<h1>Status</h1>
<h2>Current Version: 20050701</h2>
<p>
	See <a href="index.php?page=download">download</a> for download
	information.  This release focused on infrastructure, organization, and
	initial design rather than comprehensive policy coverage or security
	improvements.  Currently only the strict policy is supported, with
	targeted policy support planned for the future.
</p>
<p>
	This is a prototype release, not meant to be used on real systems.  It
	is targeted towards developers, to show the direction of the policy's
	development and to solicit feedback.
</p>
<br>
<table border="1" cellspacing="0" cellpadding="3">
	<tr>
	<th class="title" colspan="3">Reference Policy Status</th>
	</tr>
	
	<tr>
	<td class="header">Task/Component</td><td class="header">Status</td><td class="header">Description</td>
	</tr>
	<tr>
		<td>Policy Structure</td>
		<td>Complete</td>
		<td>The policy is converted over to new Reference Policy structure</td>
	</tr>
	<tr>
		<td>TE Policy</td>
		<td>Conversion Ongoing</td>
		<td>Conversion of old policy to Reference Policy modules is ongoing</td>
	</tr>
	<tr>
		<td>Loadable Policy Modules</td>
		<td>Major improvements</td>
		<td>Infrastructure is in place to support both source policy and
			loadable policy modules.  Makefile support planned.</td>
	</tr>
	<tr>
		<td>Documentation Infrastructure</td>
		<td>Interfaces complete</td>
		<td>The tools that generate webpages from the module interface
			documentation are complete. Adding tunables to the webpages is planned.</td>
	</tr>
	<tr>
		<td>Policy Documentation</td>
		<td>Ongoing</td>
		<td>Most kernel layer modules are documented.</td>
	</tr>
	<tr>
		<td>Unused Modules</td>
		<td>Complete</td>
		<td>Modules can be disabled by using modules.conf.</td>
	</tr>
	<tr>
		<td>MLS Infrastructure</td>
		<td>Minor improvements</td>
		<td>MLS infrastructure added to support easy conversion between
			MLS and non-MLS policy.  Policy is compilable, but
			untested.</td>
	</tr>
	<tr>
		<td>Network Infrastructure</td>
		<td>Minor improvements</td>
		<td>All network ports, nodes, and interfaces moved to
			corenetwork module, interfaces generated automatically.
			Plan to add more infrastructure for configuration of
			ports, nodes, and interfaces.</td>
	</tr>
	<tr>
		<td>User domains and roles</td>
		<td>Minor improvements</td>
		<td>Some infrastructure added to support per-user domain policy,
			e.g., to create per-user types and policy for ssh.
			Plan to add infrastructure to easily configure user
			domains and roles.</td>
	</tr>
	<tr>
		<td>Labeling</td>
		<td>Minor improvements</td>
		<td>All labeling moved to modules, consistent with Reference
			Policy structure.</td>
	</tr>
	<tr>
		<td>Tunables</td>
		<td>Minor improvements</td>
		<td>Tunables are documented, and in the future will be included
			in the webpage policy documentation.</td>
	</tr>
	<tr>
		<td>Users</td>
		<td>Unchanged</td>
		<td>Assignment of users to roles</td>
	</tr>
	<tr>
		<td>Constraints</td>
		<td>Unchanged</td>
		<td>Plan to split up into relevant modules.  There are ordering
			problems with source policies.</td>
	</tr>
	<tr>
		<td>Flask</td>
		<td>Unchanged</td>
		<td>Headers for the policy, describing object classes and
			their permissions.  No planned changes.</td>
	</tr>
	<tr>
		<td>Genhomedircon</td>
		<td>Unchanged</td>
		<td>Tool to properly label users' home directories.
			No planned changes.</td>
	</tr>
</table>
<h2>Policy Conversion</h2>
<p>
This phase of Reference Policy development involves converting policy from the
example strict policy.  We have been using the Fedora strict policy version
1.23.2-1 as the baseline for conversion; it is available on the
<a href="index.php?page=download">download</a> page.  Once these modules have
been added to Reference Policy, they can be brought in line with current
versions of the NSA example policy.  For those who wish to contribute, here is
a listing of modules which still need to be converted:
</p>
<ul>
<li>acct</li>
<li>arpwatch</li>
<li>automount</li>
<li>bind</li>
<li>bluetooth</li>
<li>cdrecord</li>
<li>comsat</li>
<li>cyrus</li>
<li>dictd</li>
<li>dovecot</li>
<li>fetchmail</li>
<li>fingerd</li>
<li>firstboot</li>
<li>ftpd</li>
<li>games</li>
<li>gpm</li>
<li>howl</li>
<li>inn</li>
<li>ipsec</li>
<li>irqbalance</li>
<li>ktalkd</li>
<li>kudzu</li>
<li>loadkeys</li>
<li>lockdev</li>
<li>mrtg</li>
<li>mysql</li>
<li>ntpd</li>
<li>pcmcia (was cardmgr)</li>
<li>portmap</li>
<li>postfix</li>
<li>postgresql</li>
<li>prelink</li>
<li>procmail</li>
<li>quota</li>
<li>radius</li>
<li>radvd</li>
<li>raid (was mdadm)</li>
<li>rlogin</li>
<li>rsync</li>
<li>samba</li>
<li>sasl</li>
<li>screen</li>
<li>slocate</li>
<li>slrnpull</li>
<li>snmp</li>
<li>spamassassin</li>
<li>squid</li>
<li>stunnel</li>
<li>sysstat</li>
<li>tcpd</li>
<li>telnet</li>
<li>tftp</li>
<li>tmpreaper</li>
<li>uml</li>
<li>updfstab</li>
<li>userhelper</li>
<li>vpnc</li>
<li>zebra</li>
</ul>
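<p>
The status table above describes the structural pieces a converted module must
provide (per-module labeling, documented interfaces and tunables, ports taken
from the corenetwork module, labels that build for both MLS and non-MLS, and
enabling or disabling the module through modules.conf), and the list above names
the modules waiting for that conversion.  The following skeleton, added here as
an illustration, shows what one such converted module looks like in the
Reference Policy layout.  It is not a module shipped by Reference Policy or by
this release: the daemon <code>exampled</code>, every type beginning with
<code>exampled_</code>, and the tunable are hypothetical, and the macro and
interface names (<code>policy_module</code>, <code>init_daemon_domain</code>,
<code>files_pid_filetrans</code>, <code>corenet_tcp_bind_generic_port</code>,
the <code>*_perms</code> sets) follow Reference Policy conventions as they are
generally known and are assumed here; the 20050701 snapshot may spell some of
them differently.
</p>

```m4
# ---- policy/modules/services/exampled.te ----
# Illustrative skeleton (not a Reference Policy module); all exampled_* names are hypothetical.
policy_module(exampled, 1.0)

########################################
#
# Declarations
#

# Daemon domain plus its entry-point type; init_daemon_domain makes init
# scripts transition into exampled_t when they run the executable.
type exampled_t;
type exampled_exec_t;
init_daemon_domain(exampled_t, exampled_exec_t)

# Separate types for configuration and runtime state, so rules are written
# per purpose rather than per path (the paths live in the .fc file below).
type exampled_etc_t;
files_config_file(exampled_etc_t)

type exampled_var_run_t;
files_pid_file(exampled_var_run_t)

# A tunable, off by default. The "##" block is the documentation the
# webpage generator picks up.
## <desc>
## <p>Allow exampled to listen on the network.</p>
## </desc>
gen_tunable(exampled_listen_network, false)

########################################
#
# Local policy
#

allow exampled_t self:process signal_perms;
allow exampled_t self:fifo_file rw_fifo_file_perms;

# Configuration is read-only for the daemon.
allow exampled_t exampled_etc_t:dir list_dir_perms;
allow exampled_t exampled_etc_t:file read_file_perms;

# The PID file is created under /var/run and labeled by type transition,
# so the daemon never needs write access to generic var_run_t files.
allow exampled_t exampled_var_run_t:file manage_file_perms;
files_pid_filetrans(exampled_t, exampled_var_run_t, file)

# Network access only when the tunable is on; the port, node and interface
# types come from the corenetwork module rather than being declared here.
tunable_policy(`exampled_listen_network',`
	allow exampled_t self:tcp_socket create_stream_socket_perms;
	corenet_tcp_sendrecv_all_if(exampled_t)
	corenet_tcp_sendrecv_all_nodes(exampled_t)
	corenet_tcp_bind_all_nodes(exampled_t)
	corenet_tcp_bind_generic_port(exampled_t)
')

logging_send_syslog_msg(exampled_t)

# ---- policy/modules/services/exampled.if ----
## <summary>Example daemon (illustrative skeleton).</summary>

########################################
## <summary>
##	Read exampled configuration files.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`exampled_read_config',`
	gen_require(`
		type exampled_etc_t;
	')

	files_search_etc($1)
	allow $1 exampled_etc_t:dir list_dir_perms;
	allow $1 exampled_etc_t:file read_file_perms;
')

# ---- policy/modules/services/exampled.fc ----
# gen_context() carries the MLS field (s0); the same .fc builds for MLS and
# non-MLS policy, which is what the MLS infrastructure row refers to.
/etc/exampled(/.*)?		gen_context(system_u:object_r:exampled_etc_t,s0)
/usr/sbin/exampled	--	gen_context(system_u:object_r:exampled_exec_t,s0)
/var/run/exampled\.pid	--	gen_context(system_u:object_r:exampled_var_run_t,s0)

# ---- policy/modules.conf (one line per module) ----
# "module" builds it as a loadable module, "base" compiles it into the base
# policy, "off" leaves it out entirely.
exampled = module
```

<p>
Other modules never touch <code>exampled_etc_t</code> directly; they call
<code>exampled_read_config()</code>, which keeps the type private to this
module and lets the interface documentation describe exactly what access is
granted.  Turning the tunable on with <code>setsebool</code> is the only
runtime knob: the allow rules inside <code>tunable_policy</code> are simply
absent when it is false, so a daemon that has no business on the network
cannot bind a port even if it is compromised.
</p>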
<h2>Testing Status</h2>
<p>
A very minimal Red Hat Enterprise Linux 4 system with the following RPMs
installed can be booted successfully in enforcing mode with Reference Policy,
and users can log in locally:
</p>
<ul>
<li>libgcc-3.4.3-9.EL4</li>
<li>rootfiles-8-1</li>
<li>filesystem-2.3.0-1</li>
<li>termcap-5.4-3</li>
<li>glibc-common-2.3.4-2</li>
<li>bzip2-libs-1.0.2-13</li>
<li>device-mapper-1.00.19-2</li>
<li>elfutils-libelf-0.97-5</li>
<li>expat-1.95.7-4</li>
<li>glib2-2.4.7-1</li>
<li>libattr-2.4.16-3</li>
<li>libcap-1.10-20</li>
<li>libsepol-1.1.1-2</li>
<li>db4-4.2.52-7.1</li>
<li>libtermcap-2.0.8-39</li>
<li>mktemp-1.5-20</li>
<li>iproute-2.6.9-3</li>
<li>less-382-4</li>
<li>pcre-4.5-3</li>
<li>usbutils-0.11-6.1</li>
<li>vim-minimal-6.3.046-0.40E.4</li>
<li>info-4.7-5</li>
<li>diffutils-2.8.1-12</li>
<li>gawk-3.1.3-10.1</li>
<li>coreutils-5.2.1-31</li>
<li>gzip-1.3.3-13</li>
<li>module-init-tools-3.1-0.pre5.3</li>
<li>procps-3.2.3-7EL</li>
<li>sed-4.1.2-4</li>
<li>MAKEDEV-3.15-2</li>
<li>sysklogd-1.4.1-26_EL</li>
<li>cracklib-2.7-29</li>
<li>pam-0.77-65.1</li>
<li>SysVinit-2.85-34</li>
<li>lvm2-2.00.31-1.0.RHEL4</li>
<li>kernel-2.6.9-5.0.5.EL</li>
<li>libuser-0.52.5-1</li>
<li>crontabs-1.10-7</li>
<li>tmpwatch-2.9.1-1</li>
<li>m4-1.4.1-16</li>
<li>mgetty-1.1.31-2</li>
<li>time-1.7-25</li>
<li>dhclient-3.0.1-12_EL</li>
<li>samhain-2.0.6-1</li>
<li>hwdata-0.146.1.EL-1</li>
<li>redhat-logos-1.1.25-1</li>
<li>setup-2.5.37-1.1</li>
<li>basesystem-8.0-4</li>
<li>tzdata-2004e-2</li>
<li>glibc-2.3.4-2</li>
<li>beecrypt-3.1.0-6</li>
<li>chkconfig-1.3.11.2-1</li>
<li>e2fsprogs-1.35-11.6.EL4</li>
<li>ethtool-1.8-4</li>
<li>gdbm-1.8.0-24</li>
<li>iputils-20020927-16</li>
<li>libacl-2.2.23-5</li>
<li>libselinux-1.19.1-7</li>
<li>libstdc++-3.4.3-9.EL4</li>
<li>mingetty-1.07-3</li>
<li>bash-3.0-19.2</li>
<li>ncurses-5.4-13</li>
<li>net-tools-1.60-37</li>
<li>popt-1.9.1-7_nonptl</li>
<li>redhat-release-4AS-2</li>
<li>hotplug-2004_04_01-7.2</li>
<li>zlib-1.2.1.2-1</li>
<li>cpio-2.5-7.EL4.1</li>
<li>findutils-4.1.20-7</li>
<li>grep-2.5.1-31</li>
<li>grub-0.95-3.1</li>
<li>readline-4.3-13</li>
<li>rpm-libs-4.3.3-7_nonptl</li>
<li>shadow-utils-4.0.3-41.1</li>
<li>rpm-4.3.3-7_nonptl</li>
<li>tar-1.14-4</li>
<li>cracklib-dicts-2.7-29</li>
<li>policycoreutils-1.18.1-4</li>
<li>util-linux-2.12a-16.EL4.6</li>
<li>udev-039-10.8.EL4</li>
<li>initscripts-7.93.11.EL-1</li>
<li>mkinitrd-4.1.18-2</li>
<li>passwd-0.68-10</li>
<li>bzip2-1.0.2-13</li>
<li>logrotate-3.7.1-2</li>
<li>libxml2-2.6.16-6</li>
<li>make-3.80-5</li>
<li>iptables-1.2.11-3.1.RHEL4</li>
<li>vixie-cron-4.1-20_EL</li>
<li>comps-4AS-0.20050107</li>
</ul>