From ddc0446829be34c2d41680965b11e96eda376d7a Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Sun, 4 Apr 2021 13:15:10 +0200 Subject: [PATCH] Remove most config files from dist-git and take them from sources The content of these files is more or less tied to the policy source code. Therefore, moving these files to the source repo rather than dist-git will make it easier to do changes that would formerly need coordinated modification both in the sources and in dist-git (e.g. adding or removing a module). It will also make it easier for other distributions seeking to package a Fedora-like SELinux policy. [skip changelog] Signed-off-by: Ondrej Mosnacek Related: RHEL-54303 --- booleans-minimum.conf | 248 --- booleans-mls.conf | 6 - booleans-targeted.conf | 25 - booleans.subs_dist | 54 - customizable_types | 14 - file_contexts.subs_dist | 23 - modules-minimum.conf | 1 - modules-mls.conf | 1952 ------------------------ modules-targeted.conf | 3071 -------------------------------------- securetty_types-minimum | 4 - securetty_types-mls | 6 - securetty_types-targeted | 4 - selinux-policy.spec | 68 +- setrans-minimum.conf | 19 - setrans-mls.conf | 52 - setrans-targeted.conf | 19 - users-minimum | 39 - users-mls | 40 - users-targeted | 41 - 19 files changed, 22 insertions(+), 5664 deletions(-) delete mode 100644 booleans-minimum.conf delete mode 100644 booleans-mls.conf delete mode 100644 booleans-targeted.conf delete mode 100644 booleans.subs_dist delete mode 100644 customizable_types delete mode 100644 file_contexts.subs_dist delete mode 120000 modules-minimum.conf delete mode 100644 modules-mls.conf delete mode 100644 modules-targeted.conf delete mode 100644 securetty_types-minimum delete mode 100644 securetty_types-mls delete mode 100644 securetty_types-targeted delete mode 100644 setrans-minimum.conf delete mode 100644 setrans-mls.conf delete mode 100644 setrans-targeted.conf delete mode 100644 users-minimum delete mode 100644 users-mls delete mode 100644 users-targeted diff --git a/booleans-minimum.conf b/booleans-minimum.conf deleted file mode 100644 index 59dac1f6..00000000 --- a/booleans-minimum.conf +++ /dev/null @@ -1,248 +0,0 @@ -# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. -# -allow_execmem = false - -# Allow making a modified private filemapping executable (text relocation). -# -allow_execmod = false - -# Allow making the stack executable via mprotect.Also requires allow_execmem. -# -allow_execstack = true - -# Allow ftpd to read cifs directories. -# -allow_ftpd_use_cifs = false - -# Allow ftpd to read nfs directories. -# -allow_ftpd_use_nfs = false - -# Allow ftp servers to modify public filesused for public file transfer services. -# -allow_ftpd_anon_write = false - -# Allow gssd to read temp directory. -# -allow_gssd_read_tmp = true - -# Allow Apache to modify public filesused for public file transfer services. -# -allow_httpd_anon_write = false - -# Allow Apache to use mod_auth_pam module -# -allow_httpd_mod_auth_pam = false - -# Allow system to run with kerberos -# -allow_kerberos = true - -# Allow rsync to modify public filesused for public file transfer services. -# -allow_rsync_anon_write = false - -# Allow sasl to read shadow -# -allow_saslauthd_read_shadow = false - -# Allow samba to modify public filesused for public file transfer services. -# -allow_smbd_anon_write = false - -# Allow system to run with NIS -# -allow_ypbind = false - -# Allow zebra to write it own configuration files -# -allow_zebra_write_config = false - -# Enable extra rules in the cron domainto support fcron. -# -fcron_crond = false - -# -# allow httpd to connect to mysql/posgresql -httpd_can_network_connect_db = false - -# -# allow httpd to send dbus messages to avahi -httpd_dbus_avahi = true - -# -# allow httpd to network relay -httpd_can_network_relay = false - -# Allow httpd to use built in scripting (usually php) -# -httpd_builtin_scripting = true - -# Allow http daemon to tcp connect -# -httpd_can_network_connect = false - -# Allow httpd cgi support -# -httpd_enable_cgi = true - -# Allow httpd to act as a FTP server bylistening on the ftp port. -# -httpd_enable_ftp_server = false - -# Allow httpd to read home directories -# -httpd_enable_homedirs = false - -# Run SSI execs in system CGI script domain. -# -httpd_ssi_exec = false - -# Allow http daemon to communicate with the TTY -# -httpd_tty_comm = false - -# Run CGI in the main httpd domain -# -httpd_unified = false - -# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. -# -named_write_master_zones = false - -# Allow nfs to be exported read/write. -# -nfs_export_all_rw = true - -# Allow nfs to be exported read only -# -nfs_export_all_ro = true - -# Allow pppd to load kernel modules for certain modems -# -pppd_can_insmod = false - -# Allow reading of default_t files. -# -read_default_t = false - -# Allow samba to export user home directories. -# -samba_enable_home_dirs = false - -# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. -# -squid_connect_any = false - -# Support NFS home directories -# -use_nfs_home_dirs = true - -# Support SAMBA home directories -# -use_samba_home_dirs = false - -# Control users use of ping and traceroute -# -user_ping = false - -# allow host key based authentication -# -allow_ssh_keysign = false - -# Allow pppd to be run for a regular user -# -pppd_for_user = false - -# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted -# -read_untrusted_content = false - -# Allow spamd to write to users homedirs -# -spamd_enable_home_dirs = false - -# Allow regular users direct mouse access -# -user_direct_mouse = false - -# Allow users to read system messages. -# -user_dmesg = false - -# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_rw_noexattrfile = false - -# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. -# -user_tcp_server = false - -# Allow w to display everyone -# -user_ttyfile_stat = false - -# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. -# -write_untrusted_content = false - -# Allow all domains to talk to ttys -# -allow_daemons_use_tty = false - -# Allow login domains to polyinstatiate directories -# -allow_polyinstantiation = false - -# Allow all domains to dump core -# -allow_daemons_dump_core = true - -# Allow samba to act as the domain controller -# -samba_domain_controller = false - -# Allow samba to export user home directories. -# -samba_run_unconfined = false - -# Allows XServer to execute writable memory -# -allow_xserver_execmem = false - -# disallow guest accounts to execute files that they can create -# -allow_guest_exec_content = false -allow_xguest_exec_content = false - -# Only allow browser to use the web -# -browser_confine_xguest=false - -# Allow postfix locat to write to mail spool -# -allow_postfix_local_write_mail_spool=false - -# Allow common users to read/write noexattrfile systems -# -user_rw_noexattrfile=true - -# Allow qemu to connect fully to the network -# -qemu_full_network=true - -# Allow nsplugin execmem/execstack for bad plugins -# -allow_nsplugin_execmem=true - -# Allow unconfined domain to transition to confined domain -# -allow_unconfined_nsplugin_transition=true - -# System uses init upstart program -# -init_upstart = true - -# Allow mount to mount any file/dir -# -allow_mount_anyfile = true diff --git a/booleans-mls.conf b/booleans-mls.conf deleted file mode 100644 index 65ccfa4a..00000000 --- a/booleans-mls.conf +++ /dev/null @@ -1,6 +0,0 @@ -kerberos_enabled = true -mount_anyfile = true -polyinstantiation_enabled = true -ftpd_is_daemon = true -selinuxuser_ping = true -xserver_object_manager = true diff --git a/booleans-targeted.conf b/booleans-targeted.conf deleted file mode 100644 index 8789a08b..00000000 --- a/booleans-targeted.conf +++ /dev/null @@ -1,25 +0,0 @@ -gssd_read_tmp = true -httpd_builtin_scripting = true -httpd_enable_cgi = true -kerberos_enabled = true -mount_anyfile = true -nfs_export_all_ro = true -nfs_export_all_rw = true -nscd_use_shm = true -openvpn_enable_homedirs = true -postfix_local_write_mail_spool=true -pppd_can_insmod = false -privoxy_connect_any = true -selinuxuser_direct_dri_enabled = true -selinuxuser_execmem = true -selinuxuser_execmod = true -selinuxuser_execstack = true -selinuxuser_rw_noexattrfile=true -selinuxuser_ping = true -squid_connect_any = true -telepathy_tcp_connect_generic_network_ports=true -unconfined_chrome_sandbox_transition=true -unconfined_mozilla_plugin_transition=true -xguest_exec_content = true -mozilla_plugin_can_network_connect = true -use_virtualbox = true diff --git a/booleans.subs_dist b/booleans.subs_dist deleted file mode 100644 index fed7d8cf..00000000 --- a/booleans.subs_dist +++ /dev/null @@ -1,54 +0,0 @@ -allow_auditadm_exec_content auditadm_exec_content -allow_console_login login_console_enabled -allow_cvs_read_shadow cvs_read_shadow -allow_daemons_dump_core daemons_dump_core -allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper -allow_daemons_use_tty daemons_use_tty -allow_domain_fd_use domain_fd_use -allow_execheap selinuxuser_execheap -allow_execmod selinuxuser_execmod -allow_execstack selinuxuser_execstack -allow_ftpd_anon_write ftpd_anon_write -allow_ftpd_full_access ftpd_full_access -allow_ftpd_use_cifs ftpd_use_cifs -allow_ftpd_use_nfs ftpd_use_nfs -allow_gssd_read_tmp gssd_read_tmp -allow_guest_exec_content guest_exec_content -allow_httpd_anon_write httpd_anon_write -allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind -allow_httpd_mod_auth_pam httpd_mod_auth_pam -allow_httpd_sys_script_anon_write httpd_sys_script_anon_write -allow_kerberos kerberos_enabled -allow_mplayer_execstack mplayer_execstack -allow_mount_anyfile mount_anyfile -allow_nfsd_anon_write nfsd_anon_write -allow_polyinstantiation polyinstantiation_enabled -allow_postfix_local_write_mail_spool postfix_local_write_mail_spool -allow_rsync_anon_write rsync_anon_write -allow_saslauthd_read_shadow saslauthd_read_shadow -allow_secadm_exec_content secadm_exec_content -allow_smbd_anon_write smbd_anon_write -allow_ssh_keysign ssh_keysign -allow_staff_exec_content staff_exec_content -allow_sysadm_exec_content sysadm_exec_content -allow_user_exec_content user_exec_content -allow_user_mysql_connect selinuxuser_mysql_connect_enabled -allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled -allow_write_xshm xserver_clients_write_xshm -allow_xguest_exec_content xguest_exec_content -allow_xserver_execmem xserver_execmem -allow_ypbind nis_enabled -allow_zebra_write_config zebra_write_config -user_direct_dri selinuxuser_direct_dri_enabled -user_ping selinuxuser_ping -user_share_music selinuxuser_share_music -user_tcp_server selinuxuser_tcp_server -sepgsql_enable_pitr_implementation postgresql_can_rsync -sepgsql_enable_users_ddl postgresql_selinux_users_ddl -sepgsql_transmit_client_label postgresql_selinux_transmit_client_label -sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm -clamd_use_jit antivirus_use_jit -amavis_use_jit antivirus_use_jit -logwatch_can_sendmail logwatch_can_network_connect_mail -puppet_manage_all_files puppetagent_manage_all_files -virt_sandbox_use_nfs virt_use_nfs diff --git a/customizable_types b/customizable_types deleted file mode 100644 index b3f6cb08..00000000 --- a/customizable_types +++ /dev/null @@ -1,14 +0,0 @@ -container_file_t -sandbox_file_t -svirt_image_t -svirt_home_t -svirt_sandbox_file_t -virt_content_t -httpd_user_htaccess_t -httpd_user_script_exec_t -httpd_user_rw_content_t -httpd_user_ra_content_t -httpd_user_content_t -git_session_content_t -home_bin_t -user_tty_device_t diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist deleted file mode 100644 index 41e3b70d..00000000 --- a/file_contexts.subs_dist +++ /dev/null @@ -1,23 +0,0 @@ -/var/run /run -/var/lock /run/lock -/run/systemd/system /usr/lib/systemd/system -/run/systemd/generator.early /run/systemd/generator -/run/systemd/generator.late /run/systemd/generator -/lib /usr/lib -/lib64 /usr/lib -/usr/lib64 /usr/lib -/usr/local/lib64 /usr/lib -/usr/local/lib32 /usr/lib -/etc/systemd/system /usr/lib/systemd/system -/var/lib/xguest/home /home -/var/named/chroot/usr/lib64 /usr/lib -/var/named/chroot/lib64 /usr/lib -/var/named/chroot/var /var -/home-inst /home -/home/home-inst /home -/var/roothome /root -/sbin /usr/sbin -/sysroot/tmp /tmp -/var/usrlocal /usr/local -/var/mnt /mnt -/bin /usr/bin diff --git a/modules-minimum.conf b/modules-minimum.conf deleted file mode 120000 index f6016594..00000000 --- a/modules-minimum.conf +++ /dev/null @@ -1 +0,0 @@ -modules-targeted.conf \ No newline at end of file diff --git a/modules-mls.conf b/modules-mls.conf deleted file mode 100644 index a92a5339..00000000 --- a/modules-mls.conf +++ /dev/null @@ -1,1952 +0,0 @@ -# Layer: kernel -# Module: bootloader -# -# Policy for the kernel modules, kernel image, and bootloader. -# -bootloader = module - -# Layer: kernel -# Module: corenetwork -# Required in base -# -# Policy controlling access to network objects -# -corenetwork = base - -# Layer: admin -# Module: dmesg -# -# Policy for dmesg. -# -dmesg = module - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = module - -# Layer: admin -# Module: sudo -# -# Execute a command with a substitute user -# -sudo = module - -# Layer: admin -# Module: su -# -# Run shells with substitute user and group -# -su = module - -# Layer: admin -# Module: usermanage -# -# Policy for managing user accounts. -# -usermanage = module - -# Layer: apps -# Module: seunshare -# -# seunshare executable -# -seunshare = module - -# Layer: kernel -# Module: corecommands -# Required in base -# -# Core policy for shells, and generic programs -# in /bin, /sbin, /usr/bin, and /usr/sbin. -# -corecommands = base - -# Module: devices -# Required in base -# -# Device nodes and interfaces for many basic system devices. -# -devices = base - -# Module: domain -# Required in base -# -# Core policy for domains. -# -domain = base - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = module - -# Module: files -# Required in base -# -# Basic filesystem types and interfaces. -# -files = base - -# Module: filesystem -# Required in base -# -# Policy for filesystems. -# -filesystem = base - -# Module: kernel -# Required in base -# -# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. -# -kernel = base - -# Module: mcs -# Required in base -# -# MultiCategory security policy -# -mcs = base - -# Module: mls -# Required in base -# -# Multilevel security policy -# -mls = base - -# Module: selinux -# Required in base -# -# Policy for kernel security interface, in particular, selinuxfs. -# -selinux = base - -# Layer: kernel -# Module: storage -# -# Policy controlling access to storage devices -# -storage = base - -# Module: terminal -# Required in base -# -# Policy for terminals. -# -terminal = base - -# Layer: kernel -# Module: ubac -# -# -# -ubac = base - -# Layer: kernel -# Module: unlabelednet -# -# The unlabelednet module. -# -unlabelednet = module - -# Layer: role -# Module: auditadm -# -# auditadm account on tty logins -# -auditadm = module - -# Layer: role -# Module: logadm -# -# Minimally prived root role for managing logging system -# -logadm = module - -# Layer: role -# Module: secadm -# -# secadm account on tty logins -# -secadm = module - -# Layer:role -# Module: staff -# -# admin account -# -staff = module - -# Layer:role -# Module: sysadm_secadm -# -# System Administrator with Security Admin rules -# -sysadm_secadm = module - -# Layer:role -# Module: sysadm -# -# System Administrator -# -sysadm = module - -# Layer: role -# Module: unprivuser -# -# Minimally privs guest account on tty logins -# -unprivuser = module - -# Layer: services -# Module: postgresql -# -# PostgreSQL relational database -# -postgresql = module - -# Layer: services -# Module: ssh -# -# Secure shell client and server policy. -# -ssh = module - -# Layer: services -# Module: xserver -# -# X windows login display manager -# -xserver = module - -# Module: application -# Required in base -# -# Defines attributs and interfaces for all user applications -# -application = module - -# Layer: system -# Module: authlogin -# -# Common policy for authentication and user login. -# -authlogin = module - -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = module - -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = module - -# Layer: system -# Module: getty -# -# Policy for getty. -# -getty = module - -# Layer: system -# Module: hostname -# -# Policy for changing the system host name. -# -hostname = module - -# Layer: system -# Module: init -# -# System initialization programs (init and init scripts). -# -init = module - -# Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = module - -# Layer: system -# Module: iptables -# -# Policy for iptables. -# -iptables = module - -# Layer: system -# Module: libraries -# -# Policy for system libraries. -# -libraries = module - -# Layer: system -# Module: locallogin -# -# Policy for local logins. -# -locallogin = module - -# Layer: system -# Module: logging -# -# Policy for the kernel message logger and system logging daemon. -# -logging = module - -# Layer: system -# Module: lvm -# -# Policy for logical volume management programs. -# -lvm = module - -# Layer: system -# Module: miscfiles -# -# Miscelaneous files. -# -miscfiles = module - -# Layer: system -# Module: modutils -# -# Policy for kernel module utilities -# -modutils = module - -# Layer: system -# Module: mount -# -# Policy for mount. -# -mount = module - -# Layer: system -# Module: netlabel -# -# Basic netlabel types and interfaces. -# -netlabel = module - -# Layer: system -# Module: selinuxutil -# -# Policy for SELinux policy and userland applications. -# -selinuxutil = module - -# Module: setrans -# Required in base -# -# Policy for setrans -# -setrans = module - -# Layer: system -# Module: sysnetwork -# -# Policy for network configuration: ifconfig and dhcp client. -# -sysnetwork = module - -# Layer: system -# Module: systemd -# -# Policy for systemd components -# -systemd = module - -# Layer: system -# Module: udev -# -# Policy for udev. -# -udev = module -# Layer: services -# Module: accountsd -# -# An application to view and modify user accounts information -# -accountsd = module - -# Layer: admin -# Module: acct -# -# Berkeley process accounting -# -acct = module - -# Layer: services -# Module: afs -# -# Andrew Filesystem server -# -afs = module - -# Layer: services -# Module: aide -# -# Policy for aide -# -aide = module - -# Layer: admin -# Module: alsa -# -# Ainit ALSA configuration tool -# -alsa = module - -# Layer: admin -# Module: amanda -# -# Automated backup program. -# -amanda = module - -# Layer: contrib -# Module: antivirus -# -# Anti-virus -# -antivirus = module - -# Layer: admin -# Module: amtu -# -# Abstract Machine Test Utility (AMTU) -# -amtu = module - -# Layer: admin -# Module: anaconda -# -# Policy for the Anaconda installer. -# -anaconda = module - -# Layer: services -# Module: apache -# -# Apache web server -# -apache = module - -# Layer: services -# Module: apcupsd -# -# daemon for most APC’s UPS for Linux -# -apcupsd = module - -# Layer: services -# Module: apm -# -# Advanced power management daemon -# -apm = module - -# Layer: services -# Module: arpwatch -# -# Ethernet activity monitor. -# -arpwatch = module - -# Layer: services -# Module: automount -# -# Filesystem automounter service. -# -automount = module - -# Layer: services -# Module: avahi -# -# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture -# -avahi = module - -# Layer: modules -# Module: awstats -# -# awstats executable -# -awstats = module - -# Layer: services -# Module: bind -# -# Berkeley internet name domain DNS server. -# -bind = module - -# Layer: services -# Module: bitlbee -# -# An IRC to other chat networks gateway -# -bitlbee = module - -# Layer: services -# Module: bluetooth -# -# Bluetooth tools and system services. -# -bluetooth = module - -# Layer: services -# Module: boinc -# -# Berkeley Open Infrastructure for Network Computing -# -boinc = module - -# Layer: system -# Module: brctl -# -# Utilities for configuring the linux ethernet bridge -# -brctl = module - -# Layer: services -# Module: bugzilla -# -# Bugzilla server -# -bugzilla = module - -# Layer: services -# Module: cachefilesd -# -# CacheFiles userspace management daemon -# -cachefilesd = module - -# Module: calamaris -# -# -# Squid log analysis -# -calamaris = module - -# Layer: services -# Module: canna -# -# Canna - kana-kanji conversion server -# -canna = module - -# Layer: services -# Module: ccs -# -# policy for ccs -# -ccs = module - -# Layer: apps -# Module: cdrecord -# -# Policy for cdrecord -# -cdrecord = module - -# Layer: admin -# Module: certmaster -# -# Digital Certificate master -# -certmaster = module - -# Layer: services -# Module: certmonger -# -# Certificate status monitor and PKI enrollment client -# -certmonger = module - -# Layer: admin -# Module: certwatch -# -# Digital Certificate Tracking -# -certwatch = module - -# Layer: services -# Module: cgroup -# -# Tools and libraries to control and monitor control groups -# -cgroup = module - -# Layer: apps -# Module: chrome -# -# chrome sandbox -# -chrome = module - -# Layer: services -# Module: chronyd -# -# Daemon for maintaining clock time -# -chronyd = module - -# Layer: services -# Module: cipe -# -# Encrypted tunnel daemon -# -cipe = module - -# Layer: services -# Module: clogd -# -# clogd - clustered mirror log server -# -clogd = module - -# Layer: services -# Module: cmirrord -# -# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster -# -cmirrord = module - -# Layer: services -# Module: colord -# -# color device daemon -# -colord = module - -# Layer: services -# Module: comsat -# -# Comsat, a biff server. -# -comsat = module - -# Layer: services -# Module: courier -# -# IMAP and POP3 email servers -# -courier = module - -# Layer: services -# Module: cpucontrol -# -# Services for loading CPU microcode and CPU frequency scaling. -# -cpucontrol = module - -# Layer: apps -# Module: cpufreqselector -# -# cpufreqselector executable -# -cpufreqselector = module - -# Layer: services -# Module: cron -# -# Periodic execution of scheduled commands. -# -cron = module - -# Layer: services -# Module: cups -# -# Common UNIX printing system -# -cups = module - -# Layer: services -# Module: cvs -# -# Concurrent versions system -# -cvs = module - -# Layer: services -# Module: cyphesis -# -# cyphesis game server -# -cyphesis = module - -# Layer: services -# Module: cyrus -# -# Cyrus is an IMAP service intended to be run on sealed servers -# -cyrus = module - -# Layer: system -# Module: daemontools -# -# Collection of tools for managing UNIX services -# -daemontools = module - -# Layer: role -# Module: dbadm -# -# Minimally prived root role for managing databases -# -dbadm = module - -# Layer: services -# Module: dbskk -# -# Dictionary server for the SKK Japanese input method system. -# -dbskk = module - -# Layer: services -# Module: dbus -# -# Desktop messaging bus -# -dbus = module - -# Layer: services -# Module: dcc -# -# A distributed, collaborative, spam detection and filtering network. -# -dcc = module - -# Layer: admin -# Module: ddcprobe -# -# ddcprobe retrieves monitor and graphics card information -# -ddcprobe = off - -# Layer: services -# Module: devicekit -# -# devicekit-daemon -# -devicekit = module - -# Layer: services -# Module: dhcp -# -# Dynamic host configuration protocol (DHCP) server -# -dhcp = module - -# Layer: services -# Module: dictd -# -# Dictionary daemon -# -dictd = module - -# Layer: services -# Module: distcc -# -# Distributed compiler daemon -# -distcc = off - -# Layer: admin -# Module: dmidecode -# -# Decode DMI data for x86/ia64 bioses. -# -dmidecode = module - -# Layer: services -# Module: dnsmasq -# -# A lightweight DHCP and caching DNS server. -# -dnsmasq = module - -# Layer: services -# Module: dnssec -# -# A dnssec server application -# -dnssec = module - -# Layer: services -# Module: dovecot -# -# Dovecot POP and IMAP mail server -# -dovecot = module - -# Layer: services -# Module: entropy -# -# Generate entropy from audio input -# -entropyd = module - -# Layer: services -# Module: exim -# -# exim mail server -# -exim = module - -# Layer: services -# Module: fail2ban -# -# daiemon that bans IP that makes too many password failures -# -fail2ban = module - -# Layer: services -# Module: fetchmail -# -# Remote-mail retrieval and forwarding utility -# -fetchmail = module - -# Layer: services -# Module: finger -# -# Finger user information service. -# -finger = module - -# Layer: services -# Module: firewalld -# -# firewalld is firewall service daemon that provides dynamic customizable -# -firewalld = module - -# Layer: apps -# Module: firewallgui -# -# policy for system-config-firewall -# -firewallgui = module - -# Module: firstboot -# -# Final system configuration run during the first boot -# after installation of Red Hat/Fedora systems. -# -firstboot = module - -# Layer: services -# Module: fprintd -# -# finger print server -# -fprintd = module - -# Layer: services -# Module: ftp -# -# File transfer protocol service -# -ftp = module - -# Layer: apps -# Module: games -# -# The Open Group Pegasus CIM/WBEM Server. -# -games = module - -# Layer: apps -# Module: gitosis -# -# Policy for gitosis -# -gitosis = module - -# Layer: services -# Module: git -# -# Policy for the stupid content tracker -# -git = module - -# Layer: services -# Module: glance -# -# Policy for glance -# -glance = module - -# Layer: apps -# Module: gnome -# -# gnome session and gconf -# -gnome = module - -# Layer: apps -# Module: gnome_remote_desktop -# -# gnome-remote-desktop -# -gnome_remote_desktop = module - -# Layer: apps -# Module: gpg -# -# Policy for Mozilla and related web browsers -# -gpg = module - -# Layer: services -# Module: gpm -# -# General Purpose Mouse driver -# -gpm = module - -# Module: gpsd -# -# gpsd monitor daemon -# -# -gpsd = module - -# Module: gssproxy -# -# A proxy for GSSAPI credential handling -# -# -gssproxy = module - -# Layer: role -# Module: guest -# -# Minimally privs guest account on tty logins -# -guest = module - -# Layer: services -# Module: i18n_input -# -# IIIMF htt server -# -i18n_input = off - -# Layer: services -# Module: inetd -# -# Internet services daemon. -# -inetd = module - -# Layer: services -# Module: inn -# -# Internet News NNTP server -# -inn = module - -# Layer: apps -# Module: irc -# -# IRC client policy -# -irc = module - -# Layer: services -# Module: irqbalance -# -# IRQ balancing daemon -# -irqbalance = module - -# Layer: system -# Module: iscsi -# -# Open-iSCSI daemon -# -iscsi = module - -# Layer: services -# Module: jabber -# -# Jabber instant messaging server -# -jabber = module - -# Layer: apps -# Module: kdumpgui -# -# system-config-kdump policy -# -kdumpgui = module - -# Layer: admin -# Module: kdump -# -# kdump is kernel crash dumping mechanism -# -kdump = module - -# Layer: services -# Module: kerberos -# -# MIT Kerberos admin and KDC -# -kerberos = module - -# Layer: services -# Module: kismet -# -# Wireless sniffing and monitoring -# -kismet = module - -# Layer: services -# Module: ktalk -# -# KDE Talk daemon -# -ktalk = module - -# Layer: services -# Module: ldap -# -# OpenLDAP directory server -# -ldap = module - -# Layer: services -# Module: lircd -# -# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. -# -lircd = module - -# Layer: apps -# Module: loadkeys -# -# Load keyboard mappings. -# -loadkeys = module - -# Layer: apps -# Module: lockdev -# -# device locking policy for lockdev -# -lockdev = module - -# Layer: admin -# Module: logrotate -# -# Rotate and archive system logs -# -logrotate = module - -# Layer: services -# Module: logwatch -# -# logwatch executable -# -logwatch = module - -# Layer: services -# Module: lpd -# -# Line printer daemon -# -lpd = module - -# Layer: services -# Module: lsm -# -# lsm policy -# -lsm = module - -# Layer: services -# Module: mailman -# -# Mailman is for managing electronic mail discussion and e-newsletter lists -# -mailman = module - -# Layer: admin -# Module: mcelog -# -# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines. -# -mcelog = module - -# Layer: services -# Module: memcached -# -# high-performance memory object caching system -# -memcached = module - -# Layer: services -# Module: milter -# -# -# -milter = module - -# Layer: services -# Module: modemmanager -# -# Manager for dynamically switching between modems. -# -modemmanager = module - -# Layer: services -# Module: mojomojo -# -# Wiki server -# -mojomojo = module - -# Layer: apps -# Module: mozilla -# -# Policy for Mozilla and related web browsers -# -mozilla = module - -# Layer: apps -# Module: mplayer -# -# Policy for Mozilla and related web browsers -# -mplayer = module - -# Layer: admin -# Module: mrtg -# -# Network traffic graphing -# -mrtg = module - -# Layer: services -# Module: mta -# -# Policy common to all email tranfer agents. -# -mta = module - -# Layer: services -# Module: munin -# -# Munin -# -munin = module - -# Layer: services -# Module: mysql -# -# Policy for MySQL -# -mysql = module - -# Layer: services -# Module: nagios -# -# policy for nagios Host/service/network monitoring program -# -nagios = module - -# Layer: apps -# Module: namespace -# -# policy for namespace.init script -# -namespace = module - -# Layer: admin -# Module: ncftool -# -# Tool to modify the network configuration of a system -# -ncftool = module - -# Layer: services -# Module: networkmanager -# -# Manager for dynamically switching between networks. -# -networkmanager = module - -# Layer: services -# Module: nis -# -# Policy for NIS (YP) servers and clients -# -nis = module - -# Layer: services -# Module: nscd -# -# Name service cache daemon -# -nscd = module - -# Layer: services -# Module: nslcd -# -# Policy for nslcd -# -nslcd = module - -# Layer: services -# Module: ntop -# -# Policy for ntop -# -ntop = module - -# Layer: services -# Module: ntp -# -# Network time protocol daemon -# -ntp = module - -# Layer: services -# Module: nx -# -# NX Remote Desktop -# -nx = module - -# Layer: services -# Module: oddjob -# -# policy for oddjob -# -oddjob = module - -# Layer: services -# Module: openct -# -# Service for handling smart card readers. -# -openct = off - -# Layer: service -# Module: openct -# -# Middleware framework for smart card terminals -# -openct = module - -# Layer: services -# Module: openvpn -# -# Policy for OPENVPN full-featured SSL VPN solution -# -openvpn = module - -# Layer: contrib -# Module: prelude -# -# SELinux policy for prelude -# -prelude = module - -# Layer: contrib -# Module: prosody -# -# SELinux policy for prosody flexible communications server for Jabber/XMPP -# -prosody = module - -# Layer: services -# Module: pads -# -pads = module - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = module - -# Layer: service -# Module: pcscd -# -# PC/SC Smart Card Daemon -# -pcscd = module - -# Layer: services -# Module: pegasus -# -# The Open Group Pegasus CIM/WBEM Server. -# -pegasus = module - - -# Layer: services -# Module: pingd -# -# -pingd = module - -# Layer: services -# Module: plymouthd -# -# Plymouth -# -plymouthd = module - -# Layer: apps -# Module: podsleuth -# -# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. -# -podsleuth = module - -# Layer: services -# Module: policykit -# -# Hardware abstraction layer -# -policykit = module - -# Layer: services -# Module: polipo -# -# polipo -# -polipo = module - -# Layer: services -# Module: portmap -# -# RPC port mapping service. -# -portmap = module - -# Layer: services -# Module: portreserve -# -# reserve ports to prevent portmap mapping them -# -portreserve = module - -# Layer: services -# Module: postfix -# -# Postfix email server -# -postfix = module - -o# Layer: services -# Module: postgrey -# -# email scanner -# -postgrey = module - -# Layer: services -# Module: ppp -# -# Point to Point Protocol daemon creates links in ppp networks -# -ppp = module - -# Layer: admin -# Module: prelink -# -# Manage temporary directory sizes and file ages -# -prelink = module - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. -# -privoxy = module - -# Layer: services -# Module: procmail -# -# Procmail mail delivery agent -# -procmail = module - -# Layer: services -# Module: psad -# -# Analyze iptables log for hostile traffic -# -psad = module - -# Layer: apps -# Module: ptchown -# -# helper function for grantpt(3), changes ownship and permissions of pseudotty -# -ptchown = module - -# Layer: apps -# Module: pulseaudio -# -# The PulseAudio Sound System -# -pulseaudio = module - -# Layer: services -# Module: qmail -# -# Policy for qmail -# -qmail = module - -# Layer: services -# Module: qpidd -# -# Policy for qpidd -# -qpid = module - -# Layer: admin -# Module: quota -# -# File system quota management -# -quota = module - -# Layer: services -# Module: radius -# -# RADIUS authentication and accounting server. -# -radius = module - -# Layer: services -# Module: radvd -# -# IPv6 router advertisement daemon -# -radvd = module - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = module - -# Layer: services -# Module: rdisc -# -# Network router discovery daemon -# -rdisc = module - -# Layer: admin -# Module: readahead -# -# Readahead, read files into page cache for improved performance -# -readahead = module - -# Layer: services -# Module: remotelogin -# -# Policy for rshd, rlogind, and telnetd. -# -remotelogin = module - -# Layer: services -# Module: rhcs -# -# RHCS - Red Hat Cluster Suite -# -rhcs = module - -# Layer: services -# Module: rhgb -# -# X windows login display manager -# -rhgb = module - -# Layer: services -# Module: ricci -# -# policy for ricci -# -ricci = module - -# Layer: services -# Module: rlogin -# -# Remote login daemon -# -rlogin = module - -# Layer: services -# Module: roundup -# -# Roundup Issue Tracking System policy -# -roundup = module - -# Layer: services -# Module: rpcbind -# -# universal addresses to RPC program number mapper -# -rpcbind = module - -# Layer: services -# Module: rpc -# -# Remote Procedure Call Daemon for managment of network based process communication -# -rpc = module - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = module - -# Layer: services -# Module: rshd -# -# Remote shell service. -# -rshd = module - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization -# -rsync = module - -# Layer: services -# Module: rtkit -# -# Real Time Kit Daemon -# -rtkit = module - -# Layer: services -# Module: rwho -# -# who is logged in on local machines -# -rwho = module - -# Layer: apps -# Module: sambagui -# -# policy for system-config-samba -# -sambagui = module - -# -# SMB and CIFS client/server programs for UNIX and -# name Service Switch daemon for resolving names -# from Windows NT servers. -# -samba = module - -# Layer: services -# Module: sasl -# -# SASL authentication server -# -sasl = module - -# Layer: apps -# Module: screen -# -# GNU terminal multiplexer -# -screen = module - -# Layer: services -# Module: sendmail -# -# Policy for sendmail. -# -sendmail = module - -# Layer: services -# Module: setroubleshoot -# -# Policy for the SELinux troubleshooting utility -# -setroubleshoot = module - -# Layer: admin -# Module: shorewall -# -# Policy for shorewall -# -shorewall = module - -# Layer: apps -# Module: slocate -# -# Update database for mlocate -# -slocate = module - -# Layer: services -# Module: slrnpull -# -# Service for downloading news feeds the slrn newsreader. -# -slrnpull = off - -# Layer: services -# Module: smartmon -# -# Smart disk monitoring daemon policy -# -smartmon = module - -# Layer: services -# Module: snmp -# -# Simple network management protocol services -# -snmp = module - -# Layer: services -# Module: snort -# -# Snort network intrusion detection system -# -snort = module - -# Layer: admin -# Module: sosreport -# -# sosreport debuggin information generator -# -sosreport = module - -# Layer: services -# Module: soundserver -# -# sound server for network audio server programs, nasd, yiff, etc -# -soundserver = module - -# Layer: services -# Module: spamassassin -# -# Filter used for removing unsolicited email. -# -spamassassin = module - -# Layer: services -# Module: squid -# -# Squid caching http proxy server -# -squid = module - -# Layer: services -# Module: sssd -# -# System Security Services Daemon -# -sssd = module - -# Layer: services -# Module: stunnel -# -# SSL Tunneling Proxy -# -stunnel = module - -# Layer: services -# Module: sysstat -# -# Policy for sysstat. Reports on various system states -# -sysstat = module - -# Layer: services -# Module: tcpd -# -# Policy for TCP daemon. -# -tcpd = module - -# Layer: services -# Module: tcsd -# -# tcsd - daemon that manages Trusted Computing resources -# -tcsd = module - -# Layer: apps -# Module: telepathy -# -# telepathy - Policy for Telepathy framework -# -telepathy = module - -# Layer: services -# Module: telnet -# -# Telnet daemon -# -telnet = module - -# Layer: services -# Module: tftp -# -# Trivial file transfer protocol daemon -# -tftp = module - -# Layer: services -# Module: tgtd -# -# Linux Target Framework Daemon. -# -tgtd = module - -# Layer: apps -# Module: thumb -# -# Thumbnailer confinement -# -thumb = module - -# Layer: services -# Module: timidity -# -# MIDI to WAV converter and player configured as a service -# -timidity = off - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages -# -tmpreaper = module - -# Layer: services -# Module: tor -# -# TOR, the onion router -# -tor = module - -# Layer: services -# Module: ksmtuned -# -# Kernel Samepage Merging (KSM) Tuning Daemon -# -ksmtuned = module - -# Layer: services -# Module: tuned -# -# Dynamic adaptive system tuning daemon -# -tuned = module - -# Layer: apps -# Module: tvtime -# -# tvtime - a high quality television application -# -tvtime = module - -# Layer: services -# Module: ulogd -# -# -# -ulogd = module - -# Layer: apps -# Module: uml -# -# Policy for UML -# -uml = module - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change /etc/fstab. -# -updfstab = module - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices -# -usbmodules = module - -# Layer: apps -# Module: userhelper -# -# A helper interface to pam. -# -userhelper = module - -# Layer: apps -# Module: usernetctl -# -# User network interface configuration helper -# -usernetctl = module - -# Layer: services -# Module: uucp -# -# Unix to Unix Copy -# -uucp = module - -# Layer: services -# Module: virt -# -# Virtualization libraries -# -virt = module - -# Layer: apps -# Module: vmware -# -# VMWare Workstation virtual machines -# -vmware = module - -# Layer: contrib -# Module: openvswitch -# -# SELinux policy for openvswitch programs -# -openvswitch = module - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client -# -vpn = module - -# Layer: services -# Module: w3c -# -# w3c -# -w3c = module - -# Layer: role -# Module: webadm -# -# Minimally prived root role for managing apache -# -webadm = module - -# Layer: apps -# Module: webalizer -# -# Web server log analysis -# -webalizer = module - -# Layer: apps -# Module: wine -# -# wine executable -# -wine = module - -# Layer: apps -# Module: wireshark -# -# wireshark executable -# -wireshark = module - -# Layer: apps -# Module: wm -# -# X windows window manager -# -wm = module - -# Layer: system -# Module: xen -# -# virtualization software -# -xen = module - -# Layer: role -# Module: xguest -# -# Minimally privs guest account on X Windows logins -# -xguest = module - -# Layer: services -# Module: zabbix -# -# Open-source monitoring solution for your IT infrastructure -# -zabbix = module - -# Layer: services -# Module: zebra -# -# Zebra border gateway protocol network routing service -# -zebra = module - -# Layer: services -# Module: zosremote -# -# policy for z/OS Remote-services Audit dispatcher plugin -# -zosremote = module - -# Layer: contrib -# Module: mandb -# -# Policy for mandb -# -mandb = module diff --git a/modules-targeted.conf b/modules-targeted.conf deleted file mode 100644 index a84cf14e..00000000 --- a/modules-targeted.conf +++ /dev/null @@ -1,3071 +0,0 @@ -# Layer: kernel -# Module: bootloader -# -# Policy for the kernel modules, kernel image, and bootloader. -# -bootloader = module - -# Layer: kernel -# Module: corecommands -# Required in base -# -# Core policy for shells, and generic programs -# in /bin, /sbin, /usr/bin, and /usr/sbin. -# -corecommands = base - -# Layer: kernel -# Module: corenetwork -# Required in base -# -# Policy controlling access to network objects -# -corenetwork = base - -# Layer: admin -# Module: dmesg -# -# Policy for dmesg. -# -dmesg = module - -# Layer: admin -# Module: netutils -# -# Network analysis utilities -# -netutils = module - -# Layer: admin -# Module: sudo -# -# Execute a command with a substitute user -# -sudo = module - -# Layer: admin -# Module: su -# -# Run shells with substitute user and group -# -su = module - -# Layer: admin -# Module: usermanage -# -# Policy for managing user accounts. -# -usermanage = module - -# Layer: apps -# Module: seunshare -# -# seunshare executable -# -seunshare = module - -# Module: devices -# Required in base -# -# Device nodes and interfaces for many basic system devices. -# -devices = base - -# Module: domain -# Required in base -# -# Core policy for domains. -# -domain = base - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = module - -# Module: files -# Required in base -# -# Basic filesystem types and interfaces. -# -files = base - -# Layer: system -# Module: miscfiles -# -# Miscelaneous files. -# -miscfiles = module - -# Module: filesystem -# Required in base -# -# Policy for filesystems. -# -filesystem = base - -# Module: kernel -# Required in base -# -# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. -# -kernel = base - -# Module: mcs -# Required in base -# -# MultiCategory security policy -# -mcs = base - -# Module: mls -# Required in base -# -# Multilevel security policy -# -mls = base - -# Module: selinux -# Required in base -# -# Policy for kernel security interface, in particular, selinuxfs. -# -selinux = base - -# Layer: kernel -# Module: storage -# -# Policy controlling access to storage devices -# -storage = base - -# Module: terminal -# Required in base -# -# Policy for terminals. -# -terminal = base - -# Layer: kernel -# Module: ubac -# -# -# -ubac = base - -# Layer: kernel -# Module: unconfined -# -# The unlabelednet module. -# -unlabelednet = module - -# Layer: role -# Module: auditadm -# -# auditadm account on tty logins -# -auditadm = module - -# Layer: role -# Module: logadm -# -# Minimally prived root role for managing logging system -# -logadm = module - -# Layer: role -# Module: secadm -# -# secadm account on tty logins -# -secadm = module - -# Layer:role -# Module: sysadm_secadm -# -# System Administrator with Security Admin rules -# -sysadm_secadm = module - -# Module: staff -# -# admin account -# -staff = module - -# Layer:role -# Module: sysadm -# -# System Administrator -# -sysadm = module - -# Layer: role -# Module: unconfineduser -# -# The unconfined user domain. -# -unconfineduser = module - -# Layer: role -# Module: unprivuser -# -# Minimally privs guest account on tty logins -# -unprivuser = module - -# Layer: services -# Module: postgresql -# -# PostgreSQL relational database -# -postgresql = module - -# Layer: services -# Module: ssh -# -# Secure shell client and server policy. -# -ssh = module - -# Layer: services -# Module: xserver -# -# X windows login display manager -# -xserver = module - -# Module: application -# Required in base -# -# Defines attributs and interfaces for all user applications -# -application = module - -# Layer: system -# Module: authlogin -# -# Common policy for authentication and user login. -# -authlogin = module - -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = module - -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = module - -# Layer: system -# Module: getty -# -# Policy for getty. -# -getty = module - -# Layer: system -# Module: hostname -# -# Policy for changing the system host name. -# -hostname = module - -# Layer: system -# Module: init -# -# System initialization programs (init and init scripts). -# -init = module - -# Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = module - -# Layer: system -# Module: iptables -# -# Policy for iptables. -# -iptables = module - -# Layer: system -# Module: libraries -# -# Policy for system libraries. -# -libraries = module - -# Layer: system -# Module: locallogin -# -# Policy for local logins. -# -locallogin = module - -# Layer: system -# Module: logging -# -# Policy for the kernel message logger and system logging daemon. -# -logging = module - -# Layer: system -# Module: lvm -# -# Policy for logical volume management programs. -# -lvm = module - -# Layer: system -# Module: modutils -# -# Policy for kernel module utilities -# -modutils = module - -# Layer: system -# Module: mount -# -# Policy for mount. -# -mount = module - -# Layer: system -# Module: netlabel -# -# Basic netlabel types and interfaces. -# -netlabel = module - -# Layer: system -# Module: selinuxutil -# -# Policy for SELinux policy and userland applications. -# -selinuxutil = module - -# Module: setrans -# Required in base -# -# Policy for setrans -# -setrans = module - -# Layer: system -# Module: sysnetwork -# -# Policy for network configuration: ifconfig and dhcp client. -# -sysnetwork = module - -# Layer: system -# Module: systemd -# -# Policy for systemd components -# -systemd = module - -# Layer: system -# Module: udev -# -# Policy for udev. -# -udev = module - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = module -# Layer: services -# Module: abrt -# -# Automatic bug detection and reporting tool -# -abrt = module - -# Layer: services -# Module: accountsd -# -# An application to view and modify user accounts information -# -accountsd = module - -# Layer: admin -# Module: acct -# -# Berkeley process accounting -# -acct = module - -# Layer: services -# Module: afs -# -# Andrew Filesystem server -# -afs = module - -# Layer: services -# Module: aiccu -# -# SixXS Automatic IPv6 Connectivity Client Utility -# -aiccu = module - -# Layer: services -# Module: aide -# -# Policy for aide -# -aide = module - -# Layer: admin -# Module: alsa -# -# Ainit ALSA configuration tool -# -alsa = module - -# Layer: admin -# Module: amanda -# -# Automated backup program. -# -amanda = module - -# Layer: admin -# Module: amtu -# -# Abstract Machine Test Utility (AMTU) -# -amtu = module - -# Layer: admin -# Module: anaconda -# -# Policy for the Anaconda installer. -# -anaconda = module - -# Layer: contrib -# Module: antivirus -# -# SELinux policy for antivirus programs -# -antivirus = module - -# Layer: services -# Module: apache -# -# Apache web server -# -apache = module - -# Layer: services -# Module: apcupsd -# -# daemon for most APC’s UPS for Linux -# -apcupsd = module - -# Layer: services -# Module: apm -# -# Advanced power management daemon -# -apm = module - -# Layer: services -# Module: arpwatch -# -# Ethernet activity monitor. -# -arpwatch = module - -# Layer: services -# Module: asterisk -# -# Asterisk IP telephony server -# -asterisk = module - -# Layer: services -# Module: automount -# -# Filesystem automounter service. -# -automount = module - -# Layer: services -# Module: avahi -# -# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture -# -avahi = module - -# Layer: module -# Module: awstats -# -# awstats executable -# -awstats = module - -# Layer: services -# Module: bcfg2 -# -# Configuration management server -# -bcfg2 = module - -# Layer: services -# Module: bind -# -# Berkeley internet name domain DNS server. -# -bind = module - -# Layer: contrib -# Module: rngd -# -# Daemon used to feed random data from hardware device to kernel random device -# -rngd = module - -# Layer: services -# Module: bitlbee -# -# An IRC to other chat networks gateway -# -bitlbee = module - -# Layer: services -# Module: blueman -# -# Blueman tools and system services. -# -blueman = module - -# Layer: services -# Module: bluetooth -# -# Bluetooth tools and system services. -# -bluetooth = module - -# Layer: services -# Module: boinc -# -# Berkeley Open Infrastructure for Network Computing -# -boinc = module - -# Layer: system -# Module: brctl -# -# Utilities for configuring the linux ethernet bridge -# -brctl = module - -# Layer: services -# Module: bugzilla -# -# Bugzilla server -# -bugzilla = module - -# Layer: services -# Module: cachefilesd -# -# CacheFiles userspace management daemon -# -cachefilesd = module - -# Module: calamaris -# -# -# Squid log analysis -# -calamaris = module - -# Layer: services -# Module: callweaver -# -# callweaver telephony sever -# -callweaver = module - -# Layer: services -# Module: canna -# -# Canna - kana-kanji conversion server -# -canna = module - -# Layer: services -# Module: ccs -# -# policy for ccs -# -ccs = module - -# Layer: apps -# Module: cdrecord -# -# Policy for cdrecord -# -cdrecord = module - -# Layer: admin -# Module: certmaster -# -# Digital Certificate master -# -certmaster = module - -# Layer: services -# Module: certmonger -# -# Certificate status monitor and PKI enrollment client -# -certmonger = module - -# Layer: admin -# Module: certwatch -# -# Digital Certificate Tracking -# -certwatch = module - -# Layer: services -# Module: cfengine -# -# cfengine -# -cfengine = module - -# Layer: services -# Module: cgroup -# -# Tools and libraries to control and monitor control groups -# -cgroup = module - -# Layer: apps -# Module: chrome -# -# chrome sandbox -# -chrome = module - -# Layer: services -# Module: chronyd -# -# Daemon for maintaining clock time -# -chronyd = module - -# Layer: services -# Module: cipe -# -# Encrypted tunnel daemon -# -cipe = module - - -# Layer: services -# Module: clogd -# -# clogd - clustered mirror log server -# -clogd = module - -# Layer: services -# Module: cloudform -# -# cloudform daemons -# -cloudform = module - -# Layer: services -# Module: cmirrord -# -# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster -# -cmirrord = module - -# Layer: services -# Module: cobbler -# -# cobbler -# -cobbler = module - -# Layer: services -# Module: collectd -# -# Statistics collection daemon for filling RRD files -# -collectd = module - -# Layer: services -# Module: colord -# -# color device daemon -# -colord = module - -# Layer: services -# Module: comsat -# -# Comsat, a biff server. -# -comsat = module - -# Layer: services -# Module: condor -# -# policy for condor -# -condor = module - -# Layer: services -# Module: conman -# -# Conman is a program for connecting to remote consoles being managed by conmand -# -conman = module - -# Layer: services -# Module: consolekit -# -# ConsoleKit is a system daemon for tracking what users are logged -# -consolekit = module - -# Layer: services -# Module: couchdb -# -# Apache CouchDB database server -# -couchdb = module - -# Layer: services -# Module: courier -# -# IMAP and POP3 email servers -# -courier = module - -# Layer: services -# Module: cpucontrol -# -# Services for loading CPU microcode and CPU frequency scaling. -# -cpucontrol = module - -# Layer: apps -# Module: cpufreqselector -# -# cpufreqselector executable -# -cpufreqselector = module - -# Layer: services -# Module: cron -# -# Periodic execution of scheduled commands. -# -cron = module - -# Layer: services -# Module: ctdbd -# -# Cluster Daemon -# -ctdb = module - -# Layer: services -# Module: cups -# -# Common UNIX printing system -# -cups = module - -# Layer: services -# Module: cvs -# -# Concurrent versions system -# -cvs = module - -# Layer: services -# Module: cyphesis -# -# cyphesis game server -# -cyphesis = module - -# Layer: services -# Module: cyrus -# -# Cyrus is an IMAP service intended to be run on sealed servers -# -cyrus = module - -# Layer: system -# Module: daemontools -# -# Collection of tools for managing UNIX services -# -daemontools = module - -# Layer: role -# Module: dbadm -# -# Minimally prived root role for managing databases -# -dbadm = module - -# Layer: services -# Module: dbskk -# -# Dictionary server for the SKK Japanese input method system. -# -dbskk = module - -# Layer: services -# Module: dbus -# -# Desktop messaging bus -# -dbus = module - -# Layer: services -# Module: dcc -# -# A distributed, collaborative, spam detection and filtering network. -# -dcc = module - -# Layer: services -# Module: ddclient -# -# Update dynamic IP address at DynDNS.org -# -ddclient = module - -# Layer: admin -# Module: ddcprobe -# -# ddcprobe retrieves monitor and graphics card information -# -ddcprobe = off - -# Layer: services -# Module: denyhosts -# -# script to help thwart ssh server attacks -# -denyhosts = module - -# Layer: services -# Module: devicekit -# -# devicekit-daemon -# -devicekit = module - -# Layer: services -# Module: dhcp -# -# Dynamic host configuration protocol (DHCP) server -# -dhcp = module - -# Layer: services -# Module: dictd -# -# Dictionary daemon -# -dictd = module - -# Layer: services -# Module: dirsrv -# -# An 309 directory server -# -dirsrv = module - -# Layer: services -# Module: distcc -# -# Distributed compiler daemon -# -distcc = off - -# Layer: admin -# Module: dmidecode -# -# Decode DMI data for x86/ia64 bioses. -# -dmidecode = module - -# Layer: services -# Module: dnsmasq -# -# A lightweight DHCP and caching DNS server. -# -dnsmasq = module - -# Layer: services -# Module: dnssec -# -# A dnssec server application -# -dnssec = module - -# Layer: services -# Module: dovecot -# -# Dovecot POP and IMAP mail server -# -dovecot = module - -# Layer: services -# Module: drbd -# -# DRBD mirrors a block device over the network to another machine. -# -drbd = module - -# Layer: services -# Module: dspam -# -# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering -# -dspam = module - -# Layer: services -# Module: entropy -# -# Generate entropy from audio input -# -entropyd = module - -# Layer: services -# Module: exim -# -# exim mail server -# -exim = module - -# Layer: services -# Module: fail2ban -# -# daiemon that bans IP that makes too many password failures -# -fail2ban = module - -# Layer: services -# Module: fcoe -# -# fcoe -# -fcoe = module - -# Layer: services -# Module: fetchmail -# -# Remote-mail retrieval and forwarding utility -# -fetchmail = module - -# Layer: services -# Module: finger -# -# Finger user information service. -# -finger = module - -# Layer: services -# Module: firewalld -# -# firewalld is firewall service daemon that provides dynamic customizable -# -firewalld = module - -# Layer: apps -# Module: firewallgui -# -# policy for system-config-firewall -# -firewallgui = module - -# Module: firstboot -# -# Final system configuration run during the first boot -# after installation of Red Hat/Fedora systems. -# -firstboot = module - -# Layer: services -# Module: fprintd -# -# finger print server -# -fprintd = module - -# Layer: services -# Module: freqset -# -# Utility for CPU frequency scaling -# -freqset = module - -# Layer: services -# Module: ftp -# -# File transfer protocol service -# -ftp = module - -# Layer: apps -# Module: games -# -# The Open Group Pegasus CIM/WBEM Server. -# -games = module - -# Layer: apps -# Module: gitosis -# -# Policy for gitosis -# -gitosis = module - -# Layer: services -# Module: git -# -# Policy for the stupid content tracker -# -git = module - -# Layer: services -# Module: glance -# -# Policy for glance -# -glance = module - -# Layer: contrib -# Module: glusterd -# -# policy for glusterd service -# -glusterd = module - -# Layer: apps -# Module: gnome -# -# gnome session and gconf -# -gnome = module - -# Layer: apps -# Module: gpg -# -# Policy for GNU Privacy Guard and related programs. -# -gpg = module - -# Layer: services -# Module: gpm -# -# General Purpose Mouse driver -# -gpm = module - -# Module: gpsd -# -# gpsd monitor daemon -# -# -gpsd = module - -# Module: gssproxy -# -# A proxy for GSSAPI credential handling -# -# -gssproxy = module - -# Layer: role -# Module: guest -# -# Minimally privs guest account on tty logins -# -guest = module - -# Layer: role -# Module: xguest -# -# Minimally privs guest account on X Windows logins -# -xguest = module - -# Layer: services -# Module: hddtemp -# -# hddtemp hard disk temperature tool running as a daemon -# -hddtemp = module - -# Layer: services -# Module: hostapd -# -# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator -# -hostapd = module - -# Layer: services -# Module: i18n_input -# -# IIIMF htt server -# -i18n_input = off - -# Layer: services -# Module: icecast -# -# ShoutCast compatible streaming media server -# -icecast = module - -# Layer: services -# Module: inetd -# -# Internet services daemon. -# -inetd = module - -# Layer: services -# Module: inn -# -# Internet News NNTP server -# -inn = module - -# Layer: services -# Module: lircd -# -# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. -# -lircd = module - -# Layer: apps -# Module: irc -# -# IRC client policy -# -irc = module - -# Layer: services -# Module: irqbalance -# -# IRQ balancing daemon -# -irqbalance = module - -# Layer: system -# Module: iscsi -# -# Open-iSCSI daemon -# -iscsi = module - -# Layer: system -# Module: isnsd -# -# -# -isns = module - -# Layer: services -# Module: jabber -# -# Jabber instant messaging server -# -jabber = module - -# Layer: services -# Module: jetty -# -# Java based http server -# -jetty = module - -# Layer: apps -# Module: jockey -# -# policy for jockey-backend -# -jockey = module - -# Layer: apps -# Module: kdumpgui -# -# system-config-kdump policy -# -kdumpgui = module - -# Layer: admin -# Module: kdump -# -# kdump is kernel crash dumping mechanism -# -kdump = module - -# Layer: services -# Module: kerberos -# -# MIT Kerberos admin and KDC -# -kerberos = module - -# Layer: services -# Module: keepalived -# -# keepalived - load-balancing and high-availability service -# -keepalived = module - -# Module: keyboardd -# -# system-setup-keyboard is a keyboard layout daemon that monitors -# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet -# -keyboardd = module - -# Layer: services -# Module: keystone -# -# openstack-keystone -# -keystone = module - -# Layer: services -# Module: kismet -# -# Wireless sniffing and monitoring -# -kismet = module - -# Layer: services -# Module: ksmtuned -# -# Kernel Samepage Merging (KSM) Tuning Daemon -# -ksmtuned = module - -# Layer: services -# Module: ktalk -# -# KDE Talk daemon -# -ktalk = module - -# Layer: services -# Module: l2ltpd -# -# Layer 2 Tunnelling Protocol Daemon -# -l2tp = module - -# Layer: services -# Module: ldap -# -# OpenLDAP directory server -# -ldap = module - -# Layer: services -# Module: likewise -# -# Likewise Active Directory support for UNIX -# -likewise = module - -# Layer: apps -# Module: livecd -# -# livecd creator -# -livecd = module - -# Layer: services -# Module: lldpad -# -# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon -# -lldpad = module - -# Layer: apps -# Module: loadkeys -# -# Load keyboard mappings. -# -loadkeys = module - -# Layer: apps -# Module: lockdev -# -# device locking policy for lockdev -# -lockdev = module - -# Layer: admin -# Module: logrotate -# -# Rotate and archive system logs -# -logrotate = module - -# Layer: services -# Module: logwatch -# -# logwatch executable -# -logwatch = module - -# Layer: services -# Module: lpd -# -# Line printer daemon -# -lpd = module - -# Layer: services -# Module: mailman -# -# Mailman is for managing electronic mail discussion and e-newsletter lists -# -mailman = module - -# Layer: services -# Module: mailman -# -# Policy for mailscanner -# -mailscanner = module - -# Layer: apps -# Module: man2html -# -# policy for man2html apps -# -man2html = module - -# Layer: admin -# Module: mcelog -# -# Policy for mcelog. -# -mcelog = module - -# Layer: apps -# Module: mediawiki -# -# mediawiki -# -mediawiki = module - -# Layer: services -# Module: memcached -# -# high-performance memory object caching system -# -memcached = module - -# Layer: services -# Module: milter -# -# -# -milter = module - -# Layer: services -# Module: mock -# -# Policy for mock rpm builder -# -mock = module - -# Layer: services -# Module: modemmanager -# -# Manager for dynamically switching between modems. -# -modemmanager = module - -# Layer: services -# Module: mojomojo -# -# Wiki server -# -mojomojo = module - -# Layer: apps -# Module: mozilla -# -# Policy for Mozilla and related web browsers -# -mozilla = module - -# Layer: services -# Module: mpd -# -# mpd - daemon for playing music -# -mpd = module - -# Layer: apps -# Module: mplayer -# -# Policy for Mozilla and related web browsers -# -mplayer = module - -# Layer: admin -# Module: mrtg -# -# Network traffic graphing -# -mrtg = module - -# Layer: services -# Module: mta -# -# Policy common to all email tranfer agents. -# -mta = module - -# Layer: services -# Module: munin -# -# Munin -# -munin = module - -# Layer: services -# Module: mysql -# -# Policy for MySQL -# -mysql = module - -# Layer: contrib -# Module: mythtv -# -# Policy for Mythtv (Web Server) -# -mythtv = module - -# Layer: services -# Module: nagios -# -# policy for nagios Host/service/network monitoring program -# -nagios = module - -# Layer: apps -# Module: namespace -# -# policy for namespace.init script -# -namespace = module - -# Layer: admin -# Module: ncftool -# -# Tool to modify the network configuration of a system -# -ncftool = module - -# Layer: services -# Module: networkmanager -# -# Manager for dynamically switching between networks. -# -networkmanager = module - -# Layer: services -# Module: ninfod -# -# Respond to IPv6 Node Information Queries -# -ninfod = module - -# Layer: services -# Module: nis -# -# Policy for NIS (YP) servers and clients -# -nis = module - -# Layer: services -# Module: nova -# -# openstack-nova -# -nova = module - -# Layer: services -# Module: nscd -# -# Name service cache daemon -# -nscd = module - -# Layer: services -# Module: nslcd -# -# Policy for nslcd -# -nslcd = module - -# Layer: services -# Module: ntop -# -# Policy for ntop -# -ntop = module - -# Layer: services -# Module: ntp -# -# Network time protocol daemon -# -ntp = module - -# Layer: services -# Module: numad -# -# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology -# -numad = module - -# Layer: services -# Module: nut -# -# nut - Network UPS Tools -# -nut = module - -# Layer: services -# Module: nx -# -# NX Remote Desktop -# -nx = module - -# Layer: services -# Module: obex -# -# policy for obex-data-server -# -obex = module - -# Layer: services -# Module: oddjob -# -# policy for oddjob -# -oddjob = module - -# Layer: services -# Module: openct -# -# Service for handling smart card readers. -# -openct = off - -# Layer: service -# Module: openct -# -# Middleware framework for smart card terminals -# -openct = module - -# Layer: contrib -# Module: openshift-origin -# -# Origin version of openshift policy -# -openshift-origin = module -# Layer: contrib -# Module: openshift -# -# Core openshift policy -# -openshift = module - -# Layer: services -# Module: opensm -# -# InfiniBand subnet manager and administration (SM/SA) -# -opensm = module - -# Layer: services -# Module: openvpn -# -# Policy for OPENVPN full-featured SSL VPN solution -# -openvpn = module - -# Layer: contrib -# Module: openvswitch -# -# SELinux policy for openvswitch programs -# -openvswitch = module - -# Layer: services -# Module: openwsman -# -# WS-Management Server -# -openwsman = module - -# Layer: services -# Module: osad -# -# Client-side service written in Python that responds to pings -# -osad = module - -# Layer: contrib -# Module: prelude -# -# SELinux policy for prelude -# -prelude = module - -# Layer: contrib -# Module: prosody -# -# SELinux policy for prosody flexible communications server for Jabber/XMPP -# -prosody = module - -# Layer: services -# Module: pads -# -pads = module - -# Layer: services -# Module: passenger -# -# Passenger -# -passenger = module - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = module - -# Layer: service -# Module: pcscd -# -# PC/SC Smart Card Daemon -# -pcscd = module - -# Layer: services -# Module: pdns -# -# PowerDNS DNS server -# -pdns = module - -# Layer: services -# Module: pegasus -# -# The Open Group Pegasus CIM/WBEM Server. -# -pegasus = module - -# Layer: services -# Module: pingd -# -# -pingd = module - -# Layer: contrib -# Module: pkcs -# -# daemon manages PKCS#11 objects between PKCS#11-enabled applications -# -pkcs = module - -# Layer: services -# Module: plymouthd -# -# Plymouth -# -plymouthd = module - -# Layer: apps -# Module: podsleuth -# -# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. -# -podsleuth = module - -# Layer: services -# Module: policykit -# -# Hardware abstraction layer -# -policykit = module - -# Layer: services -# Module: polipo -# -# polipo -# -polipo = module - -# Layer: services -# Module: portmap -# -# RPC port mapping service. -# -portmap = module - -# Layer: services -# Module: portreserve -# -# reserve ports to prevent portmap mapping them -# -portreserve = module - -# Layer: services -# Module: postfix -# -# Postfix email server -# -postfix = module - -# Layer: services -# Module: postgrey -# -# email scanner -# -postgrey = module - -# Layer: services -# Module: ppp -# -# Point to Point Protocol daemon creates links in ppp networks -# -ppp = module - -# Layer: admin -# Module: prelink -# -# Manage temporary directory sizes and file ages -# -prelink = module - -# Layer: services -# Module: privoxy -# -# Privacy enhancing web proxy. -# -privoxy = module - -# Layer: services -# Module: procmail -# -# Procmail mail delivery agent -# -procmail = module - -# Layer: services -# Module: psad -# -# Analyze iptables log for hostile traffic -# -psad = module - -# Layer: apps -# Module: ptchown -# -# helper function for grantpt(3), changes ownship and permissions of pseudotty -# -ptchown = module - -# Layer: apps -# Module: pulseaudio -# -# The PulseAudio Sound System -# -pulseaudio = module - -# Layer: services -# Module: puppet -# -# A network tool for managing many disparate systems -# -puppet = module - -# Layer: apps -# Module: pwauth -# -# External plugin for mod_authnz_external authenticator -# -pwauth = module - -# Layer: services -# Module: qmail -# -# Policy for qmail -# -qmail = module - -# Layer: services -# Module: qpidd -# -# Policy for qpidd -# -qpid = module - -# Layer: services -# Module: quantum -# -# Quantum is a virtual network service for Openstack -# -quantum = module - -# Layer: admin -# Module: quota -# -# File system quota management -# -quota = module - -# Layer: services -# Module: rabbitmq -# -# rabbitmq daemons -# -rabbitmq = module - -# Layer: services -# Module: radius -# -# RADIUS authentication and accounting server. -# -radius = module - -# Layer: services -# Module: radvd -# -# IPv6 router advertisement daemon -# -radvd = module - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = module - -# Layer: services -# Module: rasdaemon -# -# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing -# -rasdaemon = module - -# Layer: services -# Module: rdisc -# -# Network router discovery daemon -# -rdisc = module - -# Layer: admin -# Module: readahead -# -# Readahead, read files into page cache for improved performance -# -readahead = module - -# Layer: contrib -# Module: stapserver -# -# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA -# -realmd = module - -# Layer: services -# Module: remotelogin -# -# Policy for rshd, rlogind, and telnetd. -# -remotelogin = module - -# Layer: services -# Module: rhcs -# -# RHCS - Red Hat Cluster Suite -# -rhcs = module - -# Layer: services -# Module: rhev -# -# rhev policy module contains policies for rhev apps -# -rhev = module - -# Layer: services -# Module: rhgb -# -# X windows login display manager -# -rhgb = module - -# Layer: services -# Module: rhsmcertd -# -# Subscription Management Certificate Daemon policy -# -rhsmcertd = module - -# Layer: services -# Module: ricci -# -# policy for ricci -# -ricci = module - -# Layer: services -# Module: rlogin -# -# Remote login daemon -# -rlogin = module - -# Layer: services -# Module: roundup -# -# Roundup Issue Tracking System policy -# -roundup = module - -# Layer: services -# Module: rpcbind -# -# universal addresses to RPC program number mapper -# -rpcbind = module - -# Layer: services -# Module: rpc -# -# Remote Procedure Call Daemon for managment of network based process communication -# -rpc = module - -# Layer: admin -# Module: rpm -# -# Policy for the RPM package manager. -# -rpm = module - -# Layer: services -# Module: rshd -# -# Remote shell service. -# -rshd = module - -# Layer: apps -# Module: rssh -# -# Restricted (scp/sftp) only shell -# -rssh = module - -# Layer: services -# Module: rsync -# -# Fast incremental file transfer for synchronization -# -rsync = module - -# Layer: services -# Module: rtkit -# -# Real Time Kit Daemon -# -rtkit = module - -# Layer: services -# Module: rwho -# -# who is logged in on local machines -# -rwho = module - -# Layer: apps -# Module: sambagui -# -# policy for system-config-samba -# -sambagui = module - -# -# SMB and CIFS client/server programs for UNIX and -# name Service Switch daemon for resolving names -# from Windows NT servers. -# -samba = module - -# Layer: apps -# Module: sandbox -# -# Policy for running apps within a sandbox -# -sandbox = module - -# Layer: apps -# Module: sandbox -# -# Policy for running apps within a X sandbox -# -sandboxX = module - -# Layer: services -# Module: sanlock -# -# sanlock policy -# -sanlock = module - -# Layer: services -# Module: sasl -# -# SASL authentication server -# -sasl = module - -# Layer: services -# Module: sblim -# -# sblim -# -sblim = module - -# Layer: apps -# Module: screen -# -# GNU terminal multiplexer -# -screen = module - -# Layer: admin -# Module: sectoolm -# -# Policy for sectool-mechanism -# -sectoolm = module - -# Layer: services -# Module: sendmail -# -# Policy for sendmail. -# -sendmail = module - -# Layer: contrib -# Module: sensord -# -# Sensor information logging daemon -# -sensord = module - -# Layer: services -# Module: setroubleshoot -# -# Policy for the SELinux troubleshooting utility -# -setroubleshoot = module - -# Layer: admin -# Module: shorewall -# -# Policy for shorewall -# -shorewall = module - -# Layer: apps -# Module: slocate -# -# Update database for mlocate -# -slocate = module - -# Layer: contrib -# Module: slpd -# -# OpenSLP server daemon to dynamically register services -# -slpd = module - -# Layer: services -# Module: slrnpull -# -# Service for downloading news feeds the slrn newsreader. -# -slrnpull = off - -# Layer: services -# Module: smartmon -# -# Smart disk monitoring daemon policy -# -smartmon = module - -# Layer: services -# Module: smokeping -# -# Latency Logging and Graphing System -# -smokeping = module - -# Layer: admin -# Module: smoltclient -# -#The Fedora hardware profiler client -# -smoltclient = module - -# Layer: services -# Module: snmp -# -# Simple network management protocol services -# -snmp = module - -# Layer: services -# Module: snort -# -# Snort network intrusion detection system -# -snort = module - -# Layer: admin -# Module: sosreport -# -# sosreport debuggin information generator -# -sosreport = module - -# Layer: services -# Module: soundserver -# -# sound server for network audio server programs, nasd, yiff, etc -# -soundserver = module - -# Layer: services -# Module: spamassassin -# -# Filter used for removing unsolicited email. -# -spamassassin = module - -# Layer: services -# Module: speech-dispatcher -# -# speech-dispatcher - server process managing speech requests in Speech Dispatcher -# -speech-dispatcher = module - -# Layer: services -# Module: squid -# -# Squid caching http proxy server -# -squid = module - -# Layer: services -# Module: sssd -# -# System Security Services Daemon -# -sssd = module - -# Layer: services -# Module: sslh -# -# Applicative protocol(SSL/SSH) multiplexer -# -sslh = module - -# Layer: contrib -# Module: stapserver -# -# Instrumentation System Server -# -stapserver = module - -# Layer: services -# Module: stunnel -# -# SSL Tunneling Proxy -# -stunnel = module - -# Layer: services -# Module: svnserve -# -# policy for subversion service -# -svnserve = module - -# Layer: services -# Module: swift -# -# openstack-swift -# -swift = module - -# Layer: services -# Module: sysstat -# -# Policy for sysstat. Reports on various system states -# -sysstat = module - -# Layer: services -# Module: tcpd -# -# Policy for TCP daemon. -# -tcpd = module - -# Layer: services -# Module: tcsd -# -# tcsd - daemon that manages Trusted Computing resources -# -tcsd = module - -# Layer: apps -# Module: telepathy -# -# telepathy - Policy for Telepathy framework -# -telepathy = module - -# Layer: services -# Module: telnet -# -# Telnet daemon -# -telnet = module - -# Layer: services -# Module: tftp -# -# Trivial file transfer protocol daemon -# -tftp = module - -# Layer: services -# Module: tgtd -# -# Linux Target Framework Daemon. -# -tgtd = module - -# Layer: apps -# Module: thumb -# -# Thumbnailer confinement -# -thumb = module - -# Layer: services -# Module: timidity -# -# MIDI to WAV converter and player configured as a service -# -timidity = off - -# Layer: admin -# Module: tmpreaper -# -# Manage temporary directory sizes and file ages -# -tmpreaper = module - -# Layer: contrib -# Module: glusterd -# -# policy for tomcat service -# -tomcat = module -# Layer: services -# Module: tor -# -# TOR, the onion router -# -tor = module - -# Layer: services -# Module: tuned -# -# Dynamic adaptive system tuning daemon -# -tuned = module - -# Layer: apps -# Module: tvtime -# -# tvtime - a high quality television application -# -tvtime = module - -# Layer: services -# Module: ulogd -# -# netfilter/iptables ULOG daemon -# -ulogd = module - -# Layer: apps -# Module: uml -# -# Policy for UML -# -uml = module - -# Layer: admin -# Module: updfstab -# -# Red Hat utility to change /etc/fstab. -# -updfstab = module - -# Layer: admin -# Module: usbmodules -# -# List kernel modules of USB devices -# -usbmodules = module - -# Layer: services -# Module: usbmuxd -# -# Daemon for communicating with Apple's iPod Touch and iPhone -# -usbmuxd = module - -# Layer: apps -# Module: userhelper -# -# A helper interface to pam. -# -userhelper = module - -# Layer: apps -# Module: usernetctl -# -# User network interface configuration helper -# -usernetctl = module - -# Layer: services -# Module: uucp -# -# Unix to Unix Copy -# -uucp = module - -# Layer: services -# Module: uuidd -# -# UUID generation daemon -# -uuidd = module - -# Layer: services -# Module: varnishd -# -# Varnishd http accelerator daemon -# -varnishd = module - -# Layer: services -# Module: vdagent -# -# vdagent -# -vdagent = module - -# Layer: services -# Module: vhostmd -# -# vhostmd - spice guest agent daemon. -# -vhostmd = module - -# Layer: services -# Module: virt -# -# Virtualization libraries -# -virt = module - -# Layer: apps -# Module: vhostmd -# -# vlock - Virtual Console lock program -# -vlock = module - -# Layer: services -# Module: vmtools -# -# VMware Tools daemon -# -vmtools = module - -# Layer: apps -# Module: vmware -# -# VMWare Workstation virtual machines -# -vmware = module - -# Layer: services -# Module: vnstatd -# -# Network traffic Monitor -# -vnstatd = module - -# Layer: admin -# Module: vpn -# -# Virtual Private Networking client -# -vpn = module - -# Layer: services -# Module: w3c -# -# w3c -# -w3c = module - -# Layer: services -# Module: wdmd -# -# wdmd policy -# -wdmd = module - -# Layer: role -# Module: webadm -# -# Minimally prived root role for managing apache -# -webadm = module - -# Layer: apps -# Module: webalizer -# -# Web server log analysis -# -webalizer = module - -# Layer: apps -# Module: wine -# -# wine executable -# -wine = module - -# Layer: apps -# Module: wireshark -# -# wireshark executable -# -wireshark = module - -# Layer: system -# Module: xen -# -# virtualization software -# -xen = module - -# Layer: services -# Module: zabbix -# -# Open-source monitoring solution for your IT infrastructure -# -zabbix = module - -# Layer: services -# Module: zarafa -# -# Zarafa Collaboration Platform -# -zarafa = module - -# Layer: services -# Module: zebra -# -# Zebra border gateway protocol network routing service -# -zebra = module - -# Layer: services -# Module: zoneminder -# -# Zoneminder Camera Security Surveillance Solution -# -zoneminder = module - -# Layer: services -# Module: zosremote -# -# policy for z/OS Remote-services Audit dispatcher plugin -# -zosremote = module - -# Layer: contrib -# Module: thin -# -# Policy for thin -# -thin = module - -# Layer: contrib -# Module: mandb -# -# Policy for mandb -# -mandb = module - -# Layer: services -# Module: pki -# -# policy for pki -# -pki = module - -# Layer: contrib -# Module: pesign -# -# policy for pesign -# -pesign = module - -# Layer: contrib -# Module: nsd -# -# Fast and lean authoritative DNS Name Server -# -nsd = module - -# Layer: contrib -# Module: iodine -# -# Fast and lean authoritative DNS Name Server -# -iodine = module - -# Layer: contrib -# Module: openhpid -# -# OpenHPI daemon runs as a background process and accepts connecti -# -openhpid = module - -# Layer: contrib -# Module: watchdog -# -# Watchdog policy -# -watchdog = module - -# Layer: contrib -# Module: oracleasm -# -# oracleasm policy -# -oracleasm = module - -# Layer: contrib -# Module: redis -# -# redis policy -# -redis = module - -# Layer: contrib -# Module: hypervkvp -# -# hypervkvp policy -# -hypervkvp = module - -# Layer: contrib -# Module: lsm -# -# lsm policy -# -lsm = module - -# Layer: contrib -# Module: motion -# -# Daemon for detect motion using a video4linux device -motion = module - -# Layer: contrib -# Module: rtas -# -# rtas policy -# -rtas = module - -# Layer: contrib -# Module: journalctl -# -# journalctl policy -# -journalctl = module - -# Layer: contrib -# Module: gdomap -# -# gdomap policy -# -gdomap = module - -# Layer: contrib -# Module: minidlna -# -# minidlna policy -# -minidlna = module - -# Layer: contrib -# Module: minissdpd -# -# minissdpd policy -# -minissdpd = module - -# Layer: contrib -# Module: freeipmi -# -# Remote-Console (out-of-band) and System Management Software (in-band) -# based on IntelligentPlatform Management Interface specification -# -freeipmi = module - -# Layer: contrib -# Module: snapper -# -# snapper policy -# -snapper = module - -# Layer: contrib -# Module: pcp -# -# pcp policy -# -pcp = module - -# Layer: contrib -# Module: geoclue -# -# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information -# -geoclue = module - -# Layer: contrib -# Module: rkhunter -# -# rkhunter policy for /var/lib/rkhunter -# -rkhunter = module - -# Layer: contrib -# Module: bacula -# -# bacula policy -# -bacula = module - -# Layer: contrib -# Module: rhnsd -# -# rhnsd policy -# -rhnsd = module - -# Layer: contrib -# Module: mongodb -# -# mongodb policy -# - -mongodb = module - -# Layer: contrib -# Module: iotop -# -# iotop policy -# - -iotop = module - -# Layer: contrib -# Module: brltty -# -# brltty policy -# -brltty = module - -# Layer: contrib -# Module: cpuplug -# -# cpuplug policy -# -cpuplug = module - -# Layer: contrib -# Module: mon_statd -# -# mon_statd policy -# -mon_statd = module - -# Layer: contrib -# Module: cinder -# -# openstack-cinder policy -# -cinder = module - -# Layer: contrib -# Module: linuxptp -# -# linuxptp policy -# -linuxptp = module - -# Layer: contrib -# Module: targetd -# -# targetd policy -# -targetd = module - -# Layer: contrib -# Module: hsqldb -# -# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. -# -hsqldb = module - -# Layer: contrib -# Module: blkmapd -# -# The blkmapd daemon performs device discovery and mapping for pNFS block layout client. -# -blkmapd = module - -# Layer: contrib -# Module: ipmievd -# -# IPMI event daemon for sending events to syslog -# -ipmievd = module - -# Layer: contrib -# Module: openfortivpn -# -# Fortinet compatible SSL VPN daemons. -# -openfortivpn = module - -# Layer: contrib -# Module: fwupd -# -# fwupd is a daemon to allow session software to update device firmware. -# -fwupd = module - -# Layer: contrib -# Module: lttng-tools -# -# LTTng 2.x central tracing registry session daemon. -# -lttng-tools = module - -# Layer: contrib -# Module: opendnssec -# -# opendnssec -# -opendnssec = module - -# Layer: contrib -# Module: hwloc -# -# hwloc -# -hwloc = module - -# Layer: contrib -# Module: sbd -# -# sbd -# -sbd = module - -# Layer: contrib -# Module: tlp -# -# tlp -# -tlp = module - -# Layer: contrib -# Module: conntrackd -# -# conntrackd -# -conntrackd = module - -# Layer: contrib -# Module: tangd -# -# tangd -# -tangd = module - -# Layer: contrib -# Module: ibacm -# -# ibacm -# -ibacm = module - -# Layer: contrib -# Module: opafm -# -# opafm -# -opafm = module - -# Layer: contrib -# Module: boltd -# -# boltd -# -boltd = module - -# Layer: contrib -# Module: kpatch -# -# kpatch -# -kpatch = module - -# Layer: contrib -# Module: rrdcached -# -# rrdcached -# -rrdcached = module - -# Layer: contrib -# Module: stratisd -# -# stratisd -# -stratisd = module - -# Layer: contrib -# Module: ica -# -# ica -# -ica = module - -# Layer: contrib -# Module: fedoratp -# -# fedoratp -# -fedoratp = module - -# Layer: contrib -# Module: insights_client -# -# insights_client -# -insights_client = module - -# Layer: contrib -# Module: stalld -# -# stalld -# -stalld = module - -# Layer: contrib -# Module: rhcd -# -# rhcd -# -rhcd = module - -# Layer: contrib -# Module: wireguard -# -# wireguard -# -wireguard = module - -# Layer: contrib -# Module: mptcpd -# -# mptcpd -# -mptcpd = module - -# Layer: contrib -# Module: rshim -# -# rshim -# -rshim = module - -# Layer: contrib -# Module: keyutils -# -# keyutils -# -keyutils = module - -# Layer: contrib -# Module: cifsutils -# -# cifsutils - Utilities for managing CIFS mounts -# -cifsutils = module - -# Layer: contrib -# Module: boothd -# -# boothd - Booth cluster ticket manager -# -boothd = module - -# Layer: contrib -# Module: kafs -# -# kafs - Tools for kAFS -# -kafs = module - -# Layer: contrib -# Module: bootupd -# -# bootupd - bootloader update daemon -# -bootupd = module - -# Layer: contrib -# Module: fdo -# -# fdo - fido device onboard protocol for IoT devices -# -fdo = module - -# Layer: contrib -# Module: qatlib -# -# qatlib - Intel QuickAssist technology library and resources management -# -qatlib = module - -# Layer: services -# Module: virt_supplementary -# -# non-libvirt virtualization libraries -# -virt_supplementary = module - -# Layer: contrib -# Module: nvme_stas -# -# nvme_stas -# -nvme_stas = module - -# Layer: contrib -# Module: coreos_installer -# -# coreos_installer -# -coreos_installer = module - -# Layer: contrib -# Module: afterburn -# -# afterburn -# -afterburn = module - -# Layer: contrib -# Module: sap -# -# sap -# -sap = module diff --git a/securetty_types-minimum b/securetty_types-minimum deleted file mode 100644 index 7055096f..00000000 --- a/securetty_types-minimum +++ /dev/null @@ -1,4 +0,0 @@ -console_device_t -sysadm_tty_device_t -user_tty_device_t -staff_tty_device_t diff --git a/securetty_types-mls b/securetty_types-mls deleted file mode 100644 index 89bf54d7..00000000 --- a/securetty_types-mls +++ /dev/null @@ -1,6 +0,0 @@ -console_device_t -sysadm_tty_device_t -user_tty_device_t -staff_tty_device_t -auditadm_tty_device_t -secureadm_tty_device_t diff --git a/securetty_types-targeted b/securetty_types-targeted deleted file mode 100644 index 7055096f..00000000 --- a/securetty_types-targeted +++ /dev/null @@ -1,4 +0,0 @@ -console_device_t -sysadm_tty_device_t -user_tty_device_t -staff_tty_device_t diff --git a/selinux-policy.spec b/selinux-policy.spec index 20733ab3..f514db3c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,35 +21,19 @@ Version: 40.13.13 Release: 1%{?dist} License: GPL-2.0-or-later Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz -Source1: modules-targeted.conf -Source2: booleans-targeted.conf -Source3: Makefile.devel -Source4: setrans-targeted.conf -Source5: modules-mls.conf -Source6: booleans-mls.conf -Source8: setrans-mls.conf -Source14: securetty_types-targeted -Source15: securetty_types-mls -Source16: modules-minimum.lst -Source17: booleans-minimum.conf -Source18: setrans-minimum.conf -Source19: securetty_types-minimum -Source20: customizable_types -Source22: users-mls -Source23: users-targeted -Source25: users-minimum -Source26: file_contexts.subs_dist -Source27: selinux-policy.conf -Source28: permissivedomains.cil -Source30: booleans.subs_dist +Source1: Makefile.devel +Source2: selinux-policy.conf # Tool helps during policy development, to expand system m4 macros to raw allow rules # Git repo: https://github.com/fedora-selinux/macro-expander.git -Source33: macro-expander +Source3: macro-expander # Include SELinux policy for container from separate container-selinux repo # Git repo: https://github.com/containers/container-selinux.git -Source35: container-selinux.tgz +Source4: container-selinux.tgz + +# modules enabled in -minimum policy +Source16: modules-minimum.lst Source36: selinux-check-proper-disable.service @@ -60,7 +44,7 @@ Source38: selinux-policy-targeted.conf Source39: selinux-policy-mls.conf # Provide rpm macros for packages installing SELinux modules -Source102: rpm.macros +Source5: rpm.macros Url: %{giturl} BuildArch: noarch @@ -176,12 +160,11 @@ This package contains manual pages and documentation of the policy modules. %define makeCmds() \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ -cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ -cp -f selinux_config/users-%1 ./policy/users \ -#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ +cp -f ./dist/%1/booleans.conf ./policy/booleans.conf \ +cp -f ./dist/%1/users ./policy/users \ %define makeModulesConf() \ -cp -f selinux_config/modules-%1.conf ./policy/modules.conf +cp -f ./dist/%1/modules.conf ./policy/modules.conf \ %define installCmds() \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ @@ -191,14 +174,13 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-ap make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ -install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ -install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ -install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ -install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ +install -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ +install -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ +install -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ -cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ +cp ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \ rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ %{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ @@ -409,12 +391,7 @@ end %prep %autosetup -p 1 -n %{name}-%{commit} -tar -C policy/modules/contrib -xf %{SOURCE35} - -mkdir selinux_config -for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do - cp $i selinux_config -done +tar -C policy/modules/contrib -xf %{SOURCE4} %install # Build targeted policy @@ -424,9 +401,9 @@ mkdir -p %{buildroot}%{_sysconfdir}/sysconfig touch %{buildroot}%{_sysconfdir}/selinux/config touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ -cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ +cp %{SOURCE2} %{buildroot}%{_usr}/lib/tmpfiles.d/ mkdir -p %{buildroot}%{_bindir} -install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/ +install -m 755 %{SOURCE3} %{buildroot}%{_bindir}/ mkdir -p %{buildroot}%{_libexecdir}/selinux install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux @@ -446,7 +423,8 @@ make clean %makeModulesConf targeted %installCmds targeted mcs allow # install permissivedomains.cil -%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28} +%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i \ + ./dist/permissivedomains.cil # recreate sandbox.pp rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox %make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp @@ -486,7 +464,7 @@ make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers mkdir %{buildroot}%{_datadir}/selinux/devel/ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include -install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile +install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} @@ -495,15 +473,13 @@ mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d -install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy +install -m 644 %{SOURCE5} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy mkdir -p %{buildroot}%{_unitdir} install -m 644 %{SOURCE36} %{buildroot}%{_unitdir} -rm -rf selinux_config - %post %systemd_post selinux-check-proper-disable.service if [ ! -s %{_sysconfdir}/selinux/config ]; then diff --git a/setrans-minimum.conf b/setrans-minimum.conf deleted file mode 100644 index 09a6ce3d..00000000 --- a/setrans-minimum.conf +++ /dev/null @@ -1,19 +0,0 @@ -# -# Multi-Category Security translation table for SELinux -# -# Uncomment the following to disable translation libary -# disable=1 -# -# Objects can be categorized with 0-1023 categories defined by the admin. -# Objects can be in more than one category at a time. -# Categories are stored in the system as c0-c1023. Users can use this -# table to translate the categories into a more meaningful output. -# Examples: -# s0:c0=CompanyConfidential -# s0:c1=PatientRecord -# s0:c2=Unclassified -# s0:c3=TopSecret -# s0:c1,c3=CompanyConfidentialRedHat -s0=SystemLow -s0-s0:c0.c1023=SystemLow-SystemHigh -s0:c0.c1023=SystemHigh diff --git a/setrans-mls.conf b/setrans-mls.conf deleted file mode 100644 index eb181d2f..00000000 --- a/setrans-mls.conf +++ /dev/null @@ -1,52 +0,0 @@ -# -# Multi-Level Security translation table for SELinux -# -# Uncomment the following to disable translation libary -# disable=1 -# -# Objects can be labeled with one of 16 levels and be categorized with 0-1023 -# categories defined by the admin. -# Objects can be in more than one category at a time. -# Users can modify this table to translate the MLS labels for different purpose. -# -# Assumptions: using below MLS labels. -# SystemLow -# SystemHigh -# Unclassified -# Secret with compartments A and B. -# -# SystemLow and SystemHigh -s0=SystemLow -s15:c0.c1023=SystemHigh -s0-s15:c0.c1023=SystemLow-SystemHigh - -# Unclassified level -s1=Unclassified - -# Secret level with compartments -s2=Secret -s2:c0=A -s2:c1=B - -# ranges for Unclassified -s0-s1=SystemLow-Unclassified -s1-s2=Unclassified-Secret -s1-s15:c0.c1023=Unclassified-SystemHigh - -# ranges for Secret with compartments -s0-s2=SystemLow-Secret -s0-s2:c0=SystemLow-Secret:A -s0-s2:c1=SystemLow-Secret:B -s0-s2:c0,c1=SystemLow-Secret:AB -s1-s2:c0=Unclassified-Secret:A -s1-s2:c1=Unclassified-Secret:B -s1-s2:c0,c1=Unclassified-Secret:AB -s2-s2:c0=Secret-Secret:A -s2-s2:c1=Secret-Secret:B -s2-s2:c0,c1=Secret-Secret:AB -s2-s15:c0.c1023=Secret-SystemHigh -s2:c0-s2:c0,c1=Secret:A-Secret:AB -s2:c0-s15:c0.c1023=Secret:A-SystemHigh -s2:c1-s2:c0,c1=Secret:B-Secret:AB -s2:c1-s15:c0.c1023=Secret:B-SystemHigh -s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh diff --git a/setrans-targeted.conf b/setrans-targeted.conf deleted file mode 100644 index 09a6ce3d..00000000 --- a/setrans-targeted.conf +++ /dev/null @@ -1,19 +0,0 @@ -# -# Multi-Category Security translation table for SELinux -# -# Uncomment the following to disable translation libary -# disable=1 -# -# Objects can be categorized with 0-1023 categories defined by the admin. -# Objects can be in more than one category at a time. -# Categories are stored in the system as c0-c1023. Users can use this -# table to translate the categories into a more meaningful output. -# Examples: -# s0:c0=CompanyConfidential -# s0:c1=PatientRecord -# s0:c2=Unclassified -# s0:c3=TopSecret -# s0:c1,c3=CompanyConfidentialRedHat -s0=SystemLow -s0-s0:c0.c1023=SystemLow-SystemHigh -s0:c0.c1023=SystemHigh diff --git a/users-minimum b/users-minimum deleted file mode 100644 index 66af8608..00000000 --- a/users-minimum +++ /dev/null @@ -1,39 +0,0 @@ -################################## -# -# Core User configuration. -# - -# -# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) -# -# Note: Identities without a prefix wil not be listed -# in the users_extra file used by genhomedircon. - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# -gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# user_u is a generic user identity for Linux users who have no -# SELinux user identity defined. The modified daemons will use -# this user identity in the security context if there is no matching -# SELinux user identity for a Linux user. If you do not want to -# permit any access to such users, then remove this entry. -# -gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# The following users correspond to Unix identities. -# These identities are typically assigned as the user attribute -# when login starts the user shell. Users with access to the sysadm_r -# role should use the staff_r role instead of the user_r role when -# not in the sysadm_r. -# -gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/users-mls b/users-mls deleted file mode 100644 index 8fad9ea2..00000000 --- a/users-mls +++ /dev/null @@ -1,40 +0,0 @@ -################################## -# -# Core User configuration. -# - -# -# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) -# -# Note: Identities without a prefix wil not be listed -# in the users_extra file used by genhomedircon. - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# user_u is a generic user identity for Linux users who have no -# SELinux user identity defined. The modified daemons will use -# this user identity in the security context if there is no matching -# SELinux user identity for a Linux user. If you do not want to -# permit any access to such users, then remove this entry. -# -gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# The following users correspond to Unix identities. -# These identities are typically assigned as the user attribute -# when login starts the user shell. Users with access to the sysadm_r -# role should use the staff_r role instead of the user_r role when -# not in the sysadm_r. -# -gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(guest_u, user, guest_r, s0, s0) -gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/users-targeted b/users-targeted deleted file mode 100644 index a875306f..00000000 --- a/users-targeted +++ /dev/null @@ -1,41 +0,0 @@ -################################## -# -# Core User configuration. -# - -# -# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) -# -# Note: Identities without a prefix wil not be listed -# in the users_extra file used by genhomedircon. - -# -# system_u is the user identity for system processes and objects. -# There should be no corresponding Unix user identity for system, -# and a user process should never be assigned the system user -# identity. -# -gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# user_u is a generic user identity for Linux users who have no -# SELinux user identity defined. The modified daemons will use -# this user identity in the security context if there is no matching -# SELinux user identity for a Linux user. If you do not want to -# permit any access to such users, then remove this entry. -# -gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - -# -# The following users correspond to Unix identities. -# These identities are typically assigned as the user attribute -# when login starts the user shell. Users with access to the sysadm_r -# role should use the staff_r role instead of the user_r role when -# not in the sysadm_r. -# -gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(guest_u, user, guest_r, s0, s0) -gen_user(xguest_u, user, xguest_r, s0, s0)