From eb5a63439cdfced5a274cb9054a14bed86a00b0f Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 10 Mar 2025 14:08:47 +0000 Subject: [PATCH] import CS selinux-policy-38.1.53-2.el9 --- .gitignore | 2 +- .selinux-policy.metadata | 4 +- SOURCES/booleans-automotive.conf | 15 + SOURCES/modules-automotive-base.conf | 604 ++++++ SOURCES/modules-automotive-contrib.conf | 2563 +++++++++++++++++++++++ SOURCES/modules-targeted-contrib.conf | 21 + SOURCES/securetty_types-automotive | 4 + SOURCES/setrans-automotive.conf | 19 + SOURCES/users-automotive | 39 + SPECS/selinux-policy.spec | 270 ++- 10 files changed, 3531 insertions(+), 10 deletions(-) create mode 100644 SOURCES/booleans-automotive.conf create mode 100644 SOURCES/modules-automotive-base.conf create mode 100644 SOURCES/modules-automotive-contrib.conf create mode 100644 SOURCES/securetty_types-automotive create mode 100644 SOURCES/setrans-automotive.conf create mode 100644 SOURCES/users-automotive diff --git a/.gitignore b/.gitignore index 65a0fdc4..1c3e82f6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/container-selinux.tgz -SOURCES/selinux-policy-b98a9aa.tar.gz +SOURCES/selinux-policy-cc59490.tar.gz diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata index 60324da2..76419eea 100644 --- a/.selinux-policy.metadata +++ b/.selinux-policy.metadata @@ -1,2 +1,2 @@ -83e255994e12003389147092377c0b3d5f51f7c3 SOURCES/container-selinux.tgz -045b58e800983c60b5994d3d765544ccfc787c6d SOURCES/selinux-policy-b98a9aa.tar.gz +a6acf76b8744f1607164ec6d69706cd02d618948 SOURCES/container-selinux.tgz +b05ddf5a0fa6d702fd1bbb0f041c19ecda799ea2 SOURCES/selinux-policy-cc59490.tar.gz diff --git a/SOURCES/booleans-automotive.conf b/SOURCES/booleans-automotive.conf new file mode 100644 index 00000000..751bb0e8 --- /dev/null +++ b/SOURCES/booleans-automotive.conf @@ -0,0 +1,15 @@ +gssd_read_tmp = true +httpd_builtin_scripting = true +httpd_enable_cgi = true +kerberos_enabled = true +mount_anyfile = true +nfs_export_all_ro = true +nfs_export_all_rw = true +pppd_can_insmod = false +selinuxuser_direct_dri_enabled = true +selinuxuser_execstack = true +selinuxuser_rw_noexattrfile=true +selinuxuser_ping = true +unconfined_chrome_sandbox_transition=true +unconfined_mozilla_plugin_transition=true +use_virtualbox = true diff --git a/SOURCES/modules-automotive-base.conf b/SOURCES/modules-automotive-base.conf new file mode 100644 index 00000000..4bb4e52a --- /dev/null +++ b/SOURCES/modules-automotive-base.conf @@ -0,0 +1,604 @@ +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: services +# Module: chronyd +# +# Daemon for maintaining clock time +# +chronyd = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: contrib +# Module: fwupd +# +# fwupd is a daemon to allow session software to update device firmware. +# +fwupd = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: contrib +# Module: journalctl +# +# journalctl policy +# +journalctl = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: role +# Module: logadm +# +# Minimally prived root role for managing logging system +# +logadm = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: contrib +# Module: mandb +# +# Policy for mandb +# +mandb = module + +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: apps +# Module: namespace +# +# policy for namespace.init script +# +namespace = module + +# Layer: system +# Module: netlabel +# +# Basic netlabel types and interfaces. +# +netlabel = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: contrib +# Module: pesign +# +# policy for pesign +# +pesign = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpc = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Module: setrans +# Required in base +# +# Policy for setrans +# +setrans = module + +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: contrib +# Module: stalld +# +# stalld +# +stalld = module + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +su = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm = module + +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: systemd +# +# Policy for systemd components +# +systemd = module + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# +# +# +ubac = base + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module + +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfined = module + +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfineduser = module + +# Layer: kernel +# Module: unconfined +# +# The unlabelednet module. +# +unlabelednet = module + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Layer: apps +# Module: userhelper +# +# A helper interface to pam. +# +userhelper = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = module + +# Layer: services +# Module: virt +# +# Virtualization libraries +# +virt = module + +# Layer: apps +# Module: vhostmd +# +# vlock - Virtual Console lock program +# +vlock = module + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = module + diff --git a/SOURCES/modules-automotive-contrib.conf b/SOURCES/modules-automotive-contrib.conf new file mode 100644 index 00000000..aa69276e --- /dev/null +++ b/SOURCES/modules-automotive-contrib.conf @@ -0,0 +1,2563 @@ +# Layer: services +# Module: abrt +# +# Automatic bug detection and reporting tool +# +abrt = module + +# Layer: services +# Module: accountsd +# +# An application to view and modify user accounts information +# +accountsd = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: contrib +# Module: afterburn +# +# afterburn +# +afterburn = module + +# Layer: services +# Module: aiccu +# +# SixXS Automatic IPv6 Connectivity Client Utility +# +aiccu = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: services +# Module: ajaxterm +# +# Web Based Terminal +# +ajaxterm = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: contrib +# Module: antivirus +# +# SELinux policy for antivirus programs +# +antivirus = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: contrib +# Module: authconfig +# +# Authorization configuration tool +# +authconfig = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: module +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: contrib +# Module: bacula +# +# bacula policy +# +bacula = module + +# Layer: services +# Module: bcfg2 +# +# Configuration management server +# +bcfg2 = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: contrib +# Module: blkmapd +# +# The blkmapd daemon performs device discovery and mapping for pNFS block layout client. +# +blkmapd = module + +# Layer: services +# Module: blueman +# +# Blueman tools and system services. +# +blueman = module + +# Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: contrib +# Module: boltd +# +# boltd +# +boltd = module + +# Layer: contrib +# Module: boothd +# +# boothd - Booth cluster ticket manager +# +boothd = module + +# Layer: contrib +# Module: bootupd +# +# bootupd - bootloader update daemon +# +bootupd = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: contrib +# Module: brltty +# +# brltty policy +# +brltty = module + +# Layer: services +# Module: bugzilla +# +# Bugzilla server +# +bugzilla = module + +# Layer: services +# Module: bumblebee +# +# Support NVIDIA Optimus technology under Linux +# +bumblebee = module + +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: services +# Module: callweaver +# +# callweaver telephony sever +# +callweaver = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: services +# Module: cfengine +# +# cfengine +# +cfengine = module + +# Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + +# Layer: contrib +# Module: cinder +# +# openstack-cinder policy +# +cinder = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: clogd +# +# clogd - clustered mirror log server +# +clogd = module + +# Layer: services +# Module: cloudform +# +# cloudform daemons +# +cloudform = module + +# Layer: services +# Module: cmirrord +# +# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster +# +cmirrord = module + +# Layer: services +# Module: cobbler +# +# cobbler +# +cobbler = module + +# Layer: services +# Module: collectd +# +# Statistics collection daemon for filling RRD files +# +collectd = module + +# Layer: services +# Module: colord +# +# color device daemon +# +colord = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: condor +# +# policy for condor +# +condor = module + +# Layer: services +# Module: conman +# +# Conman is a program for connecting to remote consoles being managed by conmand +# +conman = module + +# Layer: contrib +# Module: conntrackd +# +# conntrackd +# +conntrackd = module + +# Layer: services +# Module: consolekit +# +# ConsoleKit is a system daemon for tracking what users are logged +# +consolekit = module + +# Layer: contrib +# Module: coreos_installer +# +# coreos_installer +# +coreos_installer = module + +# Layer: services +# Module: couchdb +# +# Apache CouchDB database server +# +couchdb = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + +# Layer: contrib +# Module: cpuplug +# +# cpuplug policy +# +cpuplug = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = module + +# Layer: services +# Module: ctdbd +# +# Cluster Daemon +# +ctdb = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: role +# Module: dbadm +# +# Minimally prived root role for managing databases +# +dbadm = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. +# +dcc = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: services +# Module: denyhosts +# +# script to help thwart ssh server attacks +# +denyhosts = module + +# Layer: services +# Module: devicekit +# +# devicekit-daemon +# +devicekit = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: dirsrv-admin +# +# An 309 directory admin server +# +dirsrv = module + +# Layer: services +# Module: dirsrv-admin +# +# An 309 directory admin server +# +dirsrv-admin = module + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: dnssec +# +# A dnssec server application +# +dnssec = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: drbd +# +# DRBD mirrors a block device over the network to another machine. +# +drbd = module + +# Layer: services +# Module: dspam +# +# dspam - library and Mail Delivery Agent for Bayesian SPAM filtering +# +dspam = module + +# Layer: services +# Module: entropy +# +# Generate entropy from audio input +# +entropyd = module + +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fcoe +# +# fcoe +# +fcoe = module + +# Layer: contrib +# Module: fdo +# +# fdo - fido device onboard protocol for IoT devices +# +fdo = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module + +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + +# Layer: contrib +# Module: freeipmi +# +# Remote-Console (out-of-band) and System Management Software (in-band) +# based on IntelligentPlatform Management Interface specification +# +freeipmi = module + +# Layer: services +# Module: freqset +# +# Utility for CPU frequency scaling +# +freqset = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: contrib +# Module: gdomap +# +# gdomap policy +# +gdomap = module + +# Layer: contrib +# Module: geoclue +# +# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information +# +geoclue = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +git = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + +# Layer: services +# Module: glance +# +# Policy for glance +# +glance = module + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Module: gpsd +# +# gpsd monitor daemon +# +# +gpsd = module + +# Module: gssproxy +# +# A proxy for GSSAPI credential handling +# +# +gssproxy = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services +# Module: hostapd +# +# hostapd - IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator +# +hostapd = module + +# Layer: contrib +# Module: hsqldb +# +# Hsqldb is transactional database engine with in-memory and disk-based tables, supporting embedded and server modes. +# +hsqldb = module + +# Layer: contrib +# Module: hwloc +# +# hwloc +# +hwloc = module + +# Layer: contrib +# Module: hypervkvp +# +# hypervkvp policy +# +hypervkvp = module + +# Layer: contrib +# Module: ibacm +# +# ibacm +# +ibacm = module + +# Layer: contrib +# Module: ica +# +# ica +# +ica = module + +# Layer: services +# Module: icecast +# +# ShoutCast compatible streaming media server +# +icecast = module + +# Layer: contrib +# Module: iiosensorproxy +# +# Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy +# +iiosensorproxy = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: contrib +# Module: insights_client +# +# insights_client +# +insights_client = module + +# Layer: contrib +# Module: iodine +# +# Fast and lean authoritative DNS Name Server +# +iodine = module + +iotop = module + +# Layer: contrib +# Module: ipmievd +# +# IPMI event daemon for sending events to syslog +# +ipmievd = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: system +# Module: isnsd +# +# +# +isns = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: jetty +# +# Java based http server +# +jetty = module + +# Layer: apps +# Module: jockey +# +# policy for jockey-backend +# +jockey = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdump = module + +# Layer: apps +# Module: kdumpgui +# +# system-config-kdump policy +# +kdumpgui = module + +# Layer: services +# Module: keepalived +# +# keepalived - load-balancing and high-availability service +# +keepalived = module + +# Module: keyboardd +# +# system-setup-keyboard is a keyboard layout daemon that monitors +# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet +# +keyboardd = module + +# Layer: services +# Module: keystone +# +# openstack-keystone +# +keystone = module + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +kmscon = module + +# Layer: contrib +# Module: kpatch +# +# kpatch +# +kpatch = module + +# Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: l2ltpd +# +# Layer 2 Tunnelling Protocol Daemon +# +l2tp = module + +# Layer: services +# Module: likewise +# +# Likewise Active Directory support for UNIX +# +likewise = module + +# Layer: contrib +# Module: linuxptp +# +# linuxptp policy +# +linuxptp = module + +# Layer: services +# Module: lircd +# +# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket. +# +lircd = module + +# Layer: apps +# Module: livecd +# +# livecd creator +# +livecd = module + +# Layer: services +# Module: lldpad +# +# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon +# +lldpad = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = module + +# Layer: contrib +# Module: lsm +# +# lsm policy +# +lsm = module + +# Layer: contrib +# Module: lttng-tools +# +# LTTng 2.x central tracing registry session daemon. +# +lttng-tools = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: mailman +# +# Policy for mailscanner +# +mailscanner = module + +# Layer: apps +# Module: man2html +# +# policy for man2html apps +# +man2html = module + +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. +# +mcelog = module + +# Layer: apps +# Module: mediawiki +# +# mediawiki +# +mediawiki = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# +# +milter = module + +# Layer: contrib +# Module: minidlna +# +# minidlna policy +# +minidlna = module + +# Layer: contrib +# Module: minissdpd +# +# minissdpd policy +# +minissdpd = module + +# Layer: services +# Module: mip6d +# +# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation +# +mip6d = module + +# Layer: contrib +# Module: mirrormanager +# +# mirrormanager policy +# +mirrormanager = module + +# Layer: services +# Module: mock +# +# Policy for mock rpm builder +# +mock = module + +# Layer: services +# Module: modemmanager +# +# Manager for dynamically switching between modems. +# +modemmanager = module + +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + +# Layer: contrib +# Module: mon_statd +# +# mon_statd policy +# +mon_statd = module + +mongodb = module + +# Layer: contrib +# Module: motion +# +# Daemon for detect motion using a video4linux device +motion = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: services +# Module: mpd +# +# mpd - daemon for playing music +# +mpd = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: contrib +# Module: mptcpd +# +# mptcpd +# +mptcpd = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: contrib +# Module: mythtv +# +# Policy for Mythtv (Web Server) +# +mythtv = module + +# Layer: contrib +# Module: naemon +# +# naemon policy +# +naemon = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: admin +# Module: ncftool +# +# Tool to modify the network configuration of a system +# +ncftool = module + +# Layer: services +# Module: ninfod +# +# Respond to IPv6 Node Information Queries +# +ninfod = module + +# Layer: services +# Module: nova +# +# openstack-nova +# +nova = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: contrib +# Module: nsd +# +# Fast and lean authoritative DNS Name Server +# +nsd = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: numad +# +# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology +# +numad = module + +# Layer: services +# Module: nut +# +# nut - Network UPS Tools +# +nut = module + +# Layer: contrib +# Module: nvme_stas +# +# nvme_stas +# +nvme_stas = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + +# Layer: services +# Module: obex +# +# policy for obex-data-server +# +obex = module + +# Layer: contrib +# Module: opafm +# +# opafm +# +opafm = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = module + +# Layer: contrib +# Module: opendnssec +# +# opendnssec +# +opendnssec = module + +# Layer: contrib +# Module: openfortivpn +# +# Fortinet compatible SSL VPN daemons. +# +openfortivpn = module + +# Layer: contrib +# Module: openhpid +# +# OpenHPI daemon runs as a background process and accepts connecti +# +openhpid = module + +# Layer: contrib +# Module: openshift-origin +# +# Origin version of openshift policy +# +openshift = module + +# Layer: contrib +# Module: openshift-origin +# +# Origin version of openshift policy +# +openshift-origin = module + +# Layer: services +# Module: opensm +# +# InfiniBand subnet manager and administration (SM/SA) +# +opensm = module + +# Layer: services +# Module: openvpn +# +# Policy for OPENVPN full-featured SSL VPN solution +# +openvpn = module + +# Layer: contrib +# Module: openvswitch +# +# SELinux policy for openvswitch programs +# +openvswitch = module + +# Layer: services +# Module: openwsman +# +# WS-Management Server +# +openwsman = module + +# Layer: contrib +# Module: oracleasm +# +# oracleasm policy +# +oracleasm = module + +# Layer: services +# Module: osad +# +# Client-side service written in Python that responds to pings +# +osad = module + +# Layer: services +# Module: pads +# +pads = module + +# Layer: services +# Module: passenger +# +# Passenger +# +passenger = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: contrib +# Module: pcp +# +# pcp policy +# +pcp = module + +# Layer: service +# Module: pcscd +# +# PC/SC Smart Card Daemon +# +pcscd = module + +# Layer: services +# Module: pdns +# +# PowerDNS DNS server +# +pdns = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + +# Layer: services +# Module: pingd +# +# +pingd = module + +# Layer: services +# Module: piranha +# +# piranha - various tools to administer and configure the Linux Virtual Server +# +piranha = module + +# Layer: contrib +# Module: pkcs +# +# daemon manages PKCS#11 objects between PKCS#11-enabled applications +# +pkcs = module + +# Layer: contrib +# Module: pkcs11proxyd +# +# pkcs11proxyd policy +# +pkcs11proxyd = module + +# Layer: services +# Module: pki +# +# policy for pki +# +pki = module + +# Layer: services +# Module: plymouthd +# +# Plymouth +# +plymouthd = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + +# Layer: services +# Module: policykit +# +# Hardware abstraction layer +# +policykit = module + +# Layer: services +# Module: polipo +# +# polipo +# +polipo = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = module + +# Layer: system +# Module: powerprofiles +# +# Policy for power-profiles-daemon - power profiles handling over D-Bus +# +powerprofiles = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = module + +# Layer: contrib +# Module: prelude +# +# SELinux policy for prelude +# +prelude = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: contrib +# Module: prosody +# +# SELinux policy for prosody flexible communications server for Jabber/XMPP +# +prosody = module + +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: apps +# Module: pulseaudio +# +# The PulseAudio Sound System +# +pulseaudio = module + +# Layer: services +# Module: puppet +# +# A network tool for managing many disparate systems +# +puppet = module + +# Layer: apps +# Module: pwauth +# +# External plugin for mod_authnz_external authenticator +# +pwauth = module + +# Layer: contrib +# Module: qatlib +# +# qatlib - Intel QuickAssist technology library and resources management +# +qatlib = module + +# Layer: services +# Module: qmail +# +# Policy for qmail +# +qmail = module + +# Layer: services +# Module: qpidd +# +# Policy for qpidd +# +qpid = module + +# Layer: services +# Module: quantum +# +# Quantum is a virtual network service for Openstack +# +quantum = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: services +# Module: rabbitmq +# +# rabbitmq daemons +# +rabbitmq = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: services +# Module: rasdaemon +# +# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing +# +rasdaemon = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: contrib +# Module: stapserver +# +# dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA +# +realmd = module + +# Layer: contrib +# Module: redis +# +# redis policy +# +redis = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: contrib +# Module: rhcd +# +# rhcd +# +rhcd = module + +# Layer: services +# Module: rhcs +# +# RHCS - Red Hat Cluster Suite +# +rhcs = module + +# Layer: services +# Module: rhev +# +# rhev policy module contains policies for rhev apps +# +rhev = module + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = module + +# Layer: contrib +# Module: rhnsd +# +# rhnsd policy +# +rhnsd = module + +# Layer: services +# Module: rhsmcertd +# +# Subscription Management Certificate Daemon policy +# +rhsmcertd = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: contrib +# Module: rkhunter +# +# rkhunter policy for /var/lib/rkhunter +# +rkhunter = module + +# Layer: contrib +# Module: rkt +# +# CLI for running app containers +# +rkt = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: contrib +# Module: rngd +# +# Daemon used to feed random data from hardware device to kernel random device +# +rngd = module + +# Layer: contrib +# Module: rolekit +# +# rolekit policy +# +rolekit = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + +# Layer: contrib +# Module: rrdcached +# +# rrdcached +# +rrdcached = module + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = module + +# Layer: contrib +# Module: rshim +# +# rshim +# +rshim = module + +# Layer: apps +# Module: rssh +# +# Restricted (scp/sftp) only shell +# +rssh = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: contrib +# Module: rtas +# +# rtas policy +# +rtas = module + +# Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services +# Module: rwho +# +# who is logged in on local machines +# +rwho = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +samba = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +sambagui = module + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a X sandbox +# +sandboxX = module + +# Layer: services +# Module: sanlock +# +# sanlock policy +# +sanlock = module + +# Layer: contrib +# Module: sap_unconfined +# +# sap_unconfined +# +sap = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: contrib +# Module: sbd +# +# sbd +# +sbd = module + +# Layer: services +# Module: sblim +# +# sblim +# +sblim = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: admin +# Module: sectoolm +# +# Policy for sectool-mechanism +# +sectoolm = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: contrib +# Module: sensord +# +# Sensor information logging daemon +# +sensord = module + +# Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = module + +# Layer: services +# Module: sge +# +# policy for grindengine MPI jobs +# +sge = module + +# Layer: admin +# Module: shorewall +# +# Policy for shorewall +# +shorewall = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: contrib +# Module: slpd +# +# OpenSLP server daemon to dynamically register services +# +slpd = module + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: smokeping +# +# Latency Logging and Graphing System +# +smokeping = module + +# Layer: admin +# Module: smoltclient +# +#The Fedora hardware profiler client +# +smoltclient = module + +# Layer: services +# Module: smsd +# +# policy for smsd +# +smsd = module + +# Layer: contrib +# Module: snapper +# +# snapper policy +# +snapper = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: admin +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: speech-dispatcher +# +# speech-dispatcher - server process managing speech requests in Speech Dispatcher +# +speech-dispatcher = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: sslh +# +# Applicative protocol(SSL/SSH) multiplexer +# +sslh = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Module: staff +# +# admin account +# +staff = module + +# Layer: contrib +# Module: stapserver +# +# Instrumentation System Server +# +stapserver = module + +# Layer: contrib +# Module: stratisd +# +# stratisd +# +stratisd = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: svnserve +# +# policy for subversion service +# +svnserve = module + +# Layer: services +# Module: swift +# +# openstack-swift +# +swift = module + +# Layer: system +# Module: switcheroo +# +# Policy for switcheroo-control: D-Bus service to check dual GPU availability +# +switcheroo = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: contrib +# Module: tangd +# +# tangd +# +tangd = module + +# Layer: contrib +# Module: targetd +# +# targetd policy +# +targetd = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: tcsd +# +# tcsd - daemon that manages Trusted Computing resources +# +tcsd = module + +# Layer: apps +# Module: telepathy +# +# telepathy - Policy for Telepathy framework +# +telepathy = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + +# Layer: contrib +# Module: thin +# +# Policy for thin +# +thin = module + +# Layer: apps +# Module: thumb +# +# Thumbnailer confinement +# +thumb = module + +# Layer: contrib +# Module: timedatex +# +# timedatex +# +timedatex = module + +# Layer: contrib +# Module: tlp +# +# tlp +# +tlp = module + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: contrib +# Module: glusterd +# +# policy for tomcat service +# +tomcat = module + +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: services +# Module: ulogd +# +# netfilter/iptables ULOG daemon +# +ulogd = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: role +# Module: unprivuser +# +# Minimally privs guest account on tty logins +# +unprivuser = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: services +# Module: usbmuxd +# +# Daemon for communicating with Apple's iPod Touch and iPhone +# +usbmuxd = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: uuidd +# +# UUID generation daemon +# +uuidd = module + +# Layer: services +# Module: varnishd +# +# Varnishd http accelerator daemon +# +varnishd = module + +# Layer: services +# Module: vdagent +# +# vdagent +# +vdagent = module + +# Layer: services +# Module: vhostmd +# +# vhostmd - spice guest agent daemon. +# +vhostmd = module + +# Layer: services +# Module: vmtools +# +# VMware Tools daemon +# +vmtools = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: services +# Module: vnstatd +# +# Network traffic Monitor +# +vnstatd = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: services +# Module: w3c +# +# w3c +# +w3c = module + +# Layer: contrib +# Module: watchdog +# +# Watchdog policy +# +watchdog = module + +# Layer: services +# Module: wdmd +# +# wdmd policy +# +wdmd = module + +# Layer: role +# Module: webadm +# +# Minimally prived root role for managing apache +# +webadm = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# wine executable +# +wine = module + +# Layer: contrib +# Module: wireguard +# +# wireguard +# +wireguard = module + +# Layer: apps +# Module: wireshark +# +# wireshark executable +# +wireshark = module + +# Layer: system +# Module: xen +# +# virtualization software +# +xen = module + +# Layer: role +# Module: xguest +# +# Minimally privs guest account on X Windows logins +# +xguest = module + +# Layer: services +# Module: zabbix +# +# Open-source monitoring solution for your IT infrastructure +# +zabbix = module + +# Layer: services +# Module: zarafa +# +# Zarafa Collaboration Platform +# +zarafa = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: zoneminder +# +# Zoneminder Camera Security Surveillance Solution +# +zoneminder = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = off + +# Layer: apps +# Module: sandbox +# +# Policy for running apps within a sandbox +# +sandbox = off + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = off + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = off diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf index 9aa8fabd..db0c305b 100644 --- a/SOURCES/modules-targeted-contrib.conf +++ b/SOURCES/modules-targeted-contrib.conf @@ -2747,3 +2747,24 @@ sap = module # bootupd - bootloader update daemon # bootupd = module + +# Layer: contrib +# Module: iiosensorproxy +# +# Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy +# +iiosensorproxy = module + +# Layer: system +# Module: powerprofiles +# +# Policy for power-profiles-daemon - power profiles handling over D-Bus +# +powerprofiles = module + +# Layer: system +# Module: switcheroo +# +# Policy for switcheroo-control: D-Bus service to check dual GPU availability +# +switcheroo = module diff --git a/SOURCES/securetty_types-automotive b/SOURCES/securetty_types-automotive new file mode 100644 index 00000000..7055096f --- /dev/null +++ b/SOURCES/securetty_types-automotive @@ -0,0 +1,4 @@ +console_device_t +sysadm_tty_device_t +user_tty_device_t +staff_tty_device_t diff --git a/SOURCES/setrans-automotive.conf b/SOURCES/setrans-automotive.conf new file mode 100644 index 00000000..09a6ce3d --- /dev/null +++ b/SOURCES/setrans-automotive.conf @@ -0,0 +1,19 @@ +# +# Multi-Category Security translation table for SELinux +# +# Uncomment the following to disable translation libary +# disable=1 +# +# Objects can be categorized with 0-1023 categories defined by the admin. +# Objects can be in more than one category at a time. +# Categories are stored in the system as c0-c1023. Users can use this +# table to translate the categories into a more meaningful output. +# Examples: +# s0:c0=CompanyConfidential +# s0:c1=PatientRecord +# s0:c2=Unclassified +# s0:c3=TopSecret +# s0:c1,c3=CompanyConfidentialRedHat +s0=SystemLow +s0-s0:c0.c1023=SystemLow-SystemHigh +s0:c0.c1023=SystemHigh diff --git a/SOURCES/users-automotive b/SOURCES/users-automotive new file mode 100644 index 00000000..8e0da0c6 --- /dev/null +++ b/SOURCES/users-automotive @@ -0,0 +1,39 @@ +################################## +# +# Core User configuration. +# + +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# +# Note: Identities without a prefix will not be listed +# in the users_extra file used by genhomedircon. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec index b2b9c574..1f4e9dd1 100644 --- a/SPECS/selinux-policy.spec +++ b/SPECS/selinux-policy.spec @@ -1,6 +1,6 @@ # github repo with selinux-policy sources %global giturl https://github.com/fedora-selinux/selinux-policy -%global commit b98a9aa153fa314a437f7f979d06efdb191f5a24 +%global commit cc594909ed91e01158de01b5d43673ba2e5c8967 %global shortcommit %(c=%{commit}; echo ${c:0:7}) %define distro redhat @@ -18,13 +18,16 @@ %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} %define BUILD_MLS 1 %endif +%if %{?BUILD_AUTOMOTIVE:0}%{!?BUILD_AUTOMOTIVE:1} +%define BUILD_AUTOMOTIVE 1 +%endif %define POLICYVER 33 %define POLICYCOREUTILSVER 3.4-1 %define CHECKPOLICYVER 3.2 Summary: SELinux policy configuration Name: selinux-policy -Version: 38.1.44 -Release: 1%{?dist} +Version: 38.1.53 +Release: 2%{?dist} License: GPLv2+ Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source1: modules-targeted-base.conf @@ -61,6 +64,13 @@ Source35: container-selinux.tgz Source36: selinux-check-proper-disable.service +Source37: modules-automotive-base.conf +Source38: modules-automotive-contrib.conf +Source39: booleans-automotive.conf +Source40: users-automotive +Source41: setrans-automotive.conf +Source42: securetty_types-automotive + # Provide rpm macros for packages installing SELinux modules Source102: rpm.macros @@ -169,6 +179,7 @@ This package contains manual pages and documentation of the policy modules. %files doc %{_mandir}/man*/* %{_mandir}/ru/*/* +%exclude %{_mandir}/man8/container_selinux.8.gz %doc %{_datadir}/doc/%{name} %define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 @@ -407,7 +418,7 @@ end tar -C policy/modules/contrib -xf %{SOURCE35} mkdir selinux_config -for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do +for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32} %{SOURCE37} %{SOURCE38} %{SOURCE39} %{SOURCE40} %{SOURCE41} %{SOURCE42};do cp $i selinux_config done @@ -424,8 +435,8 @@ mkdir -p %{buildroot}%{_bindir} install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/ # Always create policy module package directories -mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ -mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ +mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,automotive,modules}/ +mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,automotive,modules}/ mkdir -p %{buildroot}%{_datadir}/selinux/packages @@ -465,8 +476,17 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox %nonBaseModulesList mls %endif +%if %{BUILD_AUTOMOTIVE} +# Build automotive policy +%makeCmds automotive mcs allow +%makeModulesConf automotive base contrib +%installCmds automotive mcs allow +%modulesList automotive +%nonBaseModulesList automotive +%endif + # remove leftovers when save-previous=true (semanage.conf) is used -rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous +rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls,automotive}/previous mkdir -p %{buildroot}%{_mandir} cp -R man/* %{buildroot}%{_mandir} @@ -738,6 +758,83 @@ exit 0 %fileList minimum %endif +%if %{BUILD_AUTOMOTIVE} +%package automotive +Summary: SELinux automotive policy +Provides: selinux-policy-any = %{version}-%{release} +Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: seedit +Conflicts: container-selinux <= 1.9.0-9 + +%description automotive +SELinux automotive policy package. + +%pretrans automotive -p +%backupConfigLua + +%pre automotive +%preInstall automotive +if [ $1 -ne 1 ]; then + %{_sbindir}/semodule -s automotive --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/automotive/instmodules.lst +fi + +%post automotive +%checkConfigConsistency automotive +contribpackages=`cat %{_datadir}/selinux/automotive/modules-contrib.lst` +basepackages=`cat %{_datadir}/selinux/automotive/modules-base.lst` +if [ ! -d %{_sharedstatedir}/selinux/automotive/active/modules/disabled ]; then + mkdir %{_sharedstatedir}/selinux/automotive/active/modules/disabled +fi +if [ $1 -eq 1 ]; then +for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p +done +for p in $basepackages apache dbus inetd kerberos mta nis; do + rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p +done +%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null +%{_sbindir}/semodule -B -s automotive +else +instpackages=`cat %{_datadir}/selinux/automotive/instmodules.lst` +for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p +done +for p in $instpackages apache dbus inetd kerberos mta nis; do + rm -f %{_sharedstatedir}/selinux/automotive/active/modules/disabled/$p +done +%{_sbindir}/semodule -B -s automotive +%relabel automotive +fi +exit 0 + +%posttrans automotive +%checkConfigConsistency automotive + +%postun automotive +if [ $1 = 0 ]; then + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "automotive" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi +fi +exit 0 + +%files automotive -f %{buildroot}%{_datadir}/selinux/automotive/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/automotive/contexts/users/sysadm_u +%fileList automotive +%endif + %if %{BUILD_MLS} %package mls Summary: SELinux MLS policy @@ -809,6 +906,165 @@ exit 0 %endif %changelog +* Fri Feb 07 2025 Zdenek Pytela - 38.1.53-1 +- Allow svirt_t to connect to nbdkit over a unix stream socket +Resolves: RHEL-56029 +- Allow power-profiles-daemon the bpf capability +Resolves: RHEL-61117 +- Allow systemd-machined the kill user-namespace capability +Resolves: RHEL-76352 + +* Fri Jan 31 2025 Zdenek Pytela - 38.1.52-1 +- Add the files_read_root_files() interface +Resolves: RHEL-70849 +- Dontaudit systemd-logind remove all files +Resolves: RHEL-59145 +- Add the files_dontaudit_read_all_dirs() interface +Resolves: RHEL-59145 +- Add the files_dontaudit_delete_all_files() interface +Resolves: RHEL-59145 +- Allow rhsmcertd notify virt-who +Resolves: RHEL-77152 +- Allow irqbalance to run unconfined scripts conditionally +Resolves: RHEL-1556 +- Backport bootupd policy from current Fedora rawhide +Resolves: RHEL-70849 +- Support using systemd containers +Resolves: RHEL-76352 +- Allow svirt_t connect to unconfined_t over a unix domain socket +Resolves: RHEL-37539 +- Allow virt_domain to use pulseaudio - conditional +Resolves: RHEL-1379 +- Allow telnetd read network sysctls +Resolves: RHEL-58825 +- Allow alsa watch generic device directories +Resolves: RHEL-61472 +- Update switcheroo policy +Resolves: RHEL-24268 + +* Wed Jan 15 2025 Zdenek Pytela - 38.1.51-1 +- Allow rsyslog read systemd-logind session files +Resolves: RHEL-73839 +- Allow samba-bgqd connect to cupsd over an unix domain stream socket +Resolves: RHEL-72860 +- Allow svirt_t read sysfs files +Resolves: RHEL-70839 +- Allow xdm dbus chat with power-profiles-daemon +Resolves: RHEL-61117 +- Update power-profiles-daemon policy +Resolves: RHEL-61117 +- Confine power-profiles-daemon +Resolves: RHEL-61117 +- Allow virtqemud domain transition to nbdkit +Resolves: RHEL-56029 +- Add nbdkit interfaces defined conditionally +Resolves: RHEL-56029 +- Confine the switcheroo-control service +Resolves: RHEL-24268 + +* Fri Dec 13 2024 Zdenek Pytela - 38.1.50-1 +- Allow auditctl signal auditd +Resolves: RHEL-68969 +- Fix the cups_read_pid_files() interface to use read_files_pattern +Resolves: RHEL-69517 +- Dontaudit systemd-coredump the sys_resource capability +Resolves: RHEL-46339 +- Allow rpcd read network sysctls +Resolves: RHEL-1558 +- Allow irqbalance setpcap capability in the user namespace +Resolves: RHEL-69564 +- Allow traceroute_t bind rawip sockets to unreserved ports +Resolves: RHEL-54561 +- Allow svirt_t the sys_rawio capability +Resolves: RHEL-56955 +- Change /run/sysctl\.d(/.*)? fc entry to /var/run/sysctl\.d(/.*)? +Resolves: RHEL-56988 +- Exclude container-selinux manpage from selinux-policy-doc +Resolves: RHEL-69916 + +* Fri Dec 06 2024 Zdenek Pytela - 38.1.49-1 +- Update virtlogd policy +Resolves: RHEL-69433 +- Allow svirt_t the sys_rawio capability +Resolves: RHEL-56955 +- Allow qemu-ga the dac_override and dac_read_search capabilities +Resolves: RHEL-52476 +- Allow ip the setexec permission +Resolves: RHEL-62923 +- Allow alsa get attributes filesystems with extended attributes +Resolves: RHEL-61472 +- Allow bacula execute container in the container domain +Resolves: RHEL-21168 +- Allow httpd get attributes of dirsrv unit files +Resolves: RHEL-46808 +- Update samba-bgqd policy +Resolves: RHEL-69517 +- Allow samba-bgqd read cups config files +Resolves: RHEL-69517 +- Update policy for samba-bgqd +Resolves: RHEL-69517 +- Update bootupd policy for the removing-state-file test +Resolves: RHEL-66584 +- Allow qatlib search the content of the kernel debugging filesystem +Resolves: RHEL-53864 +- Allow qatlib connect to systemd-machined over a unix socket +Resolves: RHEL-53864 +- Update qatlib policy for v24.02 with new features +Resolves: RHEL-53864 + +* Tue Nov 12 2024 Zdenek Pytela - 38.1.48-1 +- Revert "Allow unconfined_t execute kmod in the kmod domain" +Resolves: RHEL-65008 +- Add policy for /usr/libexec/samba/samba-bgqd +Resolves: RHEL-53124 + +* Wed Oct 23 2024 Zdenek Pytela - 38.1.47-1 +- Label /etc/sysctl.d and /run/sysctl.d with system_conf_t +Resolves: RHEL-56988 +- Allow lldpad create and use netlink_generic_socket +Resolves: RHEL-61832 +- Allow unconfined_t execute kmod in the kmod domain +Resolves: RHEL-54710 +- Allow confined users r/w to screen unix stream socket +Resolves: RHEL-50379 +- Label /root/.screenrc and /root/.tmux.conf with screen_home_t +Resolves: RHEL-50375 +- Allow iio-sensor-proxy the bpf capability +Resolves: RHEL-17346 + +* Fri Oct 11 2024 Zdenek Pytela - 38.1.46-1 +- Rebuild + +* Thu Oct 10 2024 Zdenek Pytela - 35.1.46-1 +- Label /run/modprobe.d with modules_conf_t +Resolves: RHEL-61453 +- Allow boothd connect to kernel over a unix socket +Resolves: RHEL-57104 +- Allow boothd connect to systemd-userdbd over a unix socket +Resolves: RHEL-57104 +- Additional updates stalld policy for bpf usage +Resolves: RHEL-57075 +- Update stalld policy for bpf usage +Resolves: RHEL-57075 +- Allow ptp4l the sys_admin capability +Resolves: RHEL-55133 +- Label /dev/hfi1_[0-9]+ devices +Resolves: RHEL-54996 +- Confine iio-sensor-proxy +Resolves: RHEL-17346 + +* Mon Sep 16 2024 Zdenek Pytela - 38.1.45-3 +- Rebuild +Resolves: RHEL-55414 + +* Wed Sep 04 2024 Zdenek Pytela - 38.1.45-2 +- Rebuild +Resolves: RHEL-55414 + +* Thu Aug 29 2024 Zdenek Pytela - 38.1.45-1 +- Allow setsebool_t relabel selinux data files +Resolves: RHEL-55414 + * Mon Aug 12 2024 Zdenek Pytela - 38.1.44-1 - Allow coreos-installer-generator work with partitions Resolves: RHEL-38614