rpms/selinux-policy/F-9 booleans-minimum.conf, NONE, 1.1 modules-minimum.conf, NONE, 1.1 securetty_types-minimum, NONE, 1.1 setrans-minimum.conf, NONE, 1.1 policy-20071130.patch, 1.241, 1.242 selinux-policy.spec, 1.728, 1.729
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Nov 24 19:44:34 UTC 2008
- Previous message: rpms/glew/F-9 glew-1.5.1-makefile.patch, NONE, 1.1 glew.spec, 1.4, 1.5 sources, 1.3, 1.4 glew-1.3.6-pathandstrip.patch, 1.2, NONE glew-1.4.0-unused-direct-shlib-dependency.patch, 1.1, NONE
- Next message: rpms/clipper/devel .cvsignore, 1.4, 1.5 clipper.spec, 1.3, 1.4 sources, 1.4, 1.5
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20551
Modified Files:
policy-20071130.patch selinux-policy.spec
Added Files:
booleans-minimum.conf modules-minimum.conf
securetty_types-minimum setrans-minimum.conf
Log Message:
* Mon Nov 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-114
- Add minimum policy
- Split out doc package
--- NEW FILE booleans-minimum.conf ---
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
allow_execstack = true
# Allow ftpd to read cifs directories.
#
allow_ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
allow_ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
allow_httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
allow_zebra_write_config = true
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
# Allow ftp to read and write files in the user home directories
#
ftp_home_dir = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = true
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = true
# Run CGI in the main httpd domain
#
httpd_unified = true
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = true
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = true
# allow host key based authentication
#
allow_ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
#
read_untrusted_content = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = true
# Allow regular users direct mouse access
#
user_direct_mouse = false
# Allow users to read system messages.
#
user_dmesg = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow w to display everyone
#
user_ttyfile_stat = false
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
#
write_untrusted_content = false
# Allow all domains to talk to ttys
#
allow_daemons_use_tty = true
# Allow login domains to polyinstatiate directories
#
allow_polyinstantiation = false
# Allow all domains to dump core
#
allow_daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = true
# Allows XServer to execute writable memory
#
allow_xserver_execmem = true
# disallow guest accounts to execute files that they can create
#
allow_guest_exec_content = false
allow_xguest_exec_content = false
# Only allow browser to use the web
#
browser_confine_xguest=false
# Allow postfix locat to write to mail spool
#
allow_postfix_local_write_mail_spool=true
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile=true
# Allow qemu to connect fully to the network
#
qemu_full_network=true
# Allow nsplugin execmem/execstack for bad plugins
#
allow_nsplugin_execmem=true
# Allow unconfined domain to transition to confined domain
#
allow_unconfined_nsplugin_transition=true
# Allow unconfined domains mmap low kernel memory
#
allow_unconfined_mmap_low = false
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
allow_mount_anyfile = true
--- NEW FILE modules-minimum.conf ---
#
# This file contains a listing of available modules.
# To prevent a module from being used in policy
# creation, set the module name to "off".
#
# For monolithic policies, modules set to "base" and "module"
# will be built into the policy.
#
# For modular policies, modules set to "base" will be
# included in the base module. "module" will be compiled
# as individual loadable modules.
#
# Layer: admin
# Module: acct
#
# Berkeley process accounting
#
acct = base
# Layer: admin
# Module: alsa
#
# Ainit ALSA configuration tool
#
alsa = base
# Layer: apps
# Module: ada
#
# ada executable
#
ada = module
# Layer: modules
# Module: awstats
#
# awstats executable
#
awstats = module
# Layer: admin
# Module: amanda
#
# Automated backup program.
#
amanda = module
# Layer: services
# Module: amavis
#
# Anti-virus
#
amavis = module
# Layer: admin
# Module: anaconda
#
# Policy for the Anaconda installer.
#
anaconda = base
# Layer: services
# Module: apache
#
# Apache web server
#
apache = module
# Layer: services
# Module: apm
#
# Advanced power management daemon
#
apm = base
# Layer: system
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = base
# Layer: services
# Module: arpwatch
#
# Ethernet activity monitor.
#
arpwatch = module
# Layer: services
# Module: audioentropy
#
# Generate entropy from audio input
#
audioentropy = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = base
# Layer: services
# Module: automount
#
# Filesystem automounter service.
#
automount = module
# Layer: services
# Module: avahi
#
# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
#
avahi = module
# Layer: services
# Module: bind
#
# Berkeley internet name domain DNS server.
#
bind = module
# Layer: services
# Module: dnsmasq
#
# A lightweight DHCP and caching DNS server.
#
dnsmasq = module
# Layer: services
# Module: bluetooth
#
# Bluetooth tools and system services.
#
bluetooth = module
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = base
# Layer: services
# Module: canna
#
# Canna - kana-kanji conversion server
#
canna = module
# Layer: services
# Module: ccs
#
# policy for ccs
#
ccs = module
# Layer: apps
# Module: calamaris
#
#
# Squid log analysis
#
calamaris = module
# Layer: apps
# Module: cdrecord
#
# Policy for cdrecord
#
cdrecord = module
# Layer: admin
# Module: certwatch
#
# Digital Certificate Tracking
#
certwatch = module
# Layer: admin
# Module: certmaster
#
# Digital Certificate master
#
certmaster = module
# Layer: services
# Module: cipe
#
# Encrypted tunnel daemon
#
cipe = module
# Layer: services
# Module: comsat
#
# Comsat, a biff server.
#
comsat = module
# Layer: services
# Module: clamav
#
# ClamAV Virus Scanner
#
clamav = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = base
# Layer: services
# Module: consolekit
#
# ConsoleKit is a system daemon for tracking what users are logged
#
consolekit = module
# Layer: admin
# Module: consoletype
#
# Determine of the console connected to the controlling terminal.
#
consoletype = base
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: services
# Module: cpucontrol
#
# Services for loading CPU microcode and CPU frequency scaling.
#
cpucontrol = base
# Layer: services
# Module: cron
#
# Periodic execution of scheduled commands.
#
cron = base
# Layer: services
# Module: cups
#
# Common UNIX printing system
#
cups = module
# Layer: services
# Module: cvs
#
# Concurrent versions system
#
cvs = module
# Layer: services
# Module: cyphesis
#
# cyphesis game server
#
cyphesis = module
# Layer: services
# Module: cyrus
#
# Cyrus is an IMAP service intended to be run on sealed servers
#
cyrus = module
# Layer: system
# Module: daemontools
#
# Collection of tools for managing UNIX services
#
daemontools = module
# Layer: services
# Module: dbskk
#
# Dictionary server for the SKK Japanese input method system.
#
dbskk = module
# Layer: services
# Module: dbus
#
# Desktop messaging bus
#
dbus = base
# Layer: services
# Module: dcc
#
# A distributed, collaborative, spam detection and filtering network.
#
dcc = module
# Layer: admin
# Module: ddcprobe
#
# ddcprobe retrieves monitor and graphics card information
#
ddcprobe = off
# Layer: kernel
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Layer: services
# Module: dhcp
#
# Dynamic host configuration protocol (DHCP) server
#
dhcp = module
# Layer: services
# Module: dictd
#
# Dictionary daemon
#
dictd = module
# Layer: services
# Module: distcc
#
# Distributed compiler daemon
#
distcc = off
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = base
# Layer: admin
# Module: dmidecode
#
# Decode DMI data for x86/ia64 bioses.
#
dmidecode = base
# Layer: system
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: services
# Module: dovecot
#
# Dovecot POP and IMAP mail server
#
dovecot = module
# Layer: apps
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
#
gpg = off
# Layer: services
# Module: gpm
#
# General Purpose Mouse driver
#
gpm = module
# Layer: apps
# Module: ethereal
#
# Ethereal packet capture tool.
#
ethereal = module
# Layer: services
# Module: fail2ban
#
# daiemon that bans IP that makes too many password failures
#
fail2ban = module
# Layer: services
# Module: fetchmail
#
# Remote-mail retrieval and forwarding utility
#
fetchmail = module
# Layer: kernel
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: kernel
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Layer: services
# Module: finger
#
# Finger user information service.
#
finger = module
# Layer: admin
# Module: firstboot
#
# Final system configuration run during the first boot
# after installation of Red Hat/Fedora systems.
#
firstboot = base
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = base
# Layer: services
# Module: ftp
#
# File transfer protocol service
#
ftp = module
# Layer: apps
# Module: games
#
# The Open Group Pegasus CIM/WBEM Server.
#
games = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = base
# Layer: apps
# Module: gnome
#
# gnome session and gconf
#
gnome = module
# Layer: services
# Module: gnomeclock
#
# gnomeclock used by dbus/polkit to set time
#
gnomeclock = module
# Layer: services
# Module: hal
#
# Hardware abstraction layer
#
hal = module
# Layer: services
# Module: polkit
#
# Hardware abstraction layer
#
polkit = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = base
# Layer: system
# Module: hotplug
#
# Policy for hotplug system, for supporting the
# connection and disconnection of devices at runtime.
#
hotplug = base
# Layer: services
# Module: howl
#
# Port of Apple Rendezvous multicast DNS
#
howl = module
# Layer: services
# Module: inetd
#
# Internet services daemon.
#
inetd = base
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = base
# Layer: services
# Module: inn
#
# Internet News NNTP server
#
inn = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = base
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: apps
# Module: irc
#
# IRC client policy
#
irc = module
# Layer: services
# Module: irqbalance
#
# IRQ balancing daemon
#
irqbalance = base
# Layer: system
# Module: iscsi
#
# Open-iSCSI daemon
#
iscsi = module
# Layer: services
# Module: i18n_input
#
# IIIMF htt server
#
i18n_input = off
# Layer: apps
# Module: java
#
# java executable
#
java = module
# Layer: services
# Module: kerberos
#
# MIT Kerberos admin and KDC
#
kerberos = module
# Layer: kernel
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Layer: services
# Module: ktalk
#
# KDE Talk daemon
#
ktalk = module
# Layer: admin
# Module: kudzu
#
# Hardware detection and configuration tools
#
kudzu = base
# Layer: services
# Module: ldap
#
# OpenLDAP directory server
#
ldap = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = base
# Layer: apps
# Module: loadkeys
#
# Load keyboard mappings.
#
loadkeys = base
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = base
# Layer: apps
# Module: lockdev
#
# device locking policy for lockdev
#
lockdev = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = base
# Layer: admin
# Module: logrotate
#
# Rotate and archive system logs
#
logrotate = base
# Layer: services
# Module: logwatch
#
# logwatch executable
#
logwatch = base
# Layer: services
# Module: lpd
#
# Line printer daemon
#
lpd = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = base
# Layer: services
# Module: mailman
#
# Mailman is for managing electronic mail discussion and e-newsletter lists
#
mailman = module
# Layer: services
# Module: mailscanner
#
# Anti-Virus and Anti-Spam Filter
#
mailscanner = module
# Layer: kernel
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = base
# Layer: kernel
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = base
# Layer: apps
# Module: mono
#
# mono executable
#
mono = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = base
# Layer: apps
# Module: mozilla
#
# Policy for Mozilla and related web browsers
#
mozilla = module
# Layer: apps
# Module: nsplugin
#
# Policy for nspluginwrapper
#
nsplugin = module
# Layer: apps
# Module: mplayer
#
# Policy for Mozilla and related web browsers
#
mplayer = module
# Layer: apps
# Module: gpg
#
# Policy for Mozilla and related web browsers
#
gpg = module
# Layer: admin
# Module: mrtg
#
# Network traffic graphing
#
mrtg = module
# Layer: services
# Module: mta
#
# Policy common to all email tranfer agents.
#
mta = base
# Layer: services
# Module: mysql
#
# Policy for MySQL
#
mysql = module
# Layer: services
# Module: nagios
#
# policy for nagios Host/service/network monitoring program
#
nagios = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = base
# Layer: services
# Module: networkmanager
#
# Manager for dynamically switching between networks.
#
networkmanager = base
# Layer: services
# Module: nis
#
# Policy for NIS (YP) servers and clients
#
nis = module
# Layer: services
# Module: nscd
#
# Name service cache daemon
#
nscd = base
# Layer: services
# Module: ntp
#
# Network time protocol daemon
#
ntp = module
# Layer: services
# Module: nx
#
# NX Remote Desktop
#
nx = module
# Layer: services
# Module: oddjob
#
# policy for oddjob
#
oddjob = module
# Layer: services
# Module: openct
#
# Service for handling smart card readers.
#
openct = off
# Layer: services
# Module: openvpn
#
# Policy for OPENVPN full-featured SSL VPN solution
#
openvpn = module
# Layer: service
# Module: pcscd
#
# PC/SC Smart Card Daemon
#
pcscd = module
# Layer: service
# Module: openct
#
# Middleware framework for smart card terminals
#
openct = module
# Layer: system
# Module: pcmcia
#
# PCMCIA card management services
#
pcmcia = base
# Layer: services
# Module: pegasus
#
# The Open Group Pegasus CIM/WBEM Server.
#
pegasus = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: portmap
#
# RPC port mapping service.
#
portmap = module
# Layer: services
# Module: postfix
#
# Postfix email server
#
postfix = module
o# Layer: services
# Module: postgrey
#
# email scanner
#
postgrey = module
# Layer: services
# Module: ppp
#
# Point to Point Protocol daemon creates links in ppp networks
#
ppp = module
# Layer: admin
# Module: prelink
#
# Manage temporary directory sizes and file ages
#
prelink = base
# Layer: services
# Module: procmail
#
# Procmail mail delivery agent
#
procmail = module
# Layer: services
# Module: privoxy
#
# Privacy enhancing web proxy.
#
privoxy = module
# Layer: services
# Module: publicfile
#
# publicfile supplies files to the public through HTTP and FTP
#
publicfile = module
# Layer: services
# Module: pyzor
#
# Spam Blocker
#
pyzor = module
# Layer: services
# Module: qmail
#
# Policy for qmail
#
qmail = module
# Layer: admin
# Module: quota
#
# File system quota management
#
quota = base
# Layer: system
# Module: raid
#
# RAID array management tools
#
raid = base
# Layer: services
# Module: radius
#
# RADIUS authentication and accounting server.
#
radius = module
# Layer: services
# Module: radvd
#
# IPv6 router advertisement daemon
#
radvd = module
# Layer: services
# Module: razor
#
# A distributed, collaborative, spam detection and filtering network.
#
razor = module
# Layer: admin
# Module: readahead
#
# Readahead, read files into page cache for improved performance
#
readahead = base
# Layer: services
# Module: rhgb
#
# X windows login display manager
#
rhgb = module
# Layer: services
# Module: rdisc
#
# Network router discovery daemon
#
rdisc = module
# Layer: services
# Module: remotelogin
#
# Policy for rshd, rlogind, and telnetd.
#
remotelogin = module
# Layer: services
# Module: ricci
#
# policy for ricci
#
ricci = module
# Layer: services
# Module: rlogin
#
# Remote login daemon
#
rlogin = module
# Layer: services
# Module: roundup
#
# Roundup Issue Tracking System policy
#
roundup = module
# Layer: services
# Module: rpc
#
# Remote Procedure Call Daemon for managment of network based process communication
#
rpc = base
# Layer: admin
# Module: rpm
#
# Policy for the RPM package manager.
#
rpm = base
# Layer: services
# Module: rshd
#
# Remote shell service.
#
rshd = module
# Layer: services
# Module: rsync
#
# Fast incremental file transfer for synchronization
#
rsync = module
# Layer: services
# Module: rwho
#
# who is logged in on local machines
#
rwho = module
# Layer: services
# Module: sasl
#
# SASL authentication server
#
sasl = module
# Layer: services
# Module: sendmail
#
# Policy for sendmail.
#
sendmail = base
# Layer: services
# Module: samba
#
# SMB and CIFS client/server programs for UNIX and
# name Service Switch daemon for resolving names
# from Windows NT servers.
#
samba = module
# Layer: apps
# Module: sambagui
#
# policy for system-config-samba
#
sambagui = module
# Layer: apps
# Module: screen
#
# GNU terminal multiplexer
#
screen = module
# Layer: kernel
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = base
# Layer: system
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = base
# Layer: services
# Module: setroubleshoot
#
# Policy for the SELinux troubleshooting utility
#
setroubleshoot = base
# Layer: services
# Module: slrnpull
#
# Service for downloading news feeds the slrn newsreader.
#
slrnpull = off
# Layer: apps
# Module: slocate
#
# Update database for mlocate
#
slocate = module
# Layer: services
# Module: smartmon
#
# Smart disk monitoring daemon policy
#
smartmon = module
# Layer: services
# Module: snmp
#
# Simple network management protocol services
#
snmp = module
# Layer: services
# Module: spamassassin
#
# Filter used for removing unsolicited email.
#
spamassassin = module
# Layer: services
# Module: squid
#
# Squid caching http proxy server
#
squid = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Layer: services
# Module: stunnel
#
# SSL Tunneling Proxy
#
stunnel = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = base
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = base
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = base
# Layer: services
# Module: sysstat
#
# Policy for sysstat. Reports on various system states
#
sysstat = module
# Layer: services
# Module: tcpd
#
# Policy for TCP daemon.
#
tcpd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = base
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: services
# Module: ulogd
#
#
#
ulogd = module
# Layer: apps
# Module: wine
#
# wine executable
#
wine = module
# Layer: admin
# Module: tzdata
#
# Policy for tzdata-update
#
tzdata = base
# Layer: apps
# Module: userhelper
#
# A helper interface to pam.
#
userhelper = module
# Layer: services
# Module: tor
#
# TOR, the onion router
#
tor = module
# Layer: apps
# Module: tvtime
#
# tvtime - a high quality television application
#
tvtime = module
# Layer: apps
# Module: uml
#
# Policy for UML
#
uml = module
# Layer: admin
# Module: usbmodules
#
# List kernel modules of USB devices
#
usbmodules = module
# Layer: apps
# Module: usernetctl
#
# User network interface configuration helper
#
usernetctl = module
# Layer: system
# Module: xen
#
# virtualization software
#
xen = module
# Layer: services
# Module: virt
#
# Virtualization libraries
#
virt = module
# Layer: apps
# Module: qemu
#
# Virtualization emulator
#
qemu = module
# Layer: system
# Module: brctl
#
# Utilities for configuring the linux ethernet bridge
#
brctl = base
# Layer: services
# Module: telnet
#
# Telnet daemon
#
telnet = module
# Layer: services
# Module: timidity
#
# MIDI to WAV converter and player configured as a service
#
timidity = off
# Layer: services
# Module: tftp
#
# Trivial file transfer protocol daemon
#
tftp = module
# Layer: services
# Module: uucp
#
# Unix to Unix Copy
#
uucp = module
# Layer: services
# Module: vbetool
#
# run real-mode video BIOS code to alter hardware state
#
vbetool = base
# Layer: apps
# Module: webalizer
#
# Web server log analysis
#
webalizer = module
# Layer: services
# Module: xfs
#
# X Windows Font Server
#
xfs = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = base
# Layer: services
# Module: zebra
#
# Zebra border gateway protocol network routing service
#
zebra = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = base
# Layer: admin
# Module: updfstab
#
# Red Hat utility to change /etc/fstab.
#
updfstab = base
# Layer: admin
# Module: vpn
#
# Virtual Private Networking client
#
vpn = module
# Layer: admin
# Module: vbetool
#
# run real-mode video BIOS code to alter hardware state
#
vbetool = base
# Layer: kernel
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: admin
# Module: tmpreaper
#
# Manage temporary directory sizes and file ages
#
tmpreaper = module
# Layer: admin
# Module: amtu
#
# Abstract Machine Test Utility (AMTU)
#
amtu = module
# Layer: services
# Module: zabbix
#
# Open-source monitoring solution for your IT infrastructure
#
zabbix = module
# Layer: services
# Module: apcupsd
#
# daemon for most APC’s UPS for Linux
#
apcupsd = module
# Layer: services
# Module: aide
#
# Policy for aide
#
aide = module
# Layer: services
# Module: w3c
#
# w3c
#
w3c = module
# Layer: services
# Module: portreserve
#
# reserve ports to prevent portmap mapping them
#
portreserve = module
# Layer: services
# Module: rpcbind
#
# universal addresses to RPC program number mapper
#
rpcbind = module
# Layer: apps
# Module: vmware
#
# VMWare Workstation virtual machines
#
vmware = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: webadm
#
# Minimally prived root role for managing apache
#
webadm = module
#
# Layer: services
# Module: exim
#
# exim mail server
#
exim = module
# Layer: services
# Module: kismet
#
# Wireless sniffing and monitoring
#
kismet = module
# Layer: services
# Module: munin
#
# Munin
#
munin = module
# Layer: services
# Module: bitlbee
#
# An IRC to other chat networks gateway
#
bitlbee = module
# Layer: services
# Module: soundserver
#
# sound server for network audio server programs, nasd, yiff, etc</summary>
#
soundserver = module
# Layer:role
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = base
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: prelude
#
prelude = module
# Layer: services
# Module: pads
#
pads = module
# Layer: services
# Module: kerneloops
#
# program to collect and submit kernel oopses to kerneloops.org
#
kerneloops = module
# Layer: apps
# Module: openoffice
#
# openoffice executable
#
openoffice = module
# Layer: apps
# Module: podsleuth
#
# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
#
podsleuth = module
# Layer: role
# Module: guest
#
# Minimally privs guest account on tty logins
#
guest = module
# Layer: role
# Module: xguest
#
# Minimally privs guest account on X Windows logins
#
xguest = module
# Layer: services
# Module: courier
#
# IMAP and POP3 email servers
#
courier = module
# Layer: apps
# Module: livecd
#
# livecd creator
#
livecd = module
# Layer: services
# Module: snort
#
# Snort network intrusion detection system
#
snort = module
# Layer: services
# Module: memcached
#
# high-performance memory object caching system
#
memcached = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: services
# Module: zosremote
#
# policy for z/OS Remote-services Audit dispatcher plugin</summary>
#
zosremote = module
--- NEW FILE securetty_types-minimum ---
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
--- NEW FILE setrans-minimum.conf ---
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.241
retrieving revision 1.242
diff -u -r1.241 -r1.242
--- policy-20071130.patch 24 Nov 2008 14:30:46 -0000 1.241
+++ policy-20071130.patch 24 Nov 2008 19:44:30 -0000 1.242
@@ -2260,8 +2260,17 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.3.1/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/logwatch.te 2008-11-03 16:14:53.000000000 -0500
-@@ -54,15 +54,15 @@
++++ serefpolicy-3.3.1/policy/modules/admin/logwatch.te 2008-11-24 11:55:37.000000000 -0500
+@@ -43,6 +43,8 @@
+ kernel_read_fs_sysctls(logwatch_t)
+ kernel_read_kernel_sysctls(logwatch_t)
+ kernel_read_system_state(logwatch_t)
++kernel_read_net_sysctls(logwatch_t)
++kernel_read_network_state(logwatch_t)
+
+ corecmd_exec_bin(logwatch_t)
+ corecmd_exec_shell(logwatch_t)
+@@ -54,15 +56,15 @@
domain_read_all_domains_state(logwatch_t)
files_list_var(logwatch_t)
@@ -2280,17 +2289,29 @@
fs_getattr_all_fs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
-@@ -88,9 +88,6 @@
+@@ -87,9 +89,7 @@
+ selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_dns_name_resolve(logwatch_t)
-
+-
-userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
-userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
--
++sysnet_exec_ifconfig(logwatch_t)
+
mta_send_mail(logwatch_t)
+@@ -97,9 +97,7 @@
+ apache_read_log(logwatch_t)
+ ')
+
+-optional_policy(`
+- auth_use_nsswitch(logwatch_t)
+-')
++auth_use_nsswitch(logwatch_t)
+
optional_policy(`
-@@ -132,4 +129,5 @@
+ avahi_dontaudit_search_pid(logwatch_t)
+@@ -132,4 +130,5 @@
optional_policy(`
samba_read_log(logwatch_t)
@@ -35222,7 +35243,16 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-11-21 16:14:31.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-11-24 14:40:12.000000000 -0500
+@@ -27,7 +27,7 @@
+ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+ allow iptables_t self:rawip_socket create_socket_perms;
+
+-allow iptables_t iptables_var_run_t:dir rw_dir_perms;
++manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
+ files_pid_filetrans(iptables_t,iptables_var_run_t,file)
+
+ can_exec(iptables_t,iptables_exec_t)
@@ -48,10 +48,12 @@
fs_getattr_xattr_fs(iptables_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.728
retrieving revision 1.729
diff -u -r1.728 -r1.729
--- selinux-policy.spec 24 Nov 2008 14:03:52 -0000 1.728
+++ selinux-policy.spec 24 Nov 2008 19:44:32 -0000 1.729
@@ -4,6 +4,9 @@
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
%define BUILD_TARGETED 1
%endif
+%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
+%define BUILD_MINIMUM 1
+%endif
%if %{?BUILD_OLPC:0}%{!?BUILD_OLPC:1}
%define BUILD_OLPC 0
%endif
@@ -17,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 112%{?dist}
+Release: 114%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -36,6 +39,10 @@
Source13: policygentool
Source14: securetty_types-targeted
Source15: securetty_types-mls
+Source16: modules-minimum.conf
+Source17: booleans-minimum.conf
+Source18: setrans-minimum.conf
+Source19: securetty_types-minimum
Url: http://serefpolicy.sourceforge.net
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -48,7 +55,6 @@
%files
%{_mandir}/*
-%doc %{_usr}/share/doc/%{name}-%{version}
%dir %{_usr}/share/selinux
%dir %{_sysconfdir}/selinux
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
@@ -71,6 +77,17 @@
%{_usr}/share/selinux/devel/policygentool
%{_usr}/share/selinux/devel/example.*
%{_usr}/share/selinux/devel/policy.*
+
+%package doc
+Summary: SELinux policy documentation
+Group: System Environment/Base
+Requires(pre): selinux-policy = %{version}-%{release}
+
+%description doc
+SELinux policy documentation package
+
+%files doc
+%doc %{_usr}/share/doc/%{name}-%{version}
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
%check
@@ -207,6 +224,13 @@
%installCmds mls mls n y deny
%endif
+%if %{BUILD_MINIMUM}
+# Build minimum policy
+# Commented out because only minimum ref policy currently builds
+%setupCmds minimum mcs n y allow
+%installCmds minimum mcs n y allow
+%endif
+
%if %{BUILD_OLPC}
# Build targeted policy
# Commented out because only targeted ref policy currently builds
@@ -323,6 +347,43 @@
%fileList targeted
%endif
+%if %{BUILD_MINIMUM}
+%package minimum
+Summary: SELinux minimum base policy
+Provides: selinux-policy-base
+Group: System Environment/Base
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): coreutils
+Requires(pre): selinux-policy = %{version}-%{release}
+
+%description minimum
+SELinux Reference policy minimum base module.
+
+%pre minimum
+%saveFileContext minimum
+
+%post minimum
+if [ $1 -eq 1 ]; then
+%loadminpolicy minimum
+semanage -S minimum -i - << __eof
+user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
+__eof
+semanage -S minimum -i - << __eof
+login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
+login -m -s unconfined_u -r s0-s0:c0.c1023 root
+__eof
+restorecon -R /root /var/log /var/run 2> /dev/null
+else
+%loadminpolicy minimum
+%relabel minimum
+fi
+exit 0
+
+%files minimum
+%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
+%fileList minimum
+%endif
+
%if %{BUILD_OLPC}
%package olpc
Summary: SELinux olpc base policy
@@ -382,6 +443,13 @@
%endif
%changelog
+* Mon Nov 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-114
+- Add minimum policy
+- Split out doc package
+
+* Mon Nov 24 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-113
+- Allow logwatch to report on network information
+
* Thu Nov 20 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-112
- Allow automount to read nfs
- Previous message: rpms/glew/F-9 glew-1.5.1-makefile.patch, NONE, 1.1 glew.spec, 1.4, 1.5 sources, 1.3, 1.4 glew-1.3.6-pathandstrip.patch, 1.2, NONE glew-1.4.0-unused-direct-shlib-dependency.patch, 1.1, NONE
- Next message: rpms/clipper/devel .cvsignore, 1.4, 1.5 clipper.spec, 1.3, 1.4 sources, 1.4, 1.5
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list