Download information is on the download page; the details of this release are in the changelog. This release focused on making interface names consistent, in an effort to stabilize the Reference Policy interfaces. Both strict and targeted policies can currently be built. MLS policies can also be built, but the MLS policy is still being tested on running systems.
Reference Policy Status

Task/Component | Status | Description
---|---|---
Policy Structure | Complete | The policy is converted over to new Reference Policy structure |
TE Policy | Conversion Ongoing | Conversion of old policy to Reference Policy modules is ongoing |
Loadable Policy Modules | Major improvements | Infrastructure is in place to support both source policy and loadable policy modules. Makefile support completed. |
Documentation Infrastructure | Interfaces, templates, Booleans, and tunables complete | The tools that generate web pages from the module interface and template documentation are complete. Global Booleans and tunables are supported; Booleans and tunables local to individual policies are planned. |
Policy Documentation | Ongoing | Most modules are documented. |
Unused Modules | Complete | Modules can be disabled by using modules.conf. |
MLS Infrastructure | Minor improvements | MLS infrastructure added to support easy conversion between MLS and non-MLS policy. Policy is compilable, but only lightly tested. |
MCS Support | Minor improvements | MLS infrastructure has been extended to support MCS categories in users and all contexts. MCS constraints have been added. Policy has been tested in the targeted-mcs policy configuration. |
Network Infrastructure | Minor improvements | All network ports, nodes, and interfaces moved to corenetwork module, interfaces generated automatically. Plan to add more infrastructure for configuration of ports, nodes, and interfaces. |
User domains and roles | Minor improvements | Some infrastructure added to support per-user domain policy, e.g., creating per-user types and policy for ssh. Plan to add infrastructure to easily configure user domains and roles. |
Labeling | Minor improvements | All labeling moved to modules, consistent with Reference Policy structure. Levels can be added to the labels without changes to the policy. |
Tunables | Minor improvements | Tunables are documented and included in the webpage policy documentation. |
Users | Unchanged | Assignment of users to roles. |
Constraints | Unchanged | Plan to split up into relevant modules when loadable modules support this. There are ordering problems with source policies. |
Flask | Unchanged | Headers for the policy, describing object classes, and their permissions. No planned changes. |
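To make concrete what the "conversion" rows above ask for, here is what one converted module looks like in Reference Policy form. This is an added example, not code from the page or from the Reference Policy tree: the daemon `foo`, the types `foo_t`, `foo_exec_t` and `foo_var_run_t`, and the paths `/usr/sbin/foo` and `/var/run/foo.pid` are hypothetical, and the interface and pattern names (`init_daemon_domain`, `files_pid_file`, `manage_files_pattern`, and so on) follow the conventions of the current Reference Policy, which, as the page notes, were still being stabilized at the time of this release. The three files that make up a module are shown one after another, separated by comment headers.

```m4
## foo.te -- a hypothetical daemon module (added example; names are assumptions).
## Rules that touch another module's types go through that module's interfaces,
## never through direct allow rules on its types.
policy_module(foo, 1.0.0)

########################################
#
# Declarations
#

type foo_t;
type foo_exec_t;
# Marks foo_t as a daemon domain and sets up the init -> foo_t transition.
init_daemon_domain(foo_t, foo_exec_t)

type foo_var_run_t;
# Declares the pid-file type to the files module (files layer owns /var/run).
files_pid_file(foo_var_run_t)

########################################
#
# Local policy
#

# The daemon creates, reads, writes and removes its own pid file under /var/run.
manage_files_pattern(foo_t, foo_var_run_t, foo_var_run_t)
files_pid_filetrans(foo_t, foo_var_run_t, file)

# Access to other modules' objects is requested through their interfaces.
kernel_read_system_state(foo_t)
logging_send_syslog_msg(foo_t)
miscfiles_read_localization(foo_t)

## foo.if -- interfaces this module offers to others. The "##" XML-style
## comments are what the documentation generator turns into web pages.

## <summary>Hypothetical foo daemon (added example).</summary>

########################################
## <summary>
##	Read foo pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`foo_read_pid_files',`
	gen_require(`
		type foo_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, foo_var_run_t, foo_var_run_t)
')

## foo.fc -- file contexts. gen_context() appends the MLS/MCS level, so the
## same labels build for MLS and non-MLS policy without editing this file.
/usr/sbin/foo		--	gen_context(system_u:object_r:foo_exec_t,s0)
/var/run/foo\.pid	--	gen_context(system_u:object_r:foo_var_run_t,s0)
```

Whether the module is built at all, and how, is selected in `policy/modules.conf` rather than by editing policy: `foo = module` builds it as a loadable module, `foo = base` links it into the base policy, and `foo = off` leaves it out entirely, which is the mechanism the "Unused Modules" row refers to. Another module that needs to read the pid file calls `foo_read_pid_files(its_domain_t)` instead of naming `foo_var_run_t` directly, which is what keeps the interface boundaries stable across releases.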
This phase of Reference Policy development involves converting policies from the example strict policy. Please work from the current NSA example policy in the NSA SourceForge CVS. Modules that are in the targeted policy should be given first priority; modules that are in the strict policy but not in the targeted policy should be given second priority. For those who wish to contribute, here is a listing of the modules that still need to be converted:
Policy Module Status

Module Name | Previous Policy Files | Assigned To
---|---|---
asterisk | asterisk.te asterisk.fc | |
audio-entropy | audio-entropyd.te audio-entropyd.fc | |
authbind | authbind.te authbind.fc | |
backup | backup.te backup.fc | |
bonobo + | bonobo.te bonobo.fc bonobo_macros.te | |
calamaris | calamaris.te calamaris.fc | |
cipe | ciped.te ciped.fc | |
courier | courier.te courier.fc | |
dante | dante.te dante.fc | |
dcc | dcc.te dcc.fc | |
ddclient | ddclient.te ddclient.fc | |
dnsmasq | dnsmasq.te dnsmasq.fc | |
dpkg | dpkg.te dpkg.fc | |
ethereal + | ethereal.te ethereal.fc ethereal_macros.te | Tresys |
evolution + | evolution.te evolution.fc evolution_macros.te | Tresys |
fontconfig + | fontconfig.te fontconfig.fc | Tresys |
gatekeeper | gatekeeper.te gatekeeper.fc | |
gconf + | gconf.te gconf.fc gconf_macros.te | Tresys |
games + | games.te games.fc games_domain.te | |
gift | gift.te gift.fc gift_macros.te | |
gnome + | gnome.te gnome.fc gnome_macros.te gnome_vfs.te gnome_vfs.fc gnome_vfs_macros.te gnome-pty-helper.te gnome-pty-helper.fc gph_macros.te | Tresys |
imazesrv | imazesrv.te imazesrv.fc | |
ircd | ircd.te ircd.fc | |
jabber | jabberd.te jabberd.fc | |
lcd | lcd.te lcd.fc | |
lrr | lrrd.te lrrd.fc | |
monop | monopd.te monopd.fc | |
mozilla + | mozilla.te mozilla.fc mozilla_macros.te | Tresys |
mplayer + | mplayer.te mplayer.fc mplayer_macros.te | Tresys |
nagios | nagios.te nagios.fc nrpe.te nrpe.fc | |
nessus | nessusd.te nessusd.fc | |
nsd | nsd.te nsd.fc | |
nx | nx_server.te nx_server.fc | |
oav-update | oav-update.te oav-update.fc | |
openca | openca-ca.te openca-ca.fc | |
orbit + | orbit.te orbit.fc orbit_macros.te | |
perdition | perdition.te perdition.fc | |
portslave | portslave.te portslave.fc | |
pxe | pxe.te pxe.fc | |
pyzor | pyzor.te pyzor.fc pyzor_macros.te | |
razor | razor.te razor.fc razor_macros.te | |
resmgr | resmgrd.te resmgrd.fc | |
rhgb + | rhgb.te rhgb.fc rhgb_macros.te | Tresys |
rssh | rssh.te rssh.fc rssh_macros.te | |
scannerdaemon | scannerdaemon.te scannerdaemon.fc | |
snort | snort.te snort.fc | |
sound-server + | sound-server.te sound-server.fc | |
speedtouch | speedmgmt.te speedmgmt.fc | |
sxid | sxid.te sxid.fc | |
transproxy | transproxy.te transproxy.fc | |
tripwire | tripwire.te tripwire.fc | |
uptimed | uptimed.te uptimed.fc | |
uwimap | uwimapd.te uwimapd.fc | |
vmware + | vmware.te vmware.fc vmware_macros.te | Tresys |
watchdog | watchdog.te watchdog.fc | |
xprint | xprint.te xprint.fc | |
yam | yam.te yam.fc | |
(*) Modules in the Fedora targeted policy
(+) Modules in the Fedora strict policy
Reference policy is now included in the Fedora Core 5 distribution.