diff --git a/booleans-minimum.conf b/booleans-minimum.conf new file mode 100644 index 0000000..8c33d07 --- /dev/null +++ b/booleans-minimum.conf 
@@ -0,0 +1,252 @@ +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +allow_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +allow_execstack = true + +# Allow ftpd to read cifs directories. +# +allow_ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +allow_ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +allow_gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +allow_httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +allow_saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Allow zebra to write it own configuration files +# +allow_zebra_write_config = true + +# Enable extra rules in the cron domainto support fcron. 
+# +fcron_crond = false + +# Allow ftp to read and write files in the user home directories +# +ftp_home_dir = false + +# +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false + +# +# allow httpd to network relay +httpd_can_network_relay = false + +# Allow httpd to use built in scripting (usually php) +# +httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# +httpd_enable_cgi = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = true + +# Run SSI execs in system CGI script domain. +# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = true + +# Run CGI in the main httpd domain +# +httpd_unified = true + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# +nfs_export_all_rw = true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# +pppd_can_insmod = false + +# Allow reading of default_t files. +# +read_default_t = true + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. 
+# +squid_connect_any = false + +# Support NFS home directories +# +use_nfs_home_dirs = true + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = true + +# allow host key based authentication +# +allow_ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted +# +read_untrusted_content = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = true + +# Allow regular users direct mouse access +# +user_direct_mouse = false + +# Allow users to read system messages. +# +user_dmesg = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = false + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow w to display everyone +# +user_ttyfile_stat = false + +# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. +# +write_untrusted_content = false + +# Allow all domains to talk to ttys +# +allow_daemons_use_tty = true + +# Allow login domains to polyinstatiate directories +# +allow_polyinstantiation = false + +# Allow all domains to dump core +# +allow_daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. 
+# +samba_run_unconfined = true + +# Allows XServer to execute writable memory +# +allow_xserver_execmem = true + +# disallow guest accounts to execute files that they can create +# +allow_guest_exec_content = false +allow_xguest_exec_content = false + +# Only allow browser to use the web +# +browser_confine_xguest=false + +# Allow postfix locat to write to mail spool +# +allow_postfix_local_write_mail_spool=true + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile=true + +# Allow qemu to connect fully to the network +# +qemu_full_network=true + +# Allow nsplugin execmem/execstack for bad plugins +# +allow_nsplugin_execmem=true + +# Allow unconfined domain to transition to confined domain +# +allow_unconfined_nsplugin_transition=true + +# Allow unconfined domains mmap low kernel memory +# +allow_unconfined_mmap_low = false + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# +allow_mount_anyfile = true diff --git a/modules-minimum.conf b/modules-minimum.conf new file mode 100644 index 0000000..8776a41 --- /dev/null +++ b/modules-minimum.conf 
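Review bot: `user_rw_noexattrfile` is defined twice in this new file with conflicting values — `user_rw_noexattrfile = false` under "Allow user to r/w files on filesystems that do not have extended attributes" and `user_rw_noexattrfile=true` near the end under "Allow common users to read/write noexattrfile systems" — so the effective setting depends on which entry the consumer keeps; it should appear once with the intended value. The comment above `samba_run_unconfined = true` is `# Allow samba to export user home directories.`, which is the description already used for `samba_enable_home_dirs` a few lines earlier and says nothing about running smbd unconfined; it should be replaced with a comment that describes the boolean it sits on. For a policy called "minimum", several defaults are notably permissive (`allow_execstack = true`, `allow_xserver_execmem = true`, `samba_run_unconfined = true`, `allow_nsplugin_execmem=true`, `allow_mount_anyfile = true`); if these are deliberate carry-overs from the targeted booleans, a sentence in a header comment saying so would save the next reviewer from re-deriving it. The last block also switches from `key = value` to `key=value`; one spacing style throughout would make the duplicates easier to spot with a plain grep.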
@@ -0,0 +1,1707 @@ +# +# This file contains a listing of available modules. +# To prevent a module from being used in policy +# creation, set the module name to "off". +# +# For monolithic policies, modules set to "base" and "module" +# will be built into the policy. +# +# For modular policies, modules set to "base" will be +# included in the base module. "module" will be compiled +# as individual loadable modules. +# + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = base + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = base + +# Layer: apps +# Module: ada +# +# ada executable +# +ada = module + +# Layer: modules +# Module: awstats +# +# awstats executable +# +awstats = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: services +# Module: amavis +# +# Anti-virus +# +amavis = module + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = base + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = base + +# Layer: system +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = base + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: audioentropy +# +# Generate entropy from audio input +# +audioentropy = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = base + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. 
+# +bind = module + +# Layer: services +# Module: dnsmasq +# +# A lightweight DHCP and caching DNS server. +# +dnsmasq = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. +# +bluetooth = module + +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = base + + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# policy for ccs +# +ccs = module + +# Layer: apps +# Module: calamaris +# +# +# Squid log analysis +# +calamaris = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: admin +# Module: certmaster +# +# Digital Certificate master +# +certmaster = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: clamav +# +# ClamAV Virus Scanner +# +clamav = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = base + +# Layer: services +# Module: consolekit +# +# ConsoleKit is a system daemon for tracking what users are logged +# +consolekit = module + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = base + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. 
+# +cpucontrol = base + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = base + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# cyphesis game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = base + +# Layer: services +# Module: dcc +# +# A distributed, collaborative, spam detection and filtering network. +# +dcc = module + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: kernel +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = base + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = base + +# Layer: system +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. 
+# +gpg = off + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Layer: apps +# Module: ethereal +# +# Ethereal packet capture tool. +# +ethereal = module + +# Layer: services +# Module: fail2ban +# +# daiemon that bans IP that makes too many password failures +# +fail2ban = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: kernel +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: kernel +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = module + +# Layer: admin +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = base + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = base + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: apps +# Module: games +# +# The Open Group Pegasus CIM/WBEM Server. +# +games = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = base + +# Layer: apps +# Module: gnome +# +# gnome session and gconf +# +gnome = module + +# Layer: services +# Module: gnomeclock +# +# gnomeclock used by dbus/polkit to set time +# +gnomeclock = module + +# Layer: services +# Module: hal +# +# Hardware abstraction layer +# +hal = module + +# Layer: services +# Module: polkit +# +# Hardware abstraction layer +# +polkit = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = base + + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. 
+# +hotplug = base + +# Layer: services +# Module: howl +# +# Port of Apple Rendezvous multicast DNS +# +howl = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = base + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = base + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = base + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = base + +# Layer: system +# Module: iscsi +# +# Open-iSCSI daemon +# +iscsi = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = off + + +# Layer: apps +# Module: java +# +# java executable +# +java = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: kernel +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: admin +# Module: kudzu +# +# Hardware detection and configuration tools +# +kudzu = base + + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = base + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = base + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = base + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. 
+# +logging = base + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = base + +# Layer: services +# Module: logwatch +# +# logwatch executable +# +logwatch = base + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = base + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: mailscanner +# +# Anti-Virus and Anti-Spam Filter +# +mailscanner = module + +# Layer: kernel +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = base + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = base + +# Layer: apps +# Module: mono +# +# mono executable +# +mono = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = base + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: apps +# Module: nsplugin +# +# Policy for nspluginwrapper +# +nsplugin = module + +# Layer: apps +# Module: mplayer +# +# Policy for Mozilla and related web browsers +# +mplayer = module + +# Layer: apps +# Module: gpg +# +# Policy for Mozilla and related web browsers +# +gpg = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. 
+# +mta = base + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: services +# Module: nagios +# +# policy for nagios Host/service/network monitoring program +# +nagios = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = base + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = base + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = base + + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: nx +# +# NX Remote Desktop +# +nx = module + + +# Layer: services +# Module: oddjob +# +# policy for oddjob +# +oddjob = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. +# +openct = off + +# Layer: services +# Module: openvpn +# +# Policy for OPENVPN full-featured SSL VPN solution +# +openvpn = module + + +# Layer: service +# Module: pcscd +# +# PC/SC Smart Card Daemon +# +pcscd = module + +# Layer: service +# Module: openct +# +# Middleware framework for smart card terminals +# +openct = module + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = base + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. 
+# +portmap = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +o# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = base + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. +# +privoxy = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: services +# Module: pyzor +# +# Spam Blocker +# +pyzor = module + + +# Layer: services +# Module: qmail +# +# Policy for qmail +# +qmail = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = base + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = base + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: services +# Module: razor +# +# A distributed, collaborative, spam detection and filtering network. +# +razor = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = base + +# Layer: services +# Module: rhgb +# +# X windows login display manager +# +rhgb = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. 
+# +remotelogin = module + +# Layer: services +# Module: ricci +# +# policy for ricci +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = base + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = base + + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rwho +# +# who is logged in on local machines +# +rwho = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = base + +# Layer: services +# Module: samba +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: apps +# Module: sambagui +# +# policy for system-config-samba +# +sambagui = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: kernel +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = base + +# Layer: system +# Module: setrans +# Required in base +# +# Policy for setrans +# +setrans = base + +# Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = base + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. 
+# +slrnpull = off + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = base + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = base + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = base + + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = base + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = base + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = module + +# Layer: services +# Module: ulogd +# +# +# +ulogd = module + +# Layer: apps +# Module: wine +# +# wine executable +# +wine = module + +# Layer: admin +# Module: tzdata +# +# Policy for tzdata-update +# +tzdata = base + +# Layer: apps +# Module: userhelper +# +# A helper interface to pam. 
+# +userhelper = module + +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: system +# Module: xen +# +# virtualization software +# +xen = module + +# Layer: services +# Module: virt +# +# Virtualization libraries +# +virt = module + +# Layer: apps +# Module: qemu +# +# Virtualization emulator +# +qemu = module + +# Layer: system +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = base + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = off + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: vbetool +# +# run real-mode video BIOS code to alter hardware state +# +vbetool = base + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: services +# Module: xfs +# +# X Windows Font Server +# +xfs = module + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = base + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = base + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. 
+# +updfstab = base + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: admin +# Module: vbetool +# +# run real-mode video BIOS code to alter hardware state +# +vbetool = base + +# Layer: kernel +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility (AMTU) +# +amtu = module + +# Layer: services +# Module: zabbix +# +# Open-source monitoring solution for your IT infrastructure +# +zabbix = module + +# Layer: services +# Module: apcupsd +# +# daemon for most APC’s UPS for Linux +# +apcupsd = module + +# Layer: services +# Module: aide +# +# Policy for aide +# +aide = module + +# Layer: services +# Module: w3c +# +# w3c +# +w3c = module + +# Layer: services +# Module: portreserve +# +# reserve ports to prevent portmap mapping them +# +portreserve = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: role +# Module: logadm +# +# Minimally prived root role for managing logging system +# +logadm = module + +# Layer: role +# Module: webadm +# +# Minimally prived root role for managing apache +# +webadm = module + +# +# Layer: services +# Module: exim +# +# exim mail server +# +exim = module + + +# Layer: services +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + +# Layer: services +# Module: munin +# +# Munin +# +munin = module + +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer:role +# Module: staff +# 
+# admin account +# +staff = module + +# Layer:role +# Module: sysadm +# +# System Administrator +# +sysadm = base + +# Layer: role +# Module: unprivuser +# +# Minimally privs guest account on tty logins +# +unprivuser = module + +# Layer: services +# Module: prelude +# +prelude = module + +# Layer: services +# Module: pads +# +pads = module + +# Layer: services +# Module: kerneloops +# +# program to collect and submit kernel oopses to kerneloops.org +# +kerneloops = module + +# Layer: apps +# Module: openoffice +# +# openoffice executable +# +openoffice = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods. +# +podsleuth = module + +# Layer: role +# Module: guest +# +# Minimally privs guest account on tty logins +# +guest = module + +# Layer: role +# Module: xguest +# +# Minimally privs guest account on X Windows logins +# +xguest = module + +# Layer: services +# Module: courier +# +# IMAP and POP3 email servers +# +courier = module + +# Layer: apps +# Module: livecd +# +# livecd creator +# +livecd = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: system +# Module: netlabel +# +# Basic netlabel types and interfaces. +# +netlabel = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + diff --git a/policy-20071130.patch b/policy-20071130.patch index 5e61c36..c73adea 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch 
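Review bot: The line `o# Layer: services` above `postgrey = module` has a stray leading `o`, so it is not a comment any more; depending on how the build parses modules.conf this is either a parse error or an unrecognised entry, and it should read `# Layer: services`. Several modules are also listed twice with conflicting values — `gpg = off` (under "Policy for GNU Privacy Guard") and later `gpg = module`, `openct = off` and later `openct = module`, and `vbetool = base` twice under different layers — so whether those modules are built depends on which entry wins; each module should appear exactly once. Many descriptions are copy-paste leftovers that mislead anyone deciding what to switch off: `mplayer` and the second `gpg` entry are described as `Policy for Mozilla and related web browsers`, `polkit` as `Hardware abstraction layer`, `games` as `The Open Group Pegasus CIM/WBEM Server.`, `rhgb` as `X windows login display manager`, `prelink` as `Manage temporary directory sizes and file ages`, and `ulogd` has no description at all. Since this file decides which domains are confined in the minimum policy, correcting the descriptions is worth doing before it ships.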
@@ -2260,8 +2260,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.3.1/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/logwatch.te 2008-11-03 16:14:53.000000000 -0500 -@@ -54,15 +54,15 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/logwatch.te 2008-11-24 11:55:37.000000000 -0500 +@@ -43,6 +43,8 @@ + kernel_read_fs_sysctls(logwatch_t) + kernel_read_kernel_sysctls(logwatch_t) + kernel_read_system_state(logwatch_t) ++kernel_read_net_sysctls(logwatch_t) ++kernel_read_network_state(logwatch_t) + + corecmd_exec_bin(logwatch_t) + corecmd_exec_shell(logwatch_t) +@@ -54,15 +56,15 @@ domain_read_all_domains_state(logwatch_t) files_list_var(logwatch_t) @@ -2280,17 +2289,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) -@@ -88,9 +88,6 @@ +@@ -87,9 +89,7 @@ + selinux_dontaudit_getattr_dir(logwatch_t) sysnet_dns_name_resolve(logwatch_t) - +- -userdom_dontaudit_search_sysadm_home_dirs(logwatch_t) -userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t) -- ++sysnet_exec_ifconfig(logwatch_t) + mta_send_mail(logwatch_t) +@@ -97,9 +97,7 @@ + apache_read_log(logwatch_t) + ') + +-optional_policy(` +- auth_use_nsswitch(logwatch_t) +-') ++auth_use_nsswitch(logwatch_t) + optional_policy(` -@@ -132,4 +129,5 @@ + avahi_dontaudit_search_pid(logwatch_t) +@@ -132,4 +130,5 @@ optional_policy(` samba_read_log(logwatch_t) 
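Review bot: The added `+kernel_read_net_sysctls(logwatch_t)` and `+kernel_read_network_state(logwatch_t)` lines, and in the following hunk (@@ -2280,17 +2289,29 @@) the added `+sysnet_exec_ifconfig(logwatch_t)`, widen what a log-reporting domain may do — in particular executing ifconfig in the logwatch domain is a new executable-content path — and nothing in either hunk records which logwatch report or script needs it. A one-line comment next to `sysnet_exec_ifconfig(logwatch_t)` naming the consumer (for example `# needed by the network report script — <name> — TODO confirm`) would let a later maintainer drop the access safely once that script changes. Replacing `optional_policy(` around `auth_use_nsswitch(logwatch_t)` with the bare call looks consistent with that interface living in the base module, so no change is suggested there. Both hunks edit policy-20071130.patch itself, so the surrounding logwatch.te context is only visible here as quoted patch lines.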
@@ -35222,7 +35243,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-11-21 16:14:31.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-11-24 14:40:12.000000000 -0500
+@@ -27,7 +27,7 @@
+ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+ allow iptables_t self:rawip_socket create_socket_perms;
+ 
+-allow iptables_t iptables_var_run_t:dir rw_dir_perms;
++manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
+ files_pid_filetrans(iptables_t,iptables_var_run_t,file)
+ 
+ can_exec(iptables_t,iptables_exec_t)
 @@ -48,10 +48,12 @@
  fs_getattr_xattr_fs(iptables_t)
diff --git a/securetty_types-minimum b/securetty_types-minimum
new file mode 100644
index 0000000..fe7ce17
--- /dev/null
+++ b/securetty_types-minimum
@@ -0,0 +1,3 @@
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a8caa3e..b3730dc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -4,6 +4,9 @@
 %if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
 %define BUILD_TARGETED 1
 %endif
+%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
+%define BUILD_MINIMUM 1
+%endif
 %if %{?BUILD_OLPC:0}%{!?BUILD_OLPC:1}
 %define BUILD_OLPC 0
 %endif
@@ -17,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 112%{?dist}
+Release: 114%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
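Review bot: `+manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)` widens the old dir-only `rw_dir_perms` rule into full create/write/unlink of files under the pid directory, which fits the `files_pid_filetrans(...)` line below it but is a real privilege increase for iptables_t that the changelog entries on this page do not mention; a short why-comment such as `# iptables creates and rewrites its own pid/lock files under /var/run` would record the intent. As a point of style, the new line uses `, ` separators while the neighbouring `files_pid_filetrans(iptables_t,iptables_var_run_t,file)` and `can_exec(iptables_t,iptables_exec_t)` do not; match the surrounding style. The inner iptables.te hunk continues past what this outer hunk shows.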
@@ -36,6 +39,10 @@ Source12: securetty_types-olpc
 Source13: policygentool
 Source14: securetty_types-targeted
 Source15: securetty_types-mls
+Source16: modules-minimum.conf
+Source17: booleans-minimum.conf
+Source18: setrans-minimum.conf
+Source19: securetty_types-minimum
 Url: http://serefpolicy.sourceforge.net
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -48,7 +55,6 @@ SELinux Base package
 %files
 %{_mandir}/*
-%doc %{_usr}/share/doc/%{name}-%{version}
 %dir %{_usr}/share/selinux
 %dir %{_sysconfdir}/selinux
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
@@ -71,6 +77,17 @@ SELinux Policy development package
 %{_usr}/share/selinux/devel/policygentool
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
+
+%package doc
+Summary: SELinux policy documentation
+Group: System Environment/Base
+Requires(pre): selinux-policy = %{version}-%{release}
+
+%description doc
+SELinux policy documentation package
+
+%files doc
+%doc %{_usr}/share/doc/%{name}-%{version}
 %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
 %check
@@ -207,6 +224,13 @@ make clean
 %installCmds mls mls n y deny
 %endif
+%if %{BUILD_MINIMUM}
+# Build minimum policy
+# Commented out because only minimum ref policy currently builds
+%setupCmds minimum mcs n y allow
+%installCmds minimum mcs n y allow
+%endif
+
 %if %{BUILD_OLPC}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
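Review bot: The new `%package doc` block in the hunk at -71 is inserted before the context line `%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp`, so after this change policyhelp is listed under `%files doc` rather than `%files devel`; if moving it is intended (plausible, given the package split), say so with a comment above the `%files doc` line, otherwise place the block after the `%attr` line. `Requires(pre): selinux-policy = %{version}-%{release}` on a package that has no `%pre` scriptlet can simply be `Requires:`; the `(pre)` qualifier only orders installation for a scriptlet that needs the dependency present. The hunk at -48 removes the `%doc` line from the base package, which is the other half of the split and looks consistent.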
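Review bot: In the hunk at -207 the comment `+# Commented out because only minimum ref policy currently builds` is stale text copied from the OLPC block below it: the two lines after it, `%setupCmds minimum mcs n y allow` and `%installCmds minimum mcs n y allow`, are not commented out, and the sentence itself does not describe the minimum build. Replace the two comment lines with one that states what the block does, e.g. `# Build the minimum policy (mcs)`. The same stale wording in the OLPC block (`# Commented out because only targeted ref policy currently builds`) is pre-existing context and outside this change.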
@@ -323,6 +347,43 @@ exit 0
 %fileList targeted
 %endif
+%if %{BUILD_MINIMUM}
+%package minimum
+Summary: SELinux minimum base policy
+Provides: selinux-policy-base
+Group: System Environment/Base
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+
+%description minimum
+SELinux Reference policy minimum base module.
+
+%pre minimum
+%saveFileContext minimum
+
+%post minimum
+if [ $1 -eq 1 ]; then
+%loadminpolicy minimum
+semanage -S minimum -i - << __eof
+user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
+__eof
+semanage -S minimum -i - << __eof
+login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
+login -m -s unconfined_u -r s0-s0:c0.c1023 root
+__eof
+restorecon -R /root /var/log /var/run 2> /dev/null
+else
+%loadminpolicy minimum
+%relabel minimum
+fi
+exit 0
+
+%files minimum
+%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
+%fileList minimum
+%endif
+
 %if %{BUILD_OLPC}
 %package olpc
 Summary: SELinux olpc base policy
@@ -382,6 +443,13 @@ exit 0
 %endif
 %changelog
+* Mon Nov 24 2008 Dan Walsh 3.3.1-114
+- Add minimum policy
+- Split out doc package
+
+* Mon Nov 24 2008 Dan Walsh 3.3.1-113
+- Allow logwatch to report on network information
+
 * Thu Nov 20 2008 Dan Walsh 3.3.1-112
 - Allow automount to read nfs
diff --git a/setrans-minimum.conf b/setrans-minimum.conf
new file mode 100644
index 0000000..9b46bbd
--- /dev/null
+++ b/setrans-minimum.conf
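Review bot: In `%post minimum` neither `semanage -S minimum -i -` invocation is checked, and `restorecon -R /root /var/log /var/run 2> /dev/null` discards its errors before the scriptlet ends with `exit 0`, so a failed `login -m -s unconfined_u ... __default__` / `root` mapping or an incomplete relabel leaves the package installed with no trace in the rpm output. Keeping `exit 0` is the usual convention for policy packages, but the failures should at least reach stderr: drop the `2> /dev/null` and append `|| echo "semanage -S minimum failed" >&2` after each heredoc's `<< __eof`. `%loadminpolicy` is used here but not defined in this hunk; if it is new in this commit it must be defined earlier in the spec, which I cannot see from this chunk. The `%description minimum` text (`SELinux Reference policy minimum base module.`) should also state that `__default__` and `root` logins are mapped to `unconfined_u`, since that is the security posture an administrator chooses by installing this package.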
@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
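Review bot: `+# Uncomment the following to disable translation libary` misspells "library"; since this is a new file the typo can be fixed in the same commit: `# Uncomment the following to disable the translation library`. The three live mappings (`s0=`, `s0-s0:c0.c1023=SystemLow-SystemHigh`, `s0:c0.c1023=SystemHigh`) cover the `s0-s0:c0.c1023` range that the spec's `%post minimum` assigns to `unconfined_u`, so nothing else to raise here.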