Status

Current Version: 20050922

See download for download information. Details of this release are part of the changelog. This release focused on updating the policy to bring it in line with the NSA example policy in SourceForge CVS. Currently both strict and targeted policies can be built. MLS policies can be built, but the policy has not been tested on running systems. MCS support has also been added, but it is still experimental.


Status and Tasks

Reference Policy Status
| Task/Component | Status | Description |
|---|---|---|
| Policy Structure | Complete | The policy is converted over to the new Reference Policy structure. |
| TE Policy Conversion | Ongoing | Conversion of old policy to Reference Policy modules is ongoing. |
| Loadable Policy Modules | Major improvements | Infrastructure is in place to support both source policy and loadable policy modules. Makefile support completed. Almost all policy modules can be compiled; however, there are compiler issues which prevent all modules from compiling. |
| Documentation Infrastructure | Interfaces, templates, Booleans, and tunables complete | Tools to create webpages from the module interface and template documentation are complete. Global Booleans and tunables are supported. Booleans and tunables local to policies are planned. |
| Policy Documentation | Ongoing | Most modules are documented. |
| Unused Modules | Complete | Modules can be disabled by using modules.conf. |
| MLS Infrastructure | Minor improvements | MLS infrastructure added to support easy conversion between MLS and non-MLS policy. Policy is compilable, but untested. Further investigation is needed to ensure the levels in the policy are correct. |
| MCS Support | Minor improvements | MLS infrastructure has been extended to support MCS categories in users and all contexts. MCS constraints have been added. Policy is compilable, but untested. |
| Network Infrastructure | Minor improvements | All network ports, nodes, and interfaces moved to the corenetwork module; interfaces are generated automatically. Plan to add more infrastructure for configuration of ports, nodes, and interfaces. |
| User domains and roles | Minor improvements | Some infrastructure added to support per-user domain policy, e.g., to create types and policy for ssh for each user. Plan to add infrastructure to easily configure user domains and roles. |
| Labeling | Minor improvements | All labeling moved to modules, consistent with the Reference Policy structure. Levels can be added to the labels without changes to the policy. |
| Tunables | Minor improvements | Tunables are documented and included in the webpage policy documentation. |
| Users | Unchanged | Assignment of users to roles. |
| Constraints | Unchanged | Plan to split up into relevant modules when loadable modules support this. There are ordering problems with source policies. |
| Flask | Unchanged | Headers for the policy, describing object classes and their permissions. No planned changes. |
| Genhomedircon | Unchanged | Tool to properly label users' home directories. No planned changes. |


Roadmap

Reference Policy Roadmap
| Version | Date | Description |
|---|---|---|
| 0.1 | June 2005 | Initial public release, basic policy restructuring, some infrastructure, few modules, and minimal documentation. |
| 0.2 | July 2005 | Restructuring complete, additional modules, and improved infrastructure. |
| 0.3 | August 2005 | Additional modules, documentation, and base module configuration support. |
| 0.4 | September 2005 | Additional modules, documentation, and tested loadable module support. |
| 0.5 | October 2005 | Additional modules, documentation, targeted policy, and tested MLS support. |
| 0.6 | December 2005 | Additional modules, documentation, and module variations. |


Policy Conversion

This phase of Reference Policy development involves the conversion of policies from the NSA example strict policy. Please use the current NSA example policy in NSA SourceForge CVS. We ask that modules in the targeted policy be given first priority, and modules in the strict policy but not in the targeted policy second priority. For those who wish to contribute, here is a listing of the modules which still need to be converted:

Policy Module Status
| Module Name | Previous Policy Files | Assigned To |
|---|---|---|
| amanda *+ | amanda.te amanda.fc | |
| amavis | amavis.te amavis.fc | |
| apache *+ | apache.te apache.fc apache_macros.te | Tresys |
| arpwatch *+ | arpwatch.te arpwatch.fc | Tresys |
| asterisk | asterisk.te asterisk.fc | |
| audio-entropy | audio-entropyd.te audio-entropyd.fc | |
| authbind | authbind.te authbind.fc | |
| automount + | automount.te automount.fc | |
| backup | backup.te backup.fc | |
| bluetooth *+ | bluetooth.te bluetooth.fc | |
| bonobo + | bonobo.te bonobo.fc bonobo_macros.te | |
| browser + | mozilla.te mozilla.fc mozilla_macros.te | |
| calamaris | calabaris.te calamaris.fc | |
| cdrecord + | cdrecord.te cdrecord.fc cdrecord_macros.te | |
| certwatch + | certwatch.te certwatch.fc | |
| cipe | ciped.te ciped.fc | |
| clamav | clamav.te clamav.fc clamav_macros.te | |
| courier | courier.te courier.fc | |
| cyrus *+ | cyrus.te cyrus.fc | |
| daemontools | daemontools.te daemontools.fc daemontools_macros.te | Tresys |
| dante | dante.te dante.fc | |
| dcc | dcc.te dcc.fc | |
| ddclient | ddclient.te ddclient.fc | |
| ddcprobe + | ddcprobe.te ddcprobe.fc | |
| distcc | distcc.te distcc.fc | Tresys |
| djbdns | djbdns.te djbdns.fc | |
| dnsmasq | dnsmasq.te dnsmasq.fc | |
| dpkg | dpkg.te dpkg.fc | |
| dovecot *+ | dovecot.te dovecot.fc | |
| ethereal + | ethereal.te ethereal.fc ethereal_macros.te | |
| evolution + | evolution.te evolution.fc evolution_macros.te | |
| fetchmail + | fetchmail.te fetchmail.fc | |
| finger *+ | fingerd.te fingerd.fc fingerd_macros.te | |
| fontconfig + | fontconfig.te fontconfig.fc | |
| gatekeeper | gatekeeper.te gatekeeper.fc | |
| gconf + | gconf.te gconf.fc gconf_macros.te | |
| games + | games.te games.fc games_domain.te | |
| gift | gift.te gift.fc gift_macros.te | |
| gnome + | gnome.te gnome.fc gnome_macros.te gnome_vfs.te gnome_vfs.fc gnome_vfs_macros.te gnome-pty-helper.te gnome-pty-helper.fc gph_macros.te | |
| iceauth + | iceauth.te iceauth.fc iceauth_macros ice_macros.te (?) | |
| imazesrv | imazesrv.te imazesrv.fc | |
| irc + | irc.te irc.fc irc_macros.te | |
| ircd | ircd.te ircd.fc | |
| irqbalance + | irqbalance.te irqbalance.fc | |
| jabber | jabberd.te jabberd.fc | |
| java + | java.te java.fc java_macros.te | |
| kudzu *+ | kudzu.te kudzu.fc | Tresys |
| lcd | lcd.te lcd.fc | |
| lockdev + | lockdev.te lockdev.fc lockdev_macros.te | |
| lrr | lrrd.te lrrd.fc | |
| mailman *+ | mailman.te mailman.fc | Tresys |
| monop | monopd.te monopd.fc | |
| mplayer + | mplayer.te mplayer.fc mplayer_macros.te | |
| mrtg + | mrtg.te mrtg.fc | |
| nagios | nagios.te nagios.fc nrpe.te nrpe.fc | |
| nessus | nessusd.te nessusd.fc | |
| networkmanager *+ | NetworkManager.te NetworkManager.fc | |
| nsd | nsd.te nsd.fc | |
| nx | nx_server.te nx_server.fc | |
| oav-update | oav-update.te oav-update.fc | |
| openca | openca-ca.te openca-ca.fc | |
| openct + | openct.te openct.fc | |
| orbit + | orbit.te orbit.fc orbit_macros.te | |
| perdition | perdition.te perdition.fc | |
| portslave | portslave.te portslave.fc | |
| postfix + | postfix.te postfix.fc | |
| ppp *+ | pppd.te pppd.fc | Tresys |
| prelink + | prelink.te prelink.fc | |
| print *+ | cups.te cups.fc lpd.te lpd.fc lpr_macros.te | Tresys |
| procmail + | procmail.te procmail.fc | |
| publicfile | publicfile.te publicfile.fc | |
| pxe | pxe.te pxe.fc | |
| pyzor | pyzor.te pyzor.fc pyzor_macros.te | |
| radius *+ | radius.te radius.fc | Tresys |
| radvd *+ | radvd.te radvd.fc | Tresys |
| razor | razor.te razor.fc razor_macros.te | |
| rdisc | rdisc.te rdisc.fc | |
| resmgr | resmgrd.te resmgrd.fc | |
| rhgb + | rhgb.te rhgb.fc rhgb_macros.te | |
| rpc *+ | rpcd.te rpcd.fc | |
| rssh | rssh.te rssh.fc rssh_macros.te | |
| sasl *+ | saslauthd.te saslauthd.fc | Tresys |
| scannerdaemon | scannerdaemon.te scannerdaemon.fc | |
| screen + | screen.te screen.fc screen_macros.te | |
| slocate + | slocate.te slocate.fc slocate_macros.te | |
| slrnpull + | slrnpull.te slrnpull.fc | |
| snort | snort.te snort.fc | |
| sound + | alsa.te alsa.fc sound.te sound.fc sound-server.te sound-server.fc | |
| spamassassin + | spamassassin.te spamc.te spamd.te spamassassin.fc spamc.fc spamd.fc spamassassin_macros.te | |
| speedtouch | speedmgmt.te speedmgmt.fc | |
| sxid | sxid.te sxid.fc | |
| sysstat + | sysstat.te sysstat.fc | |
| thunderbird + | thunderbird.te thunderbird.fc thunderbird_macros.te mail_client_macros.te | |
| timidity + | timidity.te timidity.fc | |
| tinydns | tinydns.te tinydns.fc | |
| transproxy | transproxy.te transproxy.fc | |
| tripwire | tripwire.te tripwire.fc | |
| tvtime + | tvtime.te tvtime.fc tvtime_macros.te | |
| ucspi-tcp | ucspi-tcp.te ucspi-tcp.fc | |
| uml + | uml.te uml.fc uml_macros.te uml_net.te uml_net.fc | |
| uptimed | uptimed.te uptimed.fc | |
| userhelper + | userhelper.te userhelper.fc userhelper_macros.te | |
| usernetctl + | usernetctl.te usernetctl.fc | |
| uwimap | uwimapd.te uwimapd.fc | |
| vmware + | vmware.te vmware.fc vmware_macros.te | |
| watchdog | watchdog.te watchdog.fc | |
| webalizer *+ | webalizer.te webalizer.fc | Tresys |
| xdm *+ | xdm.te xdm.fc xdm_macros.te | |
| xfs + | xfs.te xfs.fc | |
| xprint | xprint.te xprint.fc | |
| xserver + | xserver.te xserver.fc xserver_macros.te xauth.te xauth.fc xauth_macros.te | |
| yam | yam.te yam.fc | |

(*) Modules in the Fedora targeted policy
(+) Modules in the Fedora strict policy