Remove most config files from dist-git and take them from sources

The content of these files is more or less tied to the policy source
code. Therefore, moving these files to the source repo rather than
dist-git will make it easier to do changes that would formerly need
coordinated modification both in the sources and in dist-git (e.g.
adding or removing a module). It will also make it easier for other
distributions seeking to package a Fedora-like SELinux policy.

[skip changelog]

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Related: RHEL-54303

booleans-minimum.conf

@@ -1,248 +0,0 @@
-# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-# 
-allow_execmem = false
-
-# Allow making a modified private filemapping executable (text relocation).
-# 
-allow_execmod = false
-
-# Allow making the stack executable via mprotect.Also requires allow_execmem.
-# 
-allow_execstack = true
-
-# Allow ftpd to read cifs directories.
-# 
-allow_ftpd_use_cifs = false
-
-# Allow ftpd to read nfs directories.
-# 
-allow_ftpd_use_nfs = false
-
-# Allow ftp servers to modify public filesused for public file transfer services.
-# 
-allow_ftpd_anon_write = false
-
-# Allow gssd to read temp directory.
-# 
-allow_gssd_read_tmp = true
-
-# Allow Apache to modify public filesused for public file transfer services.
-# 
-allow_httpd_anon_write = false
-
-# Allow Apache to use mod_auth_pam module
-# 
-allow_httpd_mod_auth_pam = false
-
-# Allow system to run with kerberos
-# 
-allow_kerberos = true
-
-# Allow rsync to modify public filesused for public file transfer services.
-# 
-allow_rsync_anon_write = false
-
-# Allow sasl to read shadow
-# 
-allow_saslauthd_read_shadow = false
-
-# Allow samba to modify public filesused for public file transfer services.
-# 
-allow_smbd_anon_write = false
-
-# Allow system to run with NIS
-# 
-allow_ypbind = false
-
-# Allow zebra to write it own configuration files
-# 
-allow_zebra_write_config = false
-
-# Enable extra rules in the cron domainto support fcron.
-# 
-fcron_crond = false
-
-#
-# allow httpd to connect to mysql/posgresql 
-httpd_can_network_connect_db = false
-
-#
-# allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
-
-#
-# allow httpd to network relay
-httpd_can_network_relay = false
-
-# Allow httpd to use built in scripting (usually php)
-# 
-httpd_builtin_scripting = true
-
-# Allow http daemon to tcp connect
-# 
-httpd_can_network_connect = false
-
-# Allow httpd cgi support
-# 
-httpd_enable_cgi = true
-
-# Allow httpd to act as a FTP server bylistening on the ftp port.
-# 
-httpd_enable_ftp_server = false
-
-# Allow httpd to read home directories
-# 
-httpd_enable_homedirs = false
-
-# Run SSI execs in system CGI script domain.
-# 
-httpd_ssi_exec = false
-
-# Allow http daemon to communicate with the TTY
-# 
-httpd_tty_comm = false
-
-# Run CGI in the main httpd domain
-# 
-httpd_unified = false
-
-# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
-# 
-named_write_master_zones = false
-
-# Allow nfs to be exported read/write.
-# 
-nfs_export_all_rw = true
-
-# Allow nfs to be exported read only
-# 
-nfs_export_all_ro = true
-
-# Allow pppd to load kernel modules for certain modems
-# 
-pppd_can_insmod = false
-
-# Allow reading of default_t files.
-# 
-read_default_t = false
-
-# Allow samba to export user home directories.
-# 
-samba_enable_home_dirs = false
-
-# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
-# 
-squid_connect_any = false
-
-# Support NFS home directories
-# 
-use_nfs_home_dirs = true
-
-# Support SAMBA home directories
-# 
-use_samba_home_dirs = false
-
-# Control users use of ping and traceroute
-# 
-user_ping = false
-
-# allow host key based authentication
-# 
-allow_ssh_keysign = false
-
-# Allow pppd to be run for a regular user
-# 
-pppd_for_user = false
-
-# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
-# 
-read_untrusted_content = false
-
-# Allow spamd to write to users homedirs
-# 
-spamd_enable_home_dirs = false
-
-# Allow regular users direct mouse access
-# 
-user_direct_mouse = false
-
-# Allow users to read system messages.
-# 
-user_dmesg = false
-
-# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
-# 
-user_rw_noexattrfile = false
-
-# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
-# 
-user_tcp_server = false
-
-# Allow w to display everyone
-# 
-user_ttyfile_stat = false
-
-# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
-# 
-write_untrusted_content = false
-
-# Allow all domains to talk to ttys
-# 
-allow_daemons_use_tty = false
-
-# Allow login domains to polyinstatiate directories
-# 
-allow_polyinstantiation = false
-
-# Allow all domains to dump core
-# 
-allow_daemons_dump_core = true
-
-# Allow samba to act as the domain controller
-# 
-samba_domain_controller = false
-
-# Allow samba to export user home directories.
-# 
-samba_run_unconfined = false
-
-# Allows XServer to execute writable memory
-# 
-allow_xserver_execmem = false
-
-# disallow guest accounts to execute files that they can create 
-# 
-allow_guest_exec_content = false
-allow_xguest_exec_content = false
-
-# Only allow browser to use the web
-# 
-browser_confine_xguest=false
-
-# Allow postfix locat to write to mail spool
-# 
-allow_postfix_local_write_mail_spool=false
-
-# Allow common users to read/write noexattrfile systems
-# 
-user_rw_noexattrfile=true
-
-# Allow qemu to connect fully to the network
-# 
-qemu_full_network=true
-
-# Allow nsplugin execmem/execstack for bad plugins
-# 
-allow_nsplugin_execmem=true
-
-# Allow unconfined domain to transition to confined domain
-# 
-allow_unconfined_nsplugin_transition=true
-
-# System uses init upstart program
-# 
-init_upstart = true
-
-# Allow mount to mount any file/dir
-# 
-allow_mount_anyfile = true

booleans-mls.conf

@@ -1,6 +0,0 @@
-kerberos_enabled = true
-mount_anyfile = true
-polyinstantiation_enabled = true
-ftpd_is_daemon = true
-selinuxuser_ping = true
-xserver_object_manager = true

booleans-targeted.conf

@@ -1,25 +0,0 @@
-gssd_read_tmp = true
-httpd_builtin_scripting = true
-httpd_enable_cgi = true
-kerberos_enabled = true
-mount_anyfile = true
-nfs_export_all_ro = true
-nfs_export_all_rw = true
-nscd_use_shm = true
-openvpn_enable_homedirs = true
-postfix_local_write_mail_spool=true
-pppd_can_insmod = false
-privoxy_connect_any = true
-selinuxuser_direct_dri_enabled = true
-selinuxuser_execmem = true
-selinuxuser_execmod = true
-selinuxuser_execstack = true
-selinuxuser_rw_noexattrfile=true
-selinuxuser_ping = true
-squid_connect_any = true
-telepathy_tcp_connect_generic_network_ports=true
-unconfined_chrome_sandbox_transition=true
-unconfined_mozilla_plugin_transition=true
-xguest_exec_content = true
-mozilla_plugin_can_network_connect = true
-use_virtualbox = true

booleans.subs_dist

@@ -1,54 +0,0 @@
-allow_auditadm_exec_content auditadm_exec_content
-allow_console_login login_console_enabled
-allow_cvs_read_shadow cvs_read_shadow
-allow_daemons_dump_core daemons_dump_core
-allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
-allow_daemons_use_tty daemons_use_tty
-allow_domain_fd_use domain_fd_use
-allow_execheap selinuxuser_execheap
-allow_execmod selinuxuser_execmod
-allow_execstack selinuxuser_execstack
-allow_ftpd_anon_write ftpd_anon_write
-allow_ftpd_full_access ftpd_full_access
-allow_ftpd_use_cifs ftpd_use_cifs
-allow_ftpd_use_nfs ftpd_use_nfs
-allow_gssd_read_tmp gssd_read_tmp
-allow_guest_exec_content guest_exec_content
-allow_httpd_anon_write httpd_anon_write
-allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
-allow_httpd_mod_auth_pam httpd_mod_auth_pam
-allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
-allow_kerberos kerberos_enabled
-allow_mplayer_execstack mplayer_execstack
-allow_mount_anyfile mount_anyfile
-allow_nfsd_anon_write nfsd_anon_write
-allow_polyinstantiation polyinstantiation_enabled
-allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
-allow_rsync_anon_write rsync_anon_write
-allow_saslauthd_read_shadow saslauthd_read_shadow
-allow_secadm_exec_content secadm_exec_content
-allow_smbd_anon_write smbd_anon_write
-allow_ssh_keysign ssh_keysign
-allow_staff_exec_content staff_exec_content
-allow_sysadm_exec_content sysadm_exec_content
-allow_user_exec_content user_exec_content
-allow_user_mysql_connect selinuxuser_mysql_connect_enabled
-allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
-allow_write_xshm xserver_clients_write_xshm
-allow_xguest_exec_content xguest_exec_content
-allow_xserver_execmem xserver_execmem
-allow_ypbind nis_enabled
-allow_zebra_write_config zebra_write_config
-user_direct_dri selinuxuser_direct_dri_enabled
-user_ping selinuxuser_ping
-user_share_music selinuxuser_share_music
-user_tcp_server selinuxuser_tcp_server
-sepgsql_enable_pitr_implementation postgresql_can_rsync
-sepgsql_enable_users_ddl  postgresql_selinux_users_ddl 
-sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
-sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
-clamd_use_jit antivirus_use_jit
-amavis_use_jit antivirus_use_jit
-logwatch_can_sendmail logwatch_can_network_connect_mail
-puppet_manage_all_files puppetagent_manage_all_files
-virt_sandbox_use_nfs virt_use_nfs

customizable_types

@@ -1,14 +0,0 @@
-container_file_t
-sandbox_file_t
-svirt_image_t
-svirt_home_t
-svirt_sandbox_file_t
-virt_content_t
-httpd_user_htaccess_t
-httpd_user_script_exec_t
-httpd_user_rw_content_t
-httpd_user_ra_content_t
-httpd_user_content_t
-git_session_content_t
-home_bin_t
-user_tty_device_t

file_contexts.subs_dist

@@ -1,23 +0,0 @@
-/var/run /run
-/var/lock /run/lock
-/run/systemd/system /usr/lib/systemd/system
-/run/systemd/generator.early /run/systemd/generator
-/run/systemd/generator.late /run/systemd/generator
-/lib /usr/lib
-/lib64 /usr/lib
-/usr/lib64 /usr/lib
-/usr/local/lib64 /usr/lib
-/usr/local/lib32 /usr/lib
-/etc/systemd/system /usr/lib/systemd/system
-/var/lib/xguest/home /home
-/var/named/chroot/usr/lib64 /usr/lib
-/var/named/chroot/lib64 /usr/lib
-/var/named/chroot/var  /var
-/home-inst            /home
-/home/home-inst            /home
-/var/roothome        /root
-/sbin                /usr/sbin
-/sysroot/tmp         /tmp
-/var/usrlocal        /usr/local
-/var/mnt             /mnt
-/bin                 /usr/bin

modules-minimum.conf

@@ -1 +0,0 @@
-modules-targeted.conf

securetty_types-minimum

@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t

securetty_types-mls

@@ -1,6 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t
-auditadm_tty_device_t
-secureadm_tty_device_t

securetty_types-targeted

@@ -1,4 +0,0 @@
-console_device_t
-sysadm_tty_device_t
-user_tty_device_t
-staff_tty_device_t

selinux-policy.spec

@@ -21,35 +21,19 @@ Version: 40.13.13
 Release: 1%{?dist}
 License: GPL-2.0-or-later
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
-Source1: modules-targeted.conf
-Source2: booleans-targeted.conf
-Source3: Makefile.devel
-Source4: setrans-targeted.conf
-Source5: modules-mls.conf
-Source6: booleans-mls.conf
-Source8: setrans-mls.conf
-Source14: securetty_types-targeted
-Source15: securetty_types-mls
-Source16: modules-minimum.lst
-Source17: booleans-minimum.conf
-Source18: setrans-minimum.conf
-Source19: securetty_types-minimum
-Source20: customizable_types
-Source22: users-mls
-Source23: users-targeted
-Source25: users-minimum
-Source26: file_contexts.subs_dist
-Source27: selinux-policy.conf
-Source28: permissivedomains.cil
-Source30: booleans.subs_dist
+Source1: Makefile.devel
+Source2: selinux-policy.conf
 
 # Tool helps during policy development, to expand system m4 macros to raw allow rules
 # Git repo: https://github.com/fedora-selinux/macro-expander.git
-Source33: macro-expander
+Source3: macro-expander
 
 # Include SELinux policy for container from separate container-selinux repo
 # Git repo: https://github.com/containers/container-selinux.git
-Source35: container-selinux.tgz
+Source4: container-selinux.tgz
+
+# modules enabled in -minimum policy
+Source16: modules-minimum.lst
 
 Source36: selinux-check-proper-disable.service
 
@@ -60,7 +44,7 @@ Source38: selinux-policy-targeted.conf
 Source39: selinux-policy-mls.conf
 
 # Provide rpm macros for packages installing SELinux modules
-Source102: rpm.macros
+Source5: rpm.macros
 
 Url: %{giturl}
 BuildArch: noarch
@@ -176,12 +160,11 @@ This package contains manual pages and documentation of the policy modules.
 %define makeCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
-cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
-cp -f selinux_config/users-%1 ./policy/users \
-#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \
+cp -f ./dist/%1/booleans.conf ./policy/booleans.conf \
+cp -f ./dist/%1/users ./policy/users \
 
 %define makeModulesConf() \
-cp -f selinux_config/modules-%1.conf  ./policy/modules.conf
+cp -f ./dist/%1/modules.conf ./policy/modules.conf \
 
 %define installCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
@@ -191,14 +174,13 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-ap
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
-install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
-install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
-install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
-install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+install -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
+install -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
+install -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
-cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
+cp ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \
 rm -f %{buildroot}%{_datadir}/selinux/%1/*pp*  \
 %{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
@@ -409,12 +391,7 @@ end
 
 %prep
 %autosetup -p 1 -n %{name}-%{commit}
-tar -C policy/modules/contrib -xf %{SOURCE35}
-
-mkdir selinux_config
-for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do
- cp $i selinux_config
-done
+tar -C policy/modules/contrib -xf %{SOURCE4}
 
 %install
 # Build targeted policy
@@ -424,9 +401,9 @@ mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 touch %{buildroot}%{_sysconfdir}/selinux/config
 touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
 mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
-cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
+cp %{SOURCE2} %{buildroot}%{_usr}/lib/tmpfiles.d/
 mkdir -p %{buildroot}%{_bindir}
-install -m 755  %{SOURCE33} %{buildroot}%{_bindir}/
+install -m 755 %{SOURCE3} %{buildroot}%{_bindir}/
 mkdir -p %{buildroot}%{_libexecdir}/selinux
 install -m 755  %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
 
@@ -446,7 +423,8 @@ make clean
 %makeModulesConf targeted
 %installCmds targeted mcs allow
 # install permissivedomains.cil
-%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
+%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i \
+    ./dist/permissivedomains.cil
 # recreate sandbox.pp
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
 %make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
@@ -486,7 +464,7 @@ make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot}
 make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
 mkdir %{buildroot}%{_datadir}/selinux/devel/
 mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
-install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
+install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
 %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
@@ -495,15 +473,13 @@ mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel
 mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
 
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
-install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+install -m 644 %{SOURCE5} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 
 mkdir -p %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
 
-rm -rf selinux_config
-
 %post
 %systemd_post selinux-check-proper-disable.service
 if [ ! -s %{_sysconfdir}/selinux/config ]; then

setrans-minimum.conf

@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023.  Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh

setrans-mls.conf

@@ -1,52 +0,0 @@
-#
-# Multi-Level Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be labeled with one of 16 levels and be categorized with 0-1023 
-# categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Users can modify this table to translate the MLS labels for different purpose.
-#
-# Assumptions: using below MLS labels.
-#  SystemLow
-#  SystemHigh
-#  Unclassified 
-#  Secret with compartments A and B.
-# 
-# SystemLow and SystemHigh
-s0=SystemLow
-s15:c0.c1023=SystemHigh
-s0-s15:c0.c1023=SystemLow-SystemHigh
-
-# Unclassified level
-s1=Unclassified
-
-# Secret level with compartments
-s2=Secret
-s2:c0=A
-s2:c1=B
-
-# ranges for Unclassified
-s0-s1=SystemLow-Unclassified
-s1-s2=Unclassified-Secret
-s1-s15:c0.c1023=Unclassified-SystemHigh
-
-# ranges for Secret with compartments
-s0-s2=SystemLow-Secret
-s0-s2:c0=SystemLow-Secret:A
-s0-s2:c1=SystemLow-Secret:B
-s0-s2:c0,c1=SystemLow-Secret:AB
-s1-s2:c0=Unclassified-Secret:A
-s1-s2:c1=Unclassified-Secret:B
-s1-s2:c0,c1=Unclassified-Secret:AB
-s2-s2:c0=Secret-Secret:A
-s2-s2:c1=Secret-Secret:B
-s2-s2:c0,c1=Secret-Secret:AB
-s2-s15:c0.c1023=Secret-SystemHigh
-s2:c0-s2:c0,c1=Secret:A-Secret:AB
-s2:c0-s15:c0.c1023=Secret:A-SystemHigh
-s2:c1-s2:c0,c1=Secret:B-Secret:AB
-s2:c1-s15:c0.c1023=Secret:B-SystemHigh
-s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

setrans-targeted.conf

@@ -1,19 +0,0 @@
-#
-# Multi-Category Security translation table for SELinux
-# 
-# Uncomment the following to disable translation libary
-# disable=1
-#
-# Objects can be categorized with 0-1023 categories defined by the admin.
-# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c1023.  Users can use this
-# table to translate the categories into a more meaningful output.
-# Examples:
-# s0:c0=CompanyConfidential
-# s0:c1=PatientRecord
-# s0:c2=Unclassified
-# s0:c3=TopSecret
-# s0:c1,c3=CompanyConfidentialRedHat
-s0=SystemLow
-s0-s0:c0.c1023=SystemLow-SystemHigh
-s0:c0.c1023=SystemHigh

users-minimum

@@ -1,39 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

users-mls

@@ -1,40 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)

users-targeted

@@ -1,41 +0,0 @@
-##################################
-#
-# Core User configuration.
-#
-
-#
-# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
-#
-# Note: Identities without a prefix wil not be listed
-# in the users_extra file used by genhomedircon.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system,
-# and a user process should never be assigned the system user
-# identity.
-#
-gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(guest_u, user, guest_r, s0, s0)
-gen_user(xguest_u, user, xguest_r, s0, s0)