See download for download information. This release focused on infrastructure, organization, and initial design rather than comprehensive policy coverage or security improvements. Currently only the strict policy is supported, with targeted policy support planned for the future.
This is a prototype release, not meant to be used on real systems. It is targeted towards developers, to show the direction of the policy's development and to solicit feedback.
Reference Policy Status | ||
---|---|---|
Task/Component | Status | Description |
Policy Structure | Complete | The policy is converted over to new Reference Policy structure |
TE Policy | Conversion Ongoing | Conversion of old policy to Reference Policy modules is ongoing |
Loadable Policy Modules | Major improvements | Infrastructure is in place to support both source policy and loadable policy modules. Makefile support planned. | Documentation Infrastructure | Interfaces complete | Tools to create webpages from the module interface documentation is complete. Adding tunables to the webpages is planned. |
Policy Documentation | Ongoing | Most kernel layer modules are documented. |
Unused Modules | Complete | Modules can be disabled by using modules.conf. |
MLS Infrastructure | Minor improvements | MLS infrastructure added to support easy conversion between MLS and non-MLS policy. Policy is compilable, but untested. |
Network Infrastructure | Minor improvements | All network ports, nodes, and interfaces moved to corenetwork module, interfaces generated automatically. Plan to add more infrastructure for configuration of ports, nodes, and interfaces. |
User domains and roles | Minor improvements | Some infrastructure added to support per-user domain policy, e.g., to create types and policy for ssh, for each user. Plan to add infrastructure to easily configure userdomains and roles. |
Labeling | Minor improvements | All labeling moved to modules, consistent with Reference Policy structure. |
Tunables | Minor improvements | Tunables are documented, and in the future will be included in the webpage policy documentation. |
Users | Unchanged | Assignment of users to roles |
Constraints | Unchanged | Plan to split up into relevant modules. There are ordering problems with source policies. |
Flask | Unchanged | Headers for the policy, describing object classes, and their permissions. No planned changes |
Genhomedircon | Unchanged | Tool to properly label users' home directories. No planned changes |
This phase of reference policy development involves the conversion of policies from the example strict policy. We have been using the Fedora strict policy version 1.23.2-1 as a baseline for policy conversion, which is available on the download page. Then after these policies are added to reference policy, it can be updated to be in line with current versions of the NSA example policy. For those who wish to contribute, here is a listing of modules which need to be converted:
A very minimal RedHat Enterprise Linux 4 system with the following RPMs has can be successfully booted in enforcing mode, and users can log in locally, with Reference Policy: