diff --git a/booleans-mls.conf b/booleans-mls.conf
new file mode 100644
index 0000000..f3803e3
--- /dev/null
+++ b/booleans-mls.conf
@@ -0,0 +1,208 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+#
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+#
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+#
+allow_execstack = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+#
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+#
+allow_gssd_read_tmp = false
+
+# Allow Apache to modify public filesused for public file transfer services.
+#
+allow_httpd_anon_write = false
+
+# Allow system to run with kerberos
+#
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+#
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+#
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+#
+allow_smbd_anon_write = false
+
+# Allow sysadm to ptrace all processes
+#
+allow_ptrace = false
+
+# Allow system to run with NIS
+#
+allow_ypbind = false
+
+# Enable extra rules in the cron domainto support fcron.
+#
+fcron_crond = false
+
+# Allow ftp to read and write files in the user home directories
+#
+ftp_home_dir = false
+
+# Allow ftpd to run directly without inetd
+#
+ftpd_is_daemon = true
+
+# Allow httpd to use built in scripting (usually php)
+#
+httpd_builtin_scripting = false
+
+# Allow http daemon to tcp connect
+#
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+#
+httpd_enable_cgi = false
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+#
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+#
+httpd_enable_homedirs = false
+
+# Run SSI execs in system CGI script domain.
+#
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+#
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+#
+httpd_unified = false
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+#
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+#
+nfs_export_all_rw = false
+
+# Allow nfs to be exported read only
+#
+nfs_export_all_ro = false
+
+# Allow pppd to load kernel modules for certain modems
+#
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+#
+read_default_t = false
+
+# Allow ssh to run from inetd instead of as a daemon.
+#
+run_ssh_inetd = false
+
+# Allow samba to export user home directories.
+#
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+#
+squid_connect_any = false
+
+# Allow ssh logins as sysadm_r:sysadm_t
+#
+ssh_sysadm_login = false
+
+# Configure stunnel to be a standalone daemon orinetd service.
+#
+stunnel_is_daemon = false
+
+# Support NFS home directories
+#
+use_nfs_home_dirs = false
+
+# Support SAMBA home directories
+#
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+#
+user_ping = false
+
+# Allow gpg executable stack
+#
+allow_gpg_execstack = false
+
+# allow host key based authentication
+#
+allow_ssh_keysign = false
+
+# Allow users to connect to mysql
+#
+allow_user_mysql_connect = false
+
+# Allow system cron jobs to relabel filesystemfor restoring file contexts.
+#
+cron_can_relabel = false
+
+# Allow pppd to be run for a regular user
+#
+pppd_for_user = false
+
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+#
+read_untrusted_content = false
+
+# Allow user spamassassin clients to use the network.
+#
+spamassassin_can_network = false
+
+# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
+#
+staff_read_sysadm_file = false
+
+# Allow regular users direct mouse access
+#
+user_direct_mouse = false
+
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+# Allow users to control network interfaces(also needs USERCTL=true)
+#
+user_net_control = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+#
+user_rw_noexattrfile = false
+
+# Allow users to rw usb devices
+#
+user_rw_usb = false
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
+#
+user_tcp_server = false
+
+# Allow w to display everyone
+#
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+#
+write_untrusted_content = false
+
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
new file mode 100644
index 0000000..f35a0db
--- /dev/null
+++ b/booleans-targeted.conf
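Review bot: `allow_kerberos = true` and `ftpd_is_daemon = true` are the only booleans left enabled in a profile that otherwise sets every tunable to false, and nothing in the file says why an MLS build should differ from the deny-everything baseline for exactly these two. If Kerberos authentication is not a requirement of the mls target, `allow_kerberos = false` keeps the profile consistent; if it is, a comment above the line stating the requirement would stop a later reviewer from "fixing" it. The file also has no header naming the policy type it belongs to or what consumes it, unlike the modules files, so a first line such as `# Default boolean values for the mls policy type (installed by selinux-policy.spec)` would help — I am inferring from the spec's third build that this is the mls install input; the copy step itself is not visible in this diff.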
@@ -0,0 +1,208 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+#
+allow_execmem = true
+
+# Allow making a modified private filemapping executable (text relocation).
+#
+allow_execmod = true
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+#
+allow_execstack = true
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+#
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+#
+allow_gssd_read_tmp = true
+
+# Allow Apache to modify public filesused for public file transfer services.
+#
+allow_httpd_anon_write = false
+
+# Allow system to run with kerberos
+#
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+#
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+#
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+#
+allow_smbd_anon_write = false
+
+# Allow sysadm to ptrace all processes
+#
+allow_ptrace = false
+
+# Allow system to run with NIS
+#
+allow_ypbind = false
+
+# Enable extra rules in the cron domainto support fcron.
+#
+fcron_crond = false
+
+# Allow ftp to read and write files in the user home directories
+#
+ftp_home_dir = false
+
+# Allow ftpd to run directly without inetd
+#
+ftpd_is_daemon = true
+
+# Allow httpd to use built in scripting (usually php)
+#
+httpd_builtin_scripting = true
+
+# Allow http daemon to tcp connect
+#
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+#
+httpd_enable_cgi = true
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+#
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+#
+httpd_enable_homedirs = true
+
+# Run SSI execs in system CGI script domain.
+#
+httpd_ssi_exec = true
+
+# Allow http daemon to communicate with the TTY
+#
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+#
+httpd_unified = true
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+#
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+#
+nfs_export_all_rw = true
+
+# Allow nfs to be exported read only
+#
+nfs_export_all_ro = true
+
+# Allow pppd to load kernel modules for certain modems
+#
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+#
+read_default_t = true
+
+# Allow ssh to run from inetd instead of as a daemon.
+#
+run_ssh_inetd = false
+
+# Allow samba to export user home directories.
+#
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+#
+squid_connect_any = false
+
+# Allow ssh logins as sysadm_r:sysadm_t
+#
+ssh_sysadm_login = false
+
+# Configure stunnel to be a standalone daemon orinetd service.
+#
+stunnel_is_daemon = false
+
+# Support NFS home directories
+#
+use_nfs_home_dirs = false
+
+# Support SAMBA home directories
+#
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+#
+user_ping = true
+
+# Allow gpg executable stack
+#
+allow_gpg_execstack = false
+
+# allow host key based authentication
+#
+allow_ssh_keysign = false
+
+# Allow users to connect to mysql
+#
+allow_user_mysql_connect = false
+
+# Allow system cron jobs to relabel filesystemfor restoring file contexts.
+#
+cron_can_relabel = false
+
+# Allow pppd to be run for a regular user
+#
+pppd_for_user = false
+
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+#
+read_untrusted_content = false
+
+# Allow user spamassassin clients to use the network.
+#
+spamassassin_can_network = false
+
+# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
+#
+staff_read_sysadm_file = false
+
+# Allow regular users direct mouse access
+#
+user_direct_mouse = false
+
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+# Allow users to control network interfaces(also needs USERCTL=true)
+#
+user_net_control = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+#
+user_rw_noexattrfile = false
+
+# Allow users to rw usb devices
+#
+user_rw_usb = false
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
+#
+user_tcp_server = false
+
+# Allow w to display everyone
+#
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+#
+write_untrusted_content = false
+
diff --git a/modules-mls.conf b/modules-mls.conf
new file mode 100644
index 0000000..a86d10b
--- /dev/null
+++ b/modules-mls.conf
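Review bot: `allow_execmem`, `allow_execmod` and `allow_execstack` are all set to `true` here, which switches off the policy-wide executable-memory checks (anonymous executable mappings, text relocations, executable stack) for every confined domain in the targeted build rather than for the few programs that need them; the MLS file leaves all three at `false`. Unless the targeted build is known to break without them, I would keep `allow_execmem = false`, `allow_execmod = false`, `allow_execstack = false` and enable per deployment, or at minimum add a comment above each stating which packages required it so the exception can be retired. The same applies to the httpd group: `httpd_unified = true` runs CGI in the main httpd domain, so together with `httpd_enable_cgi = true` and `httpd_ssi_exec = true` the separation between the server and the scripts it executes is gone, and `nfs_export_all_rw = true` permits read/write export of any file type by default. None of these is necessarily wrong for a permissive desktop default, but each deserves a one-line rationale, since the comment text above them only restates what the boolean means.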
@@ -0,0 +1,875 @@ +# +# This file contains a listing of available modules. +# To prevent a module from being used in policy +# creation, set the module name to "off". +# +# For monolithic policies, modules set to "base" and "module" +# will be built into the policy. +# +# For modular policies, modules set to "base" will be +# included in the base module. "module" will be compiled +# as individual loadable modules. +# + +# Layer: kernel +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Layer: kernel +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: kernel +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: kernel +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: system +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: system +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: system +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = base + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = base + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. 
+# +rpm = base + +# Layer: admin +# Module: kudzu +# +# Hardware detection and configuration tools +# +kudzu = base + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = base + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = base + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = off + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = base + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = base + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = base + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = base + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = off + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = off + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = base + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = off + +# Layer: admin +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = off + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = off + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = base + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = off + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = base + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = base + +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. 
+# +bootloader = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = base + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = base + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = base + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = base + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = base + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = base + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = base + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = base + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = base + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = base + +# Layer: services +# Module: samba +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = base + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = base + +# Layer: services +# Module: howl +# +# Port of Apple Rendezvous multicast DNS +# +howl = base + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = base + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = base + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. 
+# +remotelogin = base + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = base + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = base + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = base + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = base + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = base + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = base + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = base + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = base + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = base + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = base + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = base + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. 
+# +comsat = base + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = base + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = base + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = base + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = base + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = base + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = base + +# Layer: services +# Module: xdm +# +# X windows login display manager +# +xdm = off + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = base + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = base + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = base + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = off + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = base + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = base + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = base + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. 
+# +bluetooth = off + +# Layer: services +# Module: hal +# +# Hardware abstraction layer +# +hal = base + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = base + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = base + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = base + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = base + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = base + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = base + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = base + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = base + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = base + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = base + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = base + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = base + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = base + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = base + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = base + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = off + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = base + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. 
+# +privoxy = base + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = base + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = base + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = base + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = base + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = base + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = base + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = off + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = base + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = base + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = base + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = base + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = base + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = base + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = base + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = off + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = base + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. +# +hotplug = base + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. 
+# +clock = base + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = base + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = off + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = base + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = base + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = base + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = off + diff --git a/modules-targeted.conf b/modules-targeted.conf new file mode 100644 index 0000000..b8e9fed --- /dev/null +++ b/modules-targeted.conf 
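Review bot: `unconfined = base` builds the unconfined domain into the MLS policy, while `iptables = off`, `ipsec = off`, `sudo = off` and `logrotate = off` leave those programs with no domain of their own, so they presumably run in whichever domain invokes them (the init or cron domains for daemons and jobs). For a multilevel policy that combination is the reverse of what I would expect: the tools that configure the network boundary and escalate privilege are unlabelled while an escape hatch from type enforcement is compiled in. If the mls build does not depend on the unconfined domain, `unconfined = off` together with `iptables = module`, `ipsec = module` and `sudo = module` would be the safer defaults; if it does depend on it, the comment block above the entry should say why. Separately, `rshd`, `rlogin`, `telnet`, `remotelogin`, `finger` and `tftp` are all `base` — cleartext login and file services being part of the unconditional base of an MLS policy is worth a sentence of justification, even if it is simply that the reference policy ships them that way.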
@@ -0,0 +1,875 @@ +# +# This file contains a listing of available modules. +# To prevent a module from being used in policy +# creation, set the module name to "off". +# +# For monolithic policies, modules set to "base" and "module" +# will be built into the policy. +# +# For modular policies, modules set to "base" will be +# included in the base module. "module" will be compiled +# as individual loadable modules. +# + +# Layer: kernel +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Layer: kernel +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: kernel +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: kernel +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: system +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: system +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: system +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = base + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = base + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. 
+# +rpm = base + +# Layer: admin +# Module: kudzu +# +# Hardware detection and configuration tools +# +kudzu = base + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. +# +updfstab = base + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = base + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = off + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = base + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = base + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = base + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = base + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = off + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = off + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = base + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = off + +# Layer: admin +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = base + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = off + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = base + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = off + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. +# +loadkeys = base + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = base + +# Layer: kernel +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. 
+# +bootloader = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = base + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = off + +# Layer: services +# Module: rshd +# +# Remote shell service. +# +rshd = base + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = base + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = base + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = base + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = base + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = base + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = base + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = base + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = base + +# Layer: services +# Module: samba +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = base + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = base + +# Layer: services +# Module: howl +# +# Port of Apple Rendezvous multicast DNS +# +howl = base + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = base + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = base + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. 
+# +remotelogin = base + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = base + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = base + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. +# +dbskk = base + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = base + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = base + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = base + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = base + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = base + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = base + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = base + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = base + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. 
+# +comsat = base + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = base + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = base + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = base + +# Layer: services +# Module: procmail +# +# Procmail mail delivery agent +# +procmail = base + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = base + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = base + +# Layer: services +# Module: xdm +# +# X windows login display manager +# +xdm = base + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = base + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = base + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = base + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = off + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. +# +mta = base + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = base + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = base + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. 
+# +bluetooth = base + +# Layer: services +# Module: hal +# +# Hardware abstraction layer +# +hal = base + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = base + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = base + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = base + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = base + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = base + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = base + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = base + +# Layer: services +# Module: inetd +# +# Internet services daemon. +# +inetd = base + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = base + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = base + +# Layer: services +# Module: finger +# +# Finger user information service. +# +finger = base + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = base + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = base + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = base + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = base + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = off + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = base + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. 
+#
+privoxy = base
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = base
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = base
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = base
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = base
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = off
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = base
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = base
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = base
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = off
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = base
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = base
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = off
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = base
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = off
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3f36e8e..56d16ce 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -117,15 +117,19 @@ SELinux Reference Policy - modular.
 %patch0 -p1
 %install
+
+# Build targeted policy
 make conf
 %{__rm} -fR $RPM_BUILD_ROOT
 %installCmds %{polname1} %{type1} %{direct_initrc}
+# Build strict policy
 # Commented out because only targeted ref policy currently builds
+# make clean
+# make conf
 #%#installCmds %{polname2} %{type2} %{direct_initrc}
-#%patch2 -p1
-# Commented out because only targeted ref policy currently builds
+# Build mls policy
 make clean
 make conf
 %installCmds %{polname3} %{type3} n
diff --git a/setrans-mls.conf b/setrans-mls.conf
new file mode 100644
index 0000000..c009357
--- /dev/null
+++ b/setrans-mls.conf
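Review bot: The new `# Build mls policy` comment sits above an `%installCmds` call whose last argument is a literal `n`, while the targeted build above it passes `%{direct_initrc}`; if the MLS build deliberately never uses direct initrc the comment should say so, e.g. `# Build mls policy (direct_initrc is always n for mls)`, otherwise the call should use the macro for consistency. Keep in mind that rpm expands `%` macros on `#` comment lines as well, so if the commented-out strict build (`# make clean`, `# make conf`, the existing `#%#installCmds` line) is ever extended with macro names they need `%%` escaping; the lines added here contain none. The `%install` section continues outside the hunk.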
@@ -0,0 +1,53 @@
+#
+# Multi-Level Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be labeled with one of 16 levels and be categorized with 0-256
+# categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Users can modify this table to translate the MLS labels for different purpose.
+#
+# Assumptions: using below MLS labels.
+# SystemLow
+# SystemHigh
+# Unclassified
+# Secret with compartments A and B.
+#
+# SystemLow and SystemHigh
+s0=SystemLow
+s15:c0.c255=SystemHigh
+s0-s15:c0.c255=SystemLow-SystemHigh
+
+# Unclassified level
+s1=Unclassified
+
+# Secret level with compartments
+s2=Secret
+s2:c0=Secret:A
+s2:c1=Secret:B
+s2:c0,c1=Secret:AB
+
+# ranges for Unclassified
+s0-s1=SystemLow-Unclassified
+s1-s2=Unclassified-Secret
+s1-s15:c0.c255=Unclassified-SystemHigh
+
+# ranges for Secret with compartments
+s0-s2=SystemLow-Secret
+s0-s2:c0=SystemLow-Secret:A
+s0-s2:c1=SystemLow-Secret:B
+s0-s2:c0,c1=SystemLow-Secret:AB
+s1-s2:c0=Unclassified-Secret:A
+s1-s2:c1=Unclassified-Secret:B
+s1-s2:c0,c1=Unclassified-Secret:AB
+s2-s2:c0=Secret-Secret:A
+s2-s2:c1=Secret-Secret:B
+s2-s2:c0,c1=Secret-Secret:AB
+s2-s15:c0.c255=Secret-SystemHigh
+s2:c0-s2:c0,c1=Secret:A-Secret:AB
+s2:c0-s15:c0.c255=Secret:A-SystemHigh
+s2:c1-s2:c0,c1=Secret:B-Secret:AB
+s2:c1-s15:c0.c255=Secret:B-SystemHigh
+s2:c0,c1-s15:c0.c255=Secret:AB-SystemHigh
diff --git a/setrans-targeted.conf b/setrans-targeted.conf
new file mode 100644
index 0000000..0d8aaeb
--- /dev/null
+++ b/setrans-targeted.conf
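Review bot: The header comment disagrees with the table it introduces: it says objects are "categorized with 0-256" categories, but every entry uses `c0.c255`, i.e. 256 categories numbered c0 to c255, and "libary" should read "library"; both wordings recur in the setrans-targeted.conf header below. I would rewrite the two lines as `# Objects can be labeled with one of 16 levels (s0-s15) and up to 256` / `# categories (c0-c255) defined by the admin.` and fix the typo in both files. A sentence stating that this table only changes how the translation library displays and parses labels and, as far as I can tell, has no effect on what the policy enforces would also help readers who edit it expecting a behavioural change.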
@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-256 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c255. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c255=SystemLow-SystemHigh
+s0:c0.c255=SystemHigh
diff --git a/seusers-mls b/seusers-mls
new file mode 100644
index 0000000..d92f29e
--- /dev/null
+++ b/seusers-mls
@@ -0,0 +1,3 @@
+root:root:s0-s15:c0.c255
+__default__:user_u:s0
+
diff --git a/seusers-targeted b/seusers-targeted
new file mode 100644
index 0000000..c400c79
--- /dev/null
+++ b/seusers-targeted
@@ -0,0 +1,2 @@
+root:root:s0-s0:c0.c255
+__default__:user_u:s0
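Review bot: `s0=` assigns an empty translation to the base level with no comment, while the two lines after it translate the same level plus its category range to named strings; a one-line comment above it such as `# s0 alone is shown as an empty string so plain targeted contexts print without a level` would make the intent explicit (presumably that is the purpose — verify against the translation library's handling of empty values). The examples block is also the only place in the file that mentions arbitrary category names, so it is worth saying in that block that the entries are illustrative and must not be uncommented as-is, e.g. `# Examples (illustrative only, not active):`.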
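Review bot: The seusers-mls file ends with an added empty line (the third line of its hunk) that the sibling seusers-targeted file does not have; unless the seusers parser is known to skip blank lines — I would verify that — drop it so both files have the same two-entry shape. Both files would also benefit from a header stating the mapping they establish: the Linux root account to the SELinux user `root` (with the full `s0-s15:c0.c255` range here and `s0-s0:c0.c255` in seusers-targeted) and every other Linux account to `user_u` at `s0`; if the parser accepts `#` comment lines that note can live in the files themselves, otherwise next to where the spec installs them.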