<h1>Status</h1>
<strong>Current Version: 20050907</strong>
<p>
See <a href="index.php?page=download">download</a> for download
information. Details of this release are part of the <a href="html/Changelog.txt">changelog</a>.
This release focused on adding policies from the NSA example
policy. Both strict and targeted policies can currently be
built. MLS policies can also be built, but the MLS policy has not yet been
tested on a running system.
</p>
<p> </p>
<h2>Status and Tasks</h2>
<table border="1" cellspacing="0" cellpadding="3">
<tr>
<th class="title" colspan="3">Reference Policy Status</th>
</tr>
<tr>
<td class="header">Task/Component</td><td class="header">Status</td><td class="header">Description</td>
</tr>
<tr>
<td>Policy Structure</td>
<td>Complete</td>
<td>The policy is converted over to new Reference Policy structure</td>
</tr>
<tr>
<td>TE Policy</td>
<td>Conversion Ongoing</td>
<td>Conversion of old policy to Reference Policy modules is ongoing</td>
</tr>
<tr>
<td>Loadable Policy Modules</td>
<td>Major improvements</td>
<td>Infrastructure is in place to support both source policy and
loadable policy modules. Makefile support completed.</td>
</tr>
<tr>
<td>Documentation Infrastructure</td>
<td>Interfaces, templates, Booleans, and tunables complete</td>
<td>Tools to create webpages from the module interface and
template documentation are complete. Global Booleans and
tunables are supported. Booleans and tunables local to
individual policies are planned.</td>
</tr>
<tr>
<td>Policy Documentation</td>
<td>Ongoing</td>
<td>Most modules are documented.</td>
</tr>
<tr>
<td>Unused Modules</td>
<td>Complete</td>
<td>Modules can be disabled by using modules.conf.</td>
</tr>
<tr>
<td>MLS Infrastructure</td>
<td>Minor improvements</td>
<td>MLS infrastructure added to support easy conversion between
MLS and non-MLS policy. Policy is compilable, but
untested. Need further investigations to ensure
the levels in the policy are correct.</td>
</tr>
<tr>
<td>Network Infrastructure</td>
<td>Minor improvements</td>
<td>All network ports, nodes, and interfaces moved to
corenetwork module, interfaces generated automatically.
Plan to add more infrastructure for configuration of
ports, nodes, and interfaces.</td>
</tr>
<tr>
<td>User domains and roles</td>
<td>Minor improvements</td>
<td>Some infrastructure added to support per-user domain policy,
e.g., to create types and policy for ssh,
for each user. Plan to add infrastructure to easily
configure userdomains and roles.</td>
</tr>
<tr>
<td>Labeling</td>
<td>Minor improvements</td>
<td>All labeling moved to modules, consistent with Reference
Policy structure. Levels can be added to the labels
without changes to the policy.</td>
</tr>
<tr>
<td>Tunables</td>
<td>Minor improvements</td>
<td>Tunables are documented and included in the webpage policy
documentation.</td>
</tr>
<tr>
<td>Users</td>
<td>Unchanged</td>
<td>Assignment of users to roles.</td>
</tr>
<tr>
<td>Constraints</td>
<td>Unchanged</td>
<td>Plan to split up into relevant modules when loadable modules
support this. There are ordering problems with source
policies.</td>
</tr>
<tr>
<td>Flask</td>
<td>Unchanged</td>
<td>Headers for the policy describing object classes and
their permissions. No planned changes.</td>
</tr>
<tr>
<td>Genhomedircon</td>
<td>Unchanged</td>
<td>Tool to properly label users' home directories.
No planned changes.</td>
</tr>
</table>
<p> </p>
<h2>Roadmap</h2>
<table cellpadding="3" cellspacing="0" border="1">
<tbody>
<tr>
<th colspan="3" class="title">Reference Policy Roadmap</th>
</tr>
<tr>
<td class="header">Version</td>
<td class="header">Date</td>
<td class="header">Description</td>
</tr>
<tr>
<td>0.1</td>
<td>June 2005</td>
<td>Initial public release, basic policy restructuring, some infrastructure, few modules, and minimal documentation.</td>
</tr>
<tr>
<td>0.2</td>
<td>July 2005</td>
<td>Restructuring complete, additional modules, and improved infrastructure.</td>
</tr>
<tr>
<td>0.3</td>
<td>August 2005</td>
<td>Additional modules, documentation, and base module configuration support.</td>
</tr>
<tr>
<td>0.4</td>
<td>September 2005</td>
<td>Additional modules, documentation, and tested loadable module support.</td>
</tr>
<tr>
<td>0.5</td>
<td>October 2005</td>
<td>Additional modules, documentation, targeted policy, and tested MLS support</td>
</tr>
<tr>
<td>0.6</td>
<td>December 2005</td>
<td>Additional modules, documentation, and module variations</td>
</tr>
</tbody>
</table>
<p> </p>
<h2>Policy Conversion</h2>
<p>
This phase of Reference Policy development involves converting policies
from the example strict policy. We have been using the Fedora strict policy
version 1.23.2-1 as the baseline for conversion; it is available
on the <a href="index.php?page=download">download</a> page. Once these policies
have been added to Reference Policy, they can be updated to match current
versions of the NSA example policy. For those who wish to contribute, here
is a listing of modules which still need to be converted:
</p>
<table cellpadding="3" cellspacing="0" border="1">
<tbody>
<tr>
<th colspan="3" class="title">Policy Module Status</th>
</tr>
<tr>
<td class="header">Module Name</td>
<td class="header">Previous Policy Files</td>
<td class="header">Assigned To</td>
</tr>
<tr>
<td>amanda</td>
<td>amanda.te amanda.fc</td>
<td></td>
</tr>
<tr>
<td>anaconda</td>
<td>anaconda.te anaconda.fc</td>
<td></td>
</tr>
<tr>
<td>apache</td>
<td>apache.te apache.fc apache_macros.te</td>
<td>Tresys</td>
</tr>
<tr>
<td>arpwatch</td>
<td>arpwatch.te arpwatch.fc</td>
<td></td>
</tr>
<tr>
<td>automount</td>
<td>automount.te automount.fc</td>
<td></td>
</tr>
<tr>
<td>bluetooth</td>
<td>bluetooth.te bluetooth.fc</td>
<td></td>
</tr>
<tr>
<td>bonobo</td>
<td>bonobo.te bonobo.fc bonobo_macros.te</td>
<td></td>
</tr>
<tr>
<td>browser</td>
<td>mozilla.te mozilla.fc mozilla_macros.te</td>
<td></td>
</tr>
<tr>
<td>cdrecord</td>
<td>cdrecord.te cdrecord.fc cdrecord_macros.te</td>
<td></td>
</tr>
<tr>
<td>certwatch</td>
<td>certwatch.te certwatch.fc</td>
<td></td>
</tr>
<tr>
<td>cvs</td>
<td>cvs.te cvs.fc</td>
<td></td>
</tr>
<tr>
<td>cyrus</td>
<td>cyrus.te cyrus.fc</td>
<td></td>
</tr>
<tr>
<td>ddcprobe</td>
<td>ddcprobe.te ddcprobe.fc</td>
<td></td>
</tr>
<tr>
<td>dmidecode</td>
<td>dmidecode.te dmidecode.fc</td>
<td></td>
</tr>
<tr>
<td>dovecot</td>
<td>dovecot.te dovecot.fc</td>
<td></td>
</tr>
<tr>
<td>ethereal</td>
<td>ethereal.te ethereal.fc ethereal_macros.te</td>
<td></td>
</tr>
<tr>
<td>fetchmail</td>
<td>fetchmail.te fetchmail.fc</td>
<td></td>
</tr>
<tr>
<td>finger</td>
<td>fingerd.te fingerd.fc fingerd_macros.te</td>
<td></td>
</tr>
<tr>
<td>fontconfig</td>
<td>fontconfig.te fontconfig.fc</td>
<td></td>
</tr>
<tr>
<td>ftp</td>
<td>ftpd.te ftpd.fc</td>
<td></td>
</tr>
<tr>
<td>gconf</td>
<td>gconf.te gconf.fc gconf_macros.te</td>
<td></td>
</tr>
<tr>
<td>games</td>
<td>games.te games.fc games_domain.te</td>
<td></td>
</tr>
<tr>
<td>gnome</td>
<td>gnome.te gnome.fc gnome_macros.te gnome_vfs.te gnome_vfs.fc gnome_vfs_macros.te gnome-pty-helper.te gnome-pty-helper.fc gph_macros.te</td>
<td></td>
</tr>
<tr>
<td>iceauth</td>
<td>iceauth.te iceauth.fc iceauth_macros ice_macros.te(?)</td>
<td></td>
</tr>
<tr>
<td>irc</td>
<td>irc.te irc.fc irc_macros.te</td>
<td></td>
</tr>
<tr>
<td>irqbalance</td>
<td>irqbalance.te irqbalance.fc</td>
<td></td>
</tr>
<tr>
<td>java</td>
<td>java.te java.fc java_macros.te</td>
<td></td>
</tr>
<tr>
<td>kudzu</td>
<td>kudzu.te kudzu.fc</td>
<td></td>
</tr>
<tr>
<td>lockdev</td>
<td>lockdev.te lockdev.fc lockdev_macros.te</td>
<td></td>
</tr>
<tr>
<td>mailman</td>
<td>mailman.te mailman.fc</td>
<td></td>
</tr>
<tr>
<td>mplayer</td>
<td>mplayer.te mplayer.fc mplayer_macros.te</td>
<td></td>
</tr>
<tr>
<td>mrtg</td>
<td>mrtg.te mrtg.fc</td>
<td></td>
</tr>
<tr>
<td>openct</td>
<td>openct.te openct.fc</td>
<td></td>
</tr>
<tr>
<td>orbit</td>
<td>orbit.te orbit.fc orbit_macros.te</td>
<td></td>
</tr>
<tr>
<td>postfix</td>
<td>postfix.te postfix.fc</td>
<td></td>
</tr>
<tr>
<td>ppp</td>
<td>pppd.te pppd.fc</td>
<td></td>
</tr>
<tr>
<td>prelink</td>
<td>prelink.te prelink.fc</td>
<td></td>
</tr>
<tr>
<td>print</td>
<td>cups.te cups.fc lpd.te lpd.fc lpr_macros.te</td>
<td>Tresys</td>
</tr>
<tr>
<td>procmail</td>
<td>procmail.te procmail.fc</td>
<td></td>
</tr>
<tr>
<td>radius</td>
<td>radius.te radius.fc</td>
<td></td>
</tr>
<tr>
<td>radvd</td>
<td>radvd.te radvd.fc</td>
<td></td>
</tr>
<tr>
<td>rlogin</td>
<td>rlogind.te rlogind.fc login_macros.te</td>
<td>Tresys</td>
</tr>
<tr>
<td>sasl</td>
<td>saslauthd.te saslauthd.fc</td>
<td></td>
</tr>
<tr>
<td>screen</td>
<td>screen.te screen.fc screen_macros.te</td>
<td></td>
</tr>
<tr>
<td>slocate</td>
<td>slocate.te slocate.fc slocate_macros.te</td>
<td></td>
</tr>
<tr>
<td>slrnpull</td>
<td>slrnpull.te slrnpull.fc</td>
<td></td>
</tr>
<tr>
<td>sound</td>
<td>alsa.te alsa.fc sound.te sound.fc</td>
<td></td>
</tr>
<tr>
<td>spamassassin</td>
<td>spamassassin.te spamc.te spamd.te spamassassin.fc spamc.fc spamd.fc spamassassin_macros.te</td>
<td></td>
</tr>
<tr>
<td>stunnel</td>
<td>stunnel.te stunnel.fc</td>
<td></td>
</tr>
<tr>
<td>sysstat</td>
<td>sysstat.te sysstat.fc</td>
<td></td>
</tr>
<tr>
<td>telnet</td>
<td>telnetd.te telnetd.fc</td>
<td></td>
</tr>
<tr>
<td>thunderbird</td>
<td>thunderbird.te thunderbird.fc thunderbird_macros.te mail_client_macros.te</td>
<td></td>
</tr>
<tr>
<td>timidity</td>
<td>timidity.te timidity.fc</td>
<td></td>
</tr>
<tr>
<td>tvtime</td>
<td>tvtime.te tvtime.fc tvtime_macros.te</td>
<td></td>
</tr>
<tr>
<td>uml</td>
<td>uml.te uml.fc uml_macros.te</td>
<td></td>
</tr>
<tr>
<td>userhelper</td>
<td>userhelper.te userhelper.fc userhelper_macros.te</td>
<td></td>
</tr>
<tr>
<td>usernetctl</td>
<td>usernetctl.te usernetctl.fc</td>
<td></td>
</tr>
<tr>
<td>uucp</td>
<td>uucpd.te uucpd.fc</td>
<td></td>
</tr>
<tr>
<td>vmware</td>
<td>vmware.te vmware.fc vmware_macros.te</td>
<td></td>
</tr>
<tr>
<td>vpn</td>
<td>vpnc.te vpnc.fc</td>
<td></td>
</tr>
<tr>
<td>webalizer</td>
<td>webalizer.te webalizer.fc</td>
<td></td>
</tr>
<tr>
<td>winbind</td>
<td>winbind.te winbind.fc</td>
<td></td>
</tr>
<tr>
<td>xdm</td>
<td>xdm.te xdm.fc xdm_macros.te</td>
<td></td>
</tr>
<tr>
<td>xfs</td>
<td>xfs.te xfs.fc</td>
<td></td>
</tr>
<tr>
<td>xserver</td>
<td>xserver.te xserver.fc xserver_macros.te xauth.te xauth.fc xauth_macros.te</td>
<td></td>
</tr>
</tbody>
</table>
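<p>
What a converted module looks like, as an added illustrative skeleton for the
stunnel entry in the list above. This is not the project's own stunnel module and
not code from the 20050907 release; it also shows the modules.conf entry that the
Unused Modules row of the status table refers to. The file paths, the
stunnel_etc_t type, and the interface and macro calls (init_daemon_domain,
files_type, files_read_etc_files, logging_send_syslog_msg, domain_auto_trans,
rw_file_perms, gen_context) are assumptions about the Reference Policy
infrastructure and must be checked against the generated interface documentation
of the release you are converting against. The old stunnel.te and stunnel.fc
contents are not reproduced here, so the allow rules are placeholders rather than
a conversion of those files. The four files are shown in one listing, separated
by comment banners.
</p>

```m4
########################################
#
# stunnel.te -- type enforcement rules for the new module
#
policy_module(stunnel, 0.1)

########################################
#
# Declarations
#

# Daemon domain and its entry point executable.
type stunnel_t;
type stunnel_exec_t;
init_daemon_domain(stunnel_t, stunnel_exec_t)

# Configuration files (assumed type name).
type stunnel_etc_t;
files_type(stunnel_etc_t)

########################################
#
# Local policy (placeholder rules; a real conversion carries
# over the rules from the old stunnel.te)
#

allow stunnel_t stunnel_etc_t:dir { getattr search read };
allow stunnel_t stunnel_etc_t:file { getattr read };

files_read_etc_files(stunnel_t)
logging_send_syslog_msg(stunnel_t)

########################################
#
# stunnel.if -- interfaces other modules call; the ## XML comments
# feed the documentation generator described in the status table
#
## <summary>Universal SSL tunnel (illustrative skeleton)</summary>

########################################
## <summary>
##	Execute stunnel in the stunnel domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`stunnel_domtrans',`
	gen_require(`
		type stunnel_t, stunnel_exec_t;
	')

	domain_auto_trans($1, stunnel_exec_t, stunnel_t)

	allow $1 stunnel_t:fd use;
	allow stunnel_t $1:fd use;
	allow stunnel_t $1:fifo_file rw_file_perms;
	allow stunnel_t $1:process sigchld;
')

########################################
#
# stunnel.fc -- file contexts; gen_context() carries the MLS level,
# so the same file serves MLS and non-MLS builds (assumed paths)
#
/usr/sbin/stunnel	--	gen_context(system_u:object_r:stunnel_exec_t,s0)
/etc/stunnel(/.*)?		gen_context(system_u:object_r:stunnel_etc_t,s0)

########################################
#
# policy/modules.conf -- build the module as a loadable module;
# "base" links it into the base module, "off" leaves it out
#
# Layer: services
# Module: stunnel
#
# Universal SSL tunnel
#
stunnel = module
```

<p>
Before submitting a conversion, diff the old .te against the new module to
confirm that every allow rule was either carried over or replaced by an
interface call from another module, and check that the module's interfaces
appear in the generated webpage documentation; a missing or malformed
<code>## &lt;summary&gt;</code> block is the usual reason they do not.
</p>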
<h2>Testing Status</h2>
<p>
The policy has successfully been booted and runs on a Fedora Core 4
installation using a targeted Reference Policy. See the
<a href="index.php?page=switch">switching guide</a> to switch a Fedora system
over to a targeted Reference Policy configuration.
A very minimal Red Hat Enterprise Linux 4 system with the following RPMs
can be successfully booted in enforcing mode, and users can log in locally,
with a strict Reference Policy:
</p>
<ul>
<li>libgcc-3.4.3-9.EL4</li>
<li>rootfiles-8-1</li>
<li>filesystem-2.3.0-1</li>
<li>termcap-5.4-3</li>
<li>glibc-common-2.3.4-2</li>
<li>bzip2-libs-1.0.2-13</li>
<li>device-mapper-1.00.19-2</li>
<li>elfutils-libelf-0.97-5</li>
<li>expat-1.95.7-4</li>
<li>glib2-2.4.7-1</li>
<li>libattr-2.4.16-3</li>
<li>libcap-1.10-20</li>
<li>libsepol-1.1.1-2</li>
<li>db4-4.2.52-7.1</li>
<li>libtermcap-2.0.8-39</li>
<li>mktemp-1.5-20</li>
<li>iproute-2.6.9-3</li>
<li>less-382-4</li>
<li>pcre-4.5-3</li>
<li>usbutils-0.11-6.1</li>
<li>vim-minimal-6.3.046-0.40E.4</li>
<li>info-4.7-5</li>
<li>diffutils-2.8.1-12</li>
<li>gawk-3.1.3-10.1</li>
<li>coreutils-5.2.1-31</li>
<li>gzip-1.3.3-13</li>
<li>module-init-tools-3.1-0.pre5.3</li>
<li>procps-3.2.3-7EL</li>
<li>sed-4.1.2-4</li>
<li>MAKEDEV-3.15-2</li>
<li>sysklogd-1.4.1-26_EL</li>
<li>cracklib-2.7-29</li>
<li>pam-0.77-65.1</li>
<li>SysVinit-2.85-34</li>
<li>lvm2-2.00.31-1.0.RHEL4</li>
<li>kernel-2.6.9-5.0.5.EL</li>
<li>libuser-0.52.5-1</li>
<li>crontabs-1.10-7</li>
<li>tmpwatch-2.9.1-1</li>
<li>m4-1.4.1-16</li>
<li>mgetty-1.1.31-2</li>
<li>time-1.7-25</li>
<li>dhclient-3.0.1-12_EL</li>
<li>samhain-2.0.6-1</li>
<li>hwdata-0.146.1.EL-1</li>
<li>redhat-logos-1.1.25-1</li>
<li>setup-2.5.37-1.1</li>
<li>basesystem-8.0-4</li>
<li>tzdata-2004e-2</li>
<li>glibc-2.3.4-2</li>
<li>beecrypt-3.1.0-6</li>
<li>chkconfig-1.3.11.2-1</li>
<li>e2fsprogs-1.35-11.6.EL4</li>
<li>ethtool-1.8-4</li>
<li>gdbm-1.8.0-24</li>
<li>iputils-20020927-16</li>
<li>libacl-2.2.23-5</li>
<li>libselinux-1.19.1-7</li>
<li>libstdc++-3.4.3-9.EL4</li>
<li>mingetty-1.07-3</li>
<li>bash-3.0-19.2</li>
<li>ncurses-5.4-13</li>
<li>net-tools-1.60-37</li>
<li>popt-1.9.1-7_nonptl</li>
<li>redhat-release-4AS-2</li>
<li>hotplug-2004_04_01-7.2</li>
<li>zlib-1.2.1.2-1</li>
<li>cpio-2.5-7.EL4.1</li>
<li>findutils-4.1.20-7</li>
<li>grep-2.5.1-31</li>
<li>grub-0.95-3.1</li>
<li>readline-4.3-13</li>
<li>rpm-libs-4.3.3-7_nonptl</li>
<li>shadow-utils-4.0.3-41.1</li>
<li>rpm-4.3.3-7_nonptl</li>
<li>tar-1.14-4</li>
<li>cracklib-dicts-2.7-29</li>
<li>policycoreutils-1.18.1-4</li>
<li>util-linux-2.12a-16.EL4.6</li>
<li>udev-039-10.8.EL4</li>
<li>initscripts-7.93.11.EL-1</li>
<li>mkinitrd-4.1.18-2</li>
<li>passwd-0.68-10</li>
<li>bzip2-1.0.2-13</li>
<li>logrotate-3.7.1-2</li>
<li>libxml2-2.6.16-6</li>
<li>make-3.80-5</li>
<li>iptables-1.2.11-3.1.RHEL4</li>
<li>vixie-cron-4.1-20_EL</li>
<li>comps-4AS-0.20050107</li>
</ul>