- Update to upstream

This commit is contained in:
Daniel J Walsh 2005-11-21 21:49:31 +00:00
parent 3e930b80c0
commit e568731790
9 changed files with 2249 additions and 2 deletions

208
booleans-mls.conf Normal file
View File

@ -0,0 +1,208 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
allow_execstack = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = false
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow sysadm to ptrace all processes
#
allow_ptrace = false
# Allow system to run with NIS
#
allow_ypbind = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
# Allow ftp to read and write files in the user home directories
#
ftp_home_dir = false
# Allow ftpd to run directly without inetd
#
ftpd_is_daemon = true
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = false
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = false
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = false
# Allow nfs to be exported read only
#
nfs_export_all_ro = false
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow ssh to run from inetd instead of as a daemon.
#
run_ssh_inetd = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Allow ssh logins as sysadm_r:sysadm_t
#
ssh_sysadm_login = false
# Configure stunnel to be a standalone daemon orinetd service.
#
stunnel_is_daemon = false
# Support NFS home directories
#
use_nfs_home_dirs = false
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# Allow gpg executable stack
#
allow_gpg_execstack = false
# allow host key based authentication
#
allow_ssh_keysign = false
# Allow users to connect to mysql
#
allow_user_mysql_connect = false
# Allow system cron jobs to relabel filesystemfor restoring file contexts.
#
cron_can_relabel = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
#
read_untrusted_content = false
# Allow user spamassassin clients to use the network.
#
spamassassin_can_network = false
# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
#
staff_read_sysadm_file = false
# Allow regular users direct mouse access
#
user_direct_mouse = false
# Allow users to read system messages.
#
user_dmesg = false
# Allow users to control network interfaces(also needs USERCTL=true)
#
user_net_control = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false
# Allow users to rw usb devices
#
user_rw_usb = false
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow w to display everyone
#
user_ttyfile_stat = false
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
#
write_untrusted_content = false

208
booleans-targeted.conf Normal file
View File

@ -0,0 +1,208 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = true
# Allow making a modified private filemapping executable (text relocation).
#
allow_execmod = true
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
allow_execstack = true
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow sysadm to ptrace all processes
#
allow_ptrace = false
# Allow system to run with NIS
#
allow_ypbind = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
# Allow ftp to read and write files in the user home directories
#
ftp_home_dir = false
# Allow ftpd to run directly without inetd
#
ftpd_is_daemon = true
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = true
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = true
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = true
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = true
# Allow ssh to run from inetd instead of as a daemon.
#
run_ssh_inetd = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Allow ssh logins as sysadm_r:sysadm_t
#
ssh_sysadm_login = false
# Configure stunnel to be a standalone daemon orinetd service.
#
stunnel_is_daemon = false
# Support NFS home directories
#
use_nfs_home_dirs = false
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = true
# Allow gpg executable stack
#
allow_gpg_execstack = false
# allow host key based authentication
#
allow_ssh_keysign = false
# Allow users to connect to mysql
#
allow_user_mysql_connect = false
# Allow system cron jobs to relabel filesystemfor restoring file contexts.
#
cron_can_relabel = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
#
read_untrusted_content = false
# Allow user spamassassin clients to use the network.
#
spamassassin_can_network = false
# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
#
staff_read_sysadm_file = false
# Allow regular users direct mouse access
#
user_direct_mouse = false
# Allow users to read system messages.
#
user_dmesg = false
# Allow users to control network interfaces(also needs USERCTL=true)
#
user_net_control = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false
# Allow users to rw usb devices
#
user_rw_usb = false
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow w to display everyone
#
user_ttyfile_stat = false
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
#
write_untrusted_content = false

875
modules-mls.conf Normal file
View File

@ -0,0 +1,875 @@
#
# This file contains a listing of available modules.
# To prevent a module from being used in policy
# creation, set the module name to "off".
#
# For monolithic policies, modules set to "base" and "module"
# will be built into the policy.
#
# For modular policies, modules set to "base" will be
# included in the base module. "module" will be compiled
# as individual loadable modules.
#
# Layer: kernel
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Layer: kernel
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Layer: kernel
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: kernel
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Layer: kernel
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: system
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: admin
# Module: acct
#
# Berkeley process accounting
#
acct = base
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = base
# Layer: admin
# Module: rpm
#
# Policy for the RPM package manager.
#
rpm = base
# Layer: admin
# Module: kudzu
#
# Hardware detection and configuration tools
#
kudzu = base
# Layer: admin
# Module: updfstab
#
# Red Hat utility to change /etc/fstab.
#
updfstab = base
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = base
# Layer: admin
# Module: vpn
#
# Virtual Private Networking client
#
vpn = off
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = base
# Layer: admin
# Module: anaconda
#
# Policy for the Anaconda installer.
#
anaconda = base
# Layer: admin
# Module: amanda
#
# Automated backup program.
#
amanda = base
# Layer: admin
# Module: logrotate
#
# Rotate and archive system logs
#
logrotate = off
# Layer: admin
# Module: quota
#
# File system quota management
#
quota = off
# Layer: admin
# Module: consoletype
#
# Determine of the console connected to the controlling terminal.
#
consoletype = base
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = off
# Layer: admin
# Module: firstboot
#
# Final system configuration run during the first boot
# after installation of Red Hat/Fedora systems.
#
firstboot = off
# Layer: admin
# Module: tmpreaper
#
# Manage temporary directory sizes and file ages
#
tmpreaper = off
# Layer: admin
# Module: dmidecode
#
# Decode DMI data for x86/ia64 bioses.
#
dmidecode = base
# Layer: apps
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
#
gpg = off
# Layer: apps
# Module: loadkeys
#
# Load keyboard mappings.
#
loadkeys = base
# Layer: apps
# Module: webalizer
#
# Web server log analysis
#
webalizer = base
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Layer: services
# Module: nis
#
# Policy for NIS (YP) servers and clients
#
nis = base
# Layer: services
# Module: distcc
#
# Distributed compiler daemon
#
distcc = off
# Layer: services
# Module: rshd
#
# Remote shell service.
#
rshd = base
# Layer: services
# Module: cpucontrol
#
# Services for loading CPU microcode and CPU frequency scaling.
#
cpucontrol = base
# Layer: services
# Module: bind
#
# Berkeley internet name domain DNS server.
#
bind = base
# Layer: services
# Module: canna
#
# Canna - kana-kanji conversion server
#
canna = base
# Layer: services
# Module: uucp
#
# Unix to Unix Copy
#
uucp = base
# Layer: services
# Module: sasl
#
# SASL authentication server
#
sasl = base
# Layer: services
# Module: pegasus
#
# The Open Group Pegasus CIM/WBEM Server.
#
pegasus = base
# Layer: services
# Module: cron
#
# Periodic execution of scheduled commands.
#
cron = base
# Layer: services
# Module: sendmail
#
# Policy for sendmail.
#
sendmail = base
# Layer: services
# Module: samba
#
# SMB and CIFS client/server programs for UNIX and
# name Service Switch daemon for resolving names
# from Windows NT servers.
#
samba = base
# Layer: services
# Module: dbus
#
# Desktop messaging bus
#
dbus = base
# Layer: services
# Module: howl
#
# Port of Apple Rendezvous multicast DNS
#
howl = base
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = base
# Layer: services
# Module: snmp
#
# Simple network management protocol services
#
snmp = base
# Layer: services
# Module: remotelogin
#
# Policy for rshd, rlogind, and telnetd.
#
remotelogin = base
# Layer: services
# Module: telnet
#
# Telnet daemon
#
telnet = base
# Layer: services
# Module: mailman
#
# Mailman is for managing electronic mail discussion and e-newsletter lists
#
mailman = base
# Layer: services
# Module: dbskk
#
# Dictionary server for the SKK Japanese input method system.
#
dbskk = base
# Layer: services
# Module: ldap
#
# OpenLDAP directory server
#
ldap = base
# Layer: services
# Module: tftp
#
# Trivial file transfer protocol daemon
#
tftp = base
# Layer: services
# Module: portmap
#
# RPC port mapping service.
#
portmap = base
# Layer: services
# Module: arpwatch
#
# Ethernet activity monitor.
#
arpwatch = base
# Layer: services
# Module: dovecot
#
# Dovecot POP and IMAP mail server
#
dovecot = base
# Layer: services
# Module: cups
#
# Common UNIX printing system
#
cups = base
# Layer: services
# Module: networkmanager
#
# Manager for dynamically switching between networks.
#
networkmanager = base
# Layer: services
# Module: inn
#
# Internet News NNTP server
#
inn = base
# Layer: services
# Module: comsat
#
# Comsat, a biff server.
#
comsat = base
# Layer: services
# Module: squid
#
# Squid caching http proxy server
#
squid = base
# Layer: services
# Module: zebra
#
# Zebra border gateway protocol network routing service
#
zebra = base
# Layer: services
# Module: ktalk
#
# KDE Talk daemon
#
ktalk = base
# Layer: services
# Module: procmail
#
# Procmail mail delivery agent
#
procmail = base
# Layer: services
# Module: lpd
#
# Line printer daemon
#
lpd = base
# Layer: services
# Module: cyrus
#
# Cyrus is an IMAP service intended to be run on sealed servers
#
cyrus = base
# Layer: services
# Module: xdm
#
# X windows login display manager
#
xdm = off
# Layer: services
# Module: nscd
#
# Name service cache daemon
#
nscd = base
# Layer: services
# Module: ppp
#
# Point to Point Protocol daemon creates links in ppp networks
#
ppp = base
# Layer: services
# Module: ftp
#
# File transfer protocol service
#
ftp = base
# Layer: services
# Module: gpm
#
# General Purpose Mouse driver
#
gpm = off
# Layer: services
# Module: mta
#
# Policy common to all email tranfer agents.
#
mta = base
# Layer: services
# Module: postfix
#
# Postfix email server
#
postfix = base
# Layer: services
# Module: ntp
#
# Network time protocol daemon
#
ntp = base
# Layer: services
# Module: bluetooth
#
# Bluetooth tools and system services.
#
bluetooth = off
# Layer: services
# Module: hal
#
# Hardware abstraction layer
#
hal = base
# Layer: services
# Module: avahi
#
# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
#
avahi = base
# Layer: services
# Module: rpc
#
# Remote Procedure Call Daemon for managment of network based process communication
#
rpc = base
# Layer: services
# Module: apache
#
# Apache web server
#
apache = base
# Layer: services
# Module: rsync
#
# Fast incremental file transfer for synchronization
#
rsync = base
# Layer: services
# Module: kerberos
#
# MIT Kerberos admin and KDC
#
kerberos = base
# Layer: services
# Module: dhcp
#
# Dynamic host configuration protocol (DHCP) server
#
dhcp = base
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = base
# Layer: services
# Module: inetd
#
# Internet services daemon.
#
inetd = base
# Layer: services
# Module: mysql
#
# Policy for MySQL
#
mysql = base
# Layer: services
# Module: dictd
#
# Dictionary daemon
#
dictd = base
# Layer: services
# Module: finger
#
# Finger user information service.
#
finger = base
# Layer: services
# Module: radius
#
# RADIUS authentication and accounting server.
#
radius = base
# Layer: services
# Module: spamassassin
#
# Filter used for removing unsolicited email.
#
spamassassin = base
# Layer: services
# Module: radvd
#
# IPv6 router advertisement daemon
#
radvd = base
# Layer: services
# Module: apm
#
# Advanced power management daemon
#
apm = base
# Layer: services
# Module: tcpd
#
# Policy for TCP daemon.
#
tcpd = off
# Layer: services
# Module: stunnel
#
# SSL Tunneling Proxy
#
stunnel = base
# Layer: services
# Module: privoxy
#
# Privacy enhancing web proxy.
#
privoxy = base
# Layer: services
# Module: cvs
#
# Concurrent versions system
#
cvs = base
# Layer: services
# Module: rlogin
#
# Remote login daemon
#
rlogin = base
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = base
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = base
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = base
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = base
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = off
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = base
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = base
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = base
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = base
# Layer: system
# Module: pcmcia
#
# PCMCIA card management services
#
pcmcia = base
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = base
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = base
# Layer: system
# Module: raid
#
# RAID array management tools
#
raid = off
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = base
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = base
# Layer: system
# Module: hotplug
#
# Policy for hotplug system, for supporting the
# connection and disconnection of devices at runtime.
#
hotplug = base
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = base
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = base
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = off
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = base
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = base
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = off

875
modules-targeted.conf Normal file
View File

@ -0,0 +1,875 @@
#
# This file contains a listing of available modules.
# To prevent a module from being used in policy
# creation, set the module name to "off".
#
# For monolithic policies, modules set to "base" and "module"
# will be built into the policy.
#
# For modular policies, modules set to "base" will be
# included in the base module. "module" will be compiled
# as individual loadable modules.
#
# Layer: kernel
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Layer: kernel
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Layer: kernel
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: kernel
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Layer: kernel
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: system
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: admin
# Module: acct
#
# Berkeley process accounting
#
acct = base
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = base
# Layer: admin
# Module: rpm
#
# Policy for the RPM package manager.
#
rpm = base
# Layer: admin
# Module: kudzu
#
# Hardware detection and configuration tools
#
kudzu = base
# Layer: admin
# Module: updfstab
#
# Red Hat utility to change /etc/fstab.
#
updfstab = base
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = base
# Layer: admin
# Module: vpn
#
# Virtual Private Networking client
#
vpn = off
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = base
# Layer: admin
# Module: anaconda
#
# Policy for the Anaconda installer.
#
anaconda = base
# Layer: admin
# Module: amanda
#
# Automated backup program.
#
amanda = base
# Layer: admin
# Module: logrotate
#
# Rotate and archive system logs
#
logrotate = off
# Layer: admin
# Module: quota
#
# File system quota management
#
quota = off
# Layer: admin
# Module: consoletype
#
# Determine of the console connected to the controlling terminal.
#
consoletype = base
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = off
# Layer: admin
# Module: firstboot
#
# Final system configuration run during the first boot
# after installation of Red Hat/Fedora systems.
#
firstboot = base
# Layer: admin
# Module: tmpreaper
#
# Manage temporary directory sizes and file ages
#
tmpreaper = off
# Layer: admin
# Module: dmidecode
#
# Decode DMI data for x86/ia64 bioses.
#
dmidecode = base
# Layer: apps
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
#
gpg = off
# Layer: apps
# Module: loadkeys
#
# Load keyboard mappings.
#
loadkeys = base
# Layer: apps
# Module: webalizer
#
# Web server log analysis
#
webalizer = base
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Layer: services
# Module: nis
#
# Policy for NIS (YP) servers and clients
#
nis = base
# Layer: services
# Module: distcc
#
# Distributed compiler daemon
#
distcc = off
# Layer: services
# Module: rshd
#
# Remote shell service.
#
rshd = base
# Layer: services
# Module: cpucontrol
#
# Services for loading CPU microcode and CPU frequency scaling.
#
cpucontrol = base
# Layer: services
# Module: bind
#
# Berkeley internet name domain DNS server.
#
bind = base
# Layer: services
# Module: canna
#
# Canna - kana-kanji conversion server
#
canna = base
# Layer: services
# Module: uucp
#
# Unix to Unix Copy
#
uucp = base
# Layer: services
# Module: sasl
#
# SASL authentication server
#
sasl = base
# Layer: services
# Module: pegasus
#
# The Open Group Pegasus CIM/WBEM Server.
#
pegasus = base
# Layer: services
# Module: cron
#
# Periodic execution of scheduled commands.
#
cron = base
# Layer: services
# Module: sendmail
#
# Policy for sendmail.
#
sendmail = base
# Layer: services
# Module: samba
#
# SMB and CIFS client/server programs for UNIX and
# name Service Switch daemon for resolving names
# from Windows NT servers.
#
samba = base
# Layer: services
# Module: dbus
#
# Desktop messaging bus
#
dbus = base
# Layer: services
# Module: howl
#
# Port of Apple Rendezvous multicast DNS
#
howl = base
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = base
# Layer: services
# Module: snmp
#
# Simple network management protocol services
#
snmp = base
# Layer: services
# Module: remotelogin
#
# Policy for rshd, rlogind, and telnetd.
#
remotelogin = base
# Layer: services
# Module: telnet
#
# Telnet daemon
#
telnet = base
# Layer: services
# Module: mailman
#
# Mailman is for managing electronic mail discussion and e-newsletter lists
#
mailman = base
# Layer: services
# Module: dbskk
#
# Dictionary server for the SKK Japanese input method system.
#
dbskk = base
# Layer: services
# Module: ldap
#
# OpenLDAP directory server
#
ldap = base
# Layer: services
# Module: tftp
#
# Trivial file transfer protocol daemon
#
tftp = base
# Layer: services
# Module: portmap
#
# RPC port mapping service.
#
portmap = base
# Layer: services
# Module: arpwatch
#
# Ethernet activity monitor.
#
arpwatch = base
# Layer: services
# Module: dovecot
#
# Dovecot POP and IMAP mail server
#
dovecot = base
# Layer: services
# Module: cups
#
# Common UNIX printing system
#
cups = base
# Layer: services
# Module: networkmanager
#
# Manager for dynamically switching between networks.
#
networkmanager = base
# Layer: services
# Module: inn
#
# Internet News NNTP server
#
inn = base
# Layer: services
# Module: comsat
#
# Comsat, a biff server.
#
comsat = base
# Layer: services
# Module: squid
#
# Squid caching http proxy server
#
squid = base
# Layer: services
# Module: zebra
#
# Zebra border gateway protocol network routing service
#
zebra = base
# Layer: services
# Module: ktalk
#
# KDE Talk daemon
#
ktalk = base
# Layer: services
# Module: procmail
#
# Procmail mail delivery agent
#
procmail = base
# Layer: services
# Module: lpd
#
# Line printer daemon
#
lpd = base
# Layer: services
# Module: cyrus
#
# Cyrus is an IMAP service intended to be run on sealed servers
#
cyrus = base
# Layer: services
# Module: xdm
#
# X windows login display manager
#
xdm = base
# Layer: services
# Module: nscd
#
# Name service cache daemon
#
nscd = base
# Layer: services
# Module: ppp
#
# Point to Point Protocol daemon creates links in ppp networks
#
ppp = base
# Layer: services
# Module: ftp
#
# File transfer protocol service
#
ftp = base
# Layer: services
# Module: gpm
#
# General Purpose Mouse driver
#
gpm = off
# Layer: services
# Module: mta
#
# Policy common to all email tranfer agents.
#
mta = base
# Layer: services
# Module: postfix
#
# Postfix email server
#
postfix = base
# Layer: services
# Module: ntp
#
# Network time protocol daemon
#
ntp = base
# Layer: services
# Module: bluetooth
#
# Bluetooth tools and system services.
#
bluetooth = base
# Layer: services
# Module: hal
#
# Hardware abstraction layer
#
hal = base
# Layer: services
# Module: avahi
#
# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
#
avahi = base
# Layer: services
# Module: rpc
#
# Remote Procedure Call Daemon for managment of network based process communication
#
rpc = base
# Layer: services
# Module: apache
#
# Apache web server
#
apache = base
# Layer: services
# Module: rsync
#
# Fast incremental file transfer for synchronization
#
rsync = base
# Layer: services
# Module: kerberos
#
# MIT Kerberos admin and KDC
#
kerberos = base
# Layer: services
# Module: dhcp
#
# Dynamic host configuration protocol (DHCP) server
#
dhcp = base
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = base
# Layer: services
# Module: inetd
#
# Internet services daemon.
#
inetd = base
# Layer: services
# Module: mysql
#
# Policy for MySQL
#
mysql = base
# Layer: services
# Module: dictd
#
# Dictionary daemon
#
dictd = base
# Layer: services
# Module: finger
#
# Finger user information service.
#
finger = base
# Layer: services
# Module: radius
#
# RADIUS authentication and accounting server.
#
radius = base
# Layer: services
# Module: spamassassin
#
# Filter used for removing unsolicited email.
#
spamassassin = base
# Layer: services
# Module: radvd
#
# IPv6 router advertisement daemon
#
radvd = base
# Layer: services
# Module: apm
#
# Advanced power management daemon
#
apm = base
# Layer: services
# Module: tcpd
#
# Policy for TCP daemon.
#
tcpd = off
# Layer: services
# Module: stunnel
#
# SSL Tunneling Proxy
#
stunnel = base
# Layer: services
# Module: privoxy
#
# Privacy enhancing web proxy.
#
privoxy = base
# Layer: services
# Module: cvs
#
# Concurrent versions system
#
cvs = base
# Layer: services
# Module: rlogin
#
# Remote login daemon
#
rlogin = base
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = base
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = base
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = base
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = base
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = off
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = base
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = base
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = base
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = base
# Layer: system
# Module: pcmcia
#
# PCMCIA card management services
#
pcmcia = base
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = base
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = base
# Layer: system
# Module: raid
#
# RAID array management tools
#
raid = off
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = base
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = base
# Layer: system
# Module: hotplug
#
# Policy for hotplug system, for supporting the
# connection and disconnection of devices at runtime.
#
hotplug = base
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = base
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = base
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = off
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = base
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = base
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = off

View File

@ -117,15 +117,19 @@ SELinux Reference Policy - modular.
%patch0 -p1
%install
# Build targeted policy
make conf
%{__rm} -fR $RPM_BUILD_ROOT
%installCmds %{polname1} %{type1} %{direct_initrc}
# Build strict policy
# Commented out because only targeted ref policy currently builds
# make clean
# make conf
#%#installCmds %{polname2} %{type2} %{direct_initrc}
#%patch2 -p1
# Commented out because only targeted ref policy currently builds
# Build mls policy
make clean
make conf
%installCmds %{polname3} %{type3} n

53
setrans-mls.conf Normal file
View File

@ -0,0 +1,53 @@
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-256
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
#
# Assumptions: using below MLS labels.
# SystemLow
# SystemHigh
# Unclassified
# Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c255=SystemHigh
s0-s15:c0.c255=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=Secret:A
s2:c1=Secret:B
s2:c0,c1=Secret:AB
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c255=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c255=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c255=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c255=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c255=Secret:AB-SystemHigh

19
setrans-targeted.conf Normal file
View File

@ -0,0 +1,19 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-256 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c255. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=
s0-s0:c0.c255=SystemLow-SystemHigh
s0:c0.c255=SystemHigh

3
seusers-mls Normal file
View File

@ -0,0 +1,3 @@
root:root:s0-s15:c0.c255
__default__:user_u:s0

2
seusers-targeted Normal file
View File

@ -0,0 +1,2 @@
root:root:s0-s0:c0.c255
__default__:user_u:s0