Status

Current Version: 20050701

See the download page for download information.  This release focused on
infrastructure, organization, and initial design rather than comprehensive
policy coverage or security improvements.  Currently only the strict policy is
supported, with targeted policy support planned for the future.

This is a prototype release, not meant to be used on real systems.  It is
targeted towards developers, to show the direction of the policy's
development and to solicit feedback.

Reference Policy Status

Task/Component | Status | Description
Policy Structure | Complete | The policy is converted over to the new Reference Policy structure.
TE Policy | Conversion ongoing | Conversion of the old policy to Reference Policy modules is ongoing.
Loadable Policy Modules | Major improvements | Infrastructure is in place to support both source policy and loadable policy modules.  Makefile support is planned.
Documentation Infrastructure | Interfaces complete | The tools that create web pages from the module interface documentation are complete.  Adding tunables to the web pages is planned.
Policy Documentation | Ongoing | Most kernel layer modules are documented.
Unused Modules | Complete | Modules can be disabled by using modules.conf.
MLS Infrastructure | Minor improvements | MLS infrastructure added to support easy conversion between MLS and non-MLS policy.  The policy is compilable, but untested.
Network Infrastructure | Minor improvements | All network ports, nodes, and interfaces moved to the corenetwork module; their interfaces are generated automatically.  Plan to add more infrastructure for configuration of ports, nodes, and interfaces.
User domains and roles | Minor improvements | Some infrastructure added to support per-user domain policy, e.g., to create types and policy for ssh for each user.  Plan to add infrastructure to easily configure user domains and roles.
Labeling | Minor improvements | All labeling moved to modules, consistent with the Reference Policy structure.
Tunables | Minor improvements | Tunables are documented, and in the future will be included in the web page policy documentation.
Users | Unchanged | Assignment of users to roles.
Constraints | Unchanged | Plan to split up into the relevant modules.  There are ordering problems with source policies.
Flask | Unchanged | Headers for the policy, describing object classes and their permissions.  No planned changes.
Genhomedircon | Unchanged | Tool to properly label users' home directories.  No planned changes.


Policy Conversion

This phase of Reference Policy development involves the conversion of policies
from the example strict policy.  We have been using the Fedora strict policy
version 1.23.2-1 as a baseline for policy conversion, which is available
on the download page.  After these policies are added to Reference Policy, it
can be updated to be in line with current versions of the NSA example policy.
For those who wish to contribute, here is a listing of modules which need to be
converted:

  • acct
  • arpwatch
  • automount
  • bind
  • bluetooth
  • cdrecord
  • comsat
  • cyrus
  • dictd
  • dovecot
  • fetchmail
  • fingerd
  • firstboot
  • ftpd
  • games
  • gpm
  • howl
  • inn
  • ipsec
  • irqbalance
  • ktalkd
  • kudzu
  • loadkeys
  • lockdev
  • mrtg
  • mysql
  • ntpd
  • pcmcia (was cardmgr)
  • portmap
  • postfix
  • postgresql
  • prelink
  • procmail
  • quota
  • radius
  • radvd
  • raid (was mdadm)
  • rlogin
  • rsync
  • samba
  • sasl
  • screen
  • slocate
  • slrnpull
  • snmp
  • spamassassin
  • squid
  • stunnel
  • sysstat
  • tcpd
  • telnet
  • tftp
  • tmpreaper
  • uml
  • updfstab
  • userhelper
  • vpnc
  • zebra
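
For contributors picking a module from the list above, here is an added
example (not code from this release or from the Reference Policy project) of
what a converted module looks like in the Reference Policy layout described in
the status table: a type enforcement file (.te), an interface file (.if) and a
file contexts file (.fc), all belonging to one module.  The daemon "exampled",
its paths, the tunable name and the specific files_*/init_*/corenet_* interface
calls are assumptions chosen to illustrate the conventions the table refers to
(in-module labeling, documented tunables, gen_context() for MLS and non-MLS
builds, automatically generated corenetwork interfaces); the exact set of
interfaces available in this prototype release may differ.

```m4
# Added example: a converted module in the Reference Policy layout.
# "exampled" is a hypothetical daemon; every type, path, tunable and
# interface call below is illustrative and is not taken from this release.
#
# ---------- policy/modules/services/exampled.te ----------
policy_module(exampled, 1.0.0)

########################################
#
# Declarations
#

# Domain the daemon runs in, and the entrypoint type of its binary.
# init_daemon_domain() makes init transition into exampled_t when it
# executes a file labeled exampled_exec_t.
type exampled_t;
type exampled_exec_t;
init_daemon_domain(exampled_t, exampled_exec_t)

# Private state directory and PID file types.
type exampled_var_lib_t;
files_type(exampled_var_lib_t)

type exampled_var_run_t;
files_pid_file(exampled_var_run_t)

# A tunable (policy boolean), documented in the comment style the
# documentation generator reads.  Default is off (least privilege).
## <desc>
## <p>Allow exampled to make outbound HTTP connections.</p>
## </desc>
gen_tunable(exampled_use_network, false)

########################################
#
# Local policy
#

allow exampled_t self:fifo_file { read write getattr };
allow exampled_t self:unix_stream_socket create_stream_socket_perms;

# State under /var/lib/exampled: create, read and write files and dirs.
allow exampled_t exampled_var_lib_t:dir create_dir_perms;
allow exampled_t exampled_var_lib_t:file create_file_perms;
files_search_var_lib(exampled_t)

# PID file under /var/run, created with the right label via a type transition.
allow exampled_t exampled_var_run_t:file create_file_perms;
files_pid_filetrans(exampled_t, exampled_var_run_t, file)

# Network access is granted only when the tunable is enabled.  The
# corenet_* interfaces are the kind the corenetwork module generates
# automatically from its port, node and interface declarations.
tunable_policy(`exampled_use_network',`
	allow exampled_t self:tcp_socket create_socket_perms;
	corenet_tcp_sendrecv_all_if(exampled_t)
	corenet_tcp_sendrecv_all_nodes(exampled_t)
	corenet_tcp_connect_http_port(exampled_t)
')

# ---------- policy/modules/services/exampled.if ----------
## <summary>Hypothetical exampled daemon (added example).</summary>

########################################
## <summary>
##	Read exampled state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`exampled_read_state',`
	gen_require(`
		type exampled_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 exampled_var_lib_t:dir { getattr search read };
	allow $1 exampled_var_lib_t:file { getattr read };
')

# ---------- policy/modules/services/exampled.fc ----------
# Labeling lives with the module.  gen_context() emits the MLS level
# (s0) only when the policy is built with MLS enabled, so the same
# file contexts serve MLS and non-MLS builds.
/usr/sbin/exampled		--	gen_context(system_u:object_r:exampled_exec_t,s0)
/var/lib/exampled(/.*)?			gen_context(system_u:object_r:exampled_var_lib_t,s0)
/var/run/exampled\.pid		--	gen_context(system_u:object_r:exampled_var_run_t,s0)
```

Other modules never touch exampled's types directly; they call
exampled_read_state() from the .if file, which is also what the
documentation tools turn into the interface web pages.  Once a module like
this is added to the tree, it is enabled or disabled by name in modules.conf,
as the Unused Modules entry in the status table describes.
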

Testing Status

A very minimal Red Hat Enterprise Linux 4 system with the following RPMs can be
successfully booted in enforcing mode with Reference Policy, and users can log
in locally:

  • libgcc-3.4.3-9.EL4
  • rootfiles-8-1
  • filesystem-2.3.0-1
  • termcap-5.4-3
  • glibc-common-2.3.4-2
  • bzip2-libs-1.0.2-13
  • device-mapper-1.00.19-2
  • elfutils-libelf-0.97-5
  • expat-1.95.7-4
  • glib2-2.4.7-1
  • libattr-2.4.16-3
  • libcap-1.10-20
  • libsepol-1.1.1-2
  • db4-4.2.52-7.1
  • libtermcap-2.0.8-39
  • mktemp-1.5-20
  • iproute-2.6.9-3
  • less-382-4
  • pcre-4.5-3
  • usbutils-0.11-6.1
  • vim-minimal-6.3.046-0.40E.4
  • info-4.7-5
  • diffutils-2.8.1-12
  • gawk-3.1.3-10.1
  • coreutils-5.2.1-31
  • gzip-1.3.3-13
  • module-init-tools-3.1-0.pre5.3
  • procps-3.2.3-7EL
  • sed-4.1.2-4
  • MAKEDEV-3.15-2
  • sysklogd-1.4.1-26_EL
  • cracklib-2.7-29
  • pam-0.77-65.1
  • SysVinit-2.85-34
  • lvm2-2.00.31-1.0.RHEL4
  • kernel-2.6.9-5.0.5.EL
  • libuser-0.52.5-1
  • crontabs-1.10-7
  • tmpwatch-2.9.1-1
  • m4-1.4.1-16
  • mgetty-1.1.31-2
  • time-1.7-25
  • dhclient-3.0.1-12_EL
  • samhain-2.0.6-1
  • hwdata-0.146.1.EL-1
  • redhat-logos-1.1.25-1
  • setup-2.5.37-1.1
  • basesystem-8.0-4
  • tzdata-2004e-2
  • glibc-2.3.4-2
  • beecrypt-3.1.0-6
  • chkconfig-1.3.11.2-1
  • e2fsprogs-1.35-11.6.EL4
  • ethtool-1.8-4
  • gdbm-1.8.0-24
  • iputils-20020927-16
  • libacl-2.2.23-5
  • libselinux-1.19.1-7
  • libstdc++-3.4.3-9.EL4
  • mingetty-1.07-3
  • bash-3.0-19.2
  • ncurses-5.4-13
  • net-tools-1.60-37
  • popt-1.9.1-7_nonptl
  • redhat-release-4AS-2
  • hotplug-2004_04_01-7.2
  • zlib-1.2.1.2-1
  • cpio-2.5-7.EL4.1
  • findutils-4.1.20-7
  • grep-2.5.1-31
  • grub-0.95-3.1
  • readline-4.3-13
  • rpm-libs-4.3.3-7_nonptl
  • shadow-utils-4.0.3-41.1
  • rpm-4.3.3-7_nonptl
  • tar-1.14-4
  • cracklib-dicts-2.7-29
  • policycoreutils-1.18.1-4
  • util-linux-2.12a-16.EL4.6
  • udev-039-10.8.EL4
  • initscripts-7.93.11.EL-1
  • mkinitrd-4.1.18-2
  • passwd-0.68-10
  • bzip2-1.0.2-13
  • logrotate-3.7.1-2
  • libxml2-2.6.16-6
  • make-3.80-5
  • iptables-1.2.11-3.1.RHEL4
  • vixie-cron-4.1-20_EL
  • comps-4AS-0.20050107