<h1>Status</h1>
<strong>Current Version: 20051019</strong>
<p>
	See <a href="index.php?page=download">download</a> for download
	information.  Details of this release are in the <a href="html/Changelog.txt">changelog</a>.
	This release focused on updating the policy to bring it in line with
	the NSA example policy in SourceForge CVS.  Currently both strict and
	targeted policies can be built.  MLS policies can be built, but the
	policy has not been tested on running systems.  MCS support has also
	been added, but it is still experimental.  Loadable modules can
	now be built with a policy compiler that has the require-in-conditionals,
	declare-then-require, and stack-overflow patches applied.
</p>
<!--
<strong>Current Version: 20051207</strong>
<p>
	See <a href="index.php?page=download">download</a> for download
	information. Details of this release are part of the <a href="html/Changelog.txt">changelog</a>.
	This release focused on preparing the policy for use as the Fedora
	Core targeted policy.  Currently both strict and targeted policies can
	be built.  MLS policies can be built, but the policy has not been tested
	on running systems.  MCS support has also been added, and is being tested
	with the targeted policy in the Fedora development repositories (Rawhide).
</p>
-->
<p>&nbsp;</p>
<h2>Status and Tasks</h2>
<table border="1" cellspacing="0" cellpadding="3">
	<tr>
	<th class="title" colspan="3">Reference Policy Status</th>
	</tr>
	
	<tr>
	<td class="header">Task/Component</td><td class="header">Status</td><td class="header">Description</td>
	</tr>
	<tr>
		<td>Policy Structure</td>
		<td>Complete</td>
		<td>The policy is converted over to new Reference Policy structure</td>
	</tr>
	<tr>
		<td>TE Policy</td>
		<td>Conversion Ongoing</td>
		<td>Conversion of old policy to Reference Policy modules is ongoing</td>
	</tr>
	<tr>
		<td>Loadable Policy Modules</td>
		<td>Major improvements</td>
		<td>Infrastructure is in place to support both source policy and
			loadable policy modules.  Makefile support is complete.
			Loadable modules can be built with a policy compiler
			that has the require-in-conditionals,
			declare-then-require, and stack-overflow patches
			applied.</td>
	</tr>
	<tr>
		<td>Documentation Infrastructure</td>
		<td>Interfaces, templates, Booleans, and tunables complete</td>
		<td>Tools to create web pages from the module interface and
			template documentation are complete.  Global Booleans and
			tunables are supported.  Booleans and tunables local to
			individual modules are planned.</td>
	</tr>
	<tr>
		<td>Policy Documentation</td>
		<td>Ongoing</td>
		<td>Most modules are documented.</td>
	</tr>
	<tr>
		<td>Unused Modules</td>
		<td>Complete</td>
		<td>Modules can be disabled by using modules.conf.</td>
	</tr>
	<tr>
		<td>MLS Infrastructure</td>
		<td>Minor improvements</td>
		<td>MLS infrastructure added to support easy conversion between
			MLS and non-MLS policy.  The policy compiles but is
			untested.  Further investigation is needed to ensure
			the levels in the policy are correct.</td>
	</tr>
	<tr>
		<td>MCS Support</td>
		<td>Minor improvements</td>
		<td>MLS infrastructure has been extended to support MCS
			categories in users and all contexts.  MCS constraints
			have been added.  Policy has been tested in the
			targeted-mcs policy configuration.</td>
	</tr>
	<tr>
		<td>Network Infrastructure</td>
		<td>Minor improvements</td>
		<td>All network ports, nodes, and interfaces moved to
			corenetwork module, interfaces generated automatically.
			Plan to add more infrastructure for configuration of
			ports, nodes, and interfaces.</td>
	</tr>
	<tr>
		<td>User domains and roles</td>
		<td>Minor improvements</td>
		<td>Some infrastructure has been added to support per-user
			domain policy, e.g., creating the types and policy
			for ssh separately for each user.  Plan to add
			infrastructure to easily configure user domains and roles.</td>
	</tr>
	<tr>
		<td>Labeling</td>
		<td>Minor improvements</td>
		<td>All labeling moved to modules, consistent with Reference
			Policy structure. Levels can be added to the labels
			without changes to the policy.</td>
	</tr>
	<tr>
		<td>Tunables</td>
		<td>Minor improvements</td>
		<td>Tunables are documented and included in the webpage policy
			documentation.</td>
	</tr>
	<tr>
		<td>Users</td>
		<td>Unchanged</td>
		<td>Assignment of users to roles.</td>
	</tr>
	<tr>
		<td>Constraints</td>
		<td>Unchanged</td>
		<td>Plan to split up into relevant modules when loadable modules
			support this.  There are ordering problems with source
			policies.</td>
	</tr>
	<tr>
		<td>Flask</td>
		<td>Unchanged</td>
		<td>Headers for the policy, describing object classes and
			their permissions.  No planned changes.</td>
	</tr>
</table>
<p>&nbsp;</p>
<h2>Roadmap</h2>
<table cellpadding="3" cellspacing="0" border="1">
  <tbody>
    <tr>
      <th colspan="3" class="title">Reference Policy Roadmap</th>
    </tr>
    <tr>
      <td class="header">Version</td>
      <td class="header">Date</td>
      <td class="header">Description</td>
    </tr>
    <tr>
      <td>0.1</td>
      <td>June 2005</td>
      <td>Initial public release, basic policy restructuring, some infrastructure, few modules, and minimal documentation.</td>
    </tr>
    <tr>
      <td>0.2</td>
      <td>July 2005</td>
      <td>Restructuring complete, additional modules, and improved infrastructure.</td>
    </tr>
    <tr>
      <td>0.3</td>
      <td>August 2005</td>
      <td>Additional modules, documentation, and base module configuration support.</td>
    </tr>
    <tr>
      <td>0.4</td>
      <td>September 2005</td>
      <td>Additional modules, documentation, and tested loadable module support.</td>
    </tr>
    <tr>
      <td>0.5</td>
      <td>October 2005</td>
      <td>Additional modules, documentation, targeted policy, and tested MLS support</td>
    </tr>
    <tr>
      <td>0.6</td>
      <td>December 2005</td>
      <td>Additional modules, documentation, and module variations</td>
    </tr>
  </tbody>
</table>
<p>&nbsp;</p>
<h2>Policy Conversion</h2>
<p>
This phase of Reference Policy development involves converting modules
from the NSA example strict policy.  Please work from the current NSA example policy
in <a href="http://cvs.sourceforge.net/viewcvs.py/selinux/nsa/selinux-usr/policy/">
NSA SourceForge CVS</a>.
We ask that modules in the targeted policy be given first priority,
and modules in the strict policy but not in the targeted policy second priority.
For those who wish to contribute, here is a listing of the modules that need to be
converted:
</p>
<table cellpadding="3" cellspacing="0" border="1">
  <tbody>
    <tr>
      <th colspan="3" class="title">Policy Module Status</th>
    </tr>
    <tr>
      <td class="header">Module Name</td>
      <td class="header">Previous Policy Files</td>
      <td class="header">Assigned To</td>
    </tr>
    <tr>
      <td>amavis</td>
      <td>amavis.te amavis.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>asterisk</td>
      <td>asterisk.te asterisk.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>audio-entropy</td>
      <td>audio-entropyd.te audio-entropyd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>authbind</td>
      <td>authbind.te authbind.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>automount +</td>
      <td>automount.te automount.fc</td>
      <td>Tresys</td>
    </tr>
    <tr>
      <td>backup</td>
      <td>backup.te backup.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>bonobo +</td>
      <td>bonobo.te bonobo.fc bonobo_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>browser +</td>
      <td>mozilla.te mozilla.fc mozilla_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>calamaris</td>
      <td>calamaris.te calamaris.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>cdrecord +</td>
      <td>cdrecord.te cdrecord.fc cdrecord_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>certwatch +</td>
      <td>certwatch.te certwatch.fc</td>
      <td>Tresys</td>
    </tr>
    <tr>
      <td>cipe</td>
      <td>ciped.te ciped.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>clamav</td>
      <td>clamav.te clamav.fc clamav_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>courier</td>
      <td>courier.te courier.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>daemontools</td>
      <td>daemontools.te daemontools.fc daemontools_macros.te</td>
      <td>Tresys</td>
    </tr>
    <tr>
      <td>dante</td>
      <td>dante.te dante.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>dcc</td>
      <td>dcc.te dcc.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>ddclient</td>
      <td>ddclient.te ddclient.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>ddcprobe +</td>
      <td>ddcprobe.te ddcprobe.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>djbdns</td>
      <td>djbdns.te djbdns.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>dnsmasq</td>
      <td>dnsmasq.te dnsmasq.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>dpkg</td>
      <td>dpkg.te dpkg.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>ethereal +</td>
      <td>ethereal.te ethereal.fc ethereal_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>evolution +</td>
      <td>evolution.te evolution.fc evolution_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>fetchmail +</td>
      <td>fetchmail.te fetchmail.fc</td>
      <td>Tresys</td>
    </tr>
    <tr>
      <td>fontconfig +</td>
      <td>fontconfig.te fontconfig.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>gatekeeper</td>
      <td>gatekeeper.te gatekeeper.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>gconf +</td>
      <td>gconf.te gconf.fc gconf_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>games +</td>
      <td>games.te games.fc games_domain.te</td>
      <td></td>
    </tr>
    <tr>
      <td>gift</td>
      <td>gift.te gift.fc gift_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>gnome +</td>
      <td>gnome.te gnome.fc gnome_macros.te gnome_vfs.te gnome_vfs.fc gnome_vfs_macros.te gnome-pty-helper.te gnome-pty-helper.fc gph_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>iceauth +</td>
      <td>iceauth.te iceauth.fc iceauth_macros ice_macros.te(?)</td>
      <td></td>
    </tr>
    <tr>
      <td>imazesrv</td>
      <td>imazesrv.te imazesrv.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>irc +</td>
      <td>irc.te irc.fc irc_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>ircd</td>
      <td>ircd.te ircd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>jabber</td>
      <td>jabberd.te jabberd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>java +</td>
      <td>java.te java.fc java_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>lcd</td>
      <td>lcd.te lcd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>lockdev +</td>
      <td>lockdev.te lockdev.fc lockdev_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>lrr</td>
      <td>lrrd.te lrrd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>monop</td>
      <td>monopd.te monopd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>mplayer +</td>
      <td>mplayer.te mplayer.fc mplayer_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>mrtg +</td>
      <td>mrtg.te mrtg.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>nagios</td>
      <td>nagios.te nagios.fc nrpe.te nrpe.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>nessus</td>
      <td>nessusd.te nessusd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>nsd</td>
      <td>nsd.te nsd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>nx</td>
      <td>nx_server.te nx_server.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>oav-update</td>
      <td>oav-update.te oav-update.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>openca</td>
      <td>openca-ca.te openca-ca.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>openct +</td>
      <td>openct.te openct.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>orbit +</td>
      <td>orbit.te orbit.fc orbit_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>perdition</td>
      <td>perdition.te perdition.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>portslave</td>
      <td>portslave.te portslave.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>prelink +</td>
      <td>prelink.te prelink.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>publicfile</td>
      <td>publicfile.te publicfile.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>pxe</td>
      <td>pxe.te pxe.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>pyzor</td>
      <td>pyzor.te pyzor.fc pyzor_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>razor</td>
      <td>razor.te razor.fc razor_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>rdisc</td>
      <td>rdisc.te rdisc.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>resmgr</td>
      <td>resmgrd.te resmgrd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>rhgb +</td>
      <td>rhgb.te rhgb.fc rhgb_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>rssh</td>
      <td>rssh.te rssh.fc rssh_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>scannerdaemon</td>
      <td>scannerdaemon.te scannerdaemon.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>screen +</td>
      <td>screen.te screen.fc screen_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>slocate +</td>
      <td>slocate.te slocate.fc slocate_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>slrnpull +</td>
      <td>slrnpull.te slrnpull.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>snort</td>
      <td>snort.te snort.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>sound +</td>
      <td>alsa.te alsa.fc sound.te sound.fc sound-server.te sound-server.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>speedtouch</td>
      <td>speedmgmt.te speedmgmt.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>sxid</td>
      <td>sxid.te sxid.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>sysstat +</td>
      <td>sysstat.te sysstat.fc</td>
      <td>Tresys</td>
    </tr>
    <tr>
      <td>thunderbird +</td>
      <td>thunderbird.te thunderbird.fc thunderbird_macros.te mail_client_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>timidity +</td>
      <td>timidity.te timidity.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>tinydns</td>
      <td>tinydns.te tinydns.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>transproxy</td>
      <td>transproxy.te transproxy.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>tripwire</td>
      <td>tripwire.te tripwire.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>tvtime +</td>
      <td>tvtime.te tvtime.fc tvtime_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>ucspi-tcp</td>
      <td>ucspi-tcp.te ucspi-tcp.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>uml +</td>
      <td>uml.te uml.fc uml_macros.te uml_net.te uml_net.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>uptimed</td>
      <td>uptimed.te uptimed.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>userhelper +</td>
      <td>userhelper.te userhelper.fc userhelper_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>usernetctl +</td>
      <td>usernetctl.te usernetctl.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>uwimap</td>
      <td>uwimapd.te uwimapd.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>vmware +</td>
      <td>vmware.te vmware.fc vmware_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>watchdog</td>
      <td>watchdog.te watchdog.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>xdm *+</td>
      <td>xdm.te xdm.fc xdm_macros.te</td>
      <td>Tresys</td>
    </tr>
    <tr>
      <td>xprint</td>
      <td>xprint.te xprint.fc</td>
      <td></td>
    </tr>
    <tr>
      <td>xserver +</td>
      <td>xserver.te xserver.fc xserver_macros.te xauth.te xauth.fc xauth_macros.te</td>
      <td></td>
    </tr>
    <tr>
      <td>yam</td>
      <td>yam.te yam.fc</td>
      <td></td>
    </tr>
    <tr>
      <td colspan="3">(*) Modules in the Fedora targeted policy</td>
    </tr>
    <tr>
      <td colspan="3">(+) Modules in the Fedora strict policy</td>
    </tr>
  </tbody>
</table>
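<p>
As an added illustration of the target format (written for this page; it is not a
module from Reference Policy or from the NSA example policy), the skeleton below shows
the shape a converted daemon module takes: a <code>.te</code> file declaring the domain
and its types, a <code>.if</code> file exposing an interface for other modules, a
<code>.fc</code> file carrying the file labels, and the <code>modules.conf</code> line
that turns the module on as a loadable module (the Unused Modules row above describes
the same file being used to turn modules off).  The daemon name <code>foo</code>, its
paths, the tunable name, and the specific interface calls are assumptions for
illustration; check each interface name against the <code>.if</code> files of the
Reference Policy version you build against, since names changed between releases.
</p>

```m4
# policy/modules/services/foo.te  (hypothetical daemon "foo"; example, not refpolicy code)
policy_module(foo, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow foo to send and receive on all network interfaces.
## </p>
## </desc>
gen_tunable(foo_connect_network, false)

type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

type foo_var_run_t;
files_pid_file(foo_var_run_t)

type foo_log_t;
logging_log_file(foo_log_t)

########################################
#
# Local policy
#

# the daemon creates and rewrites its pid file under /var/run
allow foo_t foo_var_run_t:file manage_file_perms;
files_pid_filetrans(foo_t, foo_var_run_t, file)

# and appends to its own log file under /var/log
allow foo_t foo_log_t:file { create append getattr };
logging_log_filetrans(foo_t, foo_log_t, file)

# the old example policy would grant this unconditionally; in the
# reference policy it becomes a tunable so a site can switch it off
tunable_policy(`foo_connect_network',`
	corenet_tcp_sendrecv_all_if(foo_t)
	corenet_tcp_sendrecv_all_nodes(foo_t)
')

# policy/modules/services/foo.if
## <summary>Hypothetical daemon foo (example interface file).</summary>

########################################
## <summary>
##	Execute foo in the foo domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`foo_domtrans',`
	gen_require(`
		type foo_t, foo_exec_t;
	')

	domain_auto_trans($1, foo_exec_t, foo_t)

	allow $1 foo_t:fd use;
	allow foo_t $1:fd use;
	allow foo_t $1:fifo_file rw_file_perms;
	allow foo_t $1:process sigchld;
')

# policy/modules/services/foo.fc
# gen_context() carries the MLS/MCS level, so one .fc file serves
# the non-MLS, MLS and MCS builds (the Labeling row above)
/usr/sbin/foo		--	gen_context(system_u:object_r:foo_exec_t,s0)
/var/run/foo\.pid	--	gen_context(system_u:object_r:foo_var_run_t,s0)
/var/log/foo\.log	--	gen_context(system_u:object_r:foo_log_t,s0)

# policy/modules.conf: one line per module, value is base, module or off
foo = module
```

<p>
Compared with the old <code>foo.te</code>/<code>foo.fc</code> pair, the work of a
conversion is mostly replacing raw <code>allow</code> rules against other modules'
types with calls to their interfaces (here <code>files_pid_file</code>,
<code>logging_log_file</code>, <code>corenet_*</code>), and moving anything the
daemon exports for other domains into its own <code>.if</code> file so that it can be
called through <code>gen_require</code> from a loadable module.
</p>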

<h2>Testing Status</h2>
<p>
Reference Policy is now included in the Fedora development repositories
(Rawhide) as the targeted and MLS policies.  These packages are the easiest way to test
Reference Policy.  They should be included in Fedora beginning with Fedora Core 5
test 2.
</p>