packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Package init

Browse Source
This commit is contained in:
overweight 2019-09-30 11:16:49 -04:00
commit fcfd975340
34 changed files with 6645 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Fix-bug-in-userdom_restricted_xwindows_user_template.patch Normal file
View File

@ -0,0 +1,28 @@
From 0269451c9568aa7939b0fef6708d867fcd2ffd47 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Thu, 21 Feb 2019 16:12:18 +0100
Subject: [PATCH 083/109] Fix bug in
userdom_restricted_xwindows_user_template() template to disallow all user
domains to access admin_home_t
Fixes: #221
---
policy/modules/system/userdomain.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 90a8a7533..4988fdd41 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1345,7 +1345,7 @@ template(`userdom_restricted_xwindows_user_template',`
optional_policy(`
pulseaudio_role($1_r, $1_usertype)
- pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
')
optional_policy(`
--
2.19.1

28
Fix-userdom_admin_user_template-interface-by-adding-.patch Normal file
View File

@ -0,0 +1,28 @@
From a207f43eacab87fc54a175b8dd2db68ca231e965 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Thu, 24 Jan 2019 16:46:39 +0100
Subject: [PATCH 064/109] Fix userdom_admin_user_template() interface by adding
bluetooth,alg,dccp create_stream_socket permissions.
---
policy/modules/system/userdomain.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5059b4a21..8b9abecbd 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1582,8 +1582,8 @@ template(`userdom_admin_user_template',`
allow $1_t self:passwd crontab;
allow $1_t self:bluetooth_socket create_stream_socket_perms;
- allow $1_t self:alg_socket create_socket_perms;
- allow $1_t self:dccp_socket create_socket_perms;
+ allow $1_t self:alg_socket create_stream_socket_perms;
+ allow $1_t self:dccp_socket create_stream_socket_perms;
allow $1_t self:cap_userns sys_ptrace;
--
2.19.1

26
Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch Normal file
View File

@ -0,0 +1,26 @@
From debf07213f1c423a3a6504dd027792b14426f07e Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Wed, 17 Oct 2018 13:24:41 +0200
Subject: [PATCH 003/109] Fix userdom_write_user_tmp_dirs() to allow caller
domain also read/write user_tmp_t dirs
---
policy/modules/system/userdomain.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 44acc0cbc..5059b4a21 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -5332,6 +5332,8 @@ interface(`userdom_write_user_tmp_dirs',`
type user_tmp_t;
')
+ list_dirs_pattern($1, user_tmp_t, user_tmp_t)
+ rw_dirs_pattern($1, user_tmp_t, user_tmp_t)
write_files_pattern($1, user_tmp_t, user_tmp_t)
')
--
2.19.1

33
Fixing-range-for-ephemeral-ports-BZ-1518807.patch Normal file
View File

@ -0,0 +1,33 @@
From f135894a52444d4912050f7b4d449f495241e791 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Wed, 12 Dec 2018 15:55:16 +0100
Subject: [PATCH 043/109] Fixing range for ephemeral ports BZ(1518807)
Range of ephemeral ports is 32768-60999 based on:
# sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 60999
---
policy/modules/kernel/corenetwork.te.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index ff8ce41e8..b9b1f21e9 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -398,10 +398,10 @@ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon tcp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon udp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
########################################
--
2.19.1

22
Makefile.devel Normal file
View File

@ -0,0 +1,22 @@
# installation paths
SHAREDIR := /usr/share/selinux
AWK ?= gawk
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
ifeq ($(MLSENABLED),)
MLSENABLED := 1
endif
ifeq ($(MLSENABLED),1)
NTYPE = mcs
endif
ifeq ($(NAME),mls)
NTYPE = mls
endif
TYPE ?= $(NTYPE)
HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile

15
add_syslogd_t_domtrans_logrotate.patch Normal file
View File

@ -0,0 +1,15 @@
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 37a1c06..c524b01 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -696,6 +696,10 @@ optional_policy(`
')
optional_policy(`
+ logrotate_domtrans(syslogd_t)
+')
+
+optional_policy(`
udev_read_db(syslogd_t)
')

52
add_userman_access_run_dir.patch Normal file
View File

@ -0,0 +1,52 @@
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index e069cb5..43fed66 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -250,6 +250,11 @@ files_relabel_etc_files(groupadd_t)
files_read_etc_files(groupadd_t)
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
+files_search_pids(groupadd_t)
+files_create_var_run_dirs(groupadd_t)
+files_delete_all_pids(groupadd_t)
+allow groupadd_t var_run_t:file *;
+allow groupadd_t var_run_t:dir *;
# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
corecmd_exec_bin(groupadd_t)
@@ -366,6 +371,11 @@ files_read_usr_files(passwd_t)
files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
files_relabel_etc_files(passwd_t)
+files_search_pids(passwd_t)
+files_create_var_run_dirs(passwd_t)
+files_delete_all_pids(passwd_t)
+allow passwd_t var_run_t:file *;
+allow passwd_t var_run_t:dir *;
term_search_ptys(passwd_t)
@@ -486,6 +496,12 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
# on user home dir
userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+files_search_pids(sysadm_passwd_t)
+files_create_var_run_dirs(sysadm_passwd_t)
+files_delete_all_pids(sysadm_passwd_t)
+allow sysadm_passwd_t var_run_t:file *;
+allow sysadm_passwd_t var_run_t:dir *;
+
optional_policy(`
nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
')
@@ -536,6 +552,10 @@ files_read_etc_runtime_files(useradd_t)
files_manage_etc_files(useradd_t)
files_create_var_lib_dirs(useradd_t)
files_rw_var_lib_dirs(useradd_t)
+files_search_pids(useradd_t)
+files_create_var_run_dirs(useradd_t)
+files_delete_all_pids(useradd_t)
+allow useradd_t var_run_t:file *;
fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)

248
booleans-minimum.conf Normal file
View File

@ -0,0 +1,248 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
allow_execstack = true
# Allow ftpd to read cifs directories.
#
allow_ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
allow_ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
allow_httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
allow_zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
allow_ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
#
read_untrusted_content = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow regular users direct mouse access
#
user_direct_mouse = false
# Allow users to read system messages.
#
user_dmesg = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow w to display everyone
#
user_ttyfile_stat = false
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
#
write_untrusted_content = false
# Allow all domains to talk to ttys
#
allow_daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
allow_polyinstantiation = false
# Allow all domains to dump core
#
allow_daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
allow_xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
allow_guest_exec_content = false
allow_xguest_exec_content = false
# Only allow browser to use the web
#
browser_confine_xguest=false
# Allow postfix locat to write to mail spool
#
allow_postfix_local_write_mail_spool=false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile=true
# Allow qemu to connect fully to the network
#
qemu_full_network=true
# Allow nsplugin execmem/execstack for bad plugins
#
allow_nsplugin_execmem=true
# Allow unconfined domain to transition to confined domain
#
allow_unconfined_nsplugin_transition=true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
allow_mount_anyfile = true

6
booleans-mls.conf Normal file
View File

@ -0,0 +1,6 @@
kerberos_enabled = true
mount_anyfile = true
polyinstantiation_enabled = true
ftpd_is_daemon = true
selinuxuser_ping = true
xserver_object_manager = true

24
booleans-targeted.conf Normal file
View File

@ -0,0 +1,24 @@
gssd_read_tmp = true
httpd_builtin_scripting = true
httpd_enable_cgi = true
kerberos_enabled = true
mount_anyfile = true
nfs_export_all_ro = true
nfs_export_all_rw = true
nscd_use_shm = true
openvpn_enable_homedirs = true
postfix_local_write_mail_spool=true
pppd_can_insmod = false
privoxy_connect_any = true
selinuxuser_direct_dri_enabled = true
selinuxuser_execmem = true
selinuxuser_execmod = true
selinuxuser_execstack = true
selinuxuser_rw_noexattrfile=true
selinuxuser_ping = true
squid_connect_any = true
telepathy_tcp_connect_generic_network_ports=true
unconfined_chrome_sandbox_transition=true
unconfined_mozilla_plugin_transition=true
xguest_exec_content = true
mozilla_plugin_can_network_connect = true

54
booleans.subs_dist Normal file
View File

@ -0,0 +1,54 @@
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
allow_daemons_use_tty daemons_use_tty
allow_domain_fd_use domain_fd_use
allow_execheap selinuxuser_execheap
allow_execmod selinuxuser_execmod
allow_execstack selinuxuser_execstack
allow_ftpd_anon_write ftpd_anon_write
allow_ftpd_full_access ftpd_full_access
allow_ftpd_use_cifs ftpd_use_cifs
allow_ftpd_use_nfs ftpd_use_nfs
allow_gssd_read_tmp gssd_read_tmp
allow_guest_exec_content guest_exec_content
allow_httpd_anon_write httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam httpd_mod_auth_pam
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
allow_kerberos kerberos_enabled
allow_mplayer_execstack mplayer_execstack
allow_mount_anyfile mount_anyfile
allow_nfsd_anon_write nfsd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
allow_rsync_anon_write rsync_anon_write
allow_saslauthd_read_shadow saslauthd_read_shadow
allow_secadm_exec_content secadm_exec_content
allow_smbd_anon_write smbd_anon_write
allow_ssh_keysign ssh_keysign
allow_staff_exec_content staff_exec_content
allow_sysadm_exec_content sysadm_exec_content
allow_user_exec_content user_exec_content
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
allow_write_xshm xserver_clients_write_xshm
allow_xguest_exec_content xguest_exec_content
allow_xserver_execmem xserver_execmem
allow_ypbind nis_enabled
allow_zebra_write_config zebra_write_config
user_direct_dri selinuxuser_direct_dri_enabled
user_ping selinuxuser_ping
user_share_music selinuxuser_share_music
user_tcp_server selinuxuser_tcp_server
sepgsql_enable_pitr_implementation postgresql_can_rsync
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
clamd_use_jit antivirus_use_jit
amavis_use_jit antivirus_use_jit
logwatch_can_sendmail logwatch_can_network_connect_mail
puppet_manage_all_files puppetagent_manage_all_files
virt_sandbox_use_nfs virt_use_nfs

15
bugfix-add_syslogd_t_domtrans_logrotate.patch Normal file
View File

@ -0,0 +1,15 @@
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index c524b01..93c5b94 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -700,6 +700,10 @@ optional_policy(`
')
optional_policy(`
+ logrotate_domtrans(syslogd_t)
+')
+
+optional_policy(`
udev_read_db(syslogd_t)
')

BIN
container-selinux.tgz Normal file
View File

Binary file not shown.

14
customizable_types Normal file
View File

@ -0,0 +1,14 @@
container_file_t
sandbox_file_t
svirt_image_t
svirt_home_t
svirt_sandbox_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_rw_content_t
httpd_user_ra_content_t
httpd_user_content_t
git_session_content_t
home_bin_t
user_tty_device_t

20
file_contexts.subs_dist Normal file
View File

@ -0,0 +1,20 @@
/run /var/run
/run/lock /var/lock
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/run/systemd/generator.late /usr/lib/systemd/system
/lib /usr/lib
/lib64 /usr/lib
/usr/lib64 /usr/lib
/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/etc/systemd/system /usr/lib/systemd/system
/var/lib/xguest/home /home
/var/named/chroot/usr/lib64 /usr/lib
/var/named/chroot/lib64 /usr/lib
/var/home /home
/home-inst /home
/home/home-inst /home
/var/roothome /root
/sbin /usr/sbin
/sysroot/tmp /tmp

380
modules-mls-base.conf Normal file
View File

@ -0,0 +1,380 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module

1574
modules-mls-contrib.conf Normal file
View File

File diff suppressed because it is too large Load Diff

400
modules-targeted-base.conf Normal file
View File

@ -0,0 +1,400 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
#
unconfineduser = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: system
# Module: kdbus
#
# Policy for kdbus.
#
kdbus = module

2644
modules-targeted-contrib.conf Normal file
View File

File diff suppressed because it is too large Load Diff

16
permissivedomains.cil Normal file
View File

@ -0,0 +1,16 @@
(roleattributeset cil_gen_require system_r)
(optional permissivedomains_optional_1
(typeattributeset cil_gen_require tangd_t)
(typepermissive tangd_t)
)
(optional permissivedomains_optional_2
(typeattributeset cil_gen_require opafm_t)
(typepermissive opafm_t)
)
(optional permissivedomains_optional_3
(typeattributeset cil_gen_require boltd_t)
(typepermissive boltd_t)
)

169
rpm.macros Normal file
View File

@ -0,0 +1,169 @@
# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
#
# Author: Petr Lautrbach <plautrba@redhat.com>
# Author: Lukáš Vrabec <lvrabec@redhat.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# RPM macros for packages installing SELinux modules
%_selinux_policy_version SELINUXPOLICYVERSION
%_selinux_store_path SELINUXSTOREPATH
%_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
%_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
# %selinux_requires
%selinux_requires \
Requires: selinux-policy >= %{_selinux_policy_version} \
BuildRequires: git \
BuildRequires: pkgconfig(systemd) \
BuildRequires: selinux-policy \
BuildRequires: selinux-policy-devel \
Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
Requires(post): libselinux-utils \
Requires(post): policycoreutils \
%if 0%{?fedora} || 0%{?rhel} > 7\
Requires(post): policycoreutils-python-utils \
%else \
Requires(post): policycoreutils-python \
%endif \
%{nil}
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_install("s:p:") \
. /etc/selinux/config \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
fi \
%{nil}
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_uninstall("s:p:") \
. /etc/selinux/config \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ $1 -eq 0 ]; then \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
%{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy \
fi \
fi \
%{nil}
# %selinux_relabel_pre [-s <policytype>]
%selinux_relabel_pre("s:") \
. /etc/selinux/config \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
fi \
%{nil}
# %selinux_relabel_post [-s <policytype>]
%selinux_relabel_post("s:") \
. /etc/selinux/config \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
if [ -f %{_file_context_file_pre} ]; then \
%{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
rm -f %{_file_context_file_pre} \
fi \
fi \
%{nil}
# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
%selinux_set_booleans("s:") \
. /etc/selinux/config \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ -d "%{_selinux_store_policy_path}" ]; then \
LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
if [ ! -f %_file_custom_defined_booleans ]; then \
/bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
fi \
semanage_import='' \
for boolean in %*; do \
boolean_name=${boolean%=*} \
boolean_value=${boolean#*=} \
boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
if [ -n "$boolean_local_string" ]; then \
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
if [ -n "$boolean_customized_string" ]; then \
/bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
else \
/bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
fi \
else \
semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
/bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
fi \
done; \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
fi \
fi \
%{nil}
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
%selinux_unset_booleans("s:") \
. /etc/selinux/config \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
_policytype="targeted" \
fi \
if [ -d "%{_selinux_store_policy_path}" ]; then \
semanage_import='' \
for boolean in %*; do \
boolean_name=${boolean%=*} \
boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
if [ -n "$boolean_customized_string" ]; then \
awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
semanage_import="${semanage_import}\\n${boolean_customized_string}" \
fi \
fi \
done; \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
/bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
fi \
fi \
%{nil}

4
securetty_types-minimum Normal file
View File

@ -0,0 +1,4 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

6
securetty_types-mls Normal file
View File

@ -0,0 +1,6 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t

4
securetty_types-targeted Normal file
View File

@ -0,0 +1,4 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

BIN
selinux-policy-38fa84d.tar.gz Normal file
View File

Binary file not shown.

BIN
selinux-policy-contrib-f9b7466.tar.gz Normal file
View File

Binary file not shown.

4
selinux-policy.conf Normal file
View File

@ -0,0 +1,4 @@
z /sys/devices/system/cpu/online - - -
Z /sys/class/net - - -
z /sys/kernel/uevent_helper - - -
w /sys/fs/selinux/checkreqprot - - - - 0

655
selinux-policy.spec Normal file
View File

@ -0,0 +1,655 @@
%define distro redhat
%define polyinstatiate n
%define monolithic n
%define BUILD_DOC 1
%define BUILD_TARGETED 1
%define BUILD_MINIMUM 1
%define BUILD_MLS 1
%define POLICYVER 31
%define POLICYCOREUTILSVER 2.8
%define CHECKPOLICYVER 2.8
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.14.2
Release: 41
License: GPLv2+
Source0: selinux-policy-38fa84d.tar.gz
Source1: modules-targeted-base.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
Source4: setrans-targeted.conf
Source5: modules-mls-base.conf
Source6: booleans-mls.conf
Source8: setrans-mls.conf
Source14: securetty_types-targeted
Source15: securetty_types-mls
Source17: booleans-minimum.conf
Source18: setrans-minimum.conf
Source19: securetty_types-minimum
Source20: customizable_types
Source22: users-mls
Source23: users-targeted
Source25: users-minimum
Source26: file_contexts.subs_dist
Source27: selinux-policy.conf
Source28: permissivedomains.cil
Source29: selinux-policy-contrib-f9b7466.tar.gz
Source30: booleans.subs_dist
Source31: modules-targeted-contrib.conf
Source32: modules-mls-contrib.conf
Source35: container-selinux.tgz
Source102: rpm.macros
Patch9000: add_userman_access_run_dir.patch
Patch9001: add_syslogd_t_domtrans_logrotate.patch
Patch9002: bugfix-add_syslogd_t_domtrans_logrotate.patch
Patch9003: Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch
Patch9004: Fixing-range-for-ephemeral-ports-BZ-1518807.patch
Patch9005: Fix-userdom_admin_user_template-interface-by-adding-.patch
Patch9006: Fix-bug-in-userdom_restricted_xwindows_user_template.patch
BuildArch: noarch
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(post): /bin/awk /usr/bin/sha512sum
Requires: rpm-plugin-selinux
%description
SELinux Base package for SELinux Reference Policy - modular.
%define makeCmds() \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
%define makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
if [ %3 == "contrib" ];then \
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \
%define installCmds() \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 base.pp \
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%nil
%define fileList() \
%defattr(-,root,root) \
%{_datadir}/selinux/%1 \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/logins \
%dir %{_sharedstatedir}/selinux/%1/active \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
%{_sharedstatedir}/selinux/%1/active/commit_num \
%{_sharedstatedir}/selinux/%1/active/users_extra \
%{_sharedstatedir}/selinux/%1/active/homedir_template \
%{_sharedstatedir}/selinux/%1/active/seusers \
%{_sharedstatedir}/selinux/%1/active/file_contexts \
%{_sharedstatedir}/selinux/%1/active/policy.kern \
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
%nil
%define relabel() \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
/usr/sbin/selinuxenabled; \
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
continue; \
fi; \
%define preInstall() \
if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/ganesha ]; then \
%{_sbindir}/semodule -n -d ganesha; \
fi; \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi; \
touch /etc/selinux/%1/.rebuild; \
if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
POLICY_FILE=`ls /etc/selinux/%1/policy/policy.* | sort | head -1` \
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
if [ "$sha512" == "$checksha512" ] ; then \
rm /etc/selinux/%1/.rebuild; \
fi; \
fi; \
fi;
%define postInstall() \
. %{_sysconfdir}/selinux/config; \
if [ -e /etc/selinux/%2/.rebuild ]; then \
rm /etc/selinux/%2/.rebuild; \
/usr/sbin/semodule -B -n -s %2; \
fi; \
[ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \
if [ %1 -eq 1 ]; then \
/sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
else \
%relabel %2 \
fi;
%define modulesList() \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
fi;
%define nonBaseModulesList() \
contrib_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` \
base_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst` \
for i in $contrib_modules $base_modules; do \
if [ $i != "sandbox" ];then \
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \
fi; \
done;
%define installFactoryResetFiles() \
mkdir -p %{buildroot}%{_datadir}/selinux/%1/default \
cp -R --preserve=mode,ownership,timestamps,links %{buildroot}%{_sharedstatedir}/selinux/%1/active %{buildroot}%{_datadir}/selinux/%1/default/ \
find %{buildroot}%{_datadir}/selinux/%1/default/ -name hll | xargs rm \
find %{buildroot}%{_datadir}/selinux/%1/default/ -name lang_ext | xargs sed -i 's/pp/cil/' \
mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
%prep
%setup -n %{name}-contrib-f9b7466780b5250bf94b5d40764277bc9c5b5f62 -q -b 29
tar -xf %{SOURCE35}
contrib_path=`pwd`
%autosetup -n %{name}-38fa84dc715893cab1cc76aa9c43ba325b153e10 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
mkdir selinux_config
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32}; do
cp $i selinux_config
done
%install
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_usr}/share/selinux/packages
make clean
%if %{BUILD_TARGETED}
cp %{SOURCE28} %{buildroot}/
%makeCmds targeted mcs n allow
%makeModulesConf targeted base contrib
%installCmds targeted mcs n allow
semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil
rm -rf %{buildroot}/permissivedomains.cil
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp
mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp
%modulesList targeted
%nonBaseModulesList targeted
%installFactoryResetFiles targeted
%endif
%if %{BUILD_MINIMUM}
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
%makeCmds minimum mcs n allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs n allow
rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
%modulesList minimum
%nonBaseModulesList minimum
%installFactoryResetFiles minimum
%endif
%if %{BUILD_MLS}
%makeCmds mls mls n deny
%makeModulesConf mls base contrib
%installCmds mls mls n deny
%modulesList mls
%nonBaseModulesList mls
%installFactoryResetFiles mls
%endif
mkdir -p %{buildroot}%{_mandir}
cp -R man/* %{buildroot}%{_mandir}
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-headers
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_usr}/share/selinux/devel/html
mv %{buildroot}%{_usr}/share/man/man8/*.html %{buildroot}%{_usr}/share/selinux/devel/html
mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
rm -rf selinux_config
%post
if [ ! -s /etc/selinux/config ]; then
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
" > /etc/selinux/config
ln -sf ../selinux/config /etc/sysconfig/selinux
restorecon /etc/selinux/config 2> /dev/null || :
else
. /etc/selinux/config
fi
exit 0
%postun
if [ $1 = 0 ]; then
setenforce 0 2> /dev/null
if [ ! -s /etc/selinux/config ]; then
echo "SELINUX=disabled" > /etc/selinux/config
else
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
fi
fi
exit 0
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%dir %{_usr}/share/selinux
%dir %{_usr}/share/selinux/packages
%dir %{_sysconfdir}/selinux
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%ghost %{_sysconfdir}/sysconfig/selinux
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
%{_rpmconfigdir}/macros.d/macros.selinux-policy
%package sandbox
Summary: SELinux policy sandbox
Requires(pre): selinux-policy-base = %{version}-%{release} selinux-policy-targeted = %{version}-%{release}
%description sandbox
SELinux sandbox policy used for the policycoreutils-sandbox package
%post sandbox
rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
semodule -n -X 100 -i /usr/share/selinux/packages/sandbox.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
fi;
exit 0
%preun sandbox
if [ $1 -eq 0 ] ; then
semodule -n -d sandbox 2>/dev/null
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
fi;
fi;
exit 0
%files sandbox
%verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp
%package devel
Summary: SELinux policy devel
Requires: selinux-policy = %{version}-%{release} m4 checkpolicy >= %{CHECKPOLICYVER} /usr/bin/make
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
%description devel
SELinux policy development and man page package
%post devel
selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
exit 0
%files devel
%dir %{_usr}/share/selinux/devel
%dir %{_usr}/share/selinux/devel/include
%{_usr}/share/selinux/devel/include/*
%dir %{_usr}/share/selinux/devel/html
%{_usr}/share/selinux/devel/html/*html
%{_usr}/share/selinux/devel/html/*css
%{_usr}/share/selinux/devel/Makefile
%{_usr}/share/selinux/devel/example.*
%{_usr}/share/selinux/devel/policy.*
%ghost %{_sharedstatedir}/sepolgen/interface_info
%package help
Summary: SELinux policy documentation
Requires: selinux-policy = %{version}-%{release}
Provides: selinux-policy-doc
Obsoletes: selinux-policy-doc
%description help
SELinux policy documentation package
%files help
%{_mandir}/man*/*
%{_mandir}/ru/*/*
%doc %{_usr}/share/doc/%{name}
%if %{BUILD_TARGETED}
%package targeted
Summary: SELinux targeted base policy
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Provides: selinux-policy-base = %{version}-%{release}
Obsoletes: selinux-policy-targeted-sources < 2
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts: audispd-plugins <= 1.7.7-1
Conflicts: seedit
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
Conflicts: container-selinux < 2:1.12.1-22
%description targeted
SELinux Reference policy targeted base module.
%pre targeted
%preInstall targeted
%post targeted
%postInstall $1 targeted
exit 0
%postun targeted
if [ $1 = 0 ]; then
source /etc/selinux/config
if [ "$SELINUXTYPE" = "targeted" ]; then
setenforce 0 2> /dev/null
if [ ! -s /etc/selinux/config ]; then
echo "SELINUX=disabled" > /etc/selinux/config
else
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
fi
fi
fi
exit 0
%triggerin -- pcre
selinuxenabled && semodule -nB
exit 0
%triggerpostun -- selinux-policy-targeted < 3.12.1-74
rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
exit 0
%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
CR=$'\n'
INPUT=""
for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*disabled`; do
module=`basename $i | sed 's/.pp.disabled//'`
if [ -d /var/lib/selinux/targeted/active/modules/100/$module ]; then
touch /var/lib/selinux/targeted/active/modules/disabled/$p
fi
done
for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*.pp`; do
INPUT="${INPUT}${CR}module -N -a $i"
done
for i in $(find /etc/selinux/targeted/modules/active -name \*.local); do
cp $i /var/lib/selinux/targeted/active
done
echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
fi
exit 0
%files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
%fileList targeted
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
%endif
%if %{BUILD_MINIMUM}
%package minimum
Summary: SELinux minimum base policy
Requires(pre): coreutils selinux-policy = %{version}-%{release}
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
Requires: selinux-policy = %{version}-%{release}
Provides: selinux-policy-base = %{version}-%{release}
Conflicts: seedit
Conflicts: container-selinux <= 1.9.0-9
%description minimum
SELinux Reference policy minimum base module.
%pre minimum
%preInstall minimum
if [ $1 -ne 1 ]; then
/usr/sbin/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > /usr/share/selinux/minimum/instmodules.lst
fi
%post minimum
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
mkdir /var/lib/selinux/minimum/active/modules/disabled
fi
if [ $1 -eq 1 ]; then
for p in $contribpackages; do
touch /var/lib/selinux/minimum/active/modules/disabled/$p
done
for p in $basepackages apache dbus inetd kerberos mta nis; do
rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
done
/usr/sbin/semanage import -S minimum -f - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
else
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
touch /var/lib/selinux/minimum/active/modules/disabled/$p
done
for p in $instpackages apache dbus inetd kerberos mta nis; do
rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
done
/usr/sbin/semodule -B -s minimum
%relabel minimum
fi
exit 0
%postun minimum
if [ $1 = 0 ]; then
source /etc/selinux/config
if [ "$SELINUXTYPE" = "minimum" ]; then
setenforce 0 2> /dev/null
if [ ! -s /etc/selinux/config ]; then
echo "SELINUX=disabled" > /etc/selinux/config
else
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
fi
fi
fi
exit 0
%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
if [ `ls -A /var/lib/selinux/minimum/active/modules/disabled/` ]; then
rm -f /var/lib/selinux/minimum/active/modules/disabled/*
fi
CR=$'\n'
INPUT=""
for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*disabled`; do
module=`basename $i | sed 's/.pp.disabled//'`
if [ -d /var/lib/selinux/minimum/active/modules/100/$module ]; then
touch /var/lib/selinux/minimum/active/modules/disabled/$p
fi
done
for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*.pp`; do
INPUT="${INPUT}${CR}module -N -a $i"
done
echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
fi
exit 0
%files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
%fileList minimum
%endif
%if %{BUILD_MLS}
%package mls
Summary: SELinux mls base policy
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd selinux-policy = %{version}-%{release}
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils
Provides: selinux-policy-base = %{version}-%{release}
Obsoletes: selinux-policy-mls-sources < 2
Conflicts: seedit
Conflicts: container-selinux <= 1.9.0-9
%description mls
SELinux Reference policy mls base module.
%pre mls
%preInstall mls
%post mls
%postInstall $1 mls
exit 0
%postun mls
if [ $1 = 0 ]; then
source /etc/selinux/config
if [ "$SELINUXTYPE" = "mls" ]; then
setenforce 0 2> /dev/null
if [ ! -s /etc/selinux/config ]; then
echo "SELINUX=disabled" > /etc/selinux/config
else
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
fi
fi
fi
exit 0
%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
CR=$'\n'
INPUT=""
for i in `find /etc/selinux/mls/modules/active/modules/ -name \*disabled`; do
module=`basename $i | sed 's/.pp.disabled//'`
if [ -d /var/lib/selinux/mls/active/modules/100/$module ]; then
touch /var/lib/selinux/mls/active/modules/disabled/$p
fi
done
for i in `find /etc/selinux/mls/modules/active/modules/ -name \*.pp`; do
INPUT="${INPUT}${CR}module -N -a $i"
done
echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
fi
exit 0
%files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
%fileList mls
%endif
%changelog
* Thu Sep 12 2019 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-41
- Package init

19
setrans-minimum.conf Normal file
View File

@ -0,0 +1,19 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

52
setrans-mls.conf Normal file
View File

@ -0,0 +1,52 @@
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
#
# Assumptions: using below MLS labels.
# SystemLow
# SystemHigh
# Unclassified
# Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

19
setrans-targeted.conf Normal file
View File

@ -0,0 +1,19 @@
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

38
users-minimum Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

38
users-mls Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

38
users-targeted Normal file
View File

@ -0,0 +1,38 @@
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)