Status

Current Version: 20050701

Karl MacMillan

9f945b

Chris PeBenito

	See download for download

Chris PeBenito

	information.  This release focused on infrastructure, organization, and

Chris PeBenito

	initial design rather than comprehensive policy coverage or security

Chris PeBenito

	improvements.  Currently only the strict policy is supported, with

Chris PeBenito

	targeted policy support planned for the future.

Chris PeBenito

Chris PeBenito

Chris PeBenito

	This is a prototype release, not meant to be used on real systems.  It

Chris PeBenito

	is targeted towards developers, to show the direction of the policy's

Chris PeBenito

9a453f

	development and to solicit feedback.

Chris PeBenito

Karl MacMillan

Karl MacMillan

Chris PeBenito

Karl MacMillan

	Reference Policy Status

Karl MacMillan

Karl MacMillan

Karl MacMillan

Karl MacMillan

	Task/ComponentStatusDescription

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Policy Structure

Chris PeBenito

		Complete

Chris PeBenito

		The policy is converted over to new Reference Policy structure

Chris PeBenito

Chris PeBenito

Chris PeBenito

		TE Policy

Chris PeBenito

		Conversion Ongoing

Chris PeBenito

		Conversion of old policy to Reference Policy modules is ongoing

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Loadable Policy Modules

Chris PeBenito

		Major improvements

Chris PeBenito

		Infrastructure is in place to support both source policy and

Chris PeBenito

			loadable policy modules.  Makefile support planned.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Documentation Infrastructure

Chris PeBenito

		Interfaces complete

Chris PeBenito

		Tools to create webpages from the module interface documentation

Chris PeBenito

			is complete. Adding tunables to the webpages is planned.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Policy Documentation

Chris PeBenito

		Ongoing

Chris PeBenito

		Most kernel layer modules are documented.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Unused Modules

Chris PeBenito

		Complete

Chris PeBenito

		Modules can be disabled by using modules.conf.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		MLS Infrastructure

Chris PeBenito

		Minor improvements

Chris PeBenito

		MLS infrastructure added to support easy conversion between

Chris PeBenito

			MLS and non-MLS policy.  Policy is compilable, but

Chris PeBenito

			untested.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Network Infrastructure

Chris PeBenito

		Minor improvements

Chris PeBenito

		All network ports, nodes, and interfaces moved to

Chris PeBenito

			corenetwork module, interfaces generated automatically.

Chris PeBenito

			Plan to add more infrastructure for configuration of

Chris PeBenito

			ports, nodes, and interfaces.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		User domains and roles

Chris PeBenito

		Minor improvements

Chris PeBenito

		Some infrastructure added to support per-user domain policy,

Chris PeBenito

			e.g., to create types and policy for ssh,

Chris PeBenito

			for each user.  Plan to add infrastructure to easily

Chris PeBenito

			configure userdomains and roles.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Labeling

Chris PeBenito

		Minor improvements

Chris PeBenito

		All labeling moved to modules, consistent with Reference

Chris PeBenito

			Policy structure.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Tunables

Chris PeBenito

		Minor improvements

Chris PeBenito

		Tunables are documented, and in the future will be included

Chris PeBenito

			in the webpage policy documentation.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Users

Chris PeBenito

		Unchanged

Chris PeBenito

		Assignment of users to roles

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Constraints

Chris PeBenito

		Unchanged

Chris PeBenito

		Plan to split up into relevant modules.  There are ordering

Chris PeBenito

			problems with source policies.

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Flask

Chris PeBenito

		Unchanged

Chris PeBenito

		Headers for the policy, describing object classes, and

Chris PeBenito

			their permissions.  No planned changes

Chris PeBenito

Chris PeBenito

Chris PeBenito

		Genhomedircon

Chris PeBenito

		Unchanged

Chris PeBenito

		Tool to properly label users' home directories.

Chris PeBenito

			No planned changes

Chris PeBenito

Chris PeBenito

Chris PeBenito

Policy Conversion

Chris PeBenito

Chris PeBenito

This phase of reference policy development involves the conversion of policies

Chris PeBenito

from the example strict policy.  We have been using the Fedora strict policy

Chris PeBenito

version 1.23.2-1 as a baseline for policy conversion, which is available

Chris PeBenito

on the download page.  Then after these policies

Chris PeBenito

are added to reference policy, it can be updated to be in line with current

Chris PeBenito

versions of the NSA example policy. For those who wish to contribute, here

Chris PeBenito

is a listing of modules which need to be converted:

Chris PeBenito

Chris PeBenito

acct

Chris PeBenito

arpwatch

Chris PeBenito

automount

Chris PeBenito

bind

Chris PeBenito

bluetooth

Chris PeBenito

cdrecord

Chris PeBenito

comsat

Chris PeBenito

cyrus

Chris PeBenito

dictd

Chris PeBenito

dovecot

Chris PeBenito

fetchmail

Chris PeBenito

fingerd

Chris PeBenito

firstboot

Chris PeBenito

ftpd

Chris PeBenito

games

Chris PeBenito

gpm

Chris PeBenito

howl

Chris PeBenito

inn

Chris PeBenito

ipsec

Chris PeBenito

irqbalance

Chris PeBenito

ktalkd

Chris PeBenito

kudzu

Chris PeBenito

loadkeys

Chris PeBenito

lockdev

Chris PeBenito

mrtg

Chris PeBenito

mysql

Chris PeBenito

ntpd

Chris PeBenito

pcmcia (was cardmgr)

Chris PeBenito

portmap

Chris PeBenito

postfix

Chris PeBenito

postgresql

Chris PeBenito

prelink

Chris PeBenito

procmail

Chris PeBenito

quota

Chris PeBenito

radius

Chris PeBenito

radvd

Chris PeBenito

raid (was mdadm)

Chris PeBenito

rlogin

Chris PeBenito

rsync

Chris PeBenito

samba

Chris PeBenito

sasl

Chris PeBenito

screen

Chris PeBenito

slocate

Chris PeBenito

slrnpull

Chris PeBenito

snmp

Chris PeBenito

spamassassin

Chris PeBenito

squid

Chris PeBenito

stunnel

Chris PeBenito

sysstat

Chris PeBenito

tcpd

Chris PeBenito

telnet

Chris PeBenito

tftp

Chris PeBenito

tmpreaper

Chris PeBenito

uml

Chris PeBenito

updfstab

Chris PeBenito

userhelper

Chris PeBenito

vpnc

Chris PeBenito

zebra

Chris PeBenito

Chris PeBenito

Testing Status

Chris PeBenito

Chris PeBenito

A very minimal RedHat Enterprise Linux 4 system with the following RPMs has

Chris PeBenito

can be successfully booted in enforcing mode, and users can log in locally,

Chris PeBenito

with Reference Policy:

Chris PeBenito

Chris PeBenito

Chris PeBenito

libgcc-3.4.3-9.EL4

Chris PeBenito

rootfiles-8-1

Chris PeBenito

filesystem-2.3.0-1

Chris PeBenito

termcap-5.4-3

Chris PeBenito

glibc-common-2.3.4-2

Chris PeBenito

bzip2-libs-1.0.2-13

Chris PeBenito

device-mapper-1.00.19-2

Chris PeBenito

elfutils-libelf-0.97-5

Chris PeBenito

expat-1.95.7-4

Chris PeBenito

glib2-2.4.7-1

Chris PeBenito

libattr-2.4.16-3

Chris PeBenito

libcap-1.10-20

Chris PeBenito

libsepol-1.1.1-2

Chris PeBenito

db4-4.2.52-7.1

Chris PeBenito

libtermcap-2.0.8-39

Chris PeBenito

mktemp-1.5-20

Chris PeBenito

iproute-2.6.9-3

Chris PeBenito

less-382-4

Chris PeBenito

pcre-4.5-3

Chris PeBenito

usbutils-0.11-6.1

Chris PeBenito

vim-minimal-6.3.046-0.40E.4

Chris PeBenito

info-4.7-5

Chris PeBenito

diffutils-2.8.1-12

Chris PeBenito

gawk-3.1.3-10.1

Chris PeBenito

coreutils-5.2.1-31

Chris PeBenito

gzip-1.3.3-13

Chris PeBenito

module-init-tools-3.1-0.pre5.3

Chris PeBenito

procps-3.2.3-7EL

Chris PeBenito

sed-4.1.2-4

Chris PeBenito

MAKEDEV-3.15-2

Chris PeBenito

sysklogd-1.4.1-26_EL

Chris PeBenito

cracklib-2.7-29

Chris PeBenito

pam-0.77-65.1

Chris PeBenito

SysVinit-2.85-34

Chris PeBenito

lvm2-2.00.31-1.0.RHEL4

Chris PeBenito

kernel-2.6.9-5.0.5.EL

Chris PeBenito

libuser-0.52.5-1

Chris PeBenito

crontabs-1.10-7

Chris PeBenito

tmpwatch-2.9.1-1

Chris PeBenito

m4-1.4.1-16

Chris PeBenito

mgetty-1.1.31-2

Chris PeBenito

time-1.7-25

Chris PeBenito

dhclient-3.0.1-12_EL

Chris PeBenito

samhain-2.0.6-1

Chris PeBenito

hwdata-0.146.1.EL-1

Chris PeBenito

redhat-logos-1.1.25-1

Chris PeBenito

setup-2.5.37-1.1

Chris PeBenito

basesystem-8.0-4

Chris PeBenito

tzdata-2004e-2

Chris PeBenito

glibc-2.3.4-2

Chris PeBenito

beecrypt-3.1.0-6

Chris PeBenito

chkconfig-1.3.11.2-1

Chris PeBenito

e2fsprogs-1.35-11.6.EL4

Chris PeBenito

ethtool-1.8-4

Chris PeBenito

gdbm-1.8.0-24

Chris PeBenito

iputils-20020927-16

Chris PeBenito

libacl-2.2.23-5

Chris PeBenito

libselinux-1.19.1-7

Chris PeBenito

libstdc++-3.4.3-9.EL4

Chris PeBenito

mingetty-1.07-3

Chris PeBenito

bash-3.0-19.2

Chris PeBenito

ncurses-5.4-13

Chris PeBenito

net-tools-1.60-37

Chris PeBenito

popt-1.9.1-7_nonptl

Chris PeBenito

redhat-release-4AS-2

Chris PeBenito

hotplug-2004_04_01-7.2

Chris PeBenito

zlib-1.2.1.2-1

Chris PeBenito

cpio-2.5-7.EL4.1

Chris PeBenito

findutils-4.1.20-7

Chris PeBenito

grep-2.5.1-31

Chris PeBenito

grub-0.95-3.1

Chris PeBenito

readline-4.3-13

Chris PeBenito

rpm-libs-4.3.3-7_nonptl

Chris PeBenito

shadow-utils-4.0.3-41.1

Chris PeBenito

rpm-4.3.3-7_nonptl

Chris PeBenito

tar-1.14-4

Chris PeBenito

cracklib-dicts-2.7-29

Chris PeBenito

policycoreutils-1.18.1-4

Chris PeBenito

util-linux-2.12a-16.EL4.6

Chris PeBenito

udev-039-10.8.EL4

Chris PeBenito

initscripts-7.93.11.EL-1

Chris PeBenito

mkinitrd-4.1.18-2

Chris PeBenito

passwd-0.68-10

Chris PeBenito

bzip2-1.0.2-13

Chris PeBenito

logrotate-3.7.1-2

Chris PeBenito

libxml2-2.6.16-6

Chris PeBenito

make-3.80-5

Chris PeBenito

iptables-1.2.11-3.1.RHEL4

Chris PeBenito

vixie-cron-4.1-20_EL

Chris PeBenito

comps-4AS-0.20050107

Chris PeBenito