Status

Current Version: 20050802

See the download page for download information. Details of this release are in the changelog. This release focused on infrastructure, organization, and initial design rather than on comprehensive policy coverage or security improvements. Currently only the strict policy is supported; targeted policy support is planned for the future.
Warning: This is a prototype release, not meant to be used on real systems. It is targeted at developers, to show the direction of the policy's development and to solicit feedback.

 

Status and Tasks

Reference Policy Status
Task/Component               | Status              | Description
Policy Structure             | Complete            | The policy is converted over to the new Reference Policy structure.
TE Policy Conversion         | Ongoing             | Conversion of the old policy to Reference Policy modules is ongoing.
Loadable Policy Modules      | Major improvements  | Infrastructure is in place to support both source policy and loadable policy modules. Makefile support is planned.
Documentation Infrastructure | Interfaces complete | The tools that generate web pages from the module interface documentation are complete. Adding tunables to the web pages is planned.
Policy Documentation         | Ongoing             | Most kernel layer modules are documented.
Unused Modules               | Complete            | Modules can be disabled using modules.conf.
MLS Infrastructure           | Minor improvements  | MLS infrastructure added to support easy conversion between MLS and non-MLS policy. The policy compiles, but is untested.
Network Infrastructure       | Minor improvements  | All network ports, nodes, and interfaces moved to the corenetwork module; interfaces are generated automatically. More infrastructure for configuring ports, nodes, and interfaces is planned.
User domains and roles       | Minor improvements  | Some infrastructure added to support per-user domain policy, e.g., creating types and policy for ssh for each user. Infrastructure to easily configure user domains and roles is planned.
Labeling                     | Minor improvements  | All labeling moved to modules, consistent with the Reference Policy structure.
Tunables                     | Minor improvements  | Tunables are documented, and will be included in the web page policy documentation in the future.
Users                        | Unchanged           | Assignment of users to roles.
Constraints                  | Unchanged           | Plan to split up into the relevant modules. There are ordering problems with source policies.
Flask                        | Unchanged           | Headers for the policy, describing object classes and their permissions. No changes planned.
Genhomedircon                | Unchanged           | Tool to properly label users' home directories. No changes planned.

 

Roadmap

Reference Policy Roadmap
Version | Date           | Description
0.1     | June 2005      | Initial public release: basic policy restructuring, some infrastructure, few modules, and minimal documentation.
0.2     | July 2005      | Restructuring complete, additional modules, and improved infrastructure.
0.3     | August 2005    | Additional modules, documentation, and base module configuration support.
0.4     | September 2005 | Additional modules, documentation, and tested loadable module support.
0.5     | October 2005   | Additional modules, documentation, targeted policy, and tested MLS support.
0.6     | December 2005  | Additional modules, documentation, and module variations.

 

Policy Conversion

This phase of Reference Policy development involves converting policies from the NSA example strict policy. We have been using Fedora strict policy version 1.23.2-1, available on the download page, as the baseline for conversion. Once these policies have been added to Reference Policy, they can be brought in line with current versions of the NSA example policy. For those who wish to contribute, here is a listing of the modules that still need to be converted:

Testing Status

A very minimal Red Hat Enterprise Linux 4 system with the following RPMs can be successfully booted in enforcing mode under Reference Policy, and users can log in locally: