diff --git a/.cvsignore b/.cvsignore
index 0402e86..1d0b915 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -28,3 +28,4 @@ serefpolicy-2.1.11.tgz
 serefpolicy-2.1.12.tgz
 serefpolicy-2.1.13.tgz
 serefpolicy-2.2.2.tgz
+serefpolicy-2.2.4.tgz
diff --git a/booleans-strict.conf b/booleans-strict.conf
new file mode 100644
index 0000000..f3803e3
--- /dev/null
+++ b/booleans-strict.conf
@@ -0,0 +1,208 @@ +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +allow_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +allow_execstack = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +allow_gssd_read_tmp = false + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +allow_saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow sysadm to ptrace all processes +# +allow_ptrace = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Enable extra rules in the cron domainto support fcron. +# +fcron_crond = false + +# Allow ftp to read and write files in the user home directories +# +ftp_home_dir = false + +# Allow ftpd to run directly without inetd +# +ftpd_is_daemon = true + +# Allow httpd to use built in scripting (usually php) +# +httpd_builtin_scripting = false + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# +httpd_enable_cgi = false + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. 
+# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# +nfs_export_all_rw = false + +# Allow nfs to be exported read only +# +nfs_export_all_ro = false + +# Allow pppd to load kernel modules for certain modems +# +pppd_can_insmod = false + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow ssh to run from inetd instead of as a daemon. +# +run_ssh_inetd = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. +# +squid_connect_any = false + +# Allow ssh logins as sysadm_r:sysadm_t +# +ssh_sysadm_login = false + +# Configure stunnel to be a standalone daemon orinetd service. +# +stunnel_is_daemon = false + +# Support NFS home directories +# +use_nfs_home_dirs = false + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = false + +# Allow gpg executable stack +# +allow_gpg_execstack = false + +# allow host key based authentication +# +allow_ssh_keysign = false + +# Allow users to connect to mysql +# +allow_user_mysql_connect = false + +# Allow system cron jobs to relabel filesystemfor restoring file contexts. +# +cron_can_relabel = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted +# +read_untrusted_content = false + +# Allow user spamassassin clients to use the network. 
+# +spamassassin_can_network = false + +# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc) +# +staff_read_sysadm_file = false + +# Allow regular users direct mouse access +# +user_direct_mouse = false + +# Allow users to read system messages. +# +user_dmesg = false + +# Allow users to control network interfaces(also needs USERCTL=true) +# +user_net_control = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = false + +# Allow users to rw usb devices +# +user_rw_usb = false + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow w to display everyone +# +user_ttyfile_stat = false + +# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. +# +write_untrusted_content = false + diff --git a/modules-strict.conf b/modules-strict.conf new file mode 100644 index 0000000..406fd01 --- /dev/null +++ b/modules-strict.conf 
@@ -0,0 +1,1129 @@ +# +# This file contains a listing of available modules. +# To prevent a module from being used in policy +# creation, set the module name to "off". +# +# For monolithic policies, modules set to "base" and "module" +# will be built into the policy. +# +# For modular policies, modules set to "base" will be +# included in the base module. "module" will be compiled +# as individual loadable modules. +# + +# Layer: kernel +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: kernel +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem, +# and unlabeled processes and objects. +# +kernel = base + +# Layer: kernel +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: kernel +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: kernel +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: kernel +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: admin +# Module: prelink +# +# Prelink ELF shared library mappings. 
+# +prelink = module + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: admin +# Module: kudzu +# +# Hardware detection and configuration tools +# +kudzu = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: admin +# Module: portage +# +# Portage Package Management System. The primary package management and +# distribution system for Gentoo. +# +portage = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = module + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. 
+# +consoletype = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: vbetool +# +# run real-mode video BIOS code to alter hardware state +# +vbetool = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: admin +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: admin +# Module: logwatch +# +# System log analyzer and reporter +# +logwatch = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: apps +# Module: wine +# +# Wine Is Not an Emulator. Run Windows programs in Linux. +# +wine = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. 
+# +loadkeys = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: apps +# Module: java +# +# Java virtual machine +# +java = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: userhelper +# +# SELinux utility to run a shell with a new role +# +userhelper = module + +# Layer: apps +# Module: mono +# +# Run .NET server and client applications on Linux. +# +mono = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = module + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. 
+# +cron = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: services +# Module: samba +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: howl +# +# Port of Apple Rendezvous multicast DNS +# +howl = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: ucspitcp +# +# ucspitcp policy +# +ucspitcp = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. 
+# +dbskk = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: xfs +# +# X Windows Font Server +# +xfs = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: services +# Module: xdm +# +# X windows login display manager +# +xdm = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: ppp +# +# 
Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: services +# Module: hal +# +# Hardware abstraction layer +# +hal = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: services +# Module: xserver +# +# X Windows Server +# +xserver = module + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: djbdns +# +# small and secure DNS daemon +# +djbdns = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. 
+# +automount = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. 
+# +hostname = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. +# +hotplug = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: system +# Module: unconfined +# +# The unconfined domain. 
+#
+unconfined = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 7edc971..f582754 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -188,7 +188,7 @@ logrotate = base
 #
 # ddcprobe retrieves monitor and graphics card information
 #
-ddcprobe = module
+ddcprobe = off
 
 # Layer: admin
 # Module: quota
@@ -216,7 +216,7 @@ sudo = off
 #
 # run real-mode video BIOS code to alter hardware state
 #
-vbetool = module
+vbetool = off
 
 # Layer: admin
 # Module: firstboot
@@ -329,7 +329,7 @@ canna = base
 #
 # IIIMF htt server
 #
-i18n_input = module
+i18n_input = off
 
 # Layer: services
 # Module: uucp
@@ -394,7 +394,7 @@ howl = base
 #
 # MIDI to WAV converter and player configured as a service
 #
-timidity = module
+timidity = off
 
 # Layer: services
 # Module: postgresql
@@ -408,7 +408,7 @@ postgresql = base
 #
 # Service for handling smart card readers.
 #
-openct = module
+openct = off
 
 # Layer: services
 # Module: snmp
@@ -605,7 +605,7 @@ ppp = base
 #
 # Smart disk monitoring daemon policy
 #
-smartmon = module
+smartmon = off
 
 # Layer: services
 # Module: ftp
@@ -689,7 +689,7 @@ apache = base
 #
 # Service for downloading news feeds the slrn newsreader.
 #
-slrnpull = module
+slrnpull = off
 
 # Layer: services
 # Module: rsync
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 892cbf6..0b7de6c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,12 +1,11 @@
 %define distro redhat
-%define direct_initrc y
 %define monolithic n
 %define POLICYVER 20
 %define POLICYCOREUTILSVER 1.29.5-1
 %define CHECKPOLICYVER 1.28-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.2
+Version: 2.2.4
 Release: 1
 License: GPL
 Group: System Environment/Base
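Review bot: `unconfined = module` at the end of this listing builds the unconfined domain as a loadable module for the strict variant, and with the spec's new `*.pp` glob it will be packaged with the strict policy whenever it is built. If the strict flavour is meant to have no unconfined domain at all, the entry should be `unconfined = off`; if an optional unconfined.pp that is not loaded by default is the intent, a comment on the entry stating that would keep the next maintainer from switching it off. The rest of the listing looks like a copy of the generated upstream modules.conf, which makes any deliberate deviation like this one worth marking.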
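Review bot: ddcprobe, vbetool, i18n_input, timidity, openct, smartmon and slrnpull are switched from `module` to `off` in the seven modules-targeted.conf hunks, but the 2.2.4-1 changelog entry added in this same commit only says `- Update to upstream`, so the removal of these loadable modules from the targeted package is not recorded anywhere a package user would see it. A line such as `- Turn off ddcprobe, vbetool, i18n_input, timidity, openct, smartmon and slrnpull in targeted` in that entry would fix it; if they are disabled because they currently fail to build rather than by choice, saying so avoids them being re-enabled by mistake.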
@@ -20,6 +19,10 @@ Source5: modules-mls.conf Source6: booleans-mls.conf Source7: seusers-mls Source8: setrans-mls.conf +Source9: modules-strict.conf +Source10: booleans-strict.conf +Source11: seusers-strict +Source12: setrans-strict.conf Url: http://serefpolicy.sourceforge.net BuildRoot: %{_tmppath}/serefpolicy-buildroot @@ -61,10 +64,6 @@ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} enableaudit \ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} base.pp \ install -m0644 base.pp ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1/enableaudit.pp \ -for file in $(ls ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1 | grep -v -e base.pp -e enableaudit.pp ) \ -do \ - rm ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1/$file; \ -done; \ rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/booleans \ touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/config \ touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/seusers \ @@ -80,8 +79,7 @@ install -m0644 ${RPM_SOURCE_DIR}/setrans-%1.conf ${RPM_BUILD_ROOT}%{_sysconfdir} %defattr(-,root,root) \ %dir %{_usr}/share/selinux \ %dir %{_usr}/share/selinux/%1 \ -%{_usr}/share/selinux/%1/base.pp \ -%{_usr}/share/selinux/%1/enableaudit.pp \ +%{_usr}/share/selinux/%1/*.pp \ %dir %{_sysconfdir}/selinux \ %ghost %config(noreplace) %{_sysconfdir}/selinux/config \ %dir %{_sysconfdir}/selinux/%1 \ 
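Review bot: The new `%{_usr}/share/selinux/%1/*.pp` glob in the %fileList hunk, together with the deleted `for file in ...` cleanup loop in the %installCmds hunk, turns the package manifest from an explicit list into whatever `.pp` files the build happens to leave under that directory, so a module that was meant to stay unpackaged now ships silently instead of failing the build. If packaging every built module is the intent, which the strict and mls variants added in this commit suggest, a one-line comment above the glob saying so, e.g. `# ship every loadable module the build produces; the set is chosen in modules-%1.conf`, would make that policy explicit. Both macro bodies start and end outside these hunks.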
@@ -146,19 +144,25 @@ make conf mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8/ install -m 644 man/man8/*.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/ -%installCmds targeted targeted-mcs %{direct_initrc} -# Build mls policy + +# Build targeted policy +# Commented out because only targeted ref policy currently builds make clean make conf -%installCmds mls strict-mls n - +%installCmds targeted targeted-mcs y # Build strict policy # Commented out because only targeted ref policy currently builds -# make clean -# make conf -#%#installCmds strict strict-mcs %{direct_initrc} +make clean +make conf +%installCmds strict strict-mcs y + +# Build mls policy +make clean +make conf +%installCmds mls strict-mls n + %clean %{__rm} -fR $RPM_BUILD_ROOT @@ -233,7 +237,6 @@ SELinux Reference policy mls base module. %files mls %fileList mls -%if 0 %package strict Summary: SELinux strict base policy Group: System Environment/Base @@ -259,9 +262,14 @@ SELinux Reference policy strict base module. %files strict %fileList strict -%endif - %changelog +* Mon Jan 23 2006 Dan Walsh 2.2.4-1 +- Update to upstream + +* Wed Jan 18 2006 Dan Walsh 2.2.3-1 +- Update to upstream +- Fixes for booting and logging in on MLS machine + * Wed Jan 18 2006 Dan Walsh 2.2.2-1 - Update to upstream - Turn off execheap execstack for unconfined users diff --git a/setrans-strict.conf b/setrans-strict.conf new file mode 100644 index 0000000..0d8aaeb --- /dev/null +++ b/setrans-strict.conf 
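Review bot: The line `# Commented out because only targeted ref policy currently builds` is newly placed under the added `# Build targeted policy` heading, and the existing copy above `# Build strict policy` stays in place while this same hunk uncomments the three strict build lines beneath it, so both comments now contradict the code. Suggest deleting both and stating what is true after this change, e.g. `# Build the targeted, strict and mls variants; the third %installCmds argument is DIRECT_INITRC`. The %install section this sits in begins before the hunk.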
@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-256 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c255. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c255=SystemLow-SystemHigh
+s0:c0.c255=SystemHigh
diff --git a/seusers-strict b/seusers-strict
new file mode 100644
index 0000000..c400c79
--- /dev/null
+++ b/seusers-strict
@@ -0,0 +1,2 @@
+root:root:s0-s0:c0.c255
+__default__:user_u:s0
diff --git a/sources b/sources
index 99dd6d6..6c64122 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-03fb99f3d053bbf734843c84ba8e3d9b serefpolicy-2.2.2.tgz
+f6f9da12a1dd7974c320e8cd31646470 serefpolicy-2.2.4.tgz
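Review bot: The comment `# Objects can be categorized with 0-256 categories defined by the admin.` in the new setrans-strict.conf is off by one against the next two lines, which say the categories are stored as c0-c255, i.e. 256 categories numbered 0 to 255. Suggest `# Objects can be categorized with up to 256 categories (c0-c255) defined by the admin.`; the same block also spells `libary` for `library`.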