From patchwork Tue Oct 25 19:26:04 2016
X-Patchwork-Submitter: Bryce Ferguson
X-Patchwork-Id: 686672
From: Bryce Ferguson
To: buildroot@buildroot.org
Date: Tue, 25 Oct 2016 14:26:04 -0500
Message-Id: <1477423570-15694-2-git-send-email-bryce.ferguson@rockwellcollins.com>
In-Reply-To: <1477423570-15694-1-git-send-email-bryce.ferguson@rockwellcollins.com>
References: <1477423570-15694-1-git-send-email-bryce.ferguson@rockwellcollins.com>
Cc: Bryce Ferguson, David Graziano, Niranjan Reddy
Subject: [Buildroot] [PATCH v13 2/8] refpolicy: new package
List-Id: Discussion and development of buildroot

From: Clayton Shotwell

The patch is for adding the SELinux reference policy (refpolicy). It is a complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies.

Changes were made to this patch in between versions 12 and 13, for which the change history can be found here:
https://patchwork.ozlabs.org/patch/649175/

Signed-off-by: Clayton Shotwell
Signed-off-by: Matt Weber
Reviewed-by: Samuel Martin
Signed-off-by: Niranjan Reddy
Signed-off-by: David Graziano
Signed-off-by: Bryce Ferguson
---
Changes v12 -> v13:
- Incorporated changes found here: https://patchwork.ozlabs.org/patch/649175/

Changes v11 -> v12:
- No changes

Changes v10 -> v11:
- Removed refpolicy-contrib package to maintain it as a separate patch (suggested by Thomas)
- Removed /sbin/restorecon condition check and added comments in S00selinux (how /proc/mounts are used to discover tmpfs mounts)
- Removed variable REFPOLICY_POLICY_COMPILE and made minor indentation changes (suggested by Thomas).

Changes v9 -> v10:
- Removed trailing slash at the end (REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy)
- Adds new menu option to select the SELinux state to be written to the /etc/selinux/config file for the target (D. Graziano)

Changes v8 -> v9:
- Minor nit picks on spacing (Suggested by Samuel)

Changes v7 -> v8:
- Changes REFPOLICY_MAKE_CMDS to REFPOLICY_MAKE_OPTS (Suggested by Samuel)
- Added a help section to the custom git repo to explain why the refpolicy-contrib option is needed (Suggested by Samuel)
- Added rsync exclusions to ensure no unneeded files are copied during the refpolicy-contrib sync (Suggested by Samuel)

Changes v6 -> v7:
- Moving the refpolicy patch into a version specific folder to prevent it from being applied to the custom git repos. (Clayton S.)

Changes v5 -> v6:
- Fixed references to GIT in config files (Suggested by Ryan B.)
- Removed execute permissions on files (Suggested by Ryan B.)
- Fixed spelling error and changed staging install to always install the documentation (Suggested by Samuel)

Changes v4 -> v5:
- Removed TODO and dependency on glibc (Matt W.)
- Added lib depends to meet policycoreutils limitation on std lib (Matt W.)
- Added comment for when an option is not defined (Matt W.)
- Removed largefile, locale, and wchar dependencies (Clayton S.)
- Remove dependency on host-python-pyxml (Ryan B.)
- Forced package to use $(HOST_DIR)/usr/bin/python2 for python executable (Ryan B.)
- Added host-python dependency (Clayton S.)
- Removed config menu (suggested by Thomas P.)
- Added patch to fix awk issue (Clayton S.)

Changes v3 -> v4:
- Added a dependency on host-gawk and correct the awk calls in the makefile to use $(AWK)
- Changed the default policy name to br_policy to differentiate the policy generated from refpolicy
- Added an install step to create a /.autorelabel file to cause the file system to be relabeled by S12SELinux init script
- Adding a default modules.conf file with an option to specify a different one. This will decrease the build time for refpolicy by removing unused policies. (implemented by Thomas P.)
- Cleaned up the configure comments (implemented by Thomas).
- Added a check to only install the documentation if the Buildroot option is enabled
- Removed the build because the install step completes the same process. Also removed the clean step because it is being removed globally from buildroot (implemented by Thomas P.)
- Added more error handling to the startup script to print a warning if SELinux fails to install the policy if it exists. This can be caused by the kernel not being configured with SELinux enabled

Changes v2 -> v3:
- Changes patch naming convention (suggested by Thomas P.)
- Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE (suggested by Thomas P.)
- Removed configure option for a specific patch folder (suggested by Thomas P.)
- Removed distribution configuration option (suggested by Thomas)
- Changed the monolithic configuration option to a modular configuration option (suggested by Thomas P.)
- Removed the refpolicy name option (suggested by Thomas P.)
- Corrected grammatical and comment errors (suggested by Thomas P.)
- Multiple style corrections to the mk file (suggested by Thomas P.)
- Added a comment to clarify the usage of the host build options for a target build

Changes v1 -> v2:
- General cleanup to the mk file to conform to the standard format
- Fixed the patch naming to match the standard 4 digit numbering
- Changed package dependencies into selects in the config
---
package/Config.in | 1 + .../0001-Fix-awk-references-to-use-variable.patch | 42 + package/refpolicy/Config.in | 146 +++ package/refpolicy/S00selinux | 126 ++ package/refpolicy/booleans.conf | 1278 ++++++++++++++++++++ package/refpolicy/config | 8 + package/refpolicy/modules.conf | 430 +++++++ package/refpolicy/refpolicy.hash | 2 + package/refpolicy/refpolicy.mk | 111 ++ 9 files changed, 2144 insertions(+) create mode 100644 package/refpolicy/0001-Fix-awk-references-to-use-variable.patch create mode 100644 package/refpolicy/Config.in create mode 100644 package/refpolicy/S00selinux create mode 100644 package/refpolicy/booleans.conf create mode 100644 package/refpolicy/config create mode 100644 package/refpolicy/modules.conf create mode 100644 package/refpolicy/refpolicy.hash create mode 100644 package/refpolicy/refpolicy.mk diff --git a/package/Config.in b/package/Config.in index 8091e33..853fc6e 100644 --- a/package/Config.in +++ b/package/Config.in @@ -1658,6 +1658,7 @@ endmenu menu "Security" source "package/policycoreutils/Config.in" + source "package/refpolicy/Config.in" source "package/setools/Config.in" endmenu diff --git a/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch new file mode 100644 index 0000000..8236fa2 --- /dev/null +++ b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
@@ -0,0 +1,42 @@ +From 1d4c826e8de366bccb93f167cd9be834ab5911c8 Mon Sep 17 00:00:00 2001 +From: Clayton Shotwell +Date: Fri, 8 May 2015 14:13:00 -0500 +Subject: [PATCH] Fix awk references to use variable + +Ensure all awk calls use the variable setup in the makefile rather than +relying on the system. + +Signed-off-by: Clayton Shotwell +--- + Makefile | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Makefile b/Makefile +index 85d4cfb..3aa4b51 100644 +--- a/Makefile ++++ b/Makefile +@@ -292,9 +292,9 @@ cmdline_mods := $(addsuffix .te,$(APPS_MODS)) + cmdline_off := $(addsuffix .te,$(APPS_OFF)) + + # extract settings from modules.conf +-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null))) +-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null))) +-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null))) ++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null))) ++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null))) ++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null))) + + base_mods := $(cmdline_base) + mod_mods := $(cmdline_mods) +@@ -308,7 +308,7 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c + off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods))) + + # filesystems to be used in labeling targets +-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk 
'/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';) ++filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';) + fs_names := "btrfs ext2 ext3 ext4 xfs jfs" + + ######################################## +-- +1.9.1 + diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in new file mode 100644 index 0000000..5a46829 --- /dev/null +++ b/package/refpolicy/Config.in 
@@ -0,0 +1,146 @@ +config BR2_PACKAGE_REFPOLICY + bool "refpolicy" + select BR2_PACKAGE_POLICYCOREUTILS + select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX + depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils + depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils + help + The SELinux Reference Policy project (refpolicy) is a + complete SELinux policy that can be used as the system + policy for a variety of systems and used as the basis + for creating other policies. Reference Policy was originally + based on the NSA example policy, but aims to accomplish + many additional goals. + + The current refpolicy does not fully support Buildroot + and needs modifications to work with the default system + file layout. These changes should be added as patches to + the refpolicy that modify a single SELinux policy. + + The refpolicy works for the most part in permissive mode. Only the + basic set of utilities are enabled in the example policy config and + some of the pathing in the policies is not correct. Individual + policies would need to be tweaked to get everything functioning + properly. 
+ +comment "refpolicy needs a toolchain w/ threads, glibc or musl" + depends on !BR2_TOOLCHAIN_HAS_THREADS \ + || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL) + +if BR2_PACKAGE_REFPOLICY + +choice +prompt "SELinux policy type" +default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD + +config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD +bool "Standard" +help +Standard SELinux policy + +config BR2_PACKAGE_REFPOLICY_TYPE_MCS +bool "MCS" +help +SELinux policy with multi-catagory support + +config BR2_PACKAGE_REFPOLICY_TYPE_MLS +bool "MLS" +help +SELinux policy with multi-catagory and multi-level support +endchoice + +config BR2_PACKAGE_REFPOLICY_TYPE + string + default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD + default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS + default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS + +choice +prompt "SELinux default state" +default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE + +config BR2_PACKAGE_REFPOLICY_STATE_ENFORCE +bool "Enforcing" +help +SELinux security policy is enforced + +config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE +bool "Permissive" +help +SELinux prints warnings instead of enforcing + +config BR2_PACKAGE_REFPOLICY_STATE_DISABLE +bool "Disabled" +help +No SELinux policy is loaded +endchoice + +config BR2_PACKAGE_REFPOLICY_NAME + string "Custom policy Name" + default "Buildroot" + +config BR2_PACKAGE_REFPOLICY_STATE + string + default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE + default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCE + default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLE + +config BR2_PACKAGE_REFPOLICY_MODULES_FILE + string "Refpolicy modules configuration" + default "package/refpolicy/modules.conf" + help + Location of a custom modules.conf file that lists the + SELinux policy modules to be included in the compiled + policy. See policy/modules.conf in the refpolicy sources for + the complete list of available modules. + NOTE: This file is only used if a Custom Git repo is + not specified. 
+ +config BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE + string "Refpolicy boolean configuration" + default "package/refpolicy/booleans.conf" + help + Location of a custom booleans.conf file that lists the + SELinux booleans to be set in the compiled + policy. See policy/booleans.conf in the refpolicy sources for + the complete list of available modules. + NOTE: This file is only used if a Custom Git repo is + not specified. + +config BR2_PACKAGE_REFPOLICY_MODULAR + bool "Build a modular SELinux policy" + help + Select Y to build a modular SELinux policy. By default, + a monolithic policy will be built to save space on the + target. A modular policy can also be built if policies + need to be modified without reloading the target. + +config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT + bool "Custom Git repository" + select BR2_PACKAGE_REFPOLICY_CONTRIB + help + This option allows Buildroot to get the refpolicy source + code from a Git repository. This option should generally + be used to add custom SELinux policy to the base refpolicy + without having to deal with lots of patches. + + Please note that with the current configuration of the + mainline refpolicy git repositories, a refpolicy and a + refpolicy-contrib git repo must be specified. These are + linked using a git submodule which does not get initialized + during the Buildroot build. + +if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT + +config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL + string "URL of custom repository" + +config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION + string "Custom repository version" + help + Revision to use in the typical format used by Git + e.g. a SHA id, a tag, branch, .. + +endif + +endif diff --git a/package/refpolicy/S00selinux b/package/refpolicy/S00selinux new file mode 100644 index 0000000..4faccfb --- /dev/null +++ b/package/refpolicy/S00selinux 
@@ -0,0 +1,126 @@ +#!/bin/sh +################################################################################ +# +# This file labels the security contexts of memory based filesystems such as +# /dev/ and checks for auto relabel request if '/.autorelabel' file exists. +# +# This script is a heavily stripped down and modified version of the one used +# in CentOS 6.2 +# +################################################################################ + +failed() +{ + echo $1 + exit 1 +} + +# Get SELinux config env vars +. /etc/selinux/config || failed "Failed to source the SELinux config" + +setup_selinux() { + # Create required directories + mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ || + failed "Failed to create the policy folder" + mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \ + failed "Failed to create the modules folder" + if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ] + then + touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \ + failed "Failed to create the file_contexts.local file" + fi + + # Load the policy to activate it + load_policy -i || failed "Failed to load the SELinux policy" +} + +relabel_selinux() { + # if /sbin/init is not labeled correctly this process is running in the + # wrong context, so a reboot will be required after relabel + AUTORELABEL= + + # Switch to Permissive mode + echo "0" > /sys/fs/selinux/enforce || failed "Failed to disable enforcing mode" + + echo + echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required." + echo "*** Relabeling could take a very long time, depending on file" + echo "*** system size and speed of hard drives." 
+ + # Relabel mount points + restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \ + >/dev/null 2>&1 || failed "Failed to relabel the mount points" + + # Relabel file system + echo "Relabeling file systems" + restorecon -R -F / || failed "Failed to relabel the file system" + + # Remove label + rm -f /.autorelabel || failed "Failed to remove the autorelabel flag" + + # Reboot to activate relabeled file system + echo "Automatic reboot in progress." + reboot -f +} + +start() { + printf "Initializing SELinux: " + + # Check to see if the default policy has been installed + if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then + if [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ] + then + setup_selinux + else + # Load the policy to activate it + load_policy -i || failed "Failed to load the SELinux policy" + fi + fi + + # Check SELinux status + SELINUX_STATE= + if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then + if [ -r "/selinux/enforce" ] ; then + SELINUX_STATE=$(cat "/selinux/enforce") + else + # assume enforcing if you can't read it + SELINUX_STATE=1 + fi + fi + + # Context Label /dev/ + /sbin/restorecon -R -F /dev 2>/dev/null + + # Context Label tmpfs mounts. + # using /proc/mounts to discover tmpfs mounts + /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1 + + # Clean up SELinux labels + restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1 + + # Check for filesystem relabel request + if [ -f /.autorelabel ] ; then + relabel_selinux + fi + + echo "OK" +} +stop() { + # There is nothing to do + echo "OK" +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo "Usage: $0 {start|stop}" + exit 1 + ;; +esac + +exit $? diff --git a/package/refpolicy/booleans.conf b/package/refpolicy/booleans.conf new file mode 100644 index 0000000..31c70b9 --- /dev/null 
+++ b/package/refpolicy/booleans.conf 
@@ -0,0 +1,1278 @@ +# +# Disable kernel module loading. +# +secure_mode_insmod = false + +# +# Boolean to determine whether the system permits loading policy, setting +# enforcing mode, and changing boolean values. Set this to true and you +# have to reboot to set it back. +# +secure_mode_policyload = false + +# +# Enabling secure mode disallows programs, such as +# newrole, from transitioning to administrative +# user domains. +# +secure_mode = false + +# +# Control users use of ping and traceroute +# +user_ping = false + +# +# Determine whether ABRT can modify +# public files used for public file +# transfer services. +# +abrt_anon_write = false + +# +# Determine whether abrt-handle-upload +# can modify public files used for public file +# transfer services in /var/spool/abrt-upload/. +# +abrt_upload_watch_anon_write = true + +# +# Determine whether ABRT can run in +# the abrt_handle_event_t domain to +# handle ABRT event scripts. +# +abrt_handle_event = false + +# +# Determine whether amavis can +# use JIT compiler. +# +amavis_use_jit = false + +# +# Determine whether httpd can modify +# public files used for public file +# transfer services. Directories/Files must +# be labeled public_content_rw_t. +# +allow_httpd_anon_write = false + +# +# Determine whether httpd can use mod_auth_pam. +# +allow_httpd_mod_auth_pam = false + +# +# Determine whether httpd can use built in scripting. +# +httpd_builtin_scripting = false + +# +# Determine whether httpd can check spam. +# +httpd_can_check_spam = false + +# +# Determine whether httpd scripts and modules +# can connect to the network using TCP. +# +httpd_can_network_connect = true + +# +# Determine whether httpd scripts and modules +# can connect to cobbler over the network. +# +httpd_can_network_connect_cobbler = false + +# +# Determine whether scripts and modules can +# connect to databases over the network. 
+# +httpd_can_network_connect_db = false + +# +# Determine whether httpd can connect to +# ldap over the network. +# +httpd_can_network_connect_ldap = false + +# +# Determine whether httpd can connect +# to memcache server over the network. +# +httpd_can_network_connect_memcache = false + +# +# Determine whether httpd can act as a relay. +# +httpd_can_network_relay = false + +# +# Determine whether httpd daemon can +# connect to zabbix over the network. +# +httpd_can_network_connect_zabbix = false + +# +# Determine whether httpd can send mail. +# +httpd_can_sendmail = false + +# +# Determine whether httpd can communicate +# with avahi service via dbus. +# +httpd_dbus_avahi = false + +# +# Determine wether httpd can use support. +# +httpd_enable_cgi = false + +# +# Determine whether httpd can act as a +# FTP server by listening on the ftp port. +# +httpd_enable_ftp_server = false + +# +# Determine whether httpd can traverse +# user home directories. +# +httpd_enable_homedirs = false + +# +# Determine whether httpd gpg can modify +# public files used for public file +# transfer services. Directories/Files must +# be labeled public_content_rw_t. +# +httpd_gpg_anon_write = false + +# +# Determine whether httpd can execute +# its temporary content. +# +httpd_tmp_exec = false + +# +# Determine whether httpd scripts and +# modules can use execmem and execstack. +# +httpd_execmem = true + +# +# Determine whether httpd can connect +# to port 80 for graceful shutdown. +# +httpd_graceful_shutdown = false + +# +# Determine whether httpd can +# manage IPA content files. +# +httpd_manage_ipa = false + +# +# Determine whether httpd can use mod_auth_ntlm_winbind. +# +httpd_mod_auth_ntlm_winbind = false + +# +# Determine whether httpd can read +# generic user home content files. +# +httpd_read_user_content = true + +# +# Determine whether httpd can change +# its resource limits. 
+# +httpd_setrlimit = false + +# +# Determine whether httpd can run +# SSI executables in the same domain +# as system CGI scripts. +# +httpd_ssi_exec = false + +# +# Determine whether httpd can communicate +# with the terminal. Needed for entering the +# passphrase for certificates at the terminal. +# +httpd_tty_comm = false + +# +# Determine whether httpd can have full access +# to its content types. +# +httpd_unified = false + +# +# Determine whether httpd can use +# cifs file systems. +# +httpd_use_cifs = false + +# +# Determine whether httpd can +# use fuse file systems. +# +httpd_use_fusefs = false + +# +# Determine whether httpd can use gpg. +# +httpd_use_gpg = false + +# +# Determine whether httpd can use +# nfs file systems. +# +httpd_use_nfs = false + +# +# Determine whether awstats can +# purge httpd log files. +# +awstats_purge_apache_log_files = false + +# +# Determine whether Bind can bind tcp socket to http ports. +# +named_tcp_bind_http_port = false + +# +# Determine whether Bind can write to master zone files. +# Generally this is used for dynamic DNS or zone transfers. +# +named_write_master_zones = false + +# +# Determine whether boinc can execmem/execstack. +# +boinc_execmem = true + +# +# Determine whether cdrecord can read +# various content. nfs, samba, removable +# devices, user temp and untrusted +# content files +# +cdrecord_read_content = false + +# +# Determine whether clamscan can +# read user content files. +# +clamav_read_user_content_files_clamscan = false + +# +# Determine whether clamscan can read +# all non-security files. +# +clamav_read_all_non_security_files_clamscan = false + +# +# Determine whether can clamd use JIT compiler. +# +clamd_use_jit = false + +# +# Determine whether Cobbler can modify +# public files used for public file +# transfer services. +# +cobbler_anon_write = false + +# +# Determine whether Cobbler can connect +# to the network using TCP. 
+# +cobbler_can_network_connect = false + +# +# Determine whether Cobbler can access +# cifs file systems. +# +cobbler_use_cifs = false + +# +# Determine whether Cobbler can access +# nfs file systems. +# +cobbler_use_nfs = false + +# +# Determine whether collectd can connect +# to the network using TCP. +# +collectd_tcp_network_connect = false + +# +# Determine whether Condor can connect +# to the network using TCP. +# +condor_tcp_network_connect = false + +# +# Determine whether system cron jobs +# can relabel filesystem for +# restoring file contexts. +# +cron_can_relabel = false + +# +# Determine whether crond can execute jobs +# in the user domain as opposed to the +# the generic cronjob domain. +# +cron_userdomain_transition = false + +# +# Determine whether extra rules +# should be enabled to support fcron. +# +fcron_crond = false + +# +# Determine whether cvs can read shadow +# password files. +# +allow_cvs_read_shadow = false + +# +# Determine whether dbadm can manage +# generic user files. +# +dbadm_manage_user_files = false + +# +# Determine whether dbadm can read +# generic user files. +# +dbadm_read_user_files = false + +# +# Determine whether DHCP daemon +# can use LDAP backends. +# +dhcpd_use_ldap = false + +# +# Determine whether entropyd can use +# audio devices as the source for +# the entropy feeds. +# +entropyd_use_audio = false + +# +# Determine whether exim can connect to +# databases. +# +exim_can_connect_db = false + +# +# Determine whether exim can read generic +# user content files. +# +exim_read_user_files = false + +# +# Determine whether exim can create, +# read, write, and delete generic user +# content files. +# +exim_manage_user_files = false + +# +# Determine whether ftpd can modify +# public files used for public file +# transfer services. Directories/Files must +# be labeled public_content_rw_t. 
+# +allow_ftpd_anon_write = false + +# +# Determine whether ftpd can login to +# local users and can read and write +# all files on the system, governed by DAC. +# +allow_ftpd_full_access = false + +# +# Determine whether ftpd can use CIFS +# used for public file transfer services. +# +allow_ftpd_use_cifs = false + +# +# Determine whether ftpd can use NFS +# used for public file transfer services. +# +allow_ftpd_use_nfs = false + +# +# Determine whether ftpd can connect to +# databases over the TCP network. +# +ftpd_connect_db = false + +# +# Determine whether ftpd can bind to all +# unreserved ports for passive mode. +# +ftpd_use_passive_mode = false + +# +# Determine whether ftpd can connect to +# all unreserved ports. +# +ftpd_connect_all_unreserved = false + +# +# Determine whether ftpd can read and write +# files in user home directories. +# +ftp_home_dir = false + +# +# Determine whether sftpd can modify +# public files used for public file +# transfer services. Directories/Files must +# be labeled public_content_rw_t. +# +sftpd_anon_write = false + +# +# Determine whether sftpd-can read and write +# files in user home directories. +# +sftpd_enable_homedirs = false + +# +# Determine whether sftpd-can login to +# local users and read and write all +# files on the system, governed by DAC. +# +sftpd_full_access = false + +# +# Determine whether sftpd can read and write +# files in user ssh home directories. +# +sftpd_write_ssh_home = false + +# +# Determine whether Git CGI +# can search home directories. +# +git_cgi_enable_homedirs = false + +# +# Determine whether Git CGI +# can access cifs file systems. +# +git_cgi_use_cifs = false + +# +# Determine whether Git CGI +# can access nfs file systems. +# +git_cgi_use_nfs = false + +# +# Determine whether Git session daemon +# can bind TCP sockets to all +# unreserved ports. 
+# +git_session_bind_all_unreserved_ports = false + +# +# Determine whether calling user domains +# can execute Git daemon in the +# git_session_t domain. +# +git_session_users = false + +# +# Determine whether Git session daemons +# can send syslog messages. +# +git_session_send_syslog_msg = false + +# +# Determine whether Git system daemon +# can search home directories. +# +git_system_enable_homedirs = false + +# +# Determine whether Git system daemon +# can access cifs file systems. +# +git_system_use_cifs = false + +# +# Determine whether Git system daemon +# can access nfs file systems. +# +git_system_use_nfs = false + +# +# Determine whether Gitosis can send mail. +# +gitosis_can_sendmail = false + +# +# Determine whether GPG agent can manage +# generic user home content files. This is +# required by the --write-env-file option. +# +gpg_agent_env_file = false + +# +# Determine whether icecast can listen +# on and connect to any TCP port. +# +icecast_use_any_tcp_ports = false + +# +# Determine whether irc clients can +# listen on and connect to any +# unreserved TCP ports. +# +irc_use_any_tcp_ports = false + +# +# Determine whether java can make +# its stack executable. +# +allow_java_execstack = false + +# +# Determine whether kerberos is supported. +# +allow_kerberos = false + +# +# Determine whether logwatch can connect +# to mail over the network. +# +logwatch_can_network_connect_mail = false + +# +# Determine whether to support lpd server. +# +use_lpd_server = false + +# +# Determine whether mcelog supports +# client mode. +# +mcelog_client = false + +# +# Determine whether mcelog can execute scripts. +# +mcelog_exec_scripts = true + +# +# Determine whether mcelog can use all +# the user ttys. +# +mcelog_foreground = false + +# +# Determine whether mcelog supports +# server mode. +# +mcelog_server = false + +# +# Determine whether mcelog can use syslog. +# +mcelog_syslog = false + +# +# Determine whether minidlna can read generic user content. 
+# +minidlna_read_generic_user_content = false + +# +# Determine whether mozilla can +# make its stack executable. +# +mozilla_execstack = false + +# +# Determine whether mpd can traverse +# user home directories. +# +mpd_enable_homedirs = false + +# +# Determine whether mpd can use +# cifs file systems. +# +mpd_use_cifs = false + +# +# Determine whether mpd can use +# nfs file systems. +# +mpd_use_nfs = false + +# +# Determine whether mplayer can make +# its stack executable. +# +allow_mplayer_execstack = false + +# +# Determine whether mysqld can +# connect to all TCP ports. +# +mysql_connect_any = false + +# +# Determine whether confined applications +# can use nscd shared memory. +# +nscd_use_shm = false + +# +# Determine whether openvpn can +# read generic user home content files. +# +openvpn_enable_homedirs = false + +# +# Determine whether openvpn can +# connect to the TCP network. +# +openvpn_can_network_connect = false + +# +# Determine whether Polipo system +# daemon can access CIFS file systems. +# +polipo_system_use_cifs = false + +# +# Determine whether Polipo system +# daemon can access NFS file systems. +# +polipo_system_use_nfs = false + +# +# Determine whether calling user domains +# can execute Polipo daemon in the +# polipo_session_t domain. +# +polipo_session_users = false + +# +# Determine whether Polipo session daemon +# can send syslog messages. +# +polipo_session_send_syslog_msg = false + +# +# Determine whether portage can +# use nfs filesystems. +# +portage_use_nfs = false + +# +# Determine whether postfix local +# can manage mail spool content. +# +postfix_local_write_mail_spool = true + +# +# Determine whether pppd can +# load kernel modules. +# +pppd_can_insmod = false + +# +# Determine whether common users can +# run pppd with a domain transition. +# +pppd_for_user = false + +# +# Determine whether privoxy can +# connect to all tcp ports. 
+# +privoxy_connect_any = false + +# +# Determine whether puppet can +# manage all non-security files. +# +puppet_manage_all_files = false + +# +# Determine whether qemu has full +# access to the network. +# +qemu_full_network = false + +# +# Determine whether rgmanager can +# connect to the network using TCP. +# +rgmanager_can_network_connect = false + +# +# Determine whether fenced can +# connect to the TCP network. +# +fenced_can_network_connect = false + +# +# Determine whether fenced can use ssh. +# +fenced_can_ssh = false + +# +# Determine whether gssd can read +# generic user temporary content. +# +allow_gssd_read_tmp = false + +# +# Determine whether gssd can write +# generic user temporary content. +# +allow_gssd_write_tmp = false + +# +# Determine whether nfs can modify +# public files used for public file +# transfer services. Directories/Files must +# be labeled public_content_rw_t. +# +allow_nfsd_anon_write = false + +# +# Determine whether rsync can use +# cifs file systems. +# +rsync_use_cifs = false + +# +# Determine whether rsync can +# use fuse file systems. +# +rsync_use_fusefs = false + +# +# Determine whether rsync can use +# nfs file systems. +# +rsync_use_nfs = false + +# +# Determine whether rsync can +# run as a client +# +rsync_client = false + +# +# Determine whether rsync can +# export all content read only. +# +rsync_export_all_ro = false + +# +# Determine whether rsync can modify +# public files used for public file +# transfer services. Directories/Files must +# be labeled public_content_rw_t. +# +allow_rsync_anon_write = false + +# +# Determine whether samba can modify +# public files used for public file +# transfer services. Directories/Files must +# be labeled public_content_rw_t. +# +allow_smbd_anon_write = false + +# +# Determine whether samba can +# create home directories via pam. +# +samba_create_home_dirs = false + +# +# Determine whether samba can act as the +# domain controller, add users, groups +# and change passwords. 
+# +samba_domain_controller = false + +# +# Determine whether samba can +# act as a portmapper. +# +samba_portmapper = false + +# +# Determine whether samba can share +# users home directories. +# +samba_enable_home_dirs = false + +# +# Determine whether samba can share +# any content read only. +# +samba_export_all_ro = false + +# +# Determine whether samba can share any +# content readable and writable. +# +samba_export_all_rw = false + +# +# Determine whether samba can +# run unconfined scripts. +# +samba_run_unconfined = false + +# +# Determine whether samba can +# use nfs file systems. +# +samba_share_nfs = false + +# +# Determine whether samba can +# use fuse file systems. +# +samba_share_fusefs = false + +# +# Determine whether sanlock can use +# nfs file systems. +# +sanlock_use_nfs = false + +# +# Determine whether sanlock can use +# cifs file systems. +# +sanlock_use_samba = false + +# +# Determine whether sasl can +# read shadow files. +# +allow_saslauthd_read_shadow = false + +# +# Determine whether smartmon can support +# devices on 3ware controllers. +# +smartmon_3ware = false + +# +# Determine whether spamassassin +# clients can use the network. +# +spamassassin_can_network = false + +# +# Determine whether spamd can manage +# generic user home content. +# +spamd_enable_home_dirs = false + +# +# Determine whether squid can +# connect to all TCP ports. +# +squid_connect_any = false + +# +# Determine whether squid can run +# as a transparent proxy. +# +squid_use_tproxy = false + +# +# Determine whether telepathy connection +# managers can connect to generic tcp ports. +# +telepathy_tcp_connect_generic_network_ports = false + +# +# Determine whether telepathy connection +# managers can connect to any port. +# +telepathy_connect_all_ports = false + +# +# Determine whether tftp can modify +# public files used for public file +# transfer services. Directories/Files must +# be labeled public_content_rw_t. 
+# +tftp_anon_write = false + +# +# Determine whether tftp can manage +# generic user home content. +# +tftp_enable_homedir = false + +# +# Determine whether tor can bind +# tcp sockets to all unreserved ports. +# +tor_bind_all_unreserved_ports = false + +# +# Determine whether varnishd can +# use the full TCP network. +# +varnishd_connect_any = false + +# +# Determine whether attempts by +# vbetool to mmap low regions should +# be silently blocked. +# +vbetool_mmap_zero_ignore = false + +# +# Determine whether confined virtual guests +# can use serial/parallel communication ports. +# +virt_use_comm = false + +# +# Determine whether confined virtual guests +# can use executable memory and can make +# their stack executable. +# +virt_use_execmem = false + +# +# Determine whether confined virtual guests +# can use fuse file systems. +# +virt_use_fusefs = false + +# +# Determine whether confined virtual guests +# can use nfs file systems. +# +virt_use_nfs = false + +# +# Determine whether confined virtual guests +# can use cifs file systems. +# +virt_use_samba = false + +# +# Determine whether confined virtual guests +# can manage device configuration. +# +virt_use_sysfs = false + +# +# Determine whether confined virtual guests +# can use usb devices. +# +virt_use_usb = false + +# +# Determine whether confined virtual guests +# can interact with xserver. +# +virt_use_xserver = false + +# +# Determine whether confined virtual guests +# can use vfio for pci device pass through (vt-d). +# +virt_use_vfio = false + +# +# Determine whether webadm can +# manage generic user files. +# +webadm_manage_user_files = false + +# +# Determine whether webadm can +# read generic user files. +# +webadm_read_user_files = false + +# +# Determine whether attempts by +# wine to mmap low regions should +# be silently blocked. +# +wine_mmap_zero_ignore = false + +# +# Determine whether xend can +# run blktapctrl and tapdisk. 
+# +xend_run_blktap = false + +# +# Determine whether xen can +# use fusefs file systems. +# +xen_use_fusefs = false + +# +# Determine whether xen can +# use nfs file systems. +# +xen_use_nfs = false + +# +# Determine whether xen can +# use samba file systems. +# +xen_use_samba = false + +# +# Determine whether xguest can +# mount removable media. +# +xguest_mount_media = false + +# +# Determine whether xguest can +# configure network manager. +# +xguest_connect_network = false + +# +# Determine whether xguest can +# use blue tooth devices. +# +xguest_use_bluetooth = false + +# +# Determine whether zabbix can +# connect to all TCP ports +# +zabbix_can_network = false + +# +# Determine whether zebra daemon can +# manage its configuration files. +# +allow_zebra_write_config = false + +# +# Control the ability to mmap a low area of the address space, +# as configured by /proc/sys/kernel/mmap_min_addr. +# +mmap_low_allowed = false + +# +# Allow sysadm to debug or ptrace all processes. +# +allow_ptrace = false + +# +# Allow unprived users to execute DDL statement +# +sepgsql_enable_users_ddl = false + +# +# Allow transmit client label to foreign database +# +sepgsql_transmit_client_label = false + +# +# Allow database admins to execute DML statement +# +sepgsql_unconfined_dbadm = false + +# +# allow host key based authentication +# +allow_ssh_keysign = false + +# +# Allow ssh logins as sysadm_r:sysadm_t +# +ssh_sysadm_login = false + +# +# Allow ssh to use gpg-agent +# +ssh_use_gpg_agent = false + +# +# Allows clients to write to the X server shared +# memory segments. +# +allow_write_xshm = false + +# +# Allow xdm logins as sysadm +# +xdm_sysadm_login = false + +# +# Support X userspace object manager +# +xserver_object_manager = false + +# +# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server +# +authlogin_nsswitch_use_ldap = false + +# +# Enable support for upstart as the init program. 
+# +init_upstart = false + +# +# Allow racoon to read shadow +# +racoon_read_shadow = false + +# +# Allow the mount command to mount any directory or file. +# +allow_mount_anyfile = false + +# +# Enable support for systemd-tmpfiles to manage all non-security files. +# +systemd_tmpfiles_manage_all = false + +# +# Allow users to connect to mysql +# +allow_user_mysql_connect = false + +# +# Allow users to connect to PostgreSQL +# +allow_user_postgresql_connect = false + +# +# Allow regular users direct mouse access +# +user_direct_mouse = false + +# +# Allow users to read system messages. +# +user_dmesg = false + +# +# Allow user to r/w files on filesystems +# that do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = false + +# +# Allow w to display everyone +# +user_ttyfile_stat = false + +# +# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla +# +allow_execheap = false + +# +# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") +# +allow_execmem = false + +# +# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") +# +allow_execmod = false + +# +# Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") +# +allow_execstack = false + +# +# Enable polyinstantiated directory support. +# +allow_polyinstantiation = false + +# +# Allow system to run with NIS +# +allow_ypbind = false + +# +# Allow logging in and using the system from /dev/console. +# +console_login = true + +# +# Enable reading of urandom for all domains. 
+# +# +# +# +# This should be enabled when all programs +# are compiled with ProPolice/SSP +# stack smashing protection. All domains will +# be allowed to read from /dev/urandom. +# +global_ssp = false + +# +# Allow email client to various content. +# nfs, samba, removable devices, and user temp +# files +# +mail_read_content = false + +# +# Allow any files/directories to be exported read/write via NFS. +# +nfs_export_all_rw = false + +# +# Allow any files/directories to be exported read/only via NFS. +# +nfs_export_all_ro = false + +# +# Support NFS home directories +# +use_nfs_home_dirs = false + +# +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# +# Allow users to run TCP servers (bind to ports and accept connection from +# the same domain and outside users) disabling this forces FTP passive mode +# and may change other protocols. +# +user_tcp_server = false + diff --git a/package/refpolicy/config b/package/refpolicy/config new file mode 100644 index 0000000..5eee807 --- /dev/null +++ b/package/refpolicy/config @@ -0,0 +1,8 @@ +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=permissive +# SELINUXTYPE= name of the selinux policy to use +SELINUXTYPE=refpolicy diff --git a/package/refpolicy/modules.conf b/package/refpolicy/modules.conf new file mode 100644 index 0000000..2304dc4 --- /dev/null +++ b/package/refpolicy/modules.conf 
@@ -0,0 +1,430 @@ +# +# This file contains a listing of available modules. +# To prevent a module from being used in policy +# creation, set the module name to "off". +# +# For monolithic policies, modules set to "base" and "module" +# will be built into the policy. +# +# For modular policies, modules set to "base" will be +# included in the base module. "module" will be compiled +# as individual loadable modules. +# + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: kernel +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: kernel +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: kernel +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: kernel +# Module: alsa +# Required in base +# +# alsa types and interfaces. +# +alsa = base + +# Layer: kernel +# Module: mta +# Required in base +# +# mta types and interfaces. +# +mta = base + +# Layer: kernel +# Module: apache +# Required in base +# +# apache types and interfaces. +# +apache = base + +# Layer: kernel +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: kernel +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem, +# and unlabeled processes and objects. 
+# +kernel = base + +# Layer: kernel +# Module: mcs +# Required in base +# +# Multicategory security policy +# +mcs = base + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + +# Layer: kernel +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: kernel +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: ubac +# Required in base +# +# User-based access control policy +# +ubac = base + +# Layer: admin +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = module + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = module + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = module + +# Layer: apps +# Module: seunshare +# +# Filesystem namespacing/polyinstantiation application. 
+# +seunshare = module + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = module + +# Layer: roles +# Module: auditadm +# +# Audit administrator role +# +auditadm = module + +# Layer: roles +# Module: logadm +# +# Log administrator role +# +logadm = module + +# Layer: roles +# Module: secadm +# +# Security administrator role +# +secadm = module + +# Layer: roles +# Module: staff +# +# Administrator's unprivileged user role +# +staff = module + +# Layer: roles +# Module: sysadm +# +# General system administration role +# +sysadm = module + +# Layer: roles +# Module: unprivuser +# +# Generic unprivileged user role +# +unprivuser = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. +# +ssh = module + +# Layer: services +# Module: xserver +# +# X Windows Server +# +xserver = module + +# Layer: system +# Module: application +# +# Policy for user executable applications. +# +application = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = module + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. +# +hotplug = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). 
+# +init = module + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = module + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = module + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = module + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = module + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = module + +# Layer: system +# Module: netlabel +# +# NetLabel/CIPSO labeled networking management +# +netlabel = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = module + +# Layer: system +# Module: setrans +# +# SELinux MLS/MCS label translation service. +# +setrans = module + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = module + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = module + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = module + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = module + diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash new file mode 100644 index 0000000..c10de45 --- /dev/null +++ b/package/refpolicy/refpolicy.hash @@ -0,0 +1,2 @@ +#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease +sha256 2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de refpolicy-2.20151208.tar.bz2 
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk new file mode 100644 index 0000000..3622b6e --- /dev/null +++ b/package/refpolicy/refpolicy.mk 
@@ -0,0 +1,111 @@ +################################################################################ +# +# refpolicy +# +################################################################################ + +REFPOLICY_VERSION = RELEASE_2_20151208 +REFPOLICY_SITE = https://github.com/TresysTechnology/refpolicy.git +REFPOLICY_SITE_METHOD = git +REFPOLICY_GIT_SUBMODULES = y +REFPOLICY_LICENSE = GPLv2 +REFPOLICY_LICENSE_FILES = COPYING + +# Cannot use multiple threads to build the reference policy +REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1) + +REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \ + host-setools host-gawk host-python policycoreutils + +REFPOLICY_INSTALL_STAGING = YES + + +# To apply board specific customizations, create a refpolicy folder in +# BR2_GLOBAL_PATCH_DIR. These patches will be applied after the patches +# in package/refpolicy + +# Passing the HOST_CONFIGURE_OPTS to the target build because all of the +# build utilities are expected to be on system. This fools the make files +# into using the host built utilities to compile the SELinux policy for +# the target. +# +# Note, the TEST_TOOLCHAIN option will also set the +# LD_LIBRARY_PATH at run time. 
+REFPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \ + TEST_TOOLCHAIN="$(HOST_DIR)" + +# Build requires python2 to run +REFPOLICY_MAKE_ENV = \ + PYTHON="$(HOST_DIR)/usr/bin/python2" \ + AWK="$(HOST_DIR)/usr/bin/gawk" \ + M4="$(HOST_DIR)/usr/bin/m4" + + +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y) +REFPOLICY_MONOLITHIC = n +else +REFPOLICY_MONOLITHIC = y +endif + +REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE)) +define REFPOLICY_CUSTOM_MODULES_CONF + cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf +endef + +REFPOLICY_BOOLEAN_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE)) +define REFPOLICY_CUSTOM_BOOLEAN_CONF + cp $(REFPOLICY_BOOLEAN_FILE) $(@D)/policy/booleans.conf +endef + +define REFPOLICY_CONFIGURE_CMDS + # If an external repo is used to build refpolicy, this preserves the + # custom modules.conf which defines the enabled components. + if [ -f $(@D)/policy/modules.conf ]; then \ + mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk ; \ + fi + $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) bare \ + $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR) + $(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf + $(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf + $(SED) "/NAME/c\NAME = $(BR2_PACKAGE_REFPOLICY_NAME)" $(@D)/build.conf + + $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \ + $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR) + if [ -f $(@D)/modules.conf.bk ]; then \ + echo "[Preserved modules.conf]" ; \ + mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \ + fi + $(REFPOLICY_CUSTOM_MODULES_CONF) + $(REFPOLICY_CUSTOM_BOOLEAN_CONF) +endef + +define REFPOLICY_INSTALL_STAGING_CMDS + $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \ + install-docs $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR) +endef + +define REFPOLICY_INSTALL_TARGET_CMDS + $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install \ + $(REFPOLICY_MAKE_OPTS) DESTDIR=$(TARGET_DIR) + 
$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config + $(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(BR2_PACKAGE_REFPOLICY_NAME)" \ + $(TARGET_DIR)/etc/selinux/config + $(SED) "/^SELINUX=/c\SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE)" \ + $(TARGET_DIR)/etc/selinux/config + touch $(TARGET_DIR)/.autorelabel + $(RM) $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/booleans +endef + +define REFPOLICY_INSTALL_INIT_SYSV + $(INSTALL) -m 0755 -D package/refpolicy/S00selinux \ + $(TARGET_DIR)/etc/init.d/S00selinux +endef + +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y) +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files +touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local +endif + +$(eval $(generic-package))
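Review bot: in the booleans.conf hunk, three descriptions end with a stray `")` (allow_execmem, allow_execmod, allow_execstack), the global_ssp entry is preceded by a run of five empty `#` lines, the mail_read_content text reads "Allow email client to various content" (the verb "access" is missing), and the authlogin_nsswitch_use_ldap text has "rather then"; these came in from upstream, but since Buildroot now ships this file they are worth cleaning up. More importantly for a file that fixes the shipped security posture, the entries left at `true` (`mcelog_exec_scripts`, `postfix_local_write_mail_spool`, `console_login`) are the only ones that differ from the rest, and a sentence in the commit message or a comment beside each on why they are enabled would save the next reader from guessing.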
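Review bot: the values in package/refpolicy/config (`SELINUX=permissive`, `SELINUXTYPE=refpolicy`) are placeholders, since REFPOLICY_INSTALL_TARGET_CMDS rewrites both lines with sed from BR2_PACKAGE_REFPOLICY_STATE and BR2_PACKAGE_REFPOLICY_NAME; a one-line comment in the file saying that the effective values come from the Buildroot config would stop anyone reading it as the shipped default, and it makes clear that a permissive default (denials logged, not blocked) is only chosen when the config says so.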
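Review bot: in modules.conf the `# Layer: kernel` / `# Required in base` headers on the alsa, mta and apache entries are wrong: those are not kernel-layer modules in refpolicy (they are contrib modules), so either give them their real layer with `= module`, or, if this build really needs them in base, say why in the comment. `unconfined = module` is also enabled by default; processes in that domain are exempt from most of the confinement the policy provides, so the commit message should state that this is intentional and point out that a board config turns it off by setting it to "off", as the file header explains. Minor: "Miscelaneous" in the miscfiles description, and "Determine of the console" in the consoletype description reads as if a word is missing.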
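Review bot: the refpolicy.hash entry names `refpolicy-2.20151208.tar.bz2`, but refpolicy.mk fetches with `REFPOLICY_SITE_METHOD = git` and `REFPOLICY_VERSION = RELEASE_2_20151208`, so the download is a tarball generated from the git checkout and named after that version, not the release tarball hosted at the wiki URL the comment cites; the sha256 therefore never applies to the file actually downloaded. Either fetch the release tarball so the hash is checked, or drop the entry rather than ship a hash that verifies nothing. Minor: Buildroot hash files put a space after `#` (`# From ...`).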
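Review bot: the `ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)` block at the end of refpolicy.mk places `$(INSTALL) -d ...` and `touch ...` lines at the top level of the makefile, outside any define; they contain neither `=` nor `:`, so make cannot parse them and stops with a "missing separator" error. Wrap them in a define (appended to REFPOLICY_INSTALL_TARGET_CMDS or registered as a post-install hook) under the same ifeq. Two more points in this hunk: REFPOLICY_CONFIGURE_CMDS runs `$(REFPOLICY_CUSTOM_MODULES_CONF)` and `$(REFPOLICY_CUSTOM_BOOLEAN_CONF)` unconditionally, so when BR2_PACKAGE_REFPOLICY_MODULES_FILE or BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE is empty the `cp` runs with a single operand and the configure step fails; guard each define with `ifneq ($(REFPOLICY_MODULES_FILE),)` (and the booleans one likewise). And the `$(SED) "/TYPE/c\..."`, `"/MONOLITHIC/c\..."` and `"/NAME/c\..."` patterns are unanchored, so they replace every line of build.conf containing those words, comments included; anchor them the way the SELINUX edits in the install step already do (`/^TYPE/`, `/^MONOLITHIC/`, `/^NAME/`). Style: `REFPOLICY_DEPENDENCIES +=` should be `=` since nothing is being appended to, and the comments inside the REFPOLICY_CONFIGURE_CMDS define are passed to the shell as commands and are better placed above the define.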