- Rename context_template() to gen_context() to clarify
|
||||
that its not a Reference Policy template, but a support
|
||||
macro.
|
||||
- Add disable_*_trans bool support for targeted policy.
|
||||
- Add MLS module to handle MLS constraint exceptions,
|
||||
such as reading up and writing down.
|
||||
- Fix errors uncovered by sediff.
|
||||
- Added policies:
|
||||
anaconda
|
||||
apache
|
||||
apm
|
||||
arpwatch
|
||||
bluetooth
|
||||
dmidecode
|
||||
finger
|
||||
ftp
|
||||
kudzu
|
||||
mailman
|
||||
ppp
|
||||
radvd
|
||||
sasl
|
||||
webalizer
|
||||
|
||||
* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
|
||||
- Make logrotate, sendmail, sshd, and rpm policies
|
||||
unconfined in the targeted policy so no special
|
||||
modules.conf is required.
|
||||
- Add experimental MCS support.
|
||||
- Add appconfig for MLS.
|
||||
- Add equivalents for old can_resolve(), can_ldap(), and
|
||||
can_portmap() to sysnetwork.
|
||||
- Fix base module compile issues.
|
||||
- Added policies:
|
||||
cpucontrol
|
||||
cvs
|
||||
ktalk
|
||||
portmap
|
||||
postgresql
|
||||
rlogin
|
||||
samba
|
||||
snmp
|
||||
stunnel
|
||||
telnet
|
||||
tftp
|
||||
uucp
|
||||
vpn
|
||||
zebra
|
||||
|
||||
* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
|
||||
- Fix errors uncovered by sediff.
|
||||
- Doc tool will explicitly say a module does not have interfaces
|
||||
or templates on the module page.
|
||||
- Added policies:
|
||||
comsat
|
||||
dbus
|
||||
dhcp
|
||||
dictd
|
||||
hal
|
||||
inn
|
||||
ntp
|
||||
squid
|
||||
|
||||
* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
|
||||
- Add Makefile support for building loadable modules.
|
||||
- Add genclassperms.py tool to add require blocks
|
||||
for loadable modules.
|
||||
- Change sedoctool to make required modules part of base
|
||||
by default, otherwise make as modules, in modules.conf.
|
||||
- Fix segenxml to handle modules with no interfaces.
|
||||
- Rename ipsec connect interface for consistency.
|
||||
- Add missing parts of unix stream socket connect interface
|
||||
of ipsec.
|
||||
- Rename inetd connect interface for consistency.
|
||||
- Rename interface for purging contents of tmp, for clarity,
|
||||
since it allows deletion of classes other than file.
|
||||
- Misc. cleanups.
|
||||
- Added policies:
|
||||
acct
|
||||
bind
|
||||
firstboot
|
||||
gpm
|
||||
howl
|
||||
ldap
|
||||
loadkeys
|
||||
mysql
|
||||
privoxy
|
||||
quota
|
||||
rshd
|
||||
rsync
|
||||
su
|
||||
sudo
|
||||
tcpd
|
||||
tmpreaper
|
||||
updfstab
|
||||
|
||||
* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
|
||||
- Fix comparison bug in fc_sort.
|
||||
- Fix handling of ordered and unordered HTML lists.
|
||||
- Corenetwork now supports multiple network interfaces having the
|
||||
same type.
|
||||
- Doc tool now creates pages for global Booleans and global tunables.
|
||||
- Doc tool now links directly to the interface/template in the
|
||||
module page when it is selected in the interface/template index.
|
||||
- Added support for layer summaries.
|
||||
- Added policies:
|
||||
ipsec
|
||||
nscd
|
||||
pcmcia
|
||||
raid
|
||||
|
||||
* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
|
||||
- Changed xml to have modules encapsulated by layer tags, rather
|
||||
than putting layer="foo" in the module tags. Also in the future
|
||||
we can put a summary and description for each layer.
|
||||
- Added tool to infer interface, module, and layer tags. This will
|
||||
now list all interfaces, even if they are missing xml docs.
|
||||
- Shortened xml tag names.
|
||||
- Added macros to declare interfaces and templates.
|
||||
- Added interface call trace.
|
||||
- Updated all xml documentation for shorter and inferred tags.
|
||||
- Doc tool now displays templates in the web pages.
|
||||
- Doc tool retains the user's settings in modules.conf and
|
||||
tunables.conf if the files already exist.
|
||||
- Modules.conf behavior has been changed to be a list of all
|
||||
available modules, and the user can specify if the module is
|
||||
built as a loadable module, included in the monolithic policy,
|
||||
or excluded.
|
||||
- Added policies:
|
||||
fstools (fsck, mkfs, swapon, etc. tools)
|
||||
logrotate
|
||||
inetd
|
||||
kerberos
|
||||
nis (ypbind and ypserv)
|
||||
ssh (server, client, and agent)
|
||||
unconfined
|
||||
- Added infrastructure for targeted policy support, only missing
|
||||
transition boolean support.
|
||||
|
||||
* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
|
||||
- Initial release
|
48
INSTALL
Normal file
48
INSTALL
Normal file
@ -0,0 +1,48 @@
|
||||
Reference Policy has a requirement of checkpolicy 1.33.1 and
|
||||
libsepol-1.16.2. Red Hat Enterprise Linux 4 and Fedora Core 4 RPMs
|
||||
are available on the CLIP download page at http://oss.tresys.com,
|
||||
and can be installed thusly:
|
||||
|
||||
Red Hat Enterprise Linux 4:
|
||||
|
||||
rpm -i libsepol-1.11.7-1.i386.rpm
|
||||
rpm -U checkpolicy-1.28-4.i386.rpm
|
||||
|
||||
Fedora Core 4:
|
||||
|
||||
rpm -U libsepol-1.11.7-1.i386.rpm checkpolicy-1.28-4.i386.rpm
|
||||
|
||||
To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
|
||||
|
||||
make install-src
|
||||
|
||||
This will back up a pre-existing source policy to the
|
||||
/etc/selinux/refpolicy/src/policy.bak directory.
|
||||
|
||||
If you do not have a modules.conf, one can be generated:
|
||||
|
||||
make conf
|
||||
|
||||
This will create a default modules.conf. Options for the policy
|
||||
build process can be found in build.conf. After installing the policy sources,
|
||||
the old Make targets have been maintained for the monolithic policy:
|
||||
|
||||
Local policy development:
|
||||
|
||||
make policy
|
||||
|
||||
Compile and install the policy:
|
||||
|
||||
make install
|
||||
|
||||
Compile, install, and load the policy:
|
||||
|
||||
make load
|
||||
|
||||
Filesystem labeling:
|
||||
|
||||
make relabel
|
||||
make checklabels
|
||||
make restorelabels
|
||||
|
||||
See the README for more information on available make targets.
|
670
Makefile
Normal file
670
Makefile
Normal file
@ -0,0 +1,670 @@
|
||||
#
|
||||
# Makefile for the security policy.
|
||||
#
|
||||
# Targets:
|
||||
#
|
||||
# install - compile and install the policy configuration, and context files.
|
||||
# load - compile, install, and load the policy configuration.
|
||||
# reload - compile, install, and load/reload the policy configuration.
|
||||
# relabel - relabel filesystems based on the file contexts configuration.
|
||||
# checklabels - check filesystems against the file context configuration
|
||||
# restorelabels - check filesystems against the file context configuration
|
||||
# and restore the label of files with incorrect labels
|
||||
# policy - compile the policy configuration locally for testing/development.
|
||||
#
|
||||
# The default target is 'policy'.
|
||||
#
|
||||
#
|
||||
# Please see build.conf for policy build options.
|
||||
#
|
||||
|
||||
########################################
|
||||
#
|
||||
# NO OPTIONS BELOW HERE
|
||||
#
|
||||
|
||||
# Include the local build.conf if it exists, otherwise
|
||||
# include the configuration of the root directory.
|
||||
include build.conf
|
||||
|
||||
ifdef LOCAL_ROOT
|
||||
-include $(LOCAL_ROOT)/build.conf
|
||||
endif
|
||||
|
||||
# refpolicy version
|
||||
version = $(shell cat VERSION)
|
||||
|
||||
ifdef LOCAL_ROOT
|
||||
builddir := $(LOCAL_ROOT)/
|
||||
tmpdir := $(LOCAL_ROOT)/tmp
|
||||
tags := $(LOCAL_ROOT)/tags
|
||||
else
|
||||
tmpdir := tmp
|
||||
tags := tags
|
||||
endif
|
||||
|
||||
# executable paths
|
||||
BINDIR ?= /usr/bin
|
||||
SBINDIR ?= /usr/sbin
|
||||
ifdef TEST_TOOLCHAIN
|
||||
tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
|
||||
tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
|
||||
tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
|
||||
else
|
||||
tc_usrbindir := $(BINDIR)
|
||||
tc_usrsbindir := $(SBINDIR)
|
||||
tc_sbindir := /sbin
|
||||
endif
|
||||
CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
|
||||
CHECKMODULE ?= $(tc_usrbindir)/checkmodule
|
||||
SEMODULE ?= $(tc_usrsbindir)/semodule
|
||||
SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
|
||||
SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
|
||||
SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
|
||||
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
|
||||
SETFILES ?= $(tc_sbindir)/setfiles
|
||||
XMLLINT ?= $(BINDIR)/xmllint
|
||||
SECHECK ?= $(BINDIR)/sechecker
|
||||
|
||||
# interpreters and aux tools
|
||||
AWK ?= gawk
|
||||
GREP ?= egrep
|
||||
INSTALL ?= install
|
||||
M4 ?= m4
|
||||
PYTHON ?= python
|
||||
SED ?= sed
|
||||
SORT ?= LC_ALL=C sort
|
||||
|
||||
CFLAGS += -Wall
|
||||
|
||||
# policy source layout
|
||||
poldir := policy
|
||||
moddir := $(poldir)/modules
|
||||
flaskdir := $(poldir)/flask
|
||||
secclass := $(flaskdir)/security_classes
|
||||
isids := $(flaskdir)/initial_sids
|
||||
avs := $(flaskdir)/access_vectors
|
||||
|
||||
# local source layout
|
||||
ifdef LOCAL_ROOT
|
||||
local_poldir := $(LOCAL_ROOT)/policy
|
||||
local_moddir := $(local_poldir)/modules
|
||||
endif
|
||||
|
||||
# policy building support tools
|
||||
support := support
|
||||
genxml := $(PYTHON) -E $(support)/segenxml.py
|
||||
gendoc := $(PYTHON) -E $(support)/sedoctool.py
|
||||
genperm := $(PYTHON) -E $(support)/genclassperms.py
|
||||
fcsort := $(tmpdir)/fc_sort
|
||||
setbools := $(AWK) -f $(support)/set_bools_tuns.awk
|
||||
get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
|
||||
comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
|
||||
gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
|
||||
m4iferror := $(support)/iferror.m4
|
||||
m4divert := $(support)/divert.m4
|
||||
m4undivert := $(support)/undivert.m4
|
||||
# use our own genhomedircon to make sure we have a known usable one,
|
||||
# so policycoreutils updates are not required (RHEL4)
|
||||
genhomedircon := $(PYTHON) -E $(support)/genhomedircon
|
||||
|
||||
# documentation paths
|
||||
docs := doc
|
||||
xmldtd = $(docs)/policy.dtd
|
||||
metaxml = metadata.xml
|
||||
doctemplate = $(docs)/templates
|
||||
docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
|
||||
|
||||
ifndef LOCAL_ROOT
|
||||
polxml = $(docs)/policy.xml
|
||||
tunxml = $(docs)/global_tunables.xml
|
||||
boolxml = $(docs)/global_booleans.xml
|
||||
htmldir = $(docs)/html
|
||||
else
|
||||
polxml = $(LOCAL_ROOT)/doc/policy.xml
|
||||
tunxml = $(LOCAL_ROOT)/doc/global_tunables.xml
|
||||
boolxml = $(LOCAL_ROOT)/doc/global_booleans.xml
|
||||
htmldir = $(LOCAL_ROOT)/doc/html
|
||||
endif
|
||||
|
||||
# config file paths
|
||||
globaltun = $(poldir)/global_tunables
|
||||
globalbool = $(poldir)/global_booleans
|
||||
rolemap = $(poldir)/rolemap
|
||||
user_files := $(poldir)/users
|
||||
policycaps := $(poldir)/policy_capabilities
|
||||
|
||||
# local config file paths
|
||||
ifndef LOCAL_ROOT
|
||||
mod_conf = $(poldir)/modules.conf
|
||||
booleans = $(poldir)/booleans.conf
|
||||
tunables = $(poldir)/tunables.conf
|
||||
else
|
||||
mod_conf = $(local_poldir)/modules.conf
|
||||
booleans = $(local_poldir)/booleans.conf
|
||||
tunables = $(local_poldir)/tunables.conf
|
||||
endif
|
||||
|
||||
# install paths
|
||||
PKGNAME ?= refpolicy-$(version)
|
||||
prefix = $(DESTDIR)/usr
|
||||
topdir = $(DESTDIR)/etc/selinux
|
||||
installdir = $(topdir)/$(strip $(NAME))
|
||||
srcpath = $(installdir)/src
|
||||
userpath = $(installdir)/users
|
||||
policypath = $(installdir)/policy
|
||||
contextpath = $(installdir)/contexts
|
||||
homedirpath = $(contextpath)/files/homedir_template
|
||||
fcpath = $(contextpath)/files/file_contexts
|
||||
ncpath = $(contextpath)/netfilter_contexts
|
||||
sharedir = $(prefix)/share/selinux
|
||||
modpkgdir = $(sharedir)/$(strip $(NAME))
|
||||
headerdir = $(modpkgdir)/include
|
||||
docsdir = $(prefix)/share/doc/$(PKGNAME)
|
||||
|
||||
# enable MLS if requested.
|
||||
ifeq "$(TYPE)" "mls"
|
||||
M4PARAM += -D enable_mls
|
||||
CHECKPOLICY += -M
|
||||
CHECKMODULE += -M
|
||||
gennetfilter += -m
|
||||
endif
|
||||
|
||||
# enable MLS if MCS requested.
|
||||
ifeq "$(TYPE)" "mcs"
|
||||
M4PARAM += -D enable_mcs
|
||||
CHECKPOLICY += -M
|
||||
CHECKMODULE += -M
|
||||
gennetfilter += -c
|
||||
endif
|
||||
|
||||
# enable distribution-specific policy
|
||||
ifneq ($(DISTRO),)
|
||||
M4PARAM += -D distro_$(DISTRO)
|
||||
endif
|
||||
|
||||
# rhel4 also implies redhat
|
||||
ifeq "$(DISTRO)" "rhel4"
|
||||
M4PARAM += -D distro_redhat
|
||||
endif
|
||||
|
||||
ifeq "$(DISTRO)" "ubuntu"
|
||||
M4PARAM += -D distro_debian
|
||||
endif
|
||||
|
||||
ifneq ($(OUTPUT_POLICY),)
|
||||
CHECKPOLICY += -c $(OUTPUT_POLICY)
|
||||
endif
|
||||
|
||||
# if not set, use the type as the name.
|
||||
NAME ?= $(TYPE)
|
||||
|
||||
# default unknown permissions setting
|
||||
#UNK_PERMS ?= deny
|
||||
|
||||
ifeq ($(DIRECT_INITRC),y)
|
||||
M4PARAM += -D direct_sysadm_daemon
|
||||
endif
|
||||
|
||||
ifeq "$(UBAC)" "y"
|
||||
M4PARAM += -D enable_ubac
|
||||
endif
|
||||
|
||||
# default MLS/MCS sensitivity and category settings.
|
||||
MLS_SENS ?= 16
|
||||
MLS_CATS ?= 1024
|
||||
MCS_CATS ?= 1024
|
||||
|
||||
ifeq ($(QUIET),y)
|
||||
verbose = @
|
||||
endif
|
||||
|
||||
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
|
||||
|
||||
# we need exuberant ctags; unfortunately it is named
|
||||
# differently on different distros
|
||||
ifeq ($(DISTRO),debian)
|
||||
CTAGS := ctags-exuberant
|
||||
endif
|
||||
|
||||
ifeq ($(DISTRO),gentoo)
|
||||
CTAGS := exuberant-ctags
|
||||
endif
|
||||
|
||||
CTAGS ?= ctags
|
||||
|
||||
m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt)
|
||||
ifdef LOCAL_ROOT
|
||||
m4support += $(wildcard $(local_poldir)/support/*.spt)
|
||||
endif
|
||||
m4support += $(m4undivert)
|
||||
|
||||
appconf := config/appconfig-$(TYPE)
|
||||
seusers := $(appconf)/seusers
|
||||
appdir := $(contextpath)
|
||||
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
|
||||
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
|
||||
appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
|
||||
net_contexts := $(builddir)net_contexts
|
||||
|
||||
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
|
||||
ifdef LOCAL_ROOT
|
||||
all_layers += $(shell find $(wildcard $(local_moddir)/*) -maxdepth 0 -type d)
|
||||
endif
|
||||
|
||||
generated_te := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te.in)))
|
||||
generated_if := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if.in)))
|
||||
generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in)))
|
||||
|
||||
# sort here since it removes duplicates, which can happen
|
||||
# when a generated file is already generated
|
||||
detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
|
||||
|
||||
modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
|
||||
layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
|
||||
layer_names := $(sort $(notdir $(all_layers)))
|
||||
all_metaxml = $(call detect-metaxml, $(layer_names))
|
||||
|
||||
# modules.conf setting for base module
|
||||
configbase := base
|
||||
|
||||
# modules.conf setting for loadable module
|
||||
configmod := module
|
||||
|
||||
# modules.conf setting for unused module
|
||||
configoff := off
|
||||
|
||||
# test for module overrides from command line
|
||||
mod_test = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
|
||||
mod_test += $(filter $(APPS_MODS), $(APPS_BASE))
|
||||
ifneq "$(strip $(mod_test))" ""
|
||||
$(error Applications must be base, module, or off, and not in more than one list! $(strip $(mod_test)) found in multiple lists!)
|
||||
endif
|
||||
|
||||
# add on suffix to modules specified on command line
|
||||
cmdline_base := $(addsuffix .te,$(APPS_BASE))
|
||||
cmdline_mods := $(addsuffix .te,$(APPS_MODS))
|
||||
cmdline_off := $(addsuffix .te,$(APPS_OFF))
|
||||
|
||||
# extract settings from modules.conf
|
||||
mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
|
||||
mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
|
||||
mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
|
||||
|
||||
base_mods := $(cmdline_base)
|
||||
mod_mods := $(cmdline_mods)
|
||||
off_mods := $(cmdline_off)
|
||||
|
||||
base_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_base))
|
||||
mod_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_mods))
|
||||
off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_off))
|
||||
|
||||
# add modules not in modules.conf to the off list
|
||||
off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
|
||||
|
||||
# filesystems to be used in labeling targets
|
||||
filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
|
||||
fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
|
||||
|
||||
########################################
|
||||
#
|
||||
# Functions
|
||||
#
|
||||
|
||||
# parse-rolemap-compat modulename,outputfile
|
||||
define parse-rolemap-compat
|
||||
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
||||
$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||
endef
|
||||
|
||||
# parse-rolemap modulename,outputfile
|
||||
define parse-rolemap
|
||||
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
||||
$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||
endef
|
||||
|
||||
# perrole-expansion modulename,outputfile
|
||||
define perrole-expansion
|
||||
$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
|
||||
$(call parse-rolemap,$1,$2)
|
||||
$(verbose) echo "')" >> $2
|
||||
|
||||
$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
|
||||
$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
|
||||
$(call parse-rolemap-compat,$1,$2)
|
||||
$(verbose) echo "')" >> $2
|
||||
endef
|
||||
|
||||
# create-base-per-role-tmpl modulenames,outputfile
|
||||
define create-base-per-role-tmpl
|
||||
$(verbose) echo "define(\`base_per_role_template',\`" >> $2
|
||||
|
||||
$(verbose) for i in $1; do \
|
||||
echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \
|
||||
>> $2 ;\
|
||||
done
|
||||
|
||||
$(verbose) for i in $1; do \
|
||||
echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\
|
||||
echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\
|
||||
echo """$$i""_per_userdomain_template("'$$*'")')" >> $2 ;\
|
||||
done
|
||||
$(verbose) echo "')" >> $@
|
||||
|
||||
endef
|
||||
|
||||
# detect-metaxml layer_names
|
||||
ifdef LOCAL_ROOT
|
||||
define detect-metaxml
|
||||
$(shell for i in $1; do \
|
||||
if [ -d $(moddir)/$$i -a -d $(local_moddir)/$$i ]; then \
|
||||
if [ -f $(local_moddir)/$$i/$(metaxml) ]; then \
|
||||
echo $(local_moddir)/$$i/$(metaxml) ;\
|
||||
else \
|
||||
echo $(moddir)/$$i/$(metaxml) ;\
|
||||
fi \
|
||||
elif [ -d $(local_moddir)/$$i ]; then
|
||||
echo $(local_moddir)/$$i/$(metaxml) ;\
|
||||
else \
|
||||
echo $(moddir)/$$i/$(metaxml) ;\
|
||||
fi \
|
||||
done )
|
||||
endef
|
||||
else
|
||||
define detect-metaxml
|
||||
$(shell for i in $1; do echo $(moddir)/$$i/$(metaxml); done)
|
||||
endef
|
||||
endif
|
||||
|
||||
########################################
|
||||
#
|
||||
# Load appropriate rules
|
||||
#
|
||||
|
||||
ifeq ($(MONOLITHIC),y)
|
||||
include Rules.monolithic
|
||||
else
|
||||
include Rules.modular
|
||||
endif
|
||||
|
||||
########################################
|
||||
#
|
||||
# Generated files
|
||||
#
|
||||
# NOTE: There is no "local" version of these files.
|
||||
#
|
||||
generate: $(generated_te) $(generated_if) $(generated_fc)
|
||||
|
||||
$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
|
||||
@echo "#" > $@
|
||||
@echo "# This is a generated file! Instead of modifying this file, the" >> $@
|
||||
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
|
||||
@echo "#" >> $@
|
||||
$(verbose) cat $@.in >> $@
|
||||
$(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
|
||||
| $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
|
||||
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
|
||||
|
||||
$(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in
|
||||
@echo "#" > $@
|
||||
@echo "# This is a generated file! Instead of modifying this file, the" >> $@
|
||||
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
|
||||
@echo "#" >> $@
|
||||
$(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \
|
||||
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Network packet labeling
|
||||
#
|
||||
$(net_contexts): $(moddir)/kernel/corenetwork.te.in
|
||||
@echo "Creating netfilter network labeling rules"
|
||||
$(verbose) $(gennetfilter) $^ > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Create config files
|
||||
#
|
||||
conf: $(mod_conf) $(booleans) $(generated_te) $(generated_if) $(generated_fc)
|
||||
|
||||
$(mod_conf) $(booleans): $(polxml)
|
||||
@echo "Updating $(mod_conf) and $(booleans)"
|
||||
$(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Generate the fc_sort program
|
||||
#
|
||||
$(fcsort) : $(support)/fc_sort.c
|
||||
$(verbose) $(CC) $(CFLAGS) $^ -o $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Documentation generation
|
||||
#
|
||||
$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > $@
|
||||
$(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
|
||||
ifdef LOCAL_ROOT
|
||||
$(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
|
||||
endif
|
||||
|
||||
$(tunxml): $(globaltun)
|
||||
$(verbose) $(genxml) -w -t $< > $@
|
||||
|
||||
$(boolxml): $(globalbool)
|
||||
$(verbose) $(genxml) -w -b $< > $@
|
||||
|
||||
$(polxml): $(layerxml) $(tunxml) $(boolxml)
|
||||
@echo "Creating $(@F)"
|
||||
@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
|
||||
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
|
||||
$(verbose) echo '<policy>' >> $@
|
||||
$(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
|
||||
$(verbose) cat $(tunxml) $(boolxml) >> $@
|
||||
$(verbose) echo '</policy>' >> $@
|
||||
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
|
||||
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
|
||||
fi
|
||||
|
||||
xml: $(polxml)
|
||||
|
||||
html $(tmpdir)/html: $(polxml)
|
||||
@echo "Building html interface reference documentation in $(htmldir)"
|
||||
@test -d $(htmldir) || mkdir -p $(htmldir)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(gendoc) -d $(htmldir) -T $(doctemplate) -x $(polxml)
|
||||
$(verbose) cp $(doctemplate)/*.css $(htmldir)
|
||||
@touch $(tmpdir)/html
|
||||
|
||||
########################################
|
||||
#
|
||||
# Runtime binary policy patching of users
|
||||
#
|
||||
$(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files)
|
||||
@mkdir -p $(tmpdir)
|
||||
@mkdir -p $(userpath)
|
||||
@echo "Installing system.users"
|
||||
@echo "# " > $(tmpdir)/system.users
|
||||
@echo "# Do not edit this file. " >> $(tmpdir)/system.users
|
||||
@echo "# This file is replaced on reinstalls of this policy." >> $(tmpdir)/system.users
|
||||
@echo "# Please edit local.users to make local changes." >> $(tmpdir)/system.users
|
||||
@echo "#" >> $(tmpdir)/system.users
|
||||
$(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \
|
||||
-e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users
|
||||
$(verbose) $(INSTALL) -m 644 $(tmpdir)/system.users $@
|
||||
|
||||
$(userpath)/local.users: config/local.users
|
||||
@mkdir -p $(userpath)
|
||||
@echo "Installing local.users"
|
||||
$(verbose) $(INSTALL) -b -m 644 $< $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Build Appconfig files
|
||||
#
|
||||
$(tmpdir)/initrc_context: $(appconf)/initrc_context
|
||||
@mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install Appconfig files
|
||||
#
|
||||
install-appconfig: $(appfiles)
|
||||
|
||||
$(installdir)/booleans: $(booleans)
|
||||
@mkdir -p $(tmpdir)
|
||||
@mkdir -p $(installdir)
|
||||
$(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \
|
||||
-e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans
|
||||
$(verbose) $(INSTALL) -m 644 $(tmpdir)/booleans $@
|
||||
|
||||
$(contextpath)/files/media: $(appconf)/media
|
||||
@mkdir -p $(contextpath)/files/
|
||||
$(verbose) $(INSTALL) -m 644 $< $@
|
||||
|
||||
$(contextpath)/users/%: $(appconf)/%_default_contexts
|
||||
@mkdir -p $(appdir)/users
|
||||
$(verbose) $(INSTALL) -m 644 $^ $@
|
||||
|
||||
$(appdir)/%: $(appconf)/%
|
||||
@mkdir -p $(appdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(m4support) $< > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install policy headers
|
||||
#
|
||||
install-headers: $(layerxml) $(tunxml) $(boolxml)
|
||||
@mkdir -p $(headerdir)
|
||||
@echo "Installing $(NAME) policy headers."
|
||||
$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(rolemap) > $(headerdir)/$(notdir $(rolemap))
|
||||
$(verbose) mkdir -p $(headerdir)/support
|
||||
$(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
|
||||
$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
|
||||
$(verbose) for i in $(notdir $(all_layers)); do \
|
||||
mkdir -p $(headerdir)/$$i ;\
|
||||
$(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\
|
||||
done
|
||||
$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
|
||||
$(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf
|
||||
ifneq "$(DISTRO)" ""
|
||||
$(verbose) echo "DISTRO ?= $(DISTRO)" >> $(headerdir)/build.conf
|
||||
endif
|
||||
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
|
||||
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
|
||||
$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install policy documentation
|
||||
#
|
||||
install-docs: $(tmpdir)/html
|
||||
@mkdir -p $(docsdir)/html
|
||||
@echo "Installing policy documentation"
|
||||
$(verbose) $(INSTALL) -m 644 $(docfiles) $(docsdir)
|
||||
$(verbose) $(INSTALL) -m 644 $(wildcard $(htmldir)/*) $(docsdir)/html
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install policy sources
|
||||
#
|
||||
install-src:
|
||||
rm -rf $(srcpath)/policy.old
|
||||
-mv $(srcpath)/policy $(srcpath)/policy.old
|
||||
mkdir -p $(srcpath)/policy
|
||||
cp -R . $(srcpath)/policy
|
||||
|
||||
########################################
|
||||
#
|
||||
# Generate tags file
|
||||
#
|
||||
tags: $(tags)
|
||||
$(tags):
|
||||
@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
|
||||
@LC_ALL=C $(CTAGS) -f $(tags) --langdef=te --langmap=te:..te.if.spt \
|
||||
--regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
|
||||
--regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
|
||||
--regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
|
||||
--regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
|
||||
--regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
|
||||
--regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \
|
||||
--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
|
||||
|
||||
########################################
|
||||
#
|
||||
# Filesystem labeling
|
||||
#
|
||||
checklabels:
|
||||
@echo "Checking labels on filesystem types: $(fs_names)"
|
||||
@if test -z "$(filesystems)"; then \
|
||||
echo "No filesystems with extended attributes found!" ;\
|
||||
false ;\
|
||||
fi
|
||||
$(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems)
|
||||
|
||||
restorelabels:
|
||||
@echo "Restoring labels on filesystem types: $(fs_names)"
|
||||
@if test -z "$(filesystems)"; then \
|
||||
echo "No filesystems with extended attributes found!" ;\
|
||||
false ;\
|
||||
fi
|
||||
$(verbose) $(SETFILES) -v $(fcpath) $(filesystems)
|
||||
|
||||
relabel:
|
||||
@echo "Relabeling filesystem types: $(fs_names)"
|
||||
@if test -z "$(filesystems)"; then \
|
||||
echo "No filesystems with extended attributes found!" ;\
|
||||
false ;\
|
||||
fi
|
||||
$(verbose) $(SETFILES) $(fcpath) $(filesystems)
|
||||
|
||||
resetlabels:
|
||||
@echo "Resetting labels on filesystem types: $(fs_names)"
|
||||
@if test -z "$(filesystems)"; then \
|
||||
echo "No filesystems with extended attributes found!" ;\
|
||||
false ;\
|
||||
fi
|
||||
$(verbose) $(SETFILES) -F $(fcpath) $(filesystems)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Clean everything
|
||||
#
|
||||
bare: clean
|
||||
rm -f $(polxml)
|
||||
rm -f $(layerxml)
|
||||
rm -f $(modxml)
|
||||
rm -f $(tunxml)
|
||||
rm -f $(boolxml)
|
||||
rm -f $(mod_conf)
|
||||
rm -f $(booleans)
|
||||
rm -fR $(htmldir)
|
||||
rm -f $(tags)
|
||||
# don't remove these files if we're given a local root
|
||||
ifndef LOCAL_ROOT
|
||||
rm -f $(fcsort)
|
||||
rm -f $(support)/*.pyc
|
||||
ifneq ($(generated_te),)
|
||||
rm -f $(generated_te)
|
||||
endif
|
||||
ifneq ($(generated_if),)
|
||||
rm -f $(generated_if)
|
||||
endif
|
||||
ifneq ($(generated_fc),)
|
||||
rm -f $(generated_fc)
|
||||
endif
|
||||
endif
|
||||
|
||||
.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags
|
||||
.SUFFIXES:
|
||||
.SUFFIXES: .c
|
269
README
Normal file
269
README
Normal file
@ -0,0 +1,269 @@
|
||||
1) Reference Policy make targets:
|
||||
|
||||
General Make targets:
|
||||
|
||||
install-src Install the policy sources into
|
||||
/etc/selinux/NAME/src/policy, where NAME is defined in
|
||||
the Makefile. If not defined, the TYPE, as defined in
|
||||
the Makefile, is used. The default NAME is refpolicy.
|
||||
A pre-existing source policy will be moved to
|
||||
/etc/selinux/NAME/src/policy.bak.
|
||||
|
||||
conf Regenerate policy.xml, and update/create modules.conf
|
||||
and booleans.conf. This should be done after adding
|
||||
or removing modules, or after running the bare target.
|
||||
If the configuration files exist, their settings will
|
||||
be preserved. This must be ran on policy sources that
|
||||
are checked out from the CVS repository before they can
|
||||
be used.
|
||||
|
||||
clean Delete all temporary files, compiled policies,
|
||||
and file_contexts. Configuration files are left intact.
|
||||
|
||||
bare Do the clean make target and also delete configuration
|
||||
files, web page documentation, and policy.xml.
|
||||
|
||||
html Regenerate policy.xml and create web page documentation
|
||||
in the doc/html directory.
|
||||
|
||||
Make targets specific to modular (loadable modules) policies:
|
||||
|
||||
base Compile and package the base module. This is the
|
||||
default target for modular policies.
|
||||
|
||||
modules Compile and package all Reference Policy modules
|
||||
configured to be built as loadable modules.
|
||||
|
||||
MODULENAME.pp Compile and package the MODULENAME Reference Policy
|
||||
module.
|
||||
|
||||
all Compile and package the base module and all Reference
|
||||
Policy modules configured to be built as loadable
|
||||
modules.
|
||||
|
||||
install Compile, package, and install the base module and
|
||||
Reference Policy modules configured to be built as
|
||||
loadable modules.
|
||||
|
||||
load Compile, package, and install the base module and
|
||||
Reference Policy modules configured to be built as
|
||||
loadable modules, then insert them into the module
|
||||
store.
|
||||
|
||||
validate Validate if the configured modules can successfully
|
||||
link and expand.
|
||||
|
||||
install-headers Install the policy headers into /usr/share/selinux/NAME.
|
||||
The headers are sufficient for building a policy
|
||||
module locally, without requiring the complete
|
||||
Reference Policy sources. The build.conf settings
|
||||
for this policy configuration should be set before
|
||||
using this target.
|
||||
|
||||
Make targets specific to monolithic policies:
|
||||
|
||||
policy Compile a policy locally for development and testing.
|
||||
This is the default target for monolithic policies.
|
||||
|
||||
install Compile and install the policy and file contexts.
|
||||
|
||||
load Compile and install the policy and file contexts, then
|
||||
load the policy.
|
||||
|
||||
enableaudit Remove all dontaudit rules from policy.conf.
|
||||
|
||||
relabel Relabel the filesystem.
|
||||
|
||||
checklabels Check the labels on the filesystem, and report when
|
||||
a file would be relabeled, but do not change its label.
|
||||
|
||||
restorelabels Relabel the filesystem and report each file that is
|
||||
relabeled.
|
||||
|
||||
|
||||
2) Reference Policy Build Options (build.conf)
|
||||
|
||||
TYPE String. Available options are standard, mls, and mcs.
|
||||
For a type enforcement only system, set standard.
|
||||
This optionally enables multi-level security (MLS) or
|
||||
multi-category security (MCS) features. This option
|
||||
controls enable_mls, and enable_mcs policy blocks.
|
||||
|
||||
NAME String (optional). Sets the name of the policy; the
|
||||
NAME is used when installing files to e.g.,
|
||||
/etc/selinux/NAME and /usr/share/selinux/NAME. If not
|
||||
set, the policy type (TYPE) is used.
|
||||
|
||||
DISTRO String (optional). Enable distribution-specific policy.
|
||||
Available options are redhat, rhel4, gentoo, debian,
|
||||
and suse. This option controls distro_redhat,
|
||||
distro_rhel4, distro_gentoo, distro_debian, and
|
||||
distro_suse policy blocks.
|
||||
|
||||
MONOLITHIC Boolean. If set, a monolithic policy is built,
|
||||
otherwise a modular policy is built.
|
||||
|
||||
DIRECT_INITRC Boolean. If set, sysadm will be allowed to directly
|
||||
run init scripts, instead of requiring the run_init
|
||||
tool. This is a build option instead of a tunable since
|
||||
role transitions do not work in conditional policy.
|
||||
This option controls direct_sysadm_daemon policy
|
||||
blocks.
|
||||
|
||||
OUTPUT_POLICY Integer. Set the version of the policy created when
|
||||
building a monolithic policy. This option has no effect
|
||||
on modular policy.
|
||||
|
||||
UNK_PERMS String. Set the kernel behavior for handling of
|
||||
permissions defined in the kernel but missing from the
|
||||
policy. The permissions can either be allowed, denied,
|
||||
or the policy loading can be rejected.
|
||||
|
||||
UBAC Boolean. If set, the SELinux user will be used
|
||||
additionally for approximate role separation.
|
||||
|
||||
MLS_SENS Integer. Set the number of sensitivities in the MLS
|
||||
policy. Ignored on standard and MCS policies.
|
||||
|
||||
MLS_CATS Integer. Set the number of categories in the MLS
|
||||
policy. Ignored on standard and MCS policies.
|
||||
|
||||
MCS_CATS Integer. Set the number of categories in the MCS
|
||||
policy. Ignored on standard and MLS policies.
|
||||
|
||||
QUIET Boolean. If set, the build system will only display
|
||||
status messages and error messages. This option has no
|
||||
effect on policy.
|
||||
|
||||
|
||||
3) Reference Policy Files and Directories
|
||||
All directories relative to the root of the Reference Policy sources directory.
|
||||
|
||||
Makefile General rules for building the policy.
|
||||
|
||||
Rules.modular Makefile rules specific to building loadable module
|
||||
policies.
|
||||
|
||||
Rules.monolithic Makefile rules specific to building monolithic policies.
|
||||
|
||||
build.conf Options which influence the building of the policy,
|
||||
such as the policy type and distribution.
|
||||
|
||||
config/appconfig-* Application configuration files for all configurations
|
||||
of the Reference Policy (targeted/strict with or without
|
||||
MLS or MCS). These are used by SELinux-aware programs.
|
||||
|
||||
config/local.users The file read by load policy for adding SELinux users
|
||||
to the policy on the fly.
|
||||
|
||||
doc/html/* This contains the contents of the in-policy XML
|
||||
documentation, presented in web page form.
|
||||
|
||||
doc/policy.dtd The doc/policy.xml file is validated against this DTD.
|
||||
|
||||
doc/policy.xml This file is generated/updated by the conf and html make
|
||||
targets. It contains the complete XML documentation
|
||||
included in the policy.
|
||||
|
||||
doc/templates/* Templates used for documentation web pages.
|
||||
|
||||
policy/booleans.conf This file is generated/updated by the conf make target.
|
||||
It contains the booleans in the policy, and their
|
||||
default values. If tunables are implemented as
|
||||
booleans, tunables will also be included. This file
|
||||
will be installed as the /etc/selinux/NAME/booleans
|
||||
file.
|
||||
|
||||
policy/constraints This file defines additional constraints on permissions
|
||||
in the form of boolean expressions that must be
|
||||
satisfied in order for specified permissions to be
|
||||
granted. These constraints are used to further refine
|
||||
the type enforcement rules and the role allow rules.
|
||||
Typically, these constraints are used to restrict
|
||||
changes in user identity or role to certain domains.
|
||||
|
||||
policy/global_booleans This file defines all booleans that have a global scope,
|
||||
their default value, and documentation.
|
||||
|
||||
policy/global_tunables This file defines all tunables that have a global scope,
|
||||
their default value, and documentation.
|
||||
|
||||
policy/flask/initial_sids This file has declarations for each initial SID.
|
||||
|
||||
policy/flask/security_classes This file has declarations for each security class.
|
||||
|
||||
policy/flask/access_vectors This file defines the access vectors. Common
|
||||
prefixes for access vectors may be defined at the
|
||||
beginning of the file. After the common prefixes are
|
||||
defined, an access vector may be defined for each
|
||||
security class.
|
||||
|
||||
policy/mcs The multi-category security (MCS) configuration.
|
||||
|
||||
policy/mls The multi-level security (MLS) configuration.
|
||||
|
||||
policy/modules/* Each directory represents a layer in Reference Policy
|
||||
all of the modules are contained in one of these layers.
|
||||
|
||||
policy/modules.conf This file contains a listing of available modules, and
|
||||
how they will be used when building Reference Policy. To
|
||||
prevent a module from being used, set the module to
|
||||
"off". For monolithic policies, modules set to "base"
|
||||
and "module" will be included in the policy. For
|
||||
modular policies, modules set to "base" will be included
|
||||
in the base module; those set to "module" will be
|
||||
compiled as individual loadable modules.
|
||||
|
||||
policy/rolemap This file contains prefix and user domain type that
|
||||
corresponds to each user role. The contents of this
|
||||
file will be used to expand the per-user domain
|
||||
templates for each module.
|
||||
|
||||
policy/support/* Support macros.
|
||||
|
||||
policy/users This file defines the users included in the policy.
|
||||
|
||||
support/* Tools used in the build process.
|
||||
|
||||
|
||||
4) Building policy modules using Reference Policy headers:
|
||||
|
||||
The system must first have the Reference Policy headers installed, typically
|
||||
by the distribution. Otherwise, the headers can be installed using the
|
||||
install-headers target from the full Reference Policy sources.
|
||||
|
||||
To set up a directory to build a local module, one must simply place a .te
|
||||
file in a directory. A sample Makefile to use in the directory is the
|
||||
Makefile.example in the doc directory. This may be installed in
|
||||
/usr/share/doc, under the directory for the distribution's policy.
|
||||
Alternatively, the primary Makefile in the headers directory (typically
|
||||
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
|
||||
option.
|
||||
|
||||
Larger projects can set up a structure of layers, just as in Reference
|
||||
Policy, by creating policy/modules/LAYERNAME directories. Each layer also
|
||||
must have a metadata.xml file which is an XML file with a summary tag and
|
||||
optional desc (long description) tag. This should describe the purpose of
|
||||
the layer.
|
||||
|
||||
Metadata.xml example:
|
||||
|
||||
<summary>ABC modules for the XYZ components.</summary>
|
||||
|
||||
Make targets for modules built from headers:
|
||||
|
||||
MODULENAME.pp Compile and package the MODULENAME local module.
|
||||
|
||||
all Compile and package the modules in the current
|
||||
directory.
|
||||
|
||||
load Compile and package the modules in the current
|
||||
directory, then insert them into the module store.
|
||||
|
||||
refresh Attempts to reinsert all modules that are currently
|
||||
in the module store from the local and system module
|
||||
packages.
|
||||
|
||||
xml Build a policy.xml from the XML included with the
|
||||
base policy headers and any XML in the modules in
|
||||
the current directory.
|
223
Rules.modular
Normal file
223
Rules.modular
Normal file
@ -0,0 +1,223 @@
|
||||
########################################
|
||||
#
|
||||
# Rules and Targets for building modular policies
|
||||
#
|
||||
|
||||
all_modules := $(base_mods) $(mod_mods) $(off_mods)
|
||||
all_interfaces := $(all_modules:.te=.if)
|
||||
|
||||
base_pkg := $(builddir)base.pp
|
||||
base_fc := $(builddir)base.fc
|
||||
base_conf := $(builddir)base.conf
|
||||
base_mod := $(tmpdir)/base.mod
|
||||
|
||||
users_extra := $(tmpdir)/users_extra
|
||||
|
||||
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
||||
|
||||
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
|
||||
base_te_files := $(base_mods)
|
||||
base_post_te_files := $(user_files) $(poldir)/constraints
|
||||
base_fc_files := $(base_mods:.te=.fc)
|
||||
|
||||
mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
|
||||
|
||||
# policy packages to install
|
||||
instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
|
||||
|
||||
# search layer dirs for source files
|
||||
vpath %.te $(all_layers)
|
||||
vpath %.if $(all_layers)
|
||||
vpath %.fc $(all_layers)
|
||||
|
||||
.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
|
||||
|
||||
########################################
|
||||
#
|
||||
# default action: create all module packages
|
||||
#
|
||||
default: policy
|
||||
|
||||
all policy: base modules
|
||||
|
||||
base: $(base_pkg)
|
||||
|
||||
modules: $(mod_pkgs)
|
||||
|
||||
install: $(instpkg) $(appfiles)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Load all configured modules
|
||||
#
|
||||
load: $(instpkg) $(appfiles)
|
||||
# make sure two directories exist since they are not
|
||||
# created by semanage
|
||||
@mkdir -p $(policypath) $(dir $(fcpath))
|
||||
@echo "Loading configured modules."
|
||||
$(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install policy packages
|
||||
#
|
||||
$(modpkgdir)/%.pp: $(builddir)%.pp
|
||||
@mkdir -p $(modpkgdir)
|
||||
@echo "Installing $(NAME) $(@F) policy package."
|
||||
$(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Build module packages
|
||||
#
|
||||
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
|
||||
@echo "Compliling $(NAME) $(@F) module"
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(call perrole-expansion,$(basename $(@F)),$@.role)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
|
||||
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
||||
|
||||
$(tmpdir)/%.mod.fc: $(m4support) %.fc
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
|
||||
|
||||
$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
|
||||
@echo "Creating $(NAME) $(@F) policy package"
|
||||
@test -d $(builddir) || mkdir -p $(builddir)
|
||||
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
|
||||
|
||||
########################################
|
||||
#
|
||||
# Create a base module package
|
||||
#
|
||||
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
|
||||
@echo "Creating $(NAME) base module package"
|
||||
@test -d $(builddir) || mkdir -p $(builddir)
|
||||
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
|
||||
|
||||
ifneq "$(UNK_PERMS)" ""
|
||||
$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
|
||||
endif
|
||||
$(base_mod): $(base_conf)
|
||||
@echo "Compiling $(NAME) base module"
|
||||
$(verbose) $(CHECKMODULE) $^ -o $@
|
||||
|
||||
$(tmpdir)/seusers: $(seusers)
|
||||
@mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
|
||||
|
||||
$(users_extra): $(m4support) $(user_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
|
||||
$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Construct a base.conf
|
||||
#
|
||||
$(base_conf): $(base_sections)
|
||||
@echo "Creating $(NAME) base module $(@F)"
|
||||
@test -d $(@D) || mkdir -p $(@D)
|
||||
$(verbose) cat $^ > $@
|
||||
|
||||
$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(tmpdir)/generated_definitions.conf:
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
# define all available object classes
|
||||
$(verbose) $(genperm) $(avs) $(secclass) > $@
|
||||
$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
|
||||
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
|
||||
|
||||
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
@echo "divert(-1)" > $@
|
||||
$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
|
||||
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
|
||||
@echo "divert" >> $@
|
||||
|
||||
$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/rolemap.conf: $(rolemap)
|
||||
$(verbose) echo "" > $@
|
||||
$(call parse-rolemap,base,$@)
|
||||
|
||||
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
|
||||
ifeq "$(strip $(base_te_files))" ""
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
|
||||
|
||||
$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
# extract attributes and put them first. extract post te stuff
|
||||
# like genfscon and put last.
|
||||
$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
|
||||
$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
|
||||
$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
|
||||
# these have to run individually because order matters:
|
||||
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
|
||||
|
||||
########################################
|
||||
#
|
||||
# Construct a base.fc
|
||||
#
|
||||
$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
|
||||
$(verbose) $(fcsort) $< $@
|
||||
|
||||
$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
|
||||
ifeq ($(base_fc_files),)
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
@echo "Creating $(NAME) base module file contexts."
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Appconfig files
|
||||
#
|
||||
$(appdir)/customizable_types: $(base_conf)
|
||||
@mkdir -p $(appdir)
|
||||
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
|
||||
$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Validate linking and expanding of modules
|
||||
#
|
||||
validate: $(base_pkg) $(mod_pkgs)
|
||||
@echo "Validating policy linking."
|
||||
$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
|
||||
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
|
||||
@echo "Success."
|
||||
|
||||
########################################
|
||||
#
|
||||
# Clean the sources
|
||||
#
|
||||
clean:
|
||||
rm -f $(base_conf)
|
||||
rm -f $(base_fc)
|
||||
rm -f $(builddir)*.pp
|
||||
rm -f $(net_contexts)
|
||||
rm -fR $(tmpdir)
|
||||
|
||||
.PHONY: default all policy base modules install load clean validate
|
258
Rules.monolithic
Normal file
258
Rules.monolithic
Normal file
@ -0,0 +1,258 @@
|
||||
########################################
|
||||
#
|
||||
# Rules and Targets for building monolithic policies
|
||||
#
|
||||
|
||||
# determine the policy version and current kernel version if possible
|
||||
pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
|
||||
kv := $(shell cat /selinux/policyvers)
|
||||
|
||||
# dont print version warnings if we are unable to determine
|
||||
# the currently running kernel's policy version
|
||||
ifeq "$(kv)" ""
|
||||
kv := $(pv)
|
||||
endif
|
||||
|
||||
policy_conf = $(builddir)policy.conf
|
||||
fc = $(builddir)file_contexts
|
||||
polver = $(builddir)policy.$(pv)
|
||||
homedir_template = $(builddir)homedir_template
|
||||
|
||||
M4PARAM += -D self_contained_policy
|
||||
|
||||
# install paths
|
||||
loadpath = $(policypath)/$(notdir $(polver))
|
||||
|
||||
appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users
|
||||
|
||||
# for monolithic policy use all base and module to create policy
|
||||
all_modules := $(strip $(base_mods) $(mod_mods))
|
||||
# off module interfaces included to make sure all interfaces are expanded.
|
||||
all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
|
||||
all_te_files := $(all_modules)
|
||||
all_fc_files := $(all_modules:.te=.fc)
|
||||
|
||||
pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
|
||||
post_te_files := $(user_files) $(poldir)/constraints
|
||||
|
||||
policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
|
||||
|
||||
# search layer dirs for source files
|
||||
vpath %.te $(all_layers)
|
||||
vpath %.if $(all_layers)
|
||||
vpath %.fc $(all_layers)
|
||||
|
||||
########################################
|
||||
#
|
||||
# default action: build policy locally
|
||||
#
|
||||
default: policy
|
||||
|
||||
policy: $(polver)
|
||||
|
||||
install: $(loadpath) $(fcpath) $(appfiles)
|
||||
|
||||
load: $(tmpdir)/load
|
||||
|
||||
checklabels: $(fcpath)
|
||||
restorelabels: $(fcpath)
|
||||
relabel: $(fcpath)
|
||||
resetlabels: $(fcpath)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Build a binary policy locally
|
||||
#
|
||||
ifneq "$(UNK_PERMS)" ""
|
||||
$(polver): CHECKPOLICY += -U $(UNK_PERMS)
|
||||
endif
|
||||
$(polver): $(policy_conf)
|
||||
@echo "Compiling $(NAME) $(polver)"
|
||||
ifneq ($(pv),$(kv))
|
||||
@echo
|
||||
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
|
||||
@echo
|
||||
endif
|
||||
$(verbose) $(CHECKPOLICY) $^ -o $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install a binary policy
|
||||
#
|
||||
ifneq "$(UNK_PERMS)" ""
|
||||
$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
|
||||
endif
|
||||
$(loadpath): $(policy_conf)
|
||||
@mkdir -p $(policypath)
|
||||
@echo "Compiling and installing $(NAME) $(loadpath)"
|
||||
ifneq ($(pv),$(kv))
|
||||
@echo
|
||||
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
|
||||
@echo
|
||||
endif
|
||||
$(verbose) $(CHECKPOLICY) $^ -o $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Load the binary policy
|
||||
#
|
||||
reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
|
||||
@echo "Loading $(NAME) $(loadpath)"
|
||||
$(verbose) $(LOADPOLICY) -q $(loadpath)
|
||||
@touch $(tmpdir)/load
|
||||
|
||||
########################################
|
||||
#
|
||||
# Construct a monolithic policy.conf
|
||||
#
|
||||
$(policy_conf): $(policy_sections)
|
||||
@echo "Creating $(NAME) $(@F)"
|
||||
@test -d $(@D) || mkdir -p $(@D)
|
||||
$(verbose) cat $^ > $@
|
||||
|
||||
$(tmpdir)/pre_te_files.conf: $(pre_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(tmpdir)/generated_definitions.conf: $(all_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
# define all available object classes
|
||||
$(verbose) $(genperm) $(avs) $(secclass) > $@
|
||||
$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
|
||||
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
|
||||
|
||||
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
@echo "divert(-1)" > $@
|
||||
$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
|
||||
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
|
||||
@echo "divert" >> $@
|
||||
|
||||
$(tmpdir)/rolemap.conf: $(rolemap)
|
||||
$(verbose) echo "" > $@
|
||||
$(call parse-rolemap,base,$@)
|
||||
|
||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
|
||||
ifeq "$(strip $(all_te_files))" ""
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
|
||||
|
||||
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
# extract attributes and put them first. extract post te stuff
|
||||
# like genfscon and put last.
|
||||
$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
|
||||
$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
|
||||
$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
|
||||
# these have to run individually because order matters:
|
||||
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
|
||||
$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
|
||||
|
||||
########################################
|
||||
#
|
||||
# Remove the dontaudit rules from the policy.conf
|
||||
#
|
||||
enableaudit: $(policy_conf)
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
@echo "Removing dontaudit rules from $(notdir $(policy_conf))"
|
||||
$(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
|
||||
$(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Construct file_contexts
|
||||
#
|
||||
$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
|
||||
$(verbose) $(fcsort) $< $@
|
||||
$(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
|
||||
$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
|
||||
|
||||
$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
|
||||
ifeq ($(all_fc_files),)
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
@echo "Creating $(NAME) file_contexts."
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $^ > $@
|
||||
|
||||
$(homedir_template): $(fc)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Install file_contexts
|
||||
#
|
||||
$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
|
||||
@echo "Validating $(NAME) file_contexts."
|
||||
$(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
|
||||
@echo "Installing file_contexts."
|
||||
@mkdir -p $(contextpath)/files
|
||||
$(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
|
||||
$(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
|
||||
$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
|
||||
ifeq "$(DISTRO)" "rhel4"
|
||||
# Setfiles in RHEL4 does not look at file_contexts.homedirs.
|
||||
$(verbose) cat $@.homedirs >> $@
|
||||
# Delete the file_contexts.homedirs in case the toolchain has
|
||||
# been updated, to prevent duplicate match errors.
|
||||
$(verbose) rm -f $@.homedirs
|
||||
endif
|
||||
|
||||
########################################
|
||||
#
|
||||
# Intall netfilter_contexts
|
||||
#
|
||||
$(ncpath): $(net_contexts)
|
||||
@echo "Installing $(NAME) netfilter_contexts."
|
||||
$(verbose) $(INSTALL) -m 0644 $^ $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Run policy source checks
|
||||
#
|
||||
check: $(builddir)check.res
|
||||
$(builddir)check.res: $(policy_conf) $(fc)
|
||||
$(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
|
||||
|
||||
longcheck: $(builddir)longcheck.res
|
||||
$(builddir)longcheck.res: $(policy_conf) $(fc)
|
||||
$(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Appconfig files
|
||||
#
|
||||
$(appdir)/customizable_types: $(policy_conf)
|
||||
@mkdir -p $(appdir)
|
||||
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
|
||||
$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
|
||||
|
||||
$(installdir)/seusers: $(seusers)
|
||||
@mkdir -p $(installdir)
|
||||
$(verbose) $(INSTALL) -m 644 $^ $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Clean the sources
|
||||
#
|
||||
clean:
|
||||
rm -f $(policy_conf)
|
||||
rm -f $(polver)
|
||||
rm -f $(fc)
|
||||
rm -f $(homedir_template)
|
||||
rm -f $(net_contexts)
|
||||
rm -f *.res
|
||||
rm -fR $(tmpdir)
|
||||
|
||||
.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
|
71
build.conf
Normal file
71
build.conf
Normal file
@ -0,0 +1,71 @@
|
||||
########################################
|
||||
#
|
||||
# Policy build options
|
||||
#
|
||||
|
||||
# Policy version
|
||||
# By default, checkpolicy will create the highest
|
||||
# version policy it supports. Setting this will
|
||||
# override the version. This only has an
|
||||
# effect for monolithic policies.
|
||||
#OUTPUT_POLICY = 18
|
||||
|
||||
# Policy Type
|
||||
# standard, mls, mcs
|
||||
TYPE = standard
|
||||
|
||||
# Policy Name
|
||||
# If set, this will be used as the policy
|
||||
# name. Otherwise the policy type will be
|
||||
# used for the name.
|
||||
NAME = refpolicy
|
||||
|
||||
# Distribution
|
||||
# Some distributions have portions of policy
|
||||
# for programs or configurations specific to the
|
||||
# distribution. Setting this will enable options
|
||||
# for the distribution.
|
||||
# redhat, gentoo, debian, suse, and rhel4 are current options.
|
||||
# Fedora users should enable redhat.
|
||||
#DISTRO = redhat
|
||||
|
||||
# Unknown Permissions Handling
|
||||
# The behavior for handling permissions defined in the
|
||||
# kernel but missing from the policy. The permissions
|
||||
# can either be allowed, denied, or the policy loading
|
||||
# can be rejected.
|
||||
# allow, deny, and reject are current options.
|
||||
#UNK_PERMS = deny
|
||||
|
||||
# Direct admin init
|
||||
# Setting this will allow sysadm to directly
|
||||
# run init scripts, instead of requring run_init.
|
||||
# This is a build option, as role transitions do
|
||||
# not work in conditional policy.
|
||||
DIRECT_INITRC = n
|
||||
|
||||
# Build monolithic policy. Putting n here
|
||||
# will build a loadable module policy.
|
||||
MONOLITHIC = y
|
||||
|
||||
# User-based access control (UBAC)
|
||||
# Enable UBAC for role separations.
|
||||
UBAC = y
|
||||
|
||||
# Number of MLS Sensitivities
|
||||
# The sensitivities will be s0 to s(MLS_SENS-1).
|
||||
# Dominance will be in increasing numerical order
|
||||
# with s0 being lowest.
|
||||
MLS_SENS = 16
|
||||
|
||||
# Number of MLS Categories
|
||||
# The categories will be c0 to c(MLS_CATS-1).
|
||||
MLS_CATS = 1024
|
||||
|
||||
# Number of MCS Categories
|
||||
# The categories will be c0 to c(MLS_CATS-1).
|
||||
MCS_CATS = 1024
|
||||
|
||||
# Set this to y to only display status messages
|
||||
# during build.
|
||||
QUIET = n
|
6
config/appconfig-mcs/dbus_contexts
Normal file
6
config/appconfig-mcs/dbus_contexts
Normal file
@ -0,0 +1,6 @@
|
||||
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
||||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
||||
<busconfig>
|
||||
<selinux>
|
||||
</selinux>
|
||||
</busconfig>
|
15
config/appconfig-mcs/default_contexts
Normal file
15
config/appconfig-mcs/default_contexts
Normal file
@ -0,0 +1,15 @@
|
||||
system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
|
||||
staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||
|
||||
sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
|
||||
|
||||
user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
|
6
config/appconfig-mcs/default_type
Normal file
6
config/appconfig-mcs/default_type
Normal file
@ -0,0 +1,6 @@
|
||||
auditadm_r:auditadm_t
|
||||
secadm_r:secadm_t
|
||||
sysadm_r:sysadm_t
|
||||
staff_r:staff_t
|
||||
unconfined_r:unconfined_t
|
||||
user_r:user_t
|
1
config/appconfig-mcs/failsafe_context
Normal file
1
config/appconfig-mcs/failsafe_context
Normal file
@ -0,0 +1 @@
|
||||
sysadm_r:sysadm_t:s0
|
6
config/appconfig-mcs/guest_u_default_contexts
Normal file
6
config/appconfig-mcs/guest_u_default_contexts
Normal file
@ -0,0 +1,6 @@
|
||||
guest_r:guest_t:s0 guest_r:guest_t:s0
|
||||
system_r:crond_t:s0 guest_r:guest_t:s0
|
||||
system_r:initrc_su_t:s0 guest_r:guest_t:s0
|
||||
system_r:local_login_t:s0 guest_r:guest_t:s0
|
||||
system_r:remote_login_t:s0 guest_r:guest_t:s0
|
||||
system_r:sshd_t:s0 guest_r:guest_t:s0
|
1
config/appconfig-mcs/initrc_context
Normal file
1
config/appconfig-mcs/initrc_context
Normal file
@ -0,0 +1 @@
|
||||
system_u:system_r:initrc_t:s0
|
3
config/appconfig-mcs/media
Normal file
3
config/appconfig-mcs/media
Normal file
@ -0,0 +1,3 @@
|
||||
cdrom system_u:object_r:removable_device_t:s0
|
||||
floppy system_u:object_r:removable_device_t:s0
|
||||
disk system_u:object_r:fixed_disk_device_t:s0
|
1
config/appconfig-mcs/removable_context
Normal file
1
config/appconfig-mcs/removable_context
Normal file
@ -0,0 +1 @@
|
||||
system_u:object_r:removable_t:s0
|
11
config/appconfig-mcs/root_default_contexts
Normal file
11
config/appconfig-mcs/root_default_contexts
Normal file
@ -0,0 +1,11 @@
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
|
||||
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
|
||||
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
|
||||
#
|
||||
# Uncomment if you want to automatically login as sysadm_r
|
||||
#
|
||||
#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
1
config/appconfig-mcs/securetty_types
Normal file
1
config/appconfig-mcs/securetty_types
Normal file
@ -0,0 +1 @@
|
||||
user_tty_device_t
|
3
config/appconfig-mcs/seusers
Normal file
3
config/appconfig-mcs/seusers
Normal file
@ -0,0 +1,3 @@
|
||||
system_u:system_u:s0-mcs_systemhigh
|
||||
root:root:s0-mcs_systemhigh
|
||||
__default__:user_u:s0
|
10
config/appconfig-mcs/staff_u_default_contexts
Normal file
10
config/appconfig-mcs/staff_u_default_contexts
Normal file
@ -0,0 +1,10 @@
|
||||
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:crond_t:s0 staff_r:cronjob_t:s0
|
||||
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
|
||||
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
|
||||
|
9
config/appconfig-mcs/unconfined_u_default_contexts
Normal file
9
config/appconfig-mcs/unconfined_u_default_contexts
Normal file
@ -0,0 +1,9 @@
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
|
8
config/appconfig-mcs/user_u_default_contexts
Normal file
8
config/appconfig-mcs/user_u_default_contexts
Normal file
@ -0,0 +1,8 @@
|
||||
system_r:local_login_t:s0 user_r:user_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0
|
||||
system_r:crond_t:s0 user_r:cronjob_t:s0
|
||||
system_r:xdm_t:s0 user_r:user_t:s0
|
||||
user_r:user_su_t:s0 user_r:user_t:s0
|
||||
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||
|
1
config/appconfig-mcs/userhelper_context
Normal file
1
config/appconfig-mcs/userhelper_context
Normal file
@ -0,0 +1 @@
|
||||
system_u:sysadm_r:sysadm_t:s0
|
105
config/appconfig-mcs/x_contexts
Normal file
105
config/appconfig-mcs/x_contexts
Normal file
@ -0,0 +1,105 @@
|
||||
#
|
||||
# Config file for XSELinux extension
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Clients
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# The default client rule defines a context to be used for all clients
|
||||
# connecting to the server from a remote host.
|
||||
#
|
||||
client * system_u:object_r:remote_t:s0
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Properties
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# Property rules map a property name to a context. A default property
|
||||
# rule indicated by an asterisk should follow all other property rules.
|
||||
#
|
||||
# Properties that normal clients may only read
|
||||
property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
|
||||
|
||||
# Clipboard and selection properties
|
||||
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
|
||||
|
||||
# Default fallback type
|
||||
property * system_u:object_r:xproperty_t:s0
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Extensions
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# Extension rules map an extension name to a context. A default extension
|
||||
# rule indicated by an asterisk should follow all other extension rules.
|
||||
#
|
||||
# Restricted extensions
|
||||
extension SELinux system_u:object_r:security_xextension_t:s0
|
||||
|
||||
# Standard extensions
|
||||
extension * system_u:object_r:xextension_t:s0
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Selections
|
||||
##
|
||||
#
|
||||
|
||||
# Selection rules map a selection name to a context. A default selection
|
||||
# rule indicated by an asterisk should follow all other selection rules.
|
||||
#
|
||||
# Standard selections
|
||||
selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
|
||||
selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
|
||||
|
||||
# Default fallback type
|
||||
selection * system_u:object_r:xselection_t:s0
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Events
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# Event rules map an event protocol name to a context. A default event
|
||||
# rule indicated by an asterisk should follow all other event rules.
|
||||
#
|
||||
# Input events
|
||||
event X11:KeyPress system_u:object_r:input_xevent_t:s0
|
||||
event X11:KeyRelease system_u:object_r:input_xevent_t:s0
|
||||
event X11:ButtonPress system_u:object_r:input_xevent_t:s0
|
||||
event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
|
||||
event X11:MotionNotify system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
|
||||
|
||||
# Client message events
|
||||
event X11:ClientMessage system_u:object_r:client_xevent_t:s0
|
||||
event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
|
||||
event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
|
||||
event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
|
||||
|
||||
# Default fallback type
|
||||
event * system_u:object_r:xevent_t:s0
|
7
config/appconfig-mcs/xguest_u_default_contexts
Normal file
7
config/appconfig-mcs/xguest_u_default_contexts
Normal file
@ -0,0 +1,7 @@
|
||||
system_r:crond_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:local_login_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:remote_login_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:sshd_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:xdm_t:s0 xguest_r:xguest_t:s0
|
||||
xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
|
6
config/appconfig-mls/dbus_contexts
Normal file
6
config/appconfig-mls/dbus_contexts
Normal file
@ -0,0 +1,6 @@
|
||||
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
||||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
||||
<busconfig>
|
||||
<selinux>
|
||||
</selinux>
|
||||
</busconfig>
|
15
config/appconfig-mls/default_contexts
Normal file
15
config/appconfig-mls/default_contexts
Normal file
@ -0,0 +1,15 @@
|
||||
system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
|
||||
|
||||
staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
|
||||
|
||||
sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
|
||||
|
||||
user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
|
6
config/appconfig-mls/default_type
Normal file
6
config/appconfig-mls/default_type
Normal file
@ -0,0 +1,6 @@
|
||||
auditadm_r:auditadm_t
|
||||
secadm_r:secadm_t
|
||||
sysadm_r:sysadm_t
|
||||
staff_r:staff_t
|
||||
unconfined_r:unconfined_t
|
||||
user_r:user_t
|
1
config/appconfig-mls/failsafe_context
Normal file
1
config/appconfig-mls/failsafe_context
Normal file
@ -0,0 +1 @@
|
||||
sysadm_r:sysadm_t:s0
|
5
config/appconfig-mls/guest_u_default_contexts
Normal file
5
config/appconfig-mls/guest_u_default_contexts
Normal file
@ -0,0 +1,5 @@
|
||||
guest_r:guest_t:s0 guest_r:guest_t:s0
|
||||
system_r:crond_t:s0 guest_r:guest_t:s0
|
||||
system_r:local_login_t:s0 guest_r:guest_t:s0
|
||||
system_r:remote_login_t:s0 guest_r:guest_t:s0
|
||||
system_r:sshd_t:s0 guest_r:guest_t:s0
|
1
config/appconfig-mls/initrc_context
Normal file
1
config/appconfig-mls/initrc_context
Normal file
@ -0,0 +1 @@
|
||||
system_u:system_r:initrc_t:s0-mls_systemhigh
|
3
config/appconfig-mls/media
Normal file
3
config/appconfig-mls/media
Normal file
@ -0,0 +1,3 @@
|
||||
cdrom system_u:object_r:removable_device_t:s0
|
||||
floppy system_u:object_r:removable_device_t:s0
|
||||
disk system_u:object_r:fixed_disk_device_t:s0
|
1
config/appconfig-mls/removable_context
Normal file
1
config/appconfig-mls/removable_context
Normal file
@ -0,0 +1 @@
|
||||
system_u:object_r:removable_t:s0
|
11
config/appconfig-mls/root_default_contexts
Normal file
11
config/appconfig-mls/root_default_contexts
Normal file
@ -0,0 +1,11 @@
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
|
||||
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
|
||||
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
||||
|
||||
#
|
||||
# Uncomment if you want to automatically login as sysadm_r
|
||||
#
|
||||
#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
|
1
config/appconfig-mls/securetty_types
Normal file
1
config/appconfig-mls/securetty_types
Normal file
@ -0,0 +1 @@
|
||||
user_tty_device_t
|
3
config/appconfig-mls/seusers
Normal file
3
config/appconfig-mls/seusers
Normal file
@ -0,0 +1,3 @@
|
||||
system_u:system_u:s0-mls_systemhigh
|
||||
root:root:s0-mls_systemhigh
|
||||
__default__:user_u:s0
|
10
config/appconfig-mls/staff_u_default_contexts
Normal file
10
config/appconfig-mls/staff_u_default_contexts
Normal file
@ -0,0 +1,10 @@
|
||||
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:remote_login_t:s0 staff_r:staff_t:s0
|
||||
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
|
||||
system_r:crond_t:s0 staff_r:cronjob_t:s0
|
||||
system_r:xdm_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_su_t:s0 staff_r:staff_t:s0
|
||||
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
|
||||
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
|
||||
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
|
||||
|
9
config/appconfig-mls/unconfined_u_default_contexts
Normal file
9
config/appconfig-mls/unconfined_u_default_contexts
Normal file
@ -0,0 +1,9 @@
|
||||
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
|
||||
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
|
||||
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
|
8
config/appconfig-mls/user_u_default_contexts
Normal file
8
config/appconfig-mls/user_u_default_contexts
Normal file
@ -0,0 +1,8 @@
|
||||
system_r:local_login_t:s0 user_r:user_t:s0
|
||||
system_r:remote_login_t:s0 user_r:user_t:s0
|
||||
system_r:sshd_t:s0 user_r:user_t:s0
|
||||
system_r:crond_t:s0 user_r:cronjob_t:s0
|
||||
system_r:xdm_t:s0 user_r:user_t:s0
|
||||
user_r:user_su_t:s0 user_r:user_t:s0
|
||||
user_r:user_sudo_t:s0 user_r:user_t:s0
|
||||
|
1
config/appconfig-mls/userhelper_context
Normal file
1
config/appconfig-mls/userhelper_context
Normal file
@ -0,0 +1 @@
|
||||
system_u:sysadm_r:sysadm_t:s0
|
105
config/appconfig-mls/x_contexts
Normal file
105
config/appconfig-mls/x_contexts
Normal file
@ -0,0 +1,105 @@
|
||||
#
|
||||
# Config file for XSELinux extension
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Clients
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# The default client rule defines a context to be used for all clients
|
||||
# connecting to the server from a remote host.
|
||||
#
|
||||
client * system_u:object_r:remote_t:s0
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Properties
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# Property rules map a property name to a context. A default property
|
||||
# rule indicated by an asterisk should follow all other property rules.
|
||||
#
|
||||
# Properties that normal clients may only read
|
||||
property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
|
||||
|
||||
# Clipboard and selection properties
|
||||
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
|
||||
|
||||
# Default fallback type
|
||||
property * system_u:object_r:xproperty_t:s0
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Extensions
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# Extension rules map an extension name to a context. A default extension
|
||||
# rule indicated by an asterisk should follow all other extension rules.
|
||||
#
|
||||
# Restricted extensions
|
||||
extension SELinux system_u:object_r:security_xextension_t:s0
|
||||
|
||||
# Standard extensions
|
||||
extension * system_u:object_r:xextension_t:s0
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Selections
|
||||
##
|
||||
#
|
||||
|
||||
# Selection rules map a selection name to a context. A default selection
|
||||
# rule indicated by an asterisk should follow all other selection rules.
|
||||
#
|
||||
# Standard selections
|
||||
selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
|
||||
selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
|
||||
|
||||
# Default fallback type
|
||||
selection * system_u:object_r:xselection_t:s0
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Events
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# Event rules map an event protocol name to a context. A default event
|
||||
# rule indicated by an asterisk should follow all other event rules.
|
||||
#
|
||||
# Input events
|
||||
event X11:KeyPress system_u:object_r:input_xevent_t:s0
|
||||
event X11:KeyRelease system_u:object_r:input_xevent_t:s0
|
||||
event X11:ButtonPress system_u:object_r:input_xevent_t:s0
|
||||
event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
|
||||
event X11:MotionNotify system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
|
||||
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
|
||||
|
||||
# Client message events
|
||||
event X11:ClientMessage system_u:object_r:client_xevent_t:s0
|
||||
event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
|
||||
event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
|
||||
event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
|
||||
|
||||
# Default fallback type
|
||||
event * system_u:object_r:xevent_t:s0
|
7
config/appconfig-mls/xguest_u_default_contexts
Normal file
7
config/appconfig-mls/xguest_u_default_contexts
Normal file
@ -0,0 +1,7 @@
|
||||
system_r:crond_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:local_login_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:remote_login_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:sshd_t:s0 xguest_r:xguest_t:s0
|
||||
system_r:xdm_t:s0 xguest_r:xguest_t:s0
|
||||
xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
|
6
config/appconfig-standard/dbus_contexts
Normal file
6
config/appconfig-standard/dbus_contexts
Normal file
@ -0,0 +1,6 @@
|
||||
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
||||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
||||
<busconfig>
|
||||
<selinux>
|
||||
</selinux>
|
||||
</busconfig>
|
15
config/appconfig-standard/default_contexts
Normal file
15
config/appconfig-standard/default_contexts
Normal file
@ -0,0 +1,15 @@
|
||||
system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t
|
||||
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
|
||||
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
|
||||
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
|
||||
system_r:sulogin_t sysadm_r:sysadm_t
|
||||
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
|
||||
|
||||
staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
|
||||
staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
|
||||
|
||||
sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
|
||||
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
|
||||
|
||||
user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
|
||||
user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
|
6
config/appconfig-standard/default_type
Normal file
6
config/appconfig-standard/default_type
Normal file
@ -0,0 +1,6 @@
|
||||
auditadm_r:auditadm_t
|
||||
secadm_r:secadm_t
|
||||
sysadm_r:sysadm_t
|
||||
staff_r:staff_t
|
||||
unconfined_r:unconfined_t
|
||||
user_r:user_t
|
1
config/appconfig-standard/failsafe_context
Normal file
1
config/appconfig-standard/failsafe_context
Normal file
@ -0,0 +1 @@
|
||||
sysadm_r:sysadm_t
|
7
config/appconfig-standard/guest_u_default_contexts
Normal file
7
config/appconfig-standard/guest_u_default_contexts
Normal file
@ -0,0 +1,7 @@
|
||||
guest_r:guest_t guest_r:guest_t
|
||||
system_r:crond_t guest_r:guest_t
|
||||
system_r:initrc_su_t guest_r:guest_t
|
||||
system_r:local_login_t guest_r:guest_t
|
||||
system_r:remote_login_t guest_r:guest_t
|
||||
system_r:sshd_t guest_r:guest_t
|
||||
|
1
config/appconfig-standard/initrc_context
Normal file
1
config/appconfig-standard/initrc_context
Normal file
@ -0,0 +1 @@
|
||||
system_u:system_r:initrc_t
|
3
config/appconfig-standard/media
Normal file
3
config/appconfig-standard/media
Normal file
@ -0,0 +1,3 @@
|
||||
cdrom system_u:object_r:removable_device_t
|
||||
floppy system_u:object_r:removable_device_t
|
||||
disk system_u:object_r:fixed_disk_device_t
|
1
config/appconfig-standard/removable_context
Normal file
1
config/appconfig-standard/removable_context
Normal file
@ -0,0 +1 @@
|
||||
system_u:object_r:removable_t
|
11
config/appconfig-standard/root_default_contexts
Normal file
11
config/appconfig-standard/root_default_contexts
Normal file
@ -0,0 +1,11 @@
|
||||
system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
|
||||
system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
|
||||
|
||||
staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
|
||||
sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
|
||||
user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
|
||||
|
||||
#
|
||||
# Uncomment if you want to automatically login as sysadm_r
|
||||
#
|
||||
#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
|
1
config/appconfig-standard/securetty_types
Normal file
1
config/appconfig-standard/securetty_types
Normal file
@ -0,0 +1 @@
|
||||
user_tty_device_t
|
3
config/appconfig-standard/seusers
Normal file
3
config/appconfig-standard/seusers
Normal file
@ -0,0 +1,3 @@
|
||||
system_u:system_u
|
||||
root:root
|
||||
__default__:user_u
|
10
config/appconfig-standard/staff_u_default_contexts
Normal file
10
config/appconfig-standard/staff_u_default_contexts
Normal file
@ -0,0 +1,10 @@
|
||||
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
|
||||
system_r:remote_login_t staff_r:staff_t
|
||||
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
|
||||
system_r:crond_t staff_r:cronjob_t
|
||||
system_r:xdm_t staff_r:staff_t
|
||||
staff_r:staff_su_t staff_r:staff_t
|
||||
staff_r:staff_sudo_t staff_r:staff_t
|
||||
sysadm_r:sysadm_su_t sysadm_r:sysadm_t
|
||||
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
|
||||
|
9
config/appconfig-standard/unconfined_u_default_contexts
Normal file
9
config/appconfig-standard/unconfined_u_default_contexts
Normal file
@ -0,0 +1,9 @@
|
||||
system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
|
||||
system_r:initrc_t unconfined_r:unconfined_t
|
||||
system_r:local_login_t unconfined_r:unconfined_t
|
||||
system_r:remote_login_t unconfined_r:unconfined_t
|
||||
system_r:rshd_t unconfined_r:unconfined_t
|
||||
system_r:sshd_t unconfined_r:unconfined_t
|
||||
system_r:sysadm_su_t unconfined_r:unconfined_t
|
||||
system_r:unconfined_t unconfined_r:unconfined_t
|
||||
system_r:xdm_t unconfined_r:unconfined_t
|
8
config/appconfig-standard/user_u_default_contexts
Normal file
8
config/appconfig-standard/user_u_default_contexts
Normal file
@ -0,0 +1,8 @@
|
||||
system_r:local_login_t user_r:user_t
|
||||
system_r:remote_login_t user_r:user_t
|
||||
system_r:sshd_t user_r:user_t
|
||||
system_r:crond_t user_r:cronjob_t
|
||||
system_r:xdm_t user_r:user_t
|
||||
user_r:user_su_t user_r:user_t
|
||||
user_r:user_sudo_t user_r:user_t
|
||||
|
1
config/appconfig-standard/userhelper_context
Normal file
1
config/appconfig-standard/userhelper_context
Normal file
@ -0,0 +1 @@
|
||||
system_u:sysadm_r:sysadm_t
|
105
config/appconfig-standard/x_contexts
Normal file
105
config/appconfig-standard/x_contexts
Normal file
@ -0,0 +1,105 @@
|
||||
#
|
||||
# Config file for XSELinux extension
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Clients
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# The default client rule defines a context to be used for all clients
|
||||
# connecting to the server from a remote host.
|
||||
#
|
||||
client * system_u:object_r:remote_t
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Properties
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# Property rules map a property name to a context. A default property
|
||||
# rule indicated by an asterisk should follow all other property rules.
|
||||
#
|
||||
# Properties that normal clients may only read
|
||||
property _SELINUX_* system_u:object_r:seclabel_xproperty_t
|
||||
|
||||
# Clipboard and selection properties
|
||||
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
|
||||
|
||||
# Default fallback type
|
||||
property * system_u:object_r:xproperty_t
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Extensions
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# Extension rules map an extension name to a context. A default extension
|
||||
# rule indicated by an asterisk should follow all other extension rules.
|
||||
#
|
||||
# Restricted extensions
|
||||
extension SELinux system_u:object_r:security_xextension_t
|
||||
|
||||
# Standard extensions
|
||||
extension * system_u:object_r:xextension_t
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Selections
|
||||
##
|
||||
#
|
||||
|
||||
# Selection rules map a selection name to a context. A default selection
|
||||
# rule indicated by an asterisk should follow all other selection rules.
|
||||
#
|
||||
# Standard selections
|
||||
selection PRIMARY system_u:object_r:clipboard_xselection_t
|
||||
selection CLIPBOARD system_u:object_r:clipboard_xselection_t
|
||||
|
||||
# Default fallback type
|
||||
selection * system_u:object_r:xselection_t
|
||||
|
||||
|
||||
#
|
||||
##
|
||||
### Rules for X Events
|
||||
##
|
||||
#
|
||||
|
||||
#
|
||||
# Event rules map an event protocol name to a context. A default event
|
||||
# rule indicated by an asterisk should follow all other event rules.
|
||||
#
|
||||
# Input events
|
||||
event X11:KeyPress system_u:object_r:input_xevent_t
|
||||
event X11:KeyRelease system_u:object_r:input_xevent_t
|
||||
event X11:ButtonPress system_u:object_r:input_xevent_t
|
||||
event X11:ButtonRelease system_u:object_r:input_xevent_t
|
||||
event X11:MotionNotify system_u:object_r:input_xevent_t
|
||||
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t
|
||||
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t
|
||||
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t
|
||||
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t
|
||||
event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t
|
||||
event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t
|
||||
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t
|
||||
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t
|
||||
|
||||
# Client message events
|
||||
event X11:ClientMessage system_u:object_r:client_xevent_t
|
||||
event X11:SelectionNotify system_u:object_r:client_xevent_t
|
||||
event X11:UnmapNotify system_u:object_r:client_xevent_t
|
||||
event X11:ConfigureNotify system_u:object_r:client_xevent_t
|
||||
|
||||
# Default fallback type
|
||||
event * system_u:object_r:xevent_t
|
7
config/appconfig-standard/xguest_u_default_contexts
Normal file
7
config/appconfig-standard/xguest_u_default_contexts
Normal file
@ -0,0 +1,7 @@
|
||||
system_r:crond_t xguest_r:xguest_t
|
||||
system_r:initrc_su_t xguest_r:xguest_t
|
||||
system_r:local_login_t xguest_r:xguest_t
|
||||
system_r:remote_login_t xguest_r:xguest_t
|
||||
system_r:sshd_t xguest_r:xguest_t
|
||||
system_r:xdm_t xguest_r:xguest_t
|
||||
xguest_r:xguest_t xguest_r:xguest_t
|
21
config/local.users
Normal file
21
config/local.users
Normal file
@ -0,0 +1,21 @@
|
||||
##################################
|
||||
#
|
||||
# User configuration.
|
||||
#
|
||||
# This file defines additional users recognized by the system security policy.
|
||||
# Only the user identities defined in this file and the system.users file
|
||||
# may be used as the user attribute in a security context.
|
||||
#
|
||||
# Each user has a set of roles that may be entered by processes
|
||||
# with the users identity. The syntax of a user declaration is:
|
||||
#
|
||||
# user username roles role_set [ level default_level range allowed_range ];
|
||||
#
|
||||
# The MLS default level and allowed range should only be specified if
|
||||
# MLS was enabled in the policy.
|
||||
|
||||
# sample for administrative user
|
||||
# user jadmin roles { staff_r sysadm_r };
|
||||
|
||||
# sample for regular user
|
||||
#user jdoe roles { user_r };
|
8
doc/Makefile.example
Normal file
8
doc/Makefile.example
Normal file
@ -0,0 +1,8 @@
|
||||
|
||||
AWK ?= gawk
|
||||
|
||||
NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
|
||||
SHAREDIR ?= /usr/share/selinux
|
||||
HEADERDIR := $(SHAREDIR)/$(NAME)/include
|
||||
|
||||
include $(HEADERDIR)/Makefile
|
6
doc/example.fc
Normal file
6
doc/example.fc
Normal file
@ -0,0 +1,6 @@
|
||||
# myapp executable will have:
|
||||
# label: system_u:object_r:myapp_exec_t
|
||||
# MLS sensitivity: s0
|
||||
# MCS categories: <none>
|
||||
|
||||
/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
|
54
doc/example.if
Normal file
54
doc/example.if
Normal file
@ -0,0 +1,54 @@
|
||||
## <summary>Myapp example policy</summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## More descriptive text about myapp. The desc
|
||||
## tag can also use p, ul, and ol
|
||||
## html tags for formatting.
|
||||
## </p>
|
||||
## <p>
|
||||
## This policy supports the following myapp features:
|
||||
## <ul>
|
||||
## <li>Feature A</li>
|
||||
## <li>Feature B</li>
|
||||
## <li>Feature C</li>
|
||||
## </ul>
|
||||
## </p>
|
||||
## </desc>
|
||||
#
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run myapp.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`myapp_domtrans',`
|
||||
gen_require(`
|
||||
type myapp_t, myapp_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1,myapp_exec_t,myapp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read myapp log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to read the log files.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`myapp_read_log',`
|
||||
gen_require(`
|
||||
type myapp_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 myapp_log_t:file read_file_perms;
|
||||
')
|
28
doc/example.te
Normal file
28
doc/example.te
Normal file
@ -0,0 +1,28 @@
|
||||
|
||||
policy_module(myapp,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type myapp_t;
|
||||
type myapp_exec_t;
|
||||
domain_type(myapp_t)
|
||||
domain_entry_file(myapp_t, myapp_exec_t)
|
||||
|
||||
type myapp_log_t;
|
||||
logging_log_file(myapp_log_t)
|
||||
|
||||
type myapp_tmp_t;
|
||||
files_tmp_file(myapp_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Myapp local policy
|
||||
#
|
||||
|
||||
allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
|
||||
|
||||
allow myapp_t myapp_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
|
44
doc/policy.dtd
Normal file
44
doc/policy.dtd
Normal file
@ -0,0 +1,44 @@
|
||||
<!ENTITY % inline.class "pre|p|ul|ol|li">
|
||||
|
||||
<!ELEMENT policy (layer+,(tunable|bool)*)>
|
||||
<!ELEMENT layer (summary,module+)>
|
||||
<!ATTLIST layer
|
||||
name CDATA #REQUIRED>
|
||||
<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
|
||||
<!ATTLIST module
|
||||
name CDATA #REQUIRED
|
||||
filename CDATA #REQUIRED>
|
||||
<!ELEMENT required (#PCDATA)>
|
||||
<!ATTLIST required
|
||||
val (true|false) "false">
|
||||
<!ELEMENT tunable (desc)>
|
||||
<!ATTLIST tunable
|
||||
name CDATA #REQUIRED
|
||||
dftval CDATA #REQUIRED>
|
||||
<!ELEMENT bool (desc)>
|
||||
<!ATTLIST bool
|
||||
name CDATA #REQUIRED
|
||||
dftval CDATA #REQUIRED>
|
||||
<!ELEMENT summary (#PCDATA)>
|
||||
<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
|
||||
<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
|
||||
<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)>
|
||||
<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
|
||||
<!ELEMENT desc (#PCDATA|%inline.class;)*>
|
||||
<!ELEMENT param (summary)>
|
||||
<!ATTLIST param
|
||||
name CDATA #REQUIRED
|
||||
optional (true|false) "false"
|
||||
unused (true|false) "false">
|
||||
<!ELEMENT infoflow EMPTY>
|
||||
<!ATTLIST infoflow
|
||||
type CDATA #REQUIRED
|
||||
weight CDATA #IMPLIED>
|
||||
<!ELEMENT rolebase EMPTY>
|
||||
<!ELEMENT rolecap EMPTY>
|
||||
|
||||
<!ATTLIST pre caption CDATA #IMPLIED>
|
||||
<!ELEMENT p (#PCDATA|%inline.class;)*>
|
||||
<!ELEMENT ul (li+)>
|
||||
<!ELEMENT ol (li+)>
|
||||
<!ELEMENT li (#PCDATA|%inline.class;)*>
|
23
doc/templates/bool_list.html
vendored
Normal file
23
doc/templates/bool_list.html
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
<h3>Master boolean index:</h3>
|
||||
|
||||
[[for bool in booleans]]
|
||||
<div id="interfacesmall">
|
||||
[[if bool.has_key('mod_layer')]]
|
||||
Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'>
|
||||
[[bool['mod_name']]]</a><p/>
|
||||
Layer: <a href='[[bool['mod_layer']]].html'>
|
||||
[[bool['mod_layer']]]</a><p/>
|
||||
[[else]]
|
||||
Global
|
||||
[[end]]
|
||||
<div id="codeblock">
|
||||
[[bool['bool_name']]]
|
||||
<small>(Default: [[bool['def_val']]])</small>
|
||||
</div>
|
||||
[[if bool['desc']]]
|
||||
<div id="description">
|
||||
[[bool['desc']]]
|
||||
</div>
|
||||
[[end]]
|
||||
</div>
|
||||
[[end]]
|
13
doc/templates/boolean.html
vendored
Normal file
13
doc/templates/boolean.html
vendored
Normal file
@ -0,0 +1,13 @@
|
||||
[[for bool in booleans]]
|
||||
<a name="link_[[bool['bool_name']]]"></a>
|
||||
<div id="interface">
|
||||
<div id="codeblock">[[bool['bool_name']]]</div>
|
||||
<div id="description">
|
||||
<h5>Default value</h5>
|
||||
<p>[[bool['def_val']]]</p>
|
||||
[[if bool['desc']]]
|
||||
<h5>Description</h5>
|
||||
[[bool['desc']]]
|
||||
[[end]]
|
||||
</div></div>
|
||||
[[end]]
|
14
doc/templates/global_bool_list.html
vendored
Normal file
14
doc/templates/global_bool_list.html
vendored
Normal file
@ -0,0 +1,14 @@
|
||||
<h3>Global booleans:</h3>
|
||||
|
||||
[[for bool in booleans]]
|
||||
<div id="interface">
|
||||
<div id="codeblock">[[bool['bool_name']]]</div>
|
||||
<div id="description">
|
||||
<h5>Default value</h5>
|
||||
<p>[[bool['def_val']]]</p>
|
||||
[[if bool['desc']]]
|
||||
<h5>Description</h5>
|
||||
[[bool['desc']]]
|
||||
[[end]]
|
||||
</div></div>
|
||||
[[end]]
|
14
doc/templates/global_tun_list.html
vendored
Normal file
14
doc/templates/global_tun_list.html
vendored
Normal file
@ -0,0 +1,14 @@
|
||||
<h3>Global tunables:</h3>
|
||||
|
||||
[[for tun in tunables]]
|
||||
<div id="interface">
|
||||
<div id="codeblock">[[tun['tun_name']]]</div>
|
||||
<div id="description">
|
||||
<h5>Default value</h5>
|
||||
<p>[[tun['def_val']]]</p>
|
||||
[[if tun['desc']]]
|
||||
<h5>Description</h5>
|
||||
[[tun['desc']]]
|
||||
[[end]]
|
||||
</div></div>
|
||||
[[end]]
|
15
doc/templates/header.html
vendored
Normal file
15
doc/templates/header.html
vendored
Normal file
@ -0,0 +1,15 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>
|
||||
Security Enhanced Linux Reference Policy
|
||||
</title>
|
||||
<style type="text/css" media="all">@import "style.css";</style>
|
||||
</head>
|
||||
<body>
|
||||
<div id="Header">Security Enhanced Linux Reference Policy</div>
|
||||
[[menu]]
|
||||
<div id="Content">
|
||||
[[content]]
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
33
doc/templates/int_list.html
vendored
Normal file
33
doc/templates/int_list.html
vendored
Normal file
@ -0,0 +1,33 @@
|
||||
<h3>Master interface index:</h3>
|
||||
|
||||
[[for int in interfaces]]
|
||||
<div id="interfacesmall">
|
||||
Module: <a href='[[int['mod_layer']+ "_" + int['mod_name'] + ".html#link_" + int['interface_name']]]'>
|
||||
[[int['mod_name']]]</a><p/>
|
||||
Layer: <a href='[[int['mod_layer']]].html'>
|
||||
[[int['mod_layer']]]</a><p/>
|
||||
<div id="codeblock">
|
||||
[[exec i = 0]]
|
||||
<b>[[int['interface_name']]]</b>(
|
||||
[[for arg in int['interface_parameters']]]
|
||||
[[if i != 0]]
|
||||
,
|
||||
[[end]]
|
||||
[[exec i = 1]]
|
||||
[[if arg['optional'] == 'yes']]
|
||||
[
|
||||
[[end]]
|
||||
[[arg['name']]]
|
||||
[[if arg['optional'] == 'yes']]
|
||||
]
|
||||
[[end]]
|
||||
[[end]]
|
||||
)<br>
|
||||
</div>
|
||||
[[if int['interface_summary']]]
|
||||
<div id="description">
|
||||
[[int['interface_summary']]]
|
||||
</div>
|
||||
[[end]]
|
||||
</div>
|
||||
[[end]]
|
50
doc/templates/interface.html
vendored
Normal file
50
doc/templates/interface.html
vendored
Normal file
@ -0,0 +1,50 @@
|
||||
[[for int in interfaces]]
|
||||
<a name="link_[[int['interface_name']]]"></a>
|
||||
<div id="interface">
|
||||
[[if int.has_key("mod_layer")]]
|
||||
Layer: [[mod_layer]]<br>
|
||||
[[end]]
|
||||
[[if int.has_key("mod_name")]]
|
||||
Module: [[mod_name]]<br>
|
||||
[[end]]
|
||||
<div id="codeblock">
|
||||
[[exec i = 0]]
|
||||
<b>[[int['interface_name']]]</b>(
|
||||
[[for arg in int['interface_parameters']]]
|
||||
[[if i != 0]]
|
||||
,
|
||||
[[end]]
|
||||
[[exec i = 1]]
|
||||
[[if arg['optional'] == 'yes']]
|
||||
[
|
||||
[[end]]
|
||||
[[arg['name']]]
|
||||
[[if arg['optional'] == 'yes']]
|
||||
]
|
||||
[[end]]
|
||||
[[end]]
|
||||
)<br>
|
||||
</div>
|
||||
<div id="description">
|
||||
[[if int['interface_summary']]]
|
||||
<h5>Summary</h5>
|
||||
[[int['interface_summary']]]
|
||||
[[end]]
|
||||
[[if int['interface_desc']]]
|
||||
<h5>Description</h5>
|
||||
[[int['interface_desc']]]
|
||||
[[end]]
|
||||
<h5>Parameters</h5>
|
||||
<table border="1" cellspacing="0" cellpadding="3" width="65%">
|
||||
<tr><th >Parameter:</th><th >Description:</th></tr>
|
||||
[[for arg in int['interface_parameters']]]
|
||||
<tr><td>
|
||||
[[arg['name']]]
|
||||
</td><td>
|
||||
[[arg['desc']]]
|
||||
</td></tr>
|
||||
[[end]]
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
[[end]]
|
26
doc/templates/menu.html
vendored
Normal file
26
doc/templates/menu.html
vendored
Normal file
@ -0,0 +1,26 @@
|
||||
<div id='Menu'>
|
||||
[[for layer_name, layer_mods in menulist]]
|
||||
<a href="[[layer_name]].html">+
|
||||
[[layer_name]]</a></br/>
|
||||
<div id='subitem'>
|
||||
[[for module, s in layer_mods]]
|
||||
- <a href='[[layer_name + "_" + module]].html'>
|
||||
[[module]]</a><br/>
|
||||
[[end]]
|
||||
</div>
|
||||
[[end]]
|
||||
<br/><p/>
|
||||
<a href="global_booleans.html">* Global Booleans </a>
|
||||
<br/><p/>
|
||||
<a href="global_tunables.html">* Global Tunables </a>
|
||||
<p/><br/><p/>
|
||||
<a href="index.html">* Layer Index</a>
|
||||
<br/><p/>
|
||||
<a href="booleans.html">* Boolean Index</a>
|
||||
<br/><p/>
|
||||
<a href="tunables.html">* Tunable Index</a>
|
||||
<br/><p/>
|
||||
<a href="interfaces.html">* Interface Index</a>
|
||||
<br/><p/>
|
||||
<a href="templates.html">* Template Index</a>
|
||||
</div>
|
52
doc/templates/module.html
vendored
Normal file
52
doc/templates/module.html
vendored
Normal file
@ -0,0 +1,52 @@
|
||||
<a name="top":></a>
|
||||
<h1>Layer: [[mod_layer]]</h1><p/>
|
||||
<h2>Module: [[mod_name]]</h2><p/>
|
||||
[[if booleans]]
|
||||
<a href=#booleans>Booleans</a>
|
||||
[[end]]
|
||||
[[if tunables]]
|
||||
<a href=#tunables>Tunables</a>
|
||||
[[end]]
|
||||
[[if interfaces]]
|
||||
<a href=#interfaces>Interfaces</a>
|
||||
[[end]]
|
||||
[[if templates]]
|
||||
<a href=#templates>Templates</a>
|
||||
[[end]]
|
||||
<h3>Description:</h3>
|
||||
[[if mod_desc]]
|
||||
<p>[[mod_desc]]</p>
|
||||
[[else]]
|
||||
<p>[[mod_summary]]</p>
|
||||
[[end]]
|
||||
[[if mod_req]]
|
||||
<p>This module is required to be included in all policies.</p>
|
||||
[[end]]
|
||||
<hr>
|
||||
[[if booleans]]
|
||||
<a name="booleans"></a>
|
||||
<h3>Booleans: </h3>
|
||||
[[booleans]]
|
||||
<a href=#top>Return</a>
|
||||
[[end]]
|
||||
[[if tunables]]
|
||||
<a name="tunables"></a>
|
||||
<h3>Tunables: </h3>
|
||||
[[tunables]]
|
||||
<a href=#top>Return</a>
|
||||
[[end]]
|
||||
[[if interfaces]]
|
||||
<a name="interfaces"></a>
|
||||
<h3>Interfaces: </h3>
|
||||
[[interfaces]]
|
||||
<a href=#top>Return</a>
|
||||
[[end]]
|
||||
[[if templates]]
|
||||
<a name="templates"></a>
|
||||
<h3>Templates: </h3>
|
||||
[[templates]]
|
||||
<a href=#top>Return</a>
|
||||
[[end]]
|
||||
[[if not templates and not interfaces and not tunables]]
|
||||
<h3>No booleans, tunables, interfaces, or templates.</h3>
|
||||
[[end]]
|
19
doc/templates/module_list.html
vendored
Normal file
19
doc/templates/module_list.html
vendored
Normal file
@ -0,0 +1,19 @@
|
||||
[[if mod_layer]]
|
||||
<h1>Layer: [[mod_layer]]</h1><p/>
|
||||
[[if layer_summary]]
|
||||
<p>[[layer_summary]]</p><br/>
|
||||
[[end]]
|
||||
[[end]]
|
||||
<table border="1" cellspacing="0" cellpadding="3" width="75%">
|
||||
<tr><td class="title">Module:</td><td class="title">Description:</td></tr>
|
||||
[[for layer_name, layer_mods in menulist]]
|
||||
[[for module, s in layer_mods]]
|
||||
<tr><td>
|
||||
<a href='[[layer_name + "_" + module]].html'>
|
||||
[[module]]</a></td>
|
||||
<td>[[s]]</td>
|
||||
[[end]]
|
||||
</td></tr>
|
||||
[[end]]
|
||||
</table>
|
||||
<p/><br/><br/>
|
216
doc/templates/style.css
vendored
Normal file
216
doc/templates/style.css
vendored
Normal file
@ -0,0 +1,216 @@
|
||||
body {
|
||||
margin:0px;
|
||||
padding:0px;
|
||||
font-family:verdana, arial, helvetica, sans-serif;
|
||||
color:#333;
|
||||
background-color:white;
|
||||
}
|
||||
h1 {
|
||||
margin:0px 0px 5px 0px;
|
||||
padding:0px;
|
||||
font-size:150%
|
||||
line-height:28px;
|
||||
font-weight:900;
|
||||
color:#ccc;
|
||||
}
|
||||
h2 {
|
||||
font-size:125%;
|
||||
margin:0px;
|
||||
padding:5px 0px 10px 0px;
|
||||
}
|
||||
h3 {
|
||||
font-size:110%;
|
||||
margin:0px;
|
||||
padding:5px 0px 10px 5px;
|
||||
}
|
||||
h4 {
|
||||
font-size:100%;
|
||||
margin:0px;
|
||||
padding:5px 0px 10px 5px;
|
||||
}
|
||||
h5 {
|
||||
font-size:100%;
|
||||
margin:0px;
|
||||
font-weight:600;
|
||||
padding:0px 0px 5px 0px;
|
||||
margin:0px 0px 0px 5px;
|
||||
}
|
||||
li {
|
||||
font:11px/20px verdana, arial, helvetica, sans-serif;
|
||||
margin:0px 0px 0px 10px;
|
||||
padding:0px;
|
||||
}
|
||||
p {
|
||||
/* normal */
|
||||
font:11px/20px verdana, arial, helvetica, sans-serif;
|
||||
margin:0px 0px 0px 10px;
|
||||
padding:0px;
|
||||
}
|
||||
|
||||
tt {
|
||||
/* inline code */
|
||||
font-family: monospace;
|
||||
}
|
||||
|
||||
table {
|
||||
background-color:#efefef;
|
||||
/*background-color: white;*/
|
||||
border-style:solid;
|
||||
border-color:black;
|
||||
border-width:0px 1px 1px 0px;
|
||||
color: black;
|
||||
text-align: left;
|
||||
font:11px/20px verdana, arial, helvetica, sans-serif;
|
||||
margin-left: 5%;
|
||||
margin-right: 5%;
|
||||
}
|
||||
|
||||
th {
|
||||
font-weight:500;
|
||||
background-color: #eaeaef;
|
||||
text-align: center;
|
||||
}
|
||||
|
||||
td.header {
|
||||
font-weight: bold;
|
||||
}
|
||||
|
||||
#Content>p {margin:0px;}
|
||||
#Content>p+p {text-indent:30px;}
|
||||
a {
|
||||
color:#09c;
|
||||
font-size:11px;
|
||||
text-decoration:none;
|
||||
font-weight:600;
|
||||
font-family:verdana, arial, helvetica, sans-serif;
|
||||
}
|
||||
a:link {color:#09c;}
|
||||
a:visited {color:#07a;}
|
||||
a:hover {background-color:#eee;}
|
||||
|
||||
#Codeblock {
|
||||
margin:5px 50px 5px 10px;
|
||||
padding:5px 0px 5px 15px;
|
||||
border-style:solid;
|
||||
border-color:lightgrey;
|
||||
border-width:1px 1px 1px 1px;
|
||||
background-color:#f5f5ff;
|
||||
font-size:100%;
|
||||
font-weight:600;
|
||||
text-decoration:none;
|
||||
font-family:monospace;
|
||||
}
|
||||
#Interface {
|
||||
margin:5px 0px 25px 5px;
|
||||
padding:5px 0px 5px 5px;
|
||||
border-style:solid;
|
||||
border-color:black;
|
||||
border-width:1px 1px 1px 1px;
|
||||
background-color:#fafafa;
|
||||
font-size:14px;
|
||||
font-weight:400;
|
||||
text-decoration:none;
|
||||
font-family:verdana, arial, helvetica, sans-serif;
|
||||
}
|
||||
#Interfacesmall {
|
||||
margin:0px 0px 5px 0px;
|
||||
padding:5px 0px 0px 5px;
|
||||
border-style:solid;
|
||||
border-color:black;
|
||||
border-width:1px 1px 1px 1px;
|
||||
background-color:#fafafa;
|
||||
font-size:14px;
|
||||
font-weight:400;
|
||||
text-decoration:none;
|
||||
font-family:verdana, arial, helvetica, sans-serif;
|
||||
}
|
||||
#Template {
|
||||
margin:5px 0px 25px 5px;
|
||||
padding:5px 0px 5px 5px;
|
||||
border-style:solid;
|
||||
border-color:black;
|
||||
border-width:1px 1px 1px 1px;
|
||||
background-color:#fafafa;
|
||||
font-size:14px;
|
||||
font-weight:400;
|
||||
text-decoration:none;
|
||||
font-family:verdana, arial, helvetica, sans-serif;
|
||||
}
|
||||
#Templatesmall {
|
||||
margin:0px 0px 5px 0px;
|
||||
padding:5px 0px 0px 5px;
|
||||
border-style:solid;
|
||||
border-color:black;
|
||||
border-width:1px 1px 1px 1px;
|
||||
background-color:#fafafa;
|
||||
font-size:14px;
|
||||
font-weight:400;
|
||||
text-decoration:none;
|
||||
font-family:verdana, arial, helvetica, sans-serif;
|
||||
}
|
||||
#Description {
|
||||
margin:0px 0px 0px 5px;
|
||||
padding:0px 0px 0px 5px;
|
||||
text-decoration:none;
|
||||
font-family:verdana, arial, helvetica, sans-serif;
|
||||
font-size:12px;
|
||||
font-weight:400;
|
||||
}
|
||||
pre {
|
||||
margin:0px;
|
||||
padding:0px;
|
||||
font-size:14px;
|
||||
text-decoration:none;
|
||||
font-family:verdana, arial, helvetica, sans-serif;
|
||||
}
|
||||
dl {
|
||||
/* definition text block */
|
||||
font:11px/20px verdana, arial, helvetica, sans-serif;
|
||||
margin:0px 0px 16px 0px;
|
||||
padding:0px;
|
||||
}
|
||||
dt {
|
||||
/* definition term */
|
||||
font-weight: bold;
|
||||
}
|
||||
|
||||
#Header {
|
||||
margin:50px 0px 10px 0px;
|
||||
padding:17px 0px 0px 20px;
|
||||
/* For IE5/Win's benefit height = [correct height] + [top padding] + [top and bottom border widths] */
|
||||
height:33px; /* 14px + 17px + 2px = 33px */
|
||||
border-style:solid;
|
||||
border-color:black;
|
||||
border-width:1px 0px; /* top and bottom borders: 1px; left and right borders: 0px */
|
||||
line-height:11px;
|
||||
font-size:110%;
|
||||
background-color:#eee;
|
||||
voice-family: "\"}\"";
|
||||
voice-family:inherit;
|
||||
height:14px; /* the correct height */
|
||||
}
|
||||
body>#Header {height:14px;}
|
||||
#Content {
|
||||
margin:0px 50px 0px 200px;
|
||||
padding:10px;
|
||||
}
|
||||
|
||||
#Menu {
|
||||
position:absolute;
|
||||
top:100px;
|
||||
left:20px;
|
||||
width:162px;
|
||||
padding:10px;
|
||||
background-color:#eee;
|
||||
border:1px solid #aaa;
|
||||
line-height:17px;
|
||||
text-align:left;
|
||||
voice-family: "\"}\"";
|
||||
voice-family:inherit;
|
||||
width:160px;
|
||||
}
|
||||
#Menu subitem {
|
||||
font-size: 5px;
|
||||
}
|
||||
|
||||
body>#Menu {width:160px;}
|
33
doc/templates/temp_list.html
vendored
Normal file
33
doc/templates/temp_list.html
vendored
Normal file
@ -0,0 +1,33 @@
|
||||
<h3>Master template index:</h3>
|
||||
|
||||
[[for temp in templates]]
|
||||
<div id="templatesmall">
|
||||
Module: <a href='[[temp['mod_layer']+ "_" + temp['mod_name'] + ".html#link_" + temp['template_name']]]'>
|
||||
[[temp['mod_name']]]</a><p/>
|
||||
Layer: <a href='[[temp['mod_layer']]].html'>
|
||||
[[temp['mod_layer']]]</a><p/>
|
||||
<div id="codeblock">
|
||||
[[exec i = 0]]
|
||||
<b>[[temp['template_name']]]</b>(
|
||||
[[for arg in temp['template_parameters']]]
|
||||
[[if i != 0]]
|
||||
,
|
||||
[[end]]
|
||||
[[exec i = 1]]
|
||||
[[if arg['optional'] == 'yes']]
|
||||
[
|
||||
[[end]]
|
||||
[[arg['name']]]
|
||||
[[if arg['optional'] == 'yes']]
|
||||
]
|
||||
[[end]]
|
||||
[[end]]
|
||||
)<br>
|
||||
</div>
|
||||
[[if temp['template_summary']]]
|
||||
<div id="description">
|
||||
[[temp['template_summary']]]
|
||||
</div>
|
||||
[[end]]
|
||||
</div>
|
||||
[[end]]
|
50
doc/templates/template.html
vendored
Normal file
50
doc/templates/template.html
vendored
Normal file
@ -0,0 +1,50 @@
|
||||
[[for temp in templates]]
|
||||
<a name="link_[[temp['template_name']]]"></a>
|
||||
<div id="template">
|
||||
[[if temp.has_key("mod_layer")]]
|
||||
Layer: [[mod_layer]]<br>
|
||||
[[end]]
|
||||
[[if temp.has_key("mod_name")]]
|
||||
Module: [[mod_name]]<br>
|
||||
[[end]]
|
||||
<div id="codeblock">
|
||||
[[exec i = 0]]
|
||||
<b>[[temp['template_name']]]</b>(
|
||||
[[for arg in temp['template_parameters']]]
|
||||
[[if i != 0]]
|
||||
,
|
||||
[[end]]
|
||||
[[exec i = 1]]
|
||||
[[if arg['optional'] == 'yes']]
|
||||
[
|
||||
[[end]]
|
||||
[[arg['name']]]
|
||||
[[if arg['optional'] == 'yes']]
|
||||
]
|
||||
[[end]]
|
||||
[[end]]
|
||||
)<br>
|
||||
</div>
|
||||
<div id="description">
|
||||
[[if temp['template_summary']]]
|
||||
<h5>Summary</h5>
|
||||
[[temp['template_summary']]]
|
||||
[[end]]
|
||||
[[if temp['template_desc']]]
|
||||
<h5>Description</h5>
|
||||
[[temp['template_desc']]]
|
||||
[[end]]
|
||||
<h5>Parameters</h5>
|
||||
<table border="1" cellspacing="0" cellpadding="3" width="65%">
|
||||
<tr><th >Parameter:</th><th >Description:</th></tr>
|
||||
[[for arg in temp['template_parameters']]]
|
||||
<tr><td>
|
||||
[[arg['name']]]
|
||||
</td><td>
|
||||
[[arg['desc']]]
|
||||
</td></tr>
|
||||
[[end]]
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
[[end]]
|
23
doc/templates/tun_list.html
vendored
Normal file
23
doc/templates/tun_list.html
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
<h3>Master tunable index:</h3>
|
||||
|
||||
[[for tun in tunables]]
|
||||
<div id="interfacesmall">
|
||||
[[if tun.has_key('mod_layer')]]
|
||||
Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'>
|
||||
[[tun['mod_name']]]</a><p/>
|
||||
Layer: <a href='[[tun['mod_layer']]].html'>
|
||||
[[tun['mod_layer']]]</a><p/>
|
||||
[[else]]
|
||||
Global
|
||||
[[end]]
|
||||
<div id="codeblock">
|
||||
[[tun['tun_name']]]
|
||||
<small>(Default: [[tun['def_val']]])</small>
|
||||
</div>
|
||||
[[if tun['desc']]]
|
||||
<div id="description">
|
||||
[[tun['desc']]]
|
||||
</div>
|
||||
[[end]]
|
||||
</div>
|
||||
[[end]]
|
13
doc/templates/tunable.html
vendored
Normal file
13
doc/templates/tunable.html
vendored
Normal file
@ -0,0 +1,13 @@
|
||||
[[for tun in tunables]]
|
||||
<a name="link_[[tun['tun_name']]]"></a>
|
||||
<div id="interface">
|
||||
<div id="codeblock">[[tun['tun_name']]]</div>
|
||||
<div id="description">
|
||||
<h5>Default value</h5>
|
||||
<p>[[tun['def_val']]]</p>
|
||||
[[if tun['desc']]]
|
||||
<h5>Description</h5>
|
||||
[[tun['desc']]]
|
||||
[[end]]
|
||||
</div></div>
|
||||
[[end]]
|
65
man/man8/ftpd_selinux.8
Normal file
65
man/man8/ftpd_selinux.8
Normal file
@ -0,0 +1,65 @@
|
||||
.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
|
||||
.SH "NAME"
|
||||
.PP
|
||||
ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
|
||||
.SH FILE_CONTEXTS
|
||||
.PP
|
||||
SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files.
|
||||
.TP
|
||||
Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
|
||||
.PP
|
||||
.B
|
||||
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
|
||||
.TP
|
||||
.B
|
||||
restorecon -F -R -v /var/ftp
|
||||
.TP
|
||||
Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
|
||||
.PP
|
||||
.B
|
||||
semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
|
||||
.TP
|
||||
.B
|
||||
restorecon -F -R -v /var/ftp/incoming
|
||||
|
||||
.SH BOOLEANS
|
||||
.PP
|
||||
SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
|
||||
.TP
|
||||
Allow ftp servers to read and write files with the public_content_rw_t file type.
|
||||
.PP
|
||||
.B
|
||||
setsebool -P allow_ftpd_anon_write on
|
||||
.TP
|
||||
Allow ftp servers to read or write files in the user home directories.
|
||||
.PP
|
||||
.B
|
||||
setsebool -P ftp_home_dir on
|
||||
.TP
|
||||
Allow ftp servers to read or write all files on the system.
|
||||
.PP
|
||||
.B
|
||||
setsebool -P allow_ftpd_full_access on
|
||||
.TP
|
||||
Allow ftp servers to use cifs for public file transfer services.
|
||||
.PP
|
||||
.B
|
||||
setsebool -P allow_ftpd_use_cifs on
|
||||
.TP
|
||||
Allow ftp servers to use nfs for public file transfer services.
|
||||
.PP
|
||||
.B
|
||||
setsebool -P allow_ftpd_use_nfs on
|
||||
.TP
|
||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
.PP
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
|
||||
selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
|
109
man/man8/git_selinux.8
Normal file
109
man/man8/git_selinux.8
Normal file
@ -0,0 +1,109 @@
|
||||
.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "NAME"
|
||||
git_selinux \- Security Enhanced Linux Policy for the Git daemon.
|
||||
.SH "DESCRIPTION"
|
||||
Security-Enhanced Linux secures the Git server via flexible mandatory access
|
||||
control.
|
||||
.SH FILE_CONTEXTS
|
||||
SELinux requires files to have an extended attribute to define the file type.
|
||||
Policy governs the access daemons have to these files.
|
||||
SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
|
||||
.PP
|
||||
The following file contexts types are by default defined for Git:
|
||||
.EX
|
||||
git_system_content_t
|
||||
.EE
|
||||
- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
|
||||
.EX
|
||||
git_session_content_t
|
||||
.EE
|
||||
- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
|
||||
.SH BOOLEANS
|
||||
SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
|
||||
.PP
|
||||
Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
|
||||
.EX
|
||||
sudo setsebool -P git_system_enable_homedirs 1
|
||||
.EE
|
||||
.PP
|
||||
Allow the Git system daemon to read system shared repositories on NFS shares.
|
||||
.EX
|
||||
sudo setsebool -P git_system_use_nfs 1
|
||||
.EE
|
||||
.PP
|
||||
Allow the Git system daemon to read system shared repositories on Samba shares.
|
||||
.EX
|
||||
sudo setsebool -P git_system_use_cifs 1
|
||||
.EE
|
||||
.PP
|
||||
Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
|
||||
.EX
|
||||
sudo setsebool -P use_nfs_home_dirs 1
|
||||
.EE
|
||||
.PP
|
||||
Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
|
||||
.EX
|
||||
sudo setsebool -P use_samba_home_dirs 1
|
||||
.EE
|
||||
.PP
|
||||
To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
|
||||
.EX
|
||||
sudo setsebool -P git_system_enable_homedirs 1
|
||||
.EE
|
||||
.PP
|
||||
To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
|
||||
.EX
|
||||
sudo setsebool -P git_session_bind_all_unreserved_ports 1
|
||||
.EE
|
||||
.SH GIT_SHELL
|
||||
The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
|
||||
.PP
|
||||
To add a new Linux user and map him to this Git shell user domain automatically:
|
||||
.EX
|
||||
sudo useradd -Z git_shell_u joe
|
||||
.EE
|
||||
.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
|
||||
Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
|
||||
.PP
|
||||
To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
|
||||
.EX
|
||||
policy_module(project1, 1.0.0)
|
||||
git_content_template(project1)
|
||||
.EE
|
||||
Next create a file named project1.fc and add a file context specification for the new repository type to it:
|
||||
.EX
|
||||
/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
|
||||
.EE
|
||||
Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
|
||||
.EX
|
||||
make -f /usr/share/selinux/devel/Makefile project.pp
|
||||
sudo semodule -i project1.pp
|
||||
sudo restorecon -R -v /srv/git/project1
|
||||
.EE
|
||||
To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
|
||||
.EX
|
||||
policy_module(project1user, 1.0.0)
|
||||
git_role_template(project1user)
|
||||
git_content_delegation(project1user_t, git_project1_content_t)
|
||||
gen_user(project1user_u, user, project1user_r, s0, s0)
|
||||
.EE
|
||||
Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
|
||||
.EX
|
||||
make -f /usr/share/selinux/devel/Makefile project1user.pp
|
||||
sudo semodule -i project1user.pp
|
||||
sudo useradd -Z project1user_u jane
|
||||
.EE
|
||||
.PP
|
||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dominick Grift <domg472@gmail.com>.
|
||||
.SH "SEE ALSO"
|
||||
selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
|
120
man/man8/httpd_selinux.8
Normal file
120
man/man8/httpd_selinux.8
Normal file
@ -0,0 +1,120 @@
|
||||
.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "NAME"
|
||||
httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
Security-Enhanced Linux secures the httpd server via flexible mandatory access
|
||||
control.
|
||||
.SH FILE_CONTEXTS
|
||||
SELinux requires files to have an extended attribute to define the file type.
|
||||
Policy governs the access daemons have to these files.
|
||||
SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
|
||||
.PP
|
||||
The following file contexts types are defined for httpd:
|
||||
.EX
|
||||
httpd_sys_content_t
|
||||
.EE
|
||||
- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
|
||||
.EX
|
||||
httpd_sys_script_exec_t
|
||||
.EE
|
||||
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
|
||||
.EX
|
||||
httpd_sys_content_rw_t
|
||||
.EE
|
||||
- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
|
||||
.EX
|
||||
httpd_sys_content_ra_t
|
||||
.EE
|
||||
- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
|
||||
.EX
|
||||
httpd_unconfined_script_exec_t
|
||||
.EE
|
||||
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
|
||||
|
||||
.SH NOTE
|
||||
With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
|
||||
|
||||
.SH SHARING FILES
|
||||
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
|
||||
|
||||
.EX
|
||||
setsebool -P allow_httpd_anon_write=1
|
||||
.EE
|
||||
|
||||
or
|
||||
|
||||
.EX
|
||||
setsebool -P allow_httpd_sys_script_anon_write=1
|
||||
.EE
|
||||
|
||||
.SH BOOLEANS
|
||||
SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
|
||||
.PP
|
||||
httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_enable_cgi 1
|
||||
.EE
|
||||
|
||||
.PP
|
||||
SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_enable_homedirs 1
|
||||
chcon -R -t httpd_sys_content_t ~user/public_html
|
||||
.EE
|
||||
|
||||
.PP
|
||||
SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_tty_comm 1
|
||||
.EE
|
||||
|
||||
.PP
|
||||
httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_unified 0
|
||||
.EE
|
||||
|
||||
.PP
|
||||
SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_can_sendmail 1
|
||||
.PP
|
||||
httpd can be configured to turn off internal scripting (PHP). PHP and other
|
||||
loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_builtin_scripting 0
|
||||
.EE
|
||||
|
||||
.PP
|
||||
SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
|
||||
This would prevent a hacker from breaking into you httpd server and attacking
|
||||
other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_can_network_connect 1
|
||||
.EE
|
||||
|
||||
.PP
|
||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
selinux(8), httpd(8), chcon(1), setsebool(8)
|
||||
|
||||
|
28
man/man8/kerberos_selinux.8
Normal file
28
man/man8/kerberos_selinux.8
Normal file
@ -0,0 +1,28 @@
|
||||
.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "NAME"
|
||||
kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
Security-Enhanced Linux secures the system via flexible mandatory access
|
||||
control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
|
||||
.SH BOOLEANS
|
||||
.PP
|
||||
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
|
||||
.EX
|
||||
setsebool -P allow_kerberos 1
|
||||
.EE
|
||||
.PP
|
||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
selinux(8), kerberos(1), chcon(1), setsebool(8)
|
30
man/man8/named_selinux.8
Normal file
30
man/man8/named_selinux.8
Normal file
@ -0,0 +1,30 @@
|
||||
.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "NAME"
|
||||
named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
Security-Enhanced Linux secures the named server via flexible mandatory access
|
||||
control.
|
||||
.SH BOOLEANS
|
||||
SELinux policy is customizable based on least access required. So by
|
||||
default SElinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
|
||||
.EX
|
||||
setsebool -P named_write_master_zones 1
|
||||
.EE
|
||||
.PP
|
||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
selinux(8), named(8), chcon(1), setsebool(8)
|
||||
|
||||
|
31
man/man8/nfs_selinux.8
Normal file
31
man/man8/nfs_selinux.8
Normal file
@ -0,0 +1,31 @@
|
||||
.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
|
||||
.SH "NAME"
|
||||
nfs_selinux \- Security Enhanced Linux Policy for NFS
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
Security Enhanced Linux secures the NFS server via flexible mandatory access
|
||||
control.
|
||||
.SH BOOLEANS
|
||||
SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
|
||||
|
||||
.TP
|
||||
setsebool -P nfs_export_all_ro 1
|
||||
.TP
|
||||
If you want to share files read/write you must set the nfs_export_all_rw boolean.
|
||||
.TP
|
||||
setsebool -P nfs_export_all_rw 1
|
||||
|
||||
.TP
|
||||
These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
|
||||
|
||||
.TP
|
||||
If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
|
||||
.TP
|
||||
setsebool -P use_nfs_home_dirs 1
|
||||
.TP
|
||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
selinux(8), chcon(1), setsebool(8)
|
1
man/man8/nis_selinux.8
Normal file
1
man/man8/nis_selinux.8
Normal file
@ -0,0 +1 @@
|
||||
.so man8/ypbind_selinux.8
|
52
man/man8/rsync_selinux.8
Normal file
52
man/man8/rsync_selinux.8
Normal file
@ -0,0 +1,52 @@
|
||||
.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "NAME"
|
||||
rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
Security-Enhanced Linux secures the rsync server via flexible mandatory access
|
||||
control.
|
||||
.SH FILE_CONTEXTS
|
||||
SELinux requires files to have an extended attribute to define the file type.
|
||||
Policy governs the access daemons have to these files.
|
||||
If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
|
||||
would need to label the directory with the chcon tool.
|
||||
.TP
|
||||
chcon -t public_content_t /var/rsync
|
||||
.TP
|
||||
.TP
|
||||
To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
|
||||
.TP
|
||||
semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
|
||||
.TP
|
||||
This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
|
||||
.TP
|
||||
/var/rsync(/.*)? system_u:object_r:publix_content_t:s0
|
||||
.TP
|
||||
Run the restorecon command to apply the changes:
|
||||
.TP
|
||||
restorecon -R -v /var/rsync/
|
||||
.EE
|
||||
|
||||
.SH SHARING FILES
|
||||
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute:
|
||||
|
||||
.EX
|
||||
setsebool -P allow_rsync_anon_write=1
|
||||
.EE
|
||||
|
||||
.SH BOOLEANS
|
||||
.TP
|
||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
|
56
man/man8/samba_selinux.8
Normal file
56
man/man8/samba_selinux.8
Normal file
@ -0,0 +1,56 @@
|
||||
.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
|
||||
.SH "NAME"
|
||||
samba_selinux \- Security Enhanced Linux Policy for Samba
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
Security-Enhanced Linux secures the Samba server via flexible mandatory access
|
||||
control.
|
||||
.SH FILE_CONTEXTS
|
||||
SELinux requires files to have an extended attribute to define the file type.
|
||||
Policy governs the access daemons have to these files.
|
||||
If you want to share files other than home directories, those files must be
|
||||
labeled samba_share_t. So if you created a special directory /var/eng, you
|
||||
would need to label the directory with the chcon tool.
|
||||
.TP
|
||||
chcon -t samba_share_t /var/eng
|
||||
.TP
|
||||
To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
|
||||
.TP
|
||||
semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
|
||||
.TP
|
||||
This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
|
||||
.TP
|
||||
/var/eng(/.*)? system_u:object_r:samba_share_t:s0
|
||||
.TP
|
||||
Run the restorecon command to apply the changes:
|
||||
.TP
|
||||
restorecon -R -v /var/eng/
|
||||
|
||||
.SH SHARING FILES
|
||||
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
|
||||
|
||||
setsebool -P allow_smbd_anon_write=1
|
||||
|
||||
.SH BOOLEANS
|
||||
.br
|
||||
SELinux policy is customizable based on least access required. So by
|
||||
default SElinux policy turns off SELinux sharing of home directories and
|
||||
the use of Samba shares from a remote machine as a home directory.
|
||||
.TP
|
||||
If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
|
||||
.br
|
||||
|
||||
setsebool -P samba_enable_home_dirs 1
|
||||
.TP
|
||||
If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
|
||||
.br
|
||||
|
||||
setsebool -P use_samba_home_dirs 1
|
||||
.TP
|
||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
|
19
man/man8/ypbind_selinux.8
Normal file
19
man/man8/ypbind_selinux.8
Normal file
@ -0,0 +1,19 @@
|
||||
.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
|
||||
.SH "NAME"
|
||||
ypbind_selinux \- Security Enhanced Linux Policy for NIS.
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
Security-Enhanced Linux secures the system via flexible mandatory access
|
||||
control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
|
||||
.SH BOOLEANS
|
||||
.TP
|
||||
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
|
||||
.TP
|
||||
setsebool -P allow_ypbind 1
|
||||
.TP
|
||||
system-config-selinux is a GUI tool available to customize SELinux policy settings.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
selinux(8), ypbind(8), chcon(1), setsebool(8)
|
57
man/ru/man8/ftpd_selinux.8
Normal file
57
man/ru/man8/ftpd_selinux.8
Normal file
@ -0,0 +1,57 @@
|
||||
.TH "ftpd_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
|
||||
.SH "НАЗВАНИЕ"
|
||||
ftpd_selinux \- Политика Security Enhanced Linux для демона ftp
|
||||
.SH "ОПИСАНИЕ"
|
||||
|
||||
Security-Enhanced Linux обеспечивает защиту сервера ftpd при помощи гибко настраиваемого мандатного контроля доступа.
|
||||
.SH КОНТЕКСТ ФАЙЛОВ
|
||||
SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
|
||||
Политика управляет видом доступа демона к этим файлам. Если вы хотите организовать анонимный
|
||||
доступ к файлам, вы должны присвоить этим файлам и директориям контекст public_content_t.
|
||||
Таким образом, если вы создаете специальную директорию /var/ftp, то вам необходимо установить контекст для этой директории при помощи утилиты chcon.
|
||||
.TP
|
||||
chcon -R -t public_content_t /var/ftp
|
||||
.TP
|
||||
Если вы хотите задать директорию, в которую вы собираетесь загружать файлы, то вы должны
|
||||
установить контекст ftpd_anon_rw_t. Таким образом, если вы создаете специальную директорию /var/ftp/incoming, то вам необходимо установить контекст для этой директории при помощи утилиты chcon.
|
||||
.TP
|
||||
chcon -t public_content_rw_t /var/ftp/incoming
|
||||
.TP
|
||||
Вы также должны включить переключатель allow_ftpd_anon_write.
|
||||
.TP
|
||||
setsebool -P allow_ftpd_anon_write=1
|
||||
.TP
|
||||
Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
|
||||
при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
|
||||
.TP
|
||||
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
|
||||
.br
|
||||
/var/ftp(/.*)? system_u:object_r:public_content_t
|
||||
/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
|
||||
|
||||
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
|
||||
Политика SELinux для демона ftp настроена исходя из принципа наименьших привелегий. Таким
|
||||
образом, по умолчанию политика SELinux не позволяет пользователям заходить на сервер и
|
||||
читать содержимое их домашних директорий.
|
||||
.br
|
||||
Если вы настраиваете данную машину как ftpd-сервер и хотите, чтобы пользователи могли получать
|
||||
доступ к своим домашним директориям, то вам необходимо установить переключатель ftp_home_dir.
|
||||
.TP
|
||||
setsebool -P ftp_home_dir 1
|
||||
.TP
|
||||
ftpd может функционировать как самостоятельный демон, а также как часть домена xinetd. Если вы
|
||||
хотите, чтобы ftpd работал как демон, вы должны установить переключатель ftpd_is_daemon.
|
||||
.TP
|
||||
setsebool -P ftpd_is_daemon 1
|
||||
.br
|
||||
service vsftpd restart
|
||||
.TP
|
||||
Для управления настройками SELinux существует графическая утилита system-config-selinux.
|
||||
.SH АВТОРЫ
|
||||
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
|
||||
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
|
||||
|
||||
.SH "СМОТРИ ТАКЖЕ"
|
||||
selinux(8), ftpd(8), chcon(1), setsebool(8)
|
||||
|
||||
|
137
man/ru/man8/httpd_selinux.8
Normal file
137
man/ru/man8/httpd_selinux.8
Normal file
@ -0,0 +1,137 @@
|
||||
.TH "httpd_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "НАЗВАНИЕ"
|
||||
httpd_selinux \- Политика Security Enhanced Linux для демона httpd
|
||||
.SH "ОПИСАНИЕ"
|
||||
|
||||
Security-Enhanced Linux обеспечивает защиту сервера httpd при помощи гибко настраиваемого мандатного контроля доступа.
|
||||
.SH КОНТЕКСТ ФАЙЛОВ
|
||||
SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
|
||||
Политика управляет видом доступа демона к этим файлам.
|
||||
Политика SELinux для демона httpd позволяет пользователям настроить web-службы максимально безопасным методом с высокой степенью гибкости.
|
||||
.PP
|
||||
Для httpd определены следующие контексты файлов:
|
||||
.EX
|
||||
httpd_sys_content_t
|
||||
.EE
|
||||
- Установите контекст httpd_sys_content_t для содержимого, которое должно быть доступно для всех скриптов httpd и для самого демона.
|
||||
.EX
|
||||
httpd_sys_script_exec_t
|
||||
.EE
|
||||
- Установите контекст httpd_sys_script_exec_t для cgi-скриптов, чтобы разрешить им доступ ко всем sys-типам.
|
||||
.EX
|
||||
httpd_sys_script_ro_t
|
||||
.EE
|
||||
- Установите на файлы контекст httpd_sys_script_ro_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать данные, и при этом нужно запретить доступ другим не-sys скриптам.
|
||||
.EX
|
||||
httpd_sys_script_rw_t
|
||||
.EE
|
||||
- Установите на файлы контекст httpd_sys_script_rw_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и писать данные, и при этом нужно запретить доступ другим не-sys скриптам.
|
||||
.EX
|
||||
httpd_sys_script_ra_t
|
||||
.EE
|
||||
- Установите на файлы контекст httpd_sys_script_ra_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и добавлять данные, и при этом нужно запретить доступ другим не-sys скриптам.
|
||||
.EX
|
||||
httpd_unconfined_script_exec_t
|
||||
.EE
|
||||
- Установите на cgi-скрипты контекст httpd_unconfined_script_exec_t если вы хотите разрешить
|
||||
им исполняться без какой-либо защиты SELinux. Такой способ должен использоваться только для
|
||||
скриптов с очень комплексными требованиями, и только в случае, если все остальные варианты настройки не дали результата. Лучше использовать скрипты с контекстом httpd_unconfined_script_exec_t, чем выключать защиту SELinux для httpd.
|
||||
|
||||
.SH ЗАМЕЧАНИЕ
|
||||
Вместе с некоторыми политиками, вы можете определить дополнительные контексты файлов, основанные
|
||||
на ролях, таких как user или staff. Может быть определен контекст httpd_user_script_exec_t, который будет иметь доступ только к "пользовательским" контекстам.
|
||||
|
||||
.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
|
||||
Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
|
||||
доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
|
||||
Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
|
||||
Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
|
||||
установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для httpd вы должны выполнить команду:
|
||||
|
||||
.EX
|
||||
setsebool -P allow_httpd_anon_write=1
|
||||
.EE
|
||||
|
||||
или
|
||||
|
||||
.EX
|
||||
setsebool -P allow_httpd_sys_script_anon_write=1
|
||||
.EE
|
||||
|
||||
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
|
||||
Политика SELinux настроена исходя из принципа наименьших привилегий. Таким образом,
|
||||
по умолчанию SELinux препятствует работе некоторых http-скриптов. Политика httpd весьма
|
||||
гибка, и существующие переключатели управляют политикой, позволяя httpd выполняться
|
||||
с наименее возможными правами доступа.
|
||||
.PP
|
||||
Если вы хотите, чтобы httpd мог исполнять cgi-скрипты, установите переключатель httpd_enable_cgi
|
||||
.EX
|
||||
setsebool -P httpd_enable_cgi 1
|
||||
.EE
|
||||
|
||||
.PP
|
||||
По умолчанию демону httpd не разрешен доступ в домашние дерикториии пользователей. Если вы хотите разрешить доступ, вам необходимо установить переключатель httpd_enable_homedirs и изменить контекст
|
||||
тех файлов в домашних директориях пользователей, к которым должен быть разрешен доступ.
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_enable_homedirs 1
|
||||
chcon -R -t httpd_sys_content_t ~user/public_html
|
||||
.EE
|
||||
|
||||
.PP
|
||||
По умолчанию демон httpd не имеет доступ к управляющему терминалу. В большинстве случаев такое
|
||||
поведение является предпочтительным. Это связанно с тем, что злоумышленник может попытаться
|
||||
использовать доступ к терминалу для получения привилегий. Однако, в некоторых ситуациях демон
|
||||
httpd должен выводить запрос пароля для открытия файла сертификата и в таких случаях нужен доступ
|
||||
к терминалу. Для того, чтобы разрешить доступ к терминалу, установите переключатель httpd_tty_comm.
|
||||
.EX
|
||||
setsebool -P httpd_tty_comm 1
|
||||
.EE
|
||||
|
||||
.PP
|
||||
httpd может быть настроен так, чтобы не разграничивать тип доступа к файлу на основании контекста.
|
||||
Иными словами, ко всем файлам, имеющим контекст httpd разрешен доступ на чтение/запись/исполнение.
|
||||
Установка этого переключателя в false, позволяет настроить политику безопасности таким образом,
|
||||
что одина служба httpd не конфликтует с другой.
|
||||
.EX
|
||||
setsebool -P httpd_unified 0
|
||||
.EE
|
||||
|
||||
.PP
|
||||
Имеется возможность настроить httpd таким образом, чтобы отключить встроенную поддержку
|
||||
скриптов (PHP). PHP и другие загружаемые модули работают в том же контексте, что и httpd.
|
||||
Таким образом, если используются только внешние cgi-скрипты, некоторые из правил политики
|
||||
разрешают httpd больший доступ к системе, чем необходимо.
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_builtin_scripting 0
|
||||
.EE
|
||||
|
||||
.PP
|
||||
По умолчанию httpd-скриптам запрещено устанавливать внешние сетевые подключения.
|
||||
Это не позволит хакеру, взломавшему ваш httpd-сервер, атаковать другие машины.
|
||||
Если вашим скриптам необходимо иметь возможность подключения, установите переключатель
|
||||
httpd_can_network_connect
|
||||
|
||||
.EX
|
||||
setsebool -P httpd_can_network_connect 1
|
||||
.EE
|
||||
|
||||
.PP
|
||||
Для управления настройками SELinux существует графическая утилита system-config-selinux.
|
||||
.SH АВТОРЫ
|
||||
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
|
||||
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
|
||||
|
||||
.SH "СМОТРИ ТАКЖЕ"
|
||||
selinux(8), httpd(8), chcon(1), setsebool(8)
|
||||
|
||||
|
30
man/ru/man8/kerberos_selinux.8
Normal file
30
man/ru/man8/kerberos_selinux.8
Normal file
@ -0,0 +1,30 @@
|
||||
.TH "kerberos_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "НАЗВАНИЕ"
|
||||
kerberos_selinux \- Политика Security Enhanced Linux для Kerberos.
|
||||
.SH "ОПИСАНИЕ"
|
||||
|
||||
Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию Kerberos запрещен, поскольку требуется функционирование демонов,
|
||||
которым предоставляется слишком обширный доступ к сети и некоторым чувствительным в плане безопасности файлам.
|
||||
|
||||
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
|
||||
.PP
|
||||
Для того, чтобы система могла корректно работать в окружении Kerberos, вы должны установить переключатель allow_kerberos.
|
||||
.EX
|
||||
setsebool -P allow_kerberos 1
|
||||
.EE
|
||||
.PP
|
||||
Для управления настройками SELinux существует графическая утилита system-config-selinux.
|
||||
.SH АВТОРЫ
|
||||
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
|
||||
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
|
||||
|
||||
.SH "СМОТРИ ТАКЖЕ"
|
||||
selinux(8), kerberos(1), chcon(1), setsebool(8)
|
31
man/ru/man8/named_selinux.8
Normal file
31
man/ru/man8/named_selinux.8
Normal file
@ -0,0 +1,31 @@
|
||||
.TH "named_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "НАЗВАНИЕ"
|
||||
named_selinux \- Политика Security Enhanced Linux для демона Internet Name server (named)
|
||||
.SH "ОПИСАНИЕ"
|
||||
|
||||
Security-Enhanced Linux обеспечивает защиту сервера named при помощи гибко настраиваемого мандатного контроля доступа.
|
||||
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
|
||||
Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом,
|
||||
по умолчанию политика SELinux не позволяет демону named осуществлять изменения файлов мастер-зоны.
|
||||
Если вам необходимо, чтобы named мог обновлять файлы мастер-зоны, вы должны установить переключатель named_write_master_zones boolean.
|
||||
.EX
|
||||
setsebool -P named_write_master_zones 1
|
||||
.EE
|
||||
.PP
|
||||
Для управления настройками SELinux существует графическая утилита system-config-selinux.
|
||||
.SH АВТОРЫ
|
||||
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
|
||||
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
|
||||
|
||||
.SH "СМОТРИ ТАКЖЕ"
|
||||
selinux(8), named(8), chcon(1), setsebool(8)
|
||||
|
||||
|
33
man/ru/man8/nfs_selinux.8
Normal file
33
man/ru/man8/nfs_selinux.8
Normal file
@ -0,0 +1,33 @@
|
||||
.TH "nfs_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
|
||||
.SH "НАЗВАНИЕ"
|
||||
nfs_selinux \- Политика Security Enhanced Linux для NFS
|
||||
.SH "ОПИСАНИЕ"
|
||||
|
||||
Security-Enhanced Linux защищает сервер nfs при помощи гибко настраиваемого мандатного контроля доступа.
|
||||
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
|
||||
Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом,
|
||||
по умолчанию политика SELinux не позволяет предоставлять доступ к файлам по nfs. Если вы хотите
|
||||
разрешить доступ только на чтение к файлам этой машины по nfs, вы должны установить переключатель
|
||||
nfs_export_all_ro.
|
||||
|
||||
.TP
|
||||
setsebool -P nfs_export_all_ro 1
|
||||
.TP
|
||||
Если вы хотите разрешить доступ на чтение/запись, вы должны установить переключатель nfs_export_all_rw.
|
||||
.TP
|
||||
setsebool -P nfs_export_all_rw 1
|
||||
|
||||
.TP
|
||||
Если вы хотите использовать удаленный NFS сервер для хранения домашних директорий этой машины,
|
||||
то вы должны установить переключатель use_nfs_home_dir boolean.
|
||||
.TP
|
||||
setsebool -P use_nfs_home_dirs 1
|
||||
.TP
|
||||
Для управления настройками SELinux существует графическая утилита
|
||||
system-config-selinux.
|
||||
.SH АВТОРЫ
|
||||
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
|
||||
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
|
||||
|
||||
.SH "СМОТРИ ТАКЖЕ"
|
||||
selinux(8), chcon(1), setsebool(8)
|
50
man/ru/man8/rsync_selinux.8
Normal file
50
man/ru/man8/rsync_selinux.8
Normal file
@ -0,0 +1,50 @@
|
||||
.TH "rsync_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
|
||||
.de EX
|
||||
.nf
|
||||
.ft CW
|
||||
..
|
||||
.de EE
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.SH "НАЗВАНИЕ"
|
||||
rsync_selinux \- Политика Security Enhanced Linux для демона rsync
|
||||
.SH "ОПИСАНИЕ"
|
||||
|
||||
Security-Enhanced Linux обеспечивает защиту сервера rsync при помощи гибко настраиваемого мандатного контроля доступа.
|
||||
.SH КОНТЕКСТ ФАЙЛОВ
|
||||
SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
|
||||
Политика управляет видом доступа демона к этим файлам. Если вы хотите предоставить доступ к файлам
|
||||
при помощи демона rsync, вы должны присвоить этим файлам и директориям контекст
|
||||
public_content_t. Таким образом, если вы создаете специальную директорию /var/rsync, то вам
|
||||
необходимо установить контекст для этой директории при помощи утилиты chcon.
|
||||
.TP
|
||||
chcon -t public_content_t /var/rsync
|
||||
.TP
|
||||
Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
|
||||
при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
|
||||
.EX
|
||||
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
|
||||
/var/rsync(/.*)? system_u:object_r:public_content_t
|
||||
.EE
|
||||
|
||||
.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
|
||||
Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
|
||||
доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
|
||||
Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
|
||||
Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
|
||||
установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для rsync вы должны выполнить команду:
|
||||
|
||||
.EX
|
||||
setsebool -P allow_rsync_anon_write=1
|
||||
.EE
|
||||
|
||||
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
|
||||
.TP
|
||||
Для управления настройками SELinux существует графическая утилита system-config-selinux.
|
||||
.SH АВТОРЫ
|
||||
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
|
||||
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
|
||||
|
||||
.SH "СМОТРИ ТАКЖЕ"
|
||||
selinux(8), rsync(1), chcon(1), setsebool(8)
|
60
man/ru/man8/samba_selinux.8
Normal file
60
man/ru/man8/samba_selinux.8
Normal file
@ -0,0 +1,60 @@
|
||||
.TH "samba_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
|
||||
.SH "НАЗВАНИЕ"
|
||||
samba_selinux \- Политика Security Enhanced Linux для Samba
|
||||
.SH "ОПИСАНИЕ"
|
||||
|
||||
Security-Enhanced Linux обеспечивает защиту сервера Samba при помощи гибко настраиваемого мандатного контроля доступа.
|
||||
.SH КОНТЕКСТ ФАЙЛОВ
|
||||
SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
|
||||
Политика управляет видом доступа демона к этим файлам.
|
||||
Если вы хотите предоставить доступ к файлам вовне домашних директорий, этим файлам необходимо
|
||||
присвоить контекст samba_share_t.
|
||||
Таким образом, если вы создаете специальную директорию /var/eng, то вам необходимо
|
||||
установить контекст для этой директории при помощи утилиты chcon.
|
||||
.TP
|
||||
chcon -t samba_share_t /var/eng
|
||||
.TP
|
||||
|
||||
Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
|
||||
при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
|
||||
.TP
|
||||
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
|
||||
.br
|
||||
/var/eng(/.*)? system_u:object_r:samba_share_t
|
||||
|
||||
.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
|
||||
Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
|
||||
доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
|
||||
Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
|
||||
Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
|
||||
установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для samba вы должны выполнить команду:
|
||||
|
||||
setsebool -P allow_smbd_anon_write=1
|
||||
|
||||
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
|
||||
.br
|
||||
Политика SELinux настраивается исходя из принципа наименьших привилегий.
|
||||
Таким образом, по умолчанию политика SELinux не позволяет предоставлять удаленный доступ
|
||||
к домашним директориям и не позволяет использовать удаленный сервер Samba для хранения
|
||||
домашних директорий.
|
||||
.TP
|
||||
Если вы настроили эту машину как сервер Samba и желаете предоставить доступ к домашним
|
||||
директориям, вы должны установить переключатель samba_enable_home_dirs.
|
||||
.br
|
||||
|
||||
setsebool -P samba_enable_home_dirs 1
|
||||
.TP
|
||||
Если вы хотите для хранения домашних директорий пользователей этой машины использовать удаленный
|
||||
сервер Samba, вы должны установить переключатель use_samba_home_dirs.
|
||||
.br
|
||||
|
||||
setsebool -P use_samba_home_dirs 1
|
||||
.TP
|
||||
Для управления настройками SELinux существует графическая утилита system-config-selinux.
|
||||
|
||||
.SH АВТОРЫ
|
||||
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
|
||||
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
|
||||
|
||||
.SH "СМОТРИ ТАКЖЕ"
|
||||
selinux(8), samba(7), chcon(1), setsebool(8)
|
19
man/ru/man8/ypbind_selinux.8
Normal file
19
man/ru/man8/ypbind_selinux.8
Normal file
@ -0,0 +1,19 @@
|
||||
.TH "ypbind_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
|
||||
.SH "НАЗВАНИЕ"
|
||||
ypbind_selinux \- Политика Security Enhanced Linux для NIS.
|
||||
.SH "ОПИСАНИЕ"
|
||||
|
||||
Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию работа NIS запрещена. Это является следствием того, что демоны NIS требуют слишком обширного доступа к сети.
|
||||
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
|
||||
.TP
|
||||
Для того, чтобы система могла работать в окружении NIS, вы должны установить переключатель allow_ypbind.
|
||||
.TP
|
||||
setsebool -P allow_ypbind 1
|
||||
.TP
|
||||
Для управления настройками SELinux существует графическая утилита system-config-selinux.
|
||||
.SH АВТОРЫ
|
||||
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
|
||||
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
|
||||
|
||||
.SH "СМОТРИ ТАКЖЕ"
|
||||
selinux(8), ypbind(8), chcon(1), setsebool(8)
|
245
policy/constraints
Normal file
245
policy/constraints
Normal file
@ -0,0 +1,245 @@
|
||||
|
||||
#
|
||||
# Define the constraints
|
||||
#
|
||||
# constrain class_set perm_set expression ;
|
||||
#
|
||||
# expression : ( expression )
|
||||
# | not expression
|
||||
# | expression and expression
|
||||
# | expression or expression
|
||||
# | u1 op u2
|
||||
# | r1 role_op r2
|
||||
# | t1 op t2
|
||||
# | u1 op names
|
||||
# | u2 op names
|
||||
# | r1 op names
|
||||
# | r2 op names
|
||||
# | t1 op names
|
||||
# | t2 op names
|
||||
#
|
||||
# op : == | !=
|
||||
# role_op : == | != | eq | dom | domby | incomp
|
||||
#
|
||||
# names : name | { name_list }
|
||||
# name_list : name | name_list name
|
||||
#
|
||||
|
||||
define(`basic_ubac_conditions',`
|
||||
ifdef(`enable_ubac',`
|
||||
u1 == u2
|
||||
or u1 == system_u
|
||||
or u2 == system_u
|
||||
or t1 != ubac_constrained_type
|
||||
or t2 != ubac_constrained_type
|
||||
')
|
||||
')
|
||||
|
||||
define(`basic_ubac_constraint',`
|
||||
ifdef(`enable_ubac',`
|
||||
constrain $1 all_$1_perms
|
||||
(
|
||||
basic_ubac_conditions
|
||||
);
|
||||
')
|
||||
')
|
||||
|
||||
define(`exempted_ubac_constraint',`
|
||||
ifdef(`enable_ubac',`
|
||||
constrain $1 all_$1_perms
|
||||
(
|
||||
basic_ubac_conditions
|
||||
or t1 == $2
|
||||
);
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# File rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(dir, ubacfile)
|
||||
exempted_ubac_constraint(file, ubacfile)
|
||||
exempted_ubac_constraint(lnk_file, ubacfile)
|
||||
exempted_ubac_constraint(fifo_file, ubacfile)
|
||||
exempted_ubac_constraint(sock_file, ubacfile)
|
||||
exempted_ubac_constraint(chr_file, ubacfile)
|
||||
exempted_ubac_constraint(blk_file, ubacfile)
|
||||
|
||||
# SELinux object identity change constraint:
|
||||
constrain dir_file_class_set { create relabelto relabelfrom }
|
||||
(
|
||||
u1 == u2
|
||||
or t1 == can_change_object_identity
|
||||
);
|
||||
|
||||
########################################
|
||||
#
|
||||
# Process rules
|
||||
#
|
||||
|
||||
ifdef(`enable_ubac',`
|
||||
constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
|
||||
(
|
||||
basic_ubac_conditions
|
||||
or t1 == ubacproc
|
||||
);
|
||||
')
|
||||
|
||||
constrain process { transition noatsecure siginh rlimitinh }
|
||||
(
|
||||
u1 == u2
|
||||
or ( t1 == can_change_process_identity and t2 == process_user_target )
|
||||
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
|
||||
or ( t1 == can_system_change and u2 == system_u )
|
||||
or ( t1 == process_uncond_exempt )
|
||||
);
|
||||
|
||||
constrain process { transition noatsecure siginh rlimitinh }
|
||||
(
|
||||
r1 == r2
|
||||
or ( t1 == can_change_process_role and t2 == process_user_target )
|
||||
or ( t1 == cron_source_domain and t2 == cron_job_domain )
|
||||
or ( t1 == can_system_change and r2 == system_r )
|
||||
or ( t1 == process_uncond_exempt )
|
||||
);
|
||||
|
||||
constrain process dyntransition
|
||||
(
|
||||
u1 == u2 and r1 == r2
|
||||
);
|
||||
|
||||
# These permissions do not have ubac constraints:
|
||||
# fork
|
||||
# setexec
|
||||
# setfscreate
|
||||
# setcurrent
|
||||
# execmem
|
||||
# execstack
|
||||
# execheap
|
||||
# setkeycreate
|
||||
# setsockcreate
|
||||
|
||||
########################################
|
||||
#
|
||||
# File descriptor rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(fd, ubacfd)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Socket rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(socket, ubacsock)
|
||||
exempted_ubac_constraint(tcp_socket, ubacsock)
|
||||
exempted_ubac_constraint(udp_socket, ubacsock)
|
||||
exempted_ubac_constraint(rawip_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_socket, ubacsock)
|
||||
exempted_ubac_constraint(packet_socket, ubacsock)
|
||||
exempted_ubac_constraint(key_socket, ubacsock)
|
||||
exempted_ubac_constraint(unix_stream_socket, ubacsock)
|
||||
exempted_ubac_constraint(unix_dgram_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_route_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_audit_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
|
||||
exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
|
||||
exempted_ubac_constraint(appletalk_socket, ubacsock)
|
||||
exempted_ubac_constraint(dccp_socket, ubacsock)
|
||||
|
||||
constrain socket_class_set { create relabelto relabelfrom }
|
||||
(
|
||||
u1 == u2
|
||||
or t1 == can_change_object_identity
|
||||
);
|
||||
|
||||
########################################
|
||||
#
|
||||
# SysV IPC rules
|
||||
|
||||
exempted_ubac_constraint(sem, ubacipc)
|
||||
exempted_ubac_constraint(msg, ubacipc)
|
||||
exempted_ubac_constraint(msgq, ubacipc)
|
||||
exempted_ubac_constraint(shm, ubacipc)
|
||||
exempted_ubac_constraint(ipc, ubacipc)
|
||||
|
||||
########################################
|
||||
#
|
||||
# SE-X Windows rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(x_drawable, ubacxwin)
|
||||
exempted_ubac_constraint(x_screen, ubacxwin)
|
||||
exempted_ubac_constraint(x_gc, ubacxwin)
|
||||
exempted_ubac_constraint(x_font, ubacxwin)
|
||||
exempted_ubac_constraint(x_colormap, ubacxwin)
|
||||
exempted_ubac_constraint(x_property, ubacxwin)
|
||||
exempted_ubac_constraint(x_selection, ubacxwin)
|
||||
exempted_ubac_constraint(x_cursor, ubacxwin)
|
||||
exempted_ubac_constraint(x_client, ubacxwin)
|
||||
exempted_ubac_constraint(x_device, ubacxwin)
|
||||
exempted_ubac_constraint(x_server, ubacxwin)
|
||||
exempted_ubac_constraint(x_extension, ubacxwin)
|
||||
exempted_ubac_constraint(x_resource, ubacxwin)
|
||||
exempted_ubac_constraint(x_event, ubacxwin)
|
||||
exempted_ubac_constraint(x_synthetic_event, ubacxwin)
|
||||
exempted_ubac_constraint(x_application_data, ubacxwin)
|
||||
|
||||
########################################
|
||||
#
|
||||
# D-BUS rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(dbus, ubacdbus)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Key rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(key, ubackey)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Database rules
|
||||
#
|
||||
|
||||
exempted_ubac_constraint(db_database, ubacdb)
|
||||
exempted_ubac_constraint(db_table, ubacdb)
|
||||
exempted_ubac_constraint(db_procedure, ubacdb)
|
||||
exempted_ubac_constraint(db_column, ubacdb)
|
||||
exempted_ubac_constraint(db_tuple, ubacdb)
|
||||
exempted_ubac_constraint(db_blob, ubacdb)
|
||||
|
||||
|
||||
|
||||
basic_ubac_constraint(association)
|
||||
basic_ubac_constraint(peer)
|
||||
|
||||
|
||||
# these classes have no UBAC restrictions
|
||||
#class security
|
||||
#class system
|
||||
#class capability
|
||||
#class memprotect
|
||||
#class passwd # userspace
|
||||
#class node
|
||||
#class netif
|
||||
#class packet
|
||||
#class capability2
|
||||
#class nscd # userspace
|
||||
#class context # userspace
|
||||
|
||||
|
||||
|
||||
undefine(`basic_ubac_constraint')
|
||||
undefine(`basic_ubac_conditions')
|
||||
undefine(`exempted_ubac_constraint')
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user