Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2024-12-02 16:58:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.28523 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Mon Dec  2 16:58:30 2024 rev:87 rq:1227757 version:20241105

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2024-11-30 13:27:13.268144230 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.28523/selinux-policy.changes 
2024-12-02 16:58:39.596006832 +0100
@@ -2,108 +1,0 @@
-Mon Nov 25 09:06:36 UTC 2024 - cathy...@suse.com
-
-- Update to version 20241118:
-  * Add workaround for /run/rpmdb lockfile (bsc#1231127)
-  * Add dedicated health-checker module (bsc#1231127)
-
--------------------------------------------------------------------
-Thu Nov 07 12:06:01 UTC 2024 - cathy...@suse.com
-
-- Packaging rework: moving all config files to git repository
-  https://gitlab.suse.de/selinux/selinux-policy
-  - Moved booleans to dist/*/booleans.conf and dropped from package:
-    * booleans-minimum.conf
-      - user facing change: boolean settings are now the same as in upstream
-    * booleans-mls.conf
-      - user facing change: boolean settings are now the same as in upstream
-    * booleans-targeted.conf
-      - user facing change: kerberos_enabled boolean was not enabled due to a 
bug, now it is enabled
-  - Moved booleans.subs_dist to dist/booleans.subs_dist and dropped from 
package
-  - Moved customizable_types to dist/customizable_types and dropped from 
package
-    - user facing change: using upstream version
-  - Moved file_contexts.subs_dist to config/file_contexts.subs_dist and 
dropped from package
-    - user facing change: changed systemd entries in file_contexts.subs_dist:
-      /run/systemd/system -> dropped from file
-      /run/systemd/generator.early /run/systemd/generator
-      /run/systemd/generator.late /run/systemd/generator
-  - Moved modules config to dist/<policytype>/modules.conf and dropped from 
package:
-    - user facing change: minimum policy: modules base and contrib are merged 
into modules.lst 
-      and modules-enabled.lst was added which contains the enabled modules, 
replacing modules-minimum-disable.lst
-      * modules-minimum-base.conf
-      * modules-minimum-contrib.conf
-      * modules-minimum-disable.lst
-      * Added: modules-minimum.lst
-    - user facing change: mls policy: modules base + contrib are merged into 
modules.lst
-      * modules-mls-base.conf
-      * modules-mls-contrib.conf
-    - user facing change: targeted policy: modules base + contrib are merged 
into modules.lst:
-      * modules-targeted-base.conf 
-      * modules-targeted-contrib.conf
-  - Moved securetty config to config/appconfig-<policytype>/securetty_types 
and dropped from package
-    - user facing change: using upstream version for all policy types
-      * securetty_types-minimum
-      * securetty_types-mls
-      * securetty_types-targeted
-  - Moved setrans config to dist/<policytype>/setrans.conf and dropped from 
package
-    * setrans-minimum.conf
-    * setrans-mls.conf
-    * setrans-targeted.conf
-  - Moved users config to dist/<policytype>/users and dropped from package
-    * users-minimum
-      - user facing change: added guest_u and xguest_u
-    * users-mls
-    * users-targeted
-- Fix debug-build.sh to follow symlinks when creating
-  the tarball
-- Update embedded container-selinux version to commit:
-  * 3f06c141bebc00a07eec4c0ded038aac4f2ae3f0
-- Update to version 20241107:
-  * Re-add kanidm module to dist/targeted/modules.conf
-  * Add SUSE-specific file contexts to file_contexts.subs_dist
-  * Disallow execstack in dist/minimum/booleans.conf
-  * Add SUSE-specific booleans to dist/targeted/booleans.conf
-  * Add SUSE specific modules to targeted modules.conf
-  * Label /var/cache/systemd/home with systemd_homed_cache_t
-  * Allow login_userdomain connect to systemd-homed over a unix socket
-  * Allow boothd connect to systemd-homed over a unix socket
-  * Allow systemd-homed get attributes of a tmpfs filesystem
-  * Allow abrt-dump-journal-core connect to systemd-homed over a unix socket
-  * Allow aide connect to systemd-homed over a unix socket
-  * Label /dev/hfi1_[0-9]+ devices
-  * Remove the openct module sources
-  * Remove the timidity module sources
-  * Enable the slrn module
-  * Remove i18n_input module sources
-  * Enable the distcc module
-  * Remove the ddcprobe module sources
-  * Remove the timedatex module sources
-  * Remove the djbdns module sources
-  * Confine iio-sensor-proxy
-  * Allow staff user nlmsg_write
-  * Update policy for xdm with confined users
-  * Allow virtnodedev watch mdevctl config dirs
-  * Allow ssh watch home config dirs
-  * Allow ssh map home configs files
-  * Allow ssh read network sysctls
-  * Allow chronyc sendto to chronyd-restricted
-  * Allow cups sys_ptrace capability in the user namespace
-  * Add policy for systemd-homed
-  * Remove fc entry for /usr/bin/pump
-  * Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
-  * Allow accountsd read gnome-initial-setup tmp files
-  * Allow xdm write to gnome-initial-setup fifo files
-  * Allow rngd read and write generic usb devices
-  * Allow qatlib search the content of the kernel debugging filesystem
-  * Allow qatlib connect to systemd-machined over a unix socket
-  * mls/modules.conf - fix typo
-  * Use dist/targeted/modules.conf in build workflow
-  * Fix default and dist config files
-  * Allow unprivileged user watch /run/systemd
-  * CI: update to actions/checkout@v4
-  * Allow boothd connect to kernel over a unix socket
-  * Clean up and sync securetty_types
-  * Bring config files from dist-git into the source repo
-  * Confine gnome-remote-desktop
-  * Allow virtstoraged execute mount programs in the mount domain
-  * Make mdevctl_conf_t member of the file_type attribute
-
--------------------------------------------------------------------
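Review bot: This hunk only removes the 20241118 and Nov 07 changelog entries and adds no entry recording the downgrade; since the spec below sets Version back to 20241105 and reinstates the per-policy Source files, the revert should be documented in selinux-policy.changes, including that the /run/rpmdb lockfile workaround and the dedicated health-checker module (bsc#1231127) are dropped again.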

Old:
----
  modules-minimum.lst
  selinux-policy-20241118.tar.xz

New:
----
  booleans-minimum.conf
  booleans-mls.conf
  booleans-targeted.conf
  booleans.subs_dist
  customizable_types
  file_contexts.subs_dist
  modules-minimum-base.conf
  modules-minimum-contrib.conf
  modules-minimum-disable.lst
  modules-mls-base.conf
  modules-mls-contrib.conf
  modules-targeted-base.conf
  modules-targeted-contrib.conf
  securetty_types-minimum
  securetty_types-mls
  securetty_types-targeted
  selinux-policy-20241105.tar.xz
  setrans-minimum.conf
  setrans-mls.conf
  setrans-targeted.conf
  users-minimum
  users-mls
  users-targeted

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.RasmYX/_old  2024-12-02 16:58:40.392040232 +0100
+++ /var/tmp/diff_new_pack.RasmYX/_new  2024-12-02 16:58:40.396040400 +0100
@@ -36,7 +36,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20241118
+Version:        20241105
 Release:        0
 Source0:        %{name}-%{version}.tar.xz
 Source1:        container.fc
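Review bot: Lowering Version from 20241118 to 20241105 makes the new package compare lower than the one already published, so rpm will not install it as an update on systems that already have 20241118 (Release does not help, since Version is compared first); either move the version past 20241118 or state explicitly that already-updated systems are meant to stay where they are.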
@@ -47,11 +47,37 @@
 Source6:        update.sh
 Source7:        debug-build.sh
 
-Source18:       modules-minimum.lst
+Source10:       modules-targeted-base.conf
+Source11:       modules-targeted-contrib.conf
+Source12:       modules-mls-base.conf
+Source13:       modules-mls-contrib.conf
+Source14:       modules-minimum-base.conf
+Source15:       modules-minimum-contrib.conf
+Source18:       modules-minimum-disable.lst
+
+Source20:       booleans-targeted.conf
+Source21:       booleans-mls.conf
+Source22:       booleans-minimum.conf
+Source23:       booleans.subs_dist
+
+Source30:       setrans-targeted.conf
+Source31:       setrans-mls.conf
+Source32:       setrans-minimum.conf
+
+Source40:       securetty_types-targeted
+Source41:       securetty_types-mls
+Source42:       securetty_types-minimum
+
+Source50:       users-targeted
+Source51:       users-mls
+Source52:       users-minimum
 
 Source60:       selinux-policy.conf
 
 Source91:       Makefile.devel
+Source92:       customizable_types
+#Source93:       config.tgz
+Source94:       file_contexts.subs_dist
 Source95:       macros.selinux-policy
 
 URL:            https://github.com/fedora-selinux/selinux-policy.git
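Review bot: Source18 keeps its number but changes meaning from modules-minimum.lst to modules-minimum-disable.lst, so any scriptlet still expecting the enabled-modules list in %{SOURCE18} silently gets the disable list; a fresh number would be safer. The commented-out `#Source93:       config.tgz` is dead and should be dropped rather than carried along.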
@@ -90,11 +116,17 @@
 %define makeCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
-install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \
-install -p -m0644 ./dist/%1/users ./policy/users \
+cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
+cp -f selinux_config/users-%1 ./policy/users \
+#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \
 
 %define makeModulesConf() \
-install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \
+cp -f selinux_config/modules-%1-%2.conf  ./policy/modules-base.conf \
+cp -f selinux_config/modules-%1-%2.conf  ./policy/modules.conf \
+if [ %3 == "contrib" ];then \
+        cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
+        cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
+fi; \
 
 %define installCmds() \
 %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
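Review bot: In makeModulesConf the test `if [ %3 == "contrib" ];then \` uses the bash-only `==`; `[ "%3" = "contrib" ]` is the portable form and also survives an empty third argument. The leftover `#cp -f selinux_config/modules-%1-base.conf  ./policy/modules.conf \` in makeCmds should go, and the first two `cp -f` lines copy the same modules-%1-%2.conf to both modules-base.conf and modules.conf, which only makes sense because the contrib file is appended to modules.conf below; a one-line comment there would save the next reader the puzzle.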
@@ -105,13 +137,14 @@
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
 %{__mkdir} -p 
%{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
-install -m0644 ./config/file_contexts.subs_dist 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
-install -m0644 ./dist/%1/setrans.conf 
%{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
-install -m0644 ./dist/customizable_types 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+install -m0644 selinux_config/securetty_types-%1 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
+install -m0644 selinux_config/file_contexts.subs_dist 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
+install -m0644 selinux_config/setrans-%1.conf 
%{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
+install -m0644 selinux_config/customizable_types 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local 
\
 touch 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
-install -p -m0644 ./dist/booleans.subs_dist 
%{buildroot}%{_sysconfdir}/selinux/%1 \
+cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
 rm -f %{buildroot}%{_datadir}/selinux/%1/*pp*  \
 %{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | 
cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
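Review bot: `cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \` replaces an `install -p -m0644`, so the mode of the installed booleans.subs_dist now depends on the mode of the checked-in source file instead of being forced to 0644 like the neighbouring files; keep `install -m0644` here. The new securetty_types install line also overrides the upstream file for every policy type, which the removed changelog entry says was deliberately switched to the upstream version, so the packaged securetty_types-%1 files need to be kept in sync with upstream from now on.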
@@ -174,7 +207,8 @@
 %dir %{_datadir}/selinux/%1 \
 %dir %{_datadir}/selinux/packages/%1 \
 %{_datadir}/selinux/%1/base.lst \
-%{_datadir}/selinux/%1/modules.lst \
+%{_datadir}/selinux/%1/modules-base.lst \
+%{_datadir}/selinux/%1/modules-contrib.lst \
 %{_datadir}/selinux/%1/nonbasemodules.lst \
 %dir %{_sharedstatedir}/selinux/%1 \
 %{_sharedstatedir}/selinux/%1/active/commit_num \
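Review bot: modules-contrib.lst is listed unconditionally here, but modulesList only writes it when ./policy/modules-contrib.conf exists, so a %makeModulesConf call without the contrib argument would fail the build at the %files stage; either always create the file (an empty touch in modulesList) or list it conditionally.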
@@ -251,12 +285,16 @@
 fi;
 
 %define modulesList() \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' 
./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' 
./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' 
./policy/modules-base.conf > 
%{buildroot}%{_datadir}/selinux/%1/modules-base.lst \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' 
./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
+if [ -e ./policy/modules-contrib.conf ];then \
+        awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 
}' ./policy/modules-contrib.conf > 
%{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \
+fi;
 
 %define nonBaseModulesList() \
-modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
-for i in $modules; do \
+contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \
+base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \
+for i in $contrib_modules $base_modules; do \
     if [ $i != "sandbox" ];then \
         echo "%verify(not md5 size mtime) 
%{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> 
%{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
     fi; \
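Review bot: nonBaseModulesList cats modules-contrib.lst unconditionally while modulesList creates it only inside `if [ -e ./policy/modules-contrib.conf ]`, so the two macros should agree (generate the file always, possibly empty). The carried-over awk filter `$1 !~ "/^#/"` compares against the literal characters `/^#/` rather than a start-of-field comment anchor; `$1 !~ /^#/` is what was intended, and with the filter now applied to two files it is worth fixing while these lines are being touched.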
@@ -337,10 +375,15 @@
 
 mkdir -p 
%{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
 
+mkdir selinux_config
+for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} 
%{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} 
%{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} 
%{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
+ cp $i selinux_config
+done
+
 make clean
 %if %{BUILD_TARGETED}
 %makeCmds targeted mcs allow
-%makeModulesConf targeted
+%makeModulesConf targeted base contrib
 %installCmds targeted mcs allow
 # recreate sandbox.pp
 rm -rf 
%{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
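Review bot: The staging loop copies most sources into selinux_config, but %{SOURCE18} and %{SOURCE23} are consumed directly from %{_sourcedir} later, while %{SOURCE91} is staged and then installed from selinux_config/Makefile.devel; pick one convention, since the staging step only adds a cwd-relative path for the macros to depend on. `mkdir selinux_config` should also be `mkdir -p` so a re-run of %build in a dirty tree does not abort.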
@@ -352,19 +395,19 @@
 
 %if %{BUILD_MINIMUM}
 %makeCmds minimum mcs allow
-%makeModulesConf targeted
+%makeModulesConf targeted base contrib
 %installCmds minimum mcs allow
+install -m0644 %{SOURCE18} 
%{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst
 # Sandbox is only targeted
 rm -f 
%{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
 rm -rf 
%{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
-install -p -m 644 %{SOURCE18} 
%{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
 %modulesList minimum
 %nonBaseModulesList minimum
 %endif
 
 %if %{BUILD_MLS}
 %makeCmds mls mls deny
-%makeModulesConf mls
+%makeModulesConf mls base contrib
 %installCmds mls mls deny
 %modulesList mls
 %nonBaseModulesList mls
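Review bot: Under `%if %{BUILD_MINIMUM}` the call is `%makeModulesConf targeted base contrib`, so the minimum policy is built from modules-targeted-*.conf and the staged modules-minimum-base.conf / modules-minimum-contrib.conf (Source14/Source15) are never used; if that is intentional (minimum = targeted with contrib modules disabled in %post) a comment should say so, otherwise this should read `%makeModulesConf minimum base contrib`.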
@@ -377,7 +420,7 @@
 make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs 
DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
 mkdir %{buildroot}%{_datadir}/selinux/devel/
 mv %{buildroot}%{_datadir}/selinux/targeted/include 
%{buildroot}%{_datadir}/selinux/devel/include
-install -m 644 %{SOURCE91} %{buildroot}%{_datadir}/selinux/devel/Makefile
+install -m 644 selinux_config/Makefile.devel 
%{buildroot}%{_datadir}/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
 %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r 
%{buildroot}
@@ -536,19 +579,16 @@
 fi
 
 %post minimum
-modules=`cat %{_datadir}/selinux/minimum/modules.lst`
-basemodules=`cat %{_datadir}/selinux/minimum/base.lst`
-enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst`
-if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
-    mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
-fi
+contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst`
+basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst`
+mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null
 if [ $1 -eq 1 ]; then
-for p in $modules; do
+    for p in $contribpackages; do
     touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
-done
-for p in $basemodules $enabledmodules; do
+    done
+    for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do
     rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
-done
+    done
     %{_sbindir}/semanage import -S minimum -f - << __eof
 login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
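Review bot: The set of modules re-enabled on a fresh install is hard-coded as `$basepackages snapper dbus kerberos nscd rpm rtkit`, while modules-minimum-disable.lst (%{SOURCE18}) is packaged but never read in %post; the hard-coded list also differs from the upgrade branch further down, which omits rpm, so a fresh install and an upgraded system end up with different enabled modules. `mkdir -p ... 2>/dev/null` also hides a real failure; drop the redirect and let a failed mkdir surface.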
@@ -557,7 +597,7 @@
     %{_sbindir}/semodule -B -s minimum
 else
     instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
-    for p in $packages; do
+    for p in $contribpackages; do
        touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
     done
     for p in $instpackages snapper dbus kerberos nscd rtkit; do
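Review bot: Replacing the undefined `$packages` with `$contribpackages` fixes a loop that previously iterated over nothing, but the enable list on this branch (`snapper dbus kerberos nscd rtkit`) lacks `rpm`, which the fresh-install branch above enables; align the two lists or derive both from a single source such as the packaged disable list.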
@@ -574,7 +614,7 @@
 %files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
-%{_datadir}/selinux/minimum/modules-enabled.lst
+%{_datadir}/selinux/minimum/modules-minimum-disable.lst
 %fileList minimum
 %endif
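Review bot: modules-minimum-disable.lst is shipped here but nothing in %post minimum reads it (the disabled set is computed from modules-contrib.lst plus a hard-coded list), so either wire the file into %post or drop it from the package.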
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.RasmYX/_old  2024-12-02 16:58:40.464043253 +0100
+++ /var/tmp/diff_new_pack.RasmYX/_new  2024-12-02 16:58:40.468043421 +0100
@@ -1,7 +1,7 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
-              <param 
name="changesrevision">8fe12e2d8c9c84620be4418dab55ad2cf91b3653</param></service><service
 name="tar_scm">
+              <param 
name="changesrevision">6e8cf2b0a771eddc3ae1bee3be0042bd3d9d8ba1</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/containers/container-selinux.git</param>
               <param 
name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service
 name="tar_scm">
                 <param 
name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
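Review bot: Only the changesrevision of the gitlab.suse.de/selinux/selinux-policy.git service moves (8fe12e2d to 6e8cf2b0); the unchanged context still shows a third tar_scm service pointing at a personal fork (gitlab.suse.de/jsegitz/selinux-policy.git), which should be removed from the package's _servicedata or justified in the changes entry.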

++++++ booleans-minimum.conf ++++++
# Allow making anonymous memory executable, e.g. for runtime-code generation or executable stack.
# 
allow_execmem = false

# Allow making a modified private file mapping executable (text relocation).
# 
selinuxuser_execmod = false

# Allow making the stack executable via mprotect. Also requires allow_execmem.
# 
selinuxuser_execstack = false

# Allow ftpd to read cifs directories.
# 
ftpd_use_cifs = false

# Allow ftpd to read nfs directories.
# 
ftpd_use_nfs = false

# Allow ftp servers to modify public files used for public file transfer services.
# 
allow_ftpd_anon_write = false

# Allow gssd to read temp directory.
# 
gssd_read_tmp = true

# Allow Apache to modify public files used for public file transfer services.
# 
allow_httpd_anon_write = false

# Allow Apache to use mod_auth_pam module
# 
httpd_mod_auth_pam = false

# Allow system to run with kerberos
# 
allow_kerberos = true

# Allow rsync to modify public files used for public file transfer services.
# 
allow_rsync_anon_write = false

# Allow sasl to read shadow
# 
saslauthd_read_shadow  = false

# Allow samba to modify public files used for public file transfer services.
# 
allow_smbd_anon_write = false

# Allow system to run with NIS
# 
allow_ypbind = false

# Allow zebra to write its own configuration files
# 
zebra_write_config = false

# Enable extra rules in the cron domain to support fcron.
# 
fcron_crond = false

#
# allow httpd to connect to mysql/postgresql
httpd_can_network_connect_db = false

#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true

#
# allow httpd to network relay
httpd_can_network_relay = false

# Allow httpd to use built in scripting (usually php)
# 
httpd_builtin_scripting = true

# Allow http daemon to tcp connect
# 
httpd_can_network_connect = false

# Allow httpd cgi support
# 
httpd_enable_cgi = true

# Allow httpd to act as a FTP server by listening on the ftp port.
# 
httpd_enable_ftp_server = false

# Allow httpd to read home directories
# 
httpd_enable_homedirs = false

# Run SSI execs in system CGI script domain.
# 
httpd_ssi_exec = false

# Allow http daemon to communicate with the TTY
# 
httpd_tty_comm = false

# Run CGI in the main httpd domain
# 
httpd_unified = false

# Allow BIND to write the master zone files. Generally this is used for dynamic DNS.
# 
named_write_master_zones = false

# Allow nfs to be exported read/write.
# 
nfs_export_all_rw = true

# Allow nfs to be exported read only
# 
nfs_export_all_ro = true

# Allow pppd to load kernel modules for certain modems
# 
pppd_can_insmod = false

# Allow reading of default_t files.
# 
read_default_t = false

# Allow samba to export user home directories.
# 
samba_enable_home_dirs = false

# Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
# 
squid_connect_any = false

# Support NFS home directories
# 
use_nfs_home_dirs = true

# Support SAMBA home directories
# 
use_samba_home_dirs = false

# Control users use of ping and traceroute
# 
user_ping = false

# allow host key based authentication
# 
ssh_keysign = false

# Allow pppd to be run for a regular user
# 
pppd_for_user = false

# Allow spamd to write to users homedirs
# 
spamd_enable_home_dirs = false

# Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
# 
user_rw_noexattrfile = true

# Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users); disabling this forces FTP passive mode and may change other protocols.
# 
user_tcp_server = false

# Allow all domains to talk to ttys
# 
daemons_use_tty = false

# Allow login domains to polyinstantiate directories
# 
polyinstantiation_enabled = false

# Allow all domains to dump core
# 
daemons_dump_core = true

# Allow samba to act as the domain controller
# 
samba_domain_controller = false

# Allow samba to export user home directories.
# 
samba_run_unconfined = false

# Allows XServer to execute writable memory
# 
xserver_execmem = false

# disallow guest accounts to execute files that they can create 
# 
guest_exec_content = false
xguest_exec_content = false

# Allow postfix local to write to mail spool
# 
postfix_local_write_mail_spool = false

# Allow common users to read/write noexattrfile systems
# 
user_rw_noexattrfile = true

# Allow qemu to connect fully to the network
# 
qemu_full_network = true

# System uses init upstart program
# 
init_upstart = true

# Allow mount to mount any file/dir
# 
mount_anyfile = true

# Allow all domains to mmap files
# 
domain_can_mmap_files = true

# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true

# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true

# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

++++++ booleans-mls.conf ++++++
# Allow making anonymous memory executable, e.g. for runtime-code generation or executable stack.
# 
allow_execmem = false

# Allow making a modified private file mapping executable (text relocation).
# 
selinuxuser_execmod = false

# Allow making the stack executable via mprotect. Also requires allow_execmem.
# 
selinuxuser_execstack = false

# Allow ftpd to read cifs directories.
# 
ftpd_use_cifs = false

# Allow ftpd to read nfs directories.
# 
ftpd_use_nfs = false

# Allow ftp servers to modify public files used for public file transfer services.
# 
allow_ftpd_anon_write = false

# Allow gssd to read temp directory.
# 
gssd_read_tmp = true

# Allow Apache to modify public files used for public file transfer services.
# 
allow_httpd_anon_write = false

# Allow Apache to use mod_auth_pam module
# 
httpd_mod_auth_pam = false

# Allow system to run with kerberos
# 
allow_kerberos = true

# Allow rsync to modify public files used for public file transfer services.
# 
allow_rsync_anon_write = false

# Allow sasl to read shadow
# 
saslauthd_read_shadow  = false

# Allow samba to modify public files used for public file transfer services.
# 
allow_smbd_anon_write = false

# Allow system to run with NIS
# 
allow_ypbind = false

# Allow zebra to write its own configuration files
# 
zebra_write_config = false

# Enable extra rules in the cron domain to support fcron.
# 
fcron_crond = false

#
# allow httpd to connect to mysql/postgresql
httpd_can_network_connect_db = false

#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true

#
# allow httpd to network relay
httpd_can_network_relay = false

# Allow httpd to use built in scripting (usually php)
# 
httpd_builtin_scripting = true

# Allow http daemon to tcp connect
# 
httpd_can_network_connect = false

# Allow httpd cgi support
# 
httpd_enable_cgi = true

# Allow httpd to act as a FTP server by listening on the ftp port.
# 
httpd_enable_ftp_server = false

# Allow httpd to read home directories
# 
httpd_enable_homedirs = false

# Run SSI execs in system CGI script domain.
# 
httpd_ssi_exec = false

# Allow http daemon to communicate with the TTY
# 
httpd_tty_comm = false

# Run CGI in the main httpd domain
# 
httpd_unified = false

# Allow BIND to write the master zone files. Generally this is used for dynamic DNS.
# 
named_write_master_zones = false

# Allow nfs to be exported read/write.
# 
nfs_export_all_rw = true

# Allow nfs to be exported read only
# 
nfs_export_all_ro = true

# Allow pppd to load kernel modules for certain modems
# 
pppd_can_insmod = false

# Allow reading of default_t files.
# 
read_default_t = false

# Allow samba to export user home directories.
# 
samba_enable_home_dirs = false

# Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
# 
squid_connect_any = false

# Support NFS home directories
# 
use_nfs_home_dirs = true

# Support SAMBA home directories
# 
use_samba_home_dirs = false

# Control users use of ping and traceroute
# 
user_ping = false

# allow host key based authentication
# 
ssh_keysign = false

# Allow pppd to be run for a regular user
# 
pppd_for_user = false

# Allow spamd to write to users homedirs
# 
spamd_enable_home_dirs = false

# Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
# 
user_rw_noexattrfile = true

# Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users); disabling this forces FTP passive mode and may change other protocols.
# 
user_tcp_server = false

# Allow all domains to talk to ttys
# 
daemons_use_tty = false

# Allow login domains to polyinstantiate directories
# 
polyinstantiation_enabled = false

# Allow all domains to dump core
# 
daemons_dump_core = true

# Allow samba to act as the domain controller
# 
samba_domain_controller = false

# Allow samba to export user home directories.
# 
samba_run_unconfined = false

# Allows XServer to execute writable memory
# 
xserver_execmem = false

# disallow guest accounts to execute files that they can create 
# 
guest_exec_content = false
xguest_exec_content = false

# Allow postfix local to write to mail spool
# 
postfix_local_write_mail_spool = false

# Allow common users to read/write noexattrfile systems
# 
user_rw_noexattrfile = true

# Allow qemu to connect fully to the network
# 
qemu_full_network = true

# System uses init upstart program
# 
init_upstart = true

# Allow mount to mount any file/dir
# 
mount_anyfile = true

# Allow all domains to mmap files
# 
domain_can_mmap_files = true

# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true

# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = false

# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = false

++++++ booleans-targeted.conf ++++++
# Allow making anonymous memory executable, e.g. for runtime-code generation or executable stack.
# 
allow_execmem = false

# Allow making a modified private file mapping executable (text relocation).
# 
selinuxuser_execmod = false

# Allow making the stack executable via mprotect. Also requires allow_execmem.
# 
selinuxuser_execstack = false

# Allow ftpd to read cifs directories.
# 
ftpd_use_cifs = false

# Allow ftpd to read nfs directories.
# 
ftpd_use_nfs = false

# Allow ftp servers to modify public files used for public file transfer services.
# 
allow_ftpd_anon_write = false

# Allow gssd to read temp directory.
# 
gssd_read_tmp = true

# Allow Apache to modify public files used for public file transfer services.
# 
allow_httpd_anon_write = false

# Allow Apache to use mod_auth_pam module
# 
httpd_mod_auth_pam = false

# Allow system to run with kerberos
# 
allow_kerberos = true

# Allow rsync to modify public files used for public file transfer services.
# 
allow_rsync_anon_write = false

# Allow sasl to read shadow
# 
saslauthd_read_shadow  = false

# Allow samba to modify public files used for public file transfer services.
# 
allow_smbd_anon_write = false

# Allow system to run with NIS
# 
allow_ypbind = false

# Allow zebra to write its own configuration files
# 
zebra_write_config = false

# Enable extra rules in the cron domain to support fcron.
# 
fcron_crond = false

#
# allow httpd to connect to mysql/postgresql
httpd_can_network_connect_db = false

#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true

#
# allow httpd to network relay
httpd_can_network_relay = false

# Allow httpd to use built in scripting (usually php)
# 
httpd_builtin_scripting = true

# Allow http daemon to tcp connect
# 
httpd_can_network_connect = false

# Allow httpd cgi support
# 
httpd_enable_cgi = true

# Allow httpd to act as a FTP server by listening on the ftp port.
# 
httpd_enable_ftp_server = false

# Allow httpd to read home directories
# 
httpd_enable_homedirs = false

# Run SSI execs in system CGI script domain.
# 
httpd_ssi_exec = false

# Allow http daemon to communicate with the TTY
# 
httpd_tty_comm = false

# Run CGI in the main httpd domain
# 
httpd_unified = false

# Allow BIND to write the master zone files. Generally this is used for dynamic DNS.
# 
named_write_master_zones = true

# Allow nfs to be exported read/write.
# 
nfs_export_all_rw = true

# Allow nfs to be exported read only
# 
nfs_export_all_ro = true

# Allow pppd to load kernel modules for certain modems
# 
pppd_can_insmod = false

# Allow reading of default_t files.
# 
read_default_t = false

# Allow samba to export user home directories.
# 
samba_enable_home_dirs = false

# Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
# 
squid_connect_any = false

# Support NFS home directories
# 
use_nfs_home_dirs = true

# Support SAMBA home directories
# 
use_samba_home_dirs = false

# Control users use of ping and traceroute
# 
user_ping = false

# allow host key based authentication
# 
ssh_keysign = false

# Allow pppd to be run for a regular user
# 
pppd_for_user = false

# Allow spamd to write to users homedirs
# 
spamd_enable_home_dirs = false

# Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
# 
user_rw_noexattrfile = true

# Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users); disabling this forces FTP passive mode and may change other protocols.
# 
user_tcp_server = false

# Allow all domains to talk to ttys
# 
daemons_use_tty = false

# Allow login domains to polyinstantiate directories
# 
polyinstantiation_enabled = false

# Allow all domains to dump core
# 
daemons_dump_core = true

# Allow samba to act as the domain controller
# 
samba_domain_controller = false

# Allow samba to export user home directories.
# 
samba_run_unconfined = false

# Allows XServer to execute writable memory
# 
xserver_execmem = false

# disallow guest accounts to execute files that they can create 
# 
guest_exec_content = false
xguest_exec_content = false

# Allow postfix local to write to mail spool
# 
postfix_local_write_mail_spool = false

# Allow common users to read/write noexattrfile systems
# 
user_rw_noexattrfile = true

# Allow qemu to connect fully to the network
# 
qemu_full_network = true

# System uses init upstart program
# 
init_upstart = true

# Allow mount to mount any file/dir
# 
mount_anyfile = true

# Allow all domains to mmap files
# 
domain_can_mmap_files = true

# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true

# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true

# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

++++++ booleans.subs_dist ++++++
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
allow_daemons_use_tty daemons_use_tty
allow_domain_fd_use domain_fd_use
allow_execheap selinuxuser_execheap
allow_execmod selinuxuser_execmod
allow_execstack selinuxuser_execstack
allow_ftpd_anon_write ftpd_anon_write
allow_ftpd_full_access ftpd_full_access
allow_ftpd_use_cifs ftpd_use_cifs
allow_ftpd_use_nfs ftpd_use_nfs
allow_gssd_read_tmp gssd_read_tmp
allow_guest_exec_content guest_exec_content
allow_httpd_anon_write httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam httpd_mod_auth_pam
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
allow_kerberos kerberos_enabled
allow_mplayer_execstack mplayer_execstack
allow_mount_anyfile mount_anyfile
allow_nfsd_anon_write nfsd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
allow_rsync_anon_write rsync_anon_write
allow_saslauthd_read_shadow saslauthd_read_shadow
allow_secadm_exec_content secadm_exec_content
allow_smbd_anon_write smbd_anon_write
allow_ssh_keysign ssh_keysign
allow_staff_exec_content staff_exec_content
allow_sysadm_exec_content sysadm_exec_content
allow_user_exec_content user_exec_content
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
allow_write_xshm xserver_clients_write_xshm
allow_xguest_exec_content xguest_exec_content
allow_xserver_execmem xserver_execmem
allow_ypbind nis_enabled
allow_zebra_write_config zebra_write_config
user_direct_dri selinuxuser_direct_dri_enabled
user_ping selinuxuser_ping
user_share_music selinuxuser_share_music
user_tcp_server selinuxuser_tcp_server
sepgsql_enable_pitr_implementation postgresql_can_rsync
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
clamd_use_jit antivirus_use_jit
amavis_use_jit antivirus_use_jit
logwatch_can_sendmail logwatch_can_network_connect_mail
puppet_manage_all_files puppetagent_manage_all_files
virt_sandbox_use_nfs virt_use_nfs

++++++ container.fc ++++++
--- /var/tmp/diff_new_pack.RasmYX/_old  2024-12-02 16:58:40.568047616 +0100
+++ /var/tmp/diff_new_pack.RasmYX/_new  2024-12-02 16:58:40.572047784 +0100
@@ -131,7 +131,7 @@
 /var/lib/kubernetes/pods(/.*)? 
gen_context(system_u:object_r:container_file_t,s0)
 
 /var/lib/kubelet(/.*)?         
gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/kubelet/pod-resources(/.*)?   
gen_context(system_u:object_r:kubelet_var_lib_t,s0)
+/var/lib/kubelet/pod-resources/kubelet.sock            
gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/docker-latest(/.*)?           
gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env  
gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log   
gen_context(system_u:object_r:container_log_t,s0)
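Review bot: the replacement at `+/var/lib/kubelet/pod-resources/kubelet.sock` narrows the labelling from a whole-subtree `(/.*)?` pattern typed `kubelet_var_lib_t` to one socket typed `container_file_t`; everything else kubelet creates under pod-resources now inherits the parent `/var/lib/kubelet(/.*)?` rule and becomes `container_var_lib_t`. Since this request reverts to the 20241105 tree and container.te below drops the `kubelet_var_lib_t` type, hosts that already ran the 20241118 policy keep on-disk `kubelet_var_lib_t` labels that the loaded policy no longer knows, which show up as `unlabeled_t`; a `restorecon -Rv /var/lib/kubelet` (or a fixfiles pass in %post) should accompany the downgrade.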
@@ -162,7 +162,6 @@
 
 /run/lock/lxc(/.*)?            
gen_context(system_u:object_r:container_lock_t,s0)
 
-/var/log/kube-apiserver(/.*)?          
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxc(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/lxd(/.*)?             
gen_context(system_u:object_r:container_log_t,s0)
 /etc/kubernetes(/.*)?          
gen_context(system_u:object_r:kubernetes_file_t,s0)
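Review bot: with `/var/log/kube-apiserver(/.*)?` dropped, that directory falls back to the generic `/var/log` default (`var_log_t`) instead of `container_log_t`, so container domains confined to `container_log_t` lose write access to it; the matching `logging_log_filetrans` removal in container.if keeps policy and file contexts consistent, but this is a behaviour change for kube-apiserver logging and belongs in the changelog.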

++++++ container.if ++++++
--- /var/tmp/diff_new_pack.RasmYX/_old  2024-12-02 16:58:40.588048456 +0100
+++ /var/tmp/diff_new_pack.RasmYX/_new  2024-12-02 16:58:40.588048456 +0100
@@ -512,7 +512,6 @@
     files_pid_filetrans($1, container_var_run_t, dir, "containers")
     files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
 
-    logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
     logging_log_filetrans($1, container_log_t, dir, "lxc")
     files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
     files_var_lib_filetrans($1, container_file_t, dir, "origin")
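Review bot: without `logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")` a runtime domain calling this interface creates `/var/log/kube-apiserver` with its parent's `var_log_t` label rather than `container_log_t`; that is the companion of the container.fc removal above, so the two stay in step, but any existing `container_log_t` directory on a downgraded host keeps its old label until a relabel, and the two states should not be mixed silently.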

++++++ container.te ++++++
--- /var/tmp/diff_new_pack.RasmYX/_old  2024-12-02 16:58:40.616049631 +0100
+++ /var/tmp/diff_new_pack.RasmYX/_new  2024-12-02 16:58:40.620049798 +0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.234.0)
+policy_module(container, 2.232.1)
 
 gen_require(`
        class passwd rootok;
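Review bot: the module version goes backwards (`2.234.0` to `2.232.1`) because this request replaces the 20241118 tarball with 20241105; the policy_module version is informational for semodule, so the downgrade will install, but the changelog entries describing the reverted work are removed as well, so the reason for the revert should be recorded somewhere, otherwise the next bump to 2.234.0 brings the pod-resources and kube-apiserver rules back without review.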
@@ -757,7 +757,6 @@
 #
 allow spc_t { container_file_t container_var_lib_t container_ro_file_t 
container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
-dontaudit spc_t self:memprotect mmap_zero;
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
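Review bot: dropping `dontaudit spc_t self:memprotect mmap_zero;` grants nothing, but every attempt by a super-privileged container to map page zero will now produce an AVC denial in the audit log; if that noise is what the 20241118 policy suppressed, expect setroubleshoot and audit2allow reports for `spc_t` to return after the downgrade.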
@@ -1451,14 +1450,11 @@
 allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
 allow container_engine_t fusefs_t:file relabelto;
 allow container_engine_t kernel_t:system module_request;
-allow container_engine_t null_device_t:chr_file { mounton 
setattr_chr_file_perms };
+allow container_engine_t null_device_t:chr_file mounton;
 allow container_engine_t random_device_t:chr_file mounton;
 allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
 allow container_engine_t urandom_device_t:chr_file mounton;
 allow container_engine_t zero_device_t:chr_file mounton;
-allow container_engine_t container_file_t:sock_file mounton;
-allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms 
};
-allow container_engine_t devpts_t:chr_file setattr;
 
 manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
 
@@ -1487,17 +1483,6 @@
 can_exec(container_runtime_t, kubelet_exec_t)
 allow kubelet_t kubelet_exec_t:file entrypoint;
 
-type kubelet_var_lib_t;
-files_type(kubelet_var_lib_t)
-
-manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
-manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
-manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
-manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
-
-files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
-filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, 
"pod-resources")
-
 ifdef(`enable_mcs',`
        init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - 
mcs_systemhigh)
 ')
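Review bot: removing the `kubelet_var_lib_t` type with its manage_*_pattern rules and both filetrans rules means kubelet no longer gets a dedicated type for `/var/lib/kubelet/pod-resources`; the directory it creates is `container_var_lib_t` through the parent rule. Note the asymmetry with the container.fc hunk above, which still special-cases `kubelet.sock` as `container_file_t`: the socket is then reachable by every domain with `container_file_t` socket access, which is broader than the removed dedicated type. If that is intended, the commit message should say so.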
@@ -1531,12 +1516,10 @@
 # Standard container which needs to be allowed to use any device and
 # communicate with kubelet
 container_domain_template(container_device_plugin, container)
-typeattribute container_device_plugin_t container_net_domain;
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
 kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
-stream_connect_pattern(container_device_plugin_t, container_var_lib_t,  
kubelet_var_lib_t, kubelet_t)
 
 # Standard container which needs to be allowed to use any device and
 # modify kubelet configuration
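Review bot: the comment above the template still promises the device plugin can "communicate with kubelet", and `container_kubelet_stream_connect()` remains, so the socket path still works; but removing `typeattribute container_device_plugin_t container_net_domain;` takes network access away from the device-plugin domain entirely, so any plugin that opens a network socket will now be denied. Either keep the attribute or document the restriction next to the template.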

++++++ customizable_types ++++++
sandbox_file_t
svirt_image_t
svirt_home_t
svirt_lxc_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_rw_content_t
httpd_user_ra_content_t
httpd_user_content_t
git_session_content_t
home_bin_t
user_tty_device_t

++++++ debug-build.sh ++++++
--- /var/tmp/diff_new_pack.RasmYX/_old  2024-12-02 16:58:40.660051477 +0100
+++ /var/tmp/diff_new_pack.RasmYX/_new  2024-12-02 16:58:40.664051645 +0100
@@ -23,7 +23,7 @@
 # Create tar file with name like selinux-policy-<current-version>.tar.xz 
 TAR_NAME=$REPO_NAME-$VERSION.tar.xz
 echo "Creating tar file: $TAR_NAME"
-tar --exclude-vcs -cJhf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C 
$REPO_NAME .
+tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C 
$REPO_NAME .
 
 # Some helpful prompts
 if test $? -eq 0; then 
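Review bot: dropping `-h` means tar now stores symlinks in the checkout as links instead of copying their targets, so a stray link can no longer pull files from outside `$REPO_NAME` into the tarball, but any link that pointed outside the tree becomes dangling in the archive; the same line should also quote `"$TAR_NAME"` and `"$REPO_NAME"` (the `$VERSION` inside `--transform` is already quoted) so a version string with whitespace does not split the command.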

++++++ file_contexts.subs_dist ++++++
/var/run /run
/var/lock /run/lock
/var/run/lock /var/lock
/lib /usr/lib
/lib64 /usr/lib
/usr/lib64 /usr/lib
/usr/local /usr
/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/etc/systemd/system /usr/lib/systemd/system
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system
/run/systemd/generator.early /usr/lib/systemd/system
/run/systemd/generator.late /usr/lib/systemd/system
/var/lib/xguest/home /home
/var/run/netconfig /etc
/var/adm/netconfig/md5/etc /etc
/var/adm/netconfig/md5/var /var
/usr/etc /etc
/bin /usr/bin
/sbin /usr/bin
/usr/sbin /usr/bin

++++++ modules-minimum-base.conf ++++++
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
# 
bootloader = module

# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base

# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base

# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
# 
dmesg = module

# Layer: admin
# Module: netutils
#
# Network analysis utilities
# 
netutils = module

# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
# 
sudo = module

# Layer: admin
# Module: su
#
# Run shells with substitute user and group
# 
su = module

# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
# 
usermanage = module

# Layer: apps
# Module: seunshare
#
# seunshare executable
# 
seunshare = module

# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
# 
devices = base

# Module: domain
# Required in base
#
# Core policy for domains.
# 
domain = base

# Layer: system
# Module: userdomain
#
# Policy for user domains
# 
userdomain = module

# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
# 
files = base

# Layer: system
# Module: miscfiles
#
# Miscellaneous files.
# 
miscfiles = module

# Module: filesystem
# Required in base
#
# Policy for filesystems.
# 
filesystem = base

# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem, and unlabeled processes and objects.
# 
kernel = base

# Module: mcs
# Required in base
#
# MultiCategory security policy
# 
mcs = base

# Module: mls
# Required in base
#
# Multilevel security policy
# 
mls = base

# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
# 
selinux = base

# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
# 
storage = base

# Module: terminal
# Required in base
#
# Policy for terminals.
# 
terminal = base

# Layer: kernel
# Module: ubac
#
# 
# 
ubac = base

# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module

# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
# 
auditadm = module

# Layer: role
# Module: logadm
#
# Minimally privileged root role for managing logging system
# 
logadm = module

# Layer: role
# Module: secadm
#
# secadm account on tty logins
# 
secadm = module

# Layer: role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
# 
sysadm_secadm = module

# Module: staff
#
# admin account 
# 
staff = module

# Layer: role
# Module: sysadm
#
# System Administrator
# 
sysadm = module

# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
# 
unconfineduser = module

# Layer: role
# Module: unprivuser
#
# Minimally privileged guest account on tty logins
# 
unprivuser = module

# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
# 
postgresql = module

# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
# 
ssh = module

# Layer: services
# Module: xserver
#
# X windows login display manager
# 
xserver = module

# Module: application
# Required in base
#
# Defines attributes and interfaces for all user applications
# 
application = module

# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
# 
authlogin = module

# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
# 
clock = module

# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
# 
fstools = module

# Layer: system
# Module: getty
#
# Policy for getty.
# 
getty = module

# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
# 
hostname = module

# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
# 
init = module

# Layer: system
# Module: ipsec
#
# TCP/IP encryption
# 
ipsec = module

# Layer: system
# Module: iptables
#
# Policy for iptables.
# 
iptables = module

# Layer: system
# Module: libraries
#
# Policy for system libraries.
# 
libraries = module

# Layer: system
# Module: locallogin
#
# Policy for local logins.
# 
locallogin = module

# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
# 
logging = module

# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
# 
lvm = module

# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
# 
modutils = module

# Layer: system
# Module: mount
#
# Policy for mount.
# 
mount = module

# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
# 
netlabel = module

# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
# 
selinuxutil = module

# Module: setrans
# Required in base
#
# Policy for setrans
# 
setrans = module

# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
# 
sysnetwork = module

# Layer: system
# Module: systemd
#
# Policy for systemd components
# 
systemd = module

# Layer: system
# Module: udev
#
# Policy for udev.
# 
udev = module

# Layer: system
# Module: unconfined
#
# The unconfined domain.
# 
unconfined = module

# Layer: admin
# Module: rpm
#
# Policy for the RPM package manager.
# 
rpm = module

# Layer: contrib
# Module: packagekit
#
# Temporary permissive module for packagekit
#
packagekit = module

# Layer: services
# Module: nscd
#
# Name service cache daemon
# 
nscd = module

++++++ modules-minimum-contrib.conf ++++++
++++ 2610 lines (skipped)

++++++ modules-minimum-disable.lst ++++++
abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus 
apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 
bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd 
calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch 
cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd 
colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron 
ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient 
denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec 
dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld 
firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome 
gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance 
iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone 
kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev 
logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki 
memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin 
mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd 
ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn 
openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd 
podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink 
unprivuser prelude privoxy procmail psad ptchown pulseaudio puppet pwauth qmail 
qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd 
remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd 
rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen 
sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon 
smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd 
stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml 
updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool 
vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm 
webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote 
thin mandb pki smsd sslh obs 

++++++ modules-mls-base.conf ++++++
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
# 
bootloader = module

# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
# 
corenetwork = base

# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
# 
dmesg = module

# Layer: admin
# Module: netutils
#
# Network analysis utilities
# 
netutils = module

# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
# 
sudo = module

# Layer: admin
# Module: su
#
# Run shells with substitute user and group
# 
su = module

# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
# 
usermanage = module

# Layer: apps
# Module: seunshare
#
# seunshare executable
# 
seunshare = module

# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
# 
corecommands = base

# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
# 
devices = base

# Module: domain
# Required in base
#
# Core policy for domains.
# 
domain = base

# Layer: system
# Module: userdomain
#
# Policy for user domains
# 
userdomain = module

# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
# 
files = base

# Module: filesystem
# Required in base
#
# Policy for filesystems.
# 
filesystem = base

# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem, and unlabeled processes and objects.
# 
kernel = base

# Module: mcs
# Required in base
#
# MultiCategory security policy
# 
mcs = base

# Module: mls
# Required in base
#
# Multilevel security policy
# 
mls = base

# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
# 
selinux = base

# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
# 
storage = base

# Module: terminal
# Required in base
#
# Policy for terminals.
# 
terminal = base

# Layer: kernel
# Module: ubac
#
# 
# 
ubac = base

# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module

# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
# 
auditadm = module

# Layer: role
# Module: logadm
#
# Minimally privileged root role for managing logging system
# 
logadm = module

# Layer: role
# Module: secadm
#
# secadm account on tty logins
# 
secadm = module

# Layer: role
# Module: staff
#
# admin account 
# 
staff = module

# Layer: role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
# 
sysadm_secadm = module

# Layer: role
# Module: sysadm
#
# System Administrator
# 
sysadm = module

# Layer: role
# Module: unprivuser
#
# Minimally privileged guest account on tty logins
# 
unprivuser = module

# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
# 
postgresql = module

# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
# 
ssh = module

# Layer: services
# Module: xserver
#
# X windows login display manager
# 
xserver = module

# Module: application
# Required in base
#
# Defines attributes and interfaces for all user applications
# 
application = module

# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
# 
authlogin = module

# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
# 
clock = module

# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
# 
fstools = module

# Layer: system
# Module: getty
#
# Policy for getty.
# 
getty = module

# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
# 
hostname = module

# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
# 
init = module

# Layer: system
# Module: ipsec
#
# TCP/IP encryption
# 
ipsec = module

# Layer: system
# Module: iptables
#
# Policy for iptables.
# 
iptables = module

# Layer: system
# Module: libraries
#
# Policy for system libraries.
# 
libraries = module

# Layer: system
# Module: locallogin
#
# Policy for local logins.
# 
locallogin = module

# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
# 
logging = module

# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
# 
lvm = module

# Layer: system
# Module: miscfiles
#
# Miscellaneous files.
# 
miscfiles = module

# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
# 
modutils = module

# Layer: system
# Module: mount
#
# Policy for mount.
# 
mount = module

# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
# 
netlabel = module

# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
# 
selinuxutil = module

# Module: setrans
# Required in base
#
# Policy for setrans
# 
setrans = module

# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
# 
sysnetwork = module

# Layer: system
# Module: systemd
#
# Policy for systemd components
# 
systemd = module

# Layer: system
# Module: udev
#
# Policy for udev.
# 
udev = module

++++++ modules-mls-contrib.conf ++++++
++++ 1582 lines (skipped)

++++++ modules-targeted-base.conf ++++++
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
# 
bootloader = module

# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base

# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base

# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
# 
dmesg = module

# Layer: admin
# Module: netutils
#
# Network analysis utilities
# 
netutils = module

# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
# 
sudo = module

# Layer: admin
# Module: su
#
# Run shells with substitute user and group
# 
su = module

# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
# 
usermanage = module

# Layer: apps
# Module: seunshare
#
# seunshare executable
# 
seunshare = module

# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
# 
devices = base

# Module: domain
# Required in base
#
# Core policy for domains.
# 
domain = base

# Layer: system
# Module: userdomain
#
# Policy for user domains
# 
userdomain = module

# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
# 
files = base

# Layer: system
# Module: miscfiles
#
# Miscellaneous files.
# 
miscfiles = module

# Module: filesystem
# Required in base
#
# Policy for filesystems.
# 
filesystem = base

# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem, and unlabeled processes and objects.
# 
kernel = base

# Module: mcs
# Required in base
#
# MultiCategory security policy
# 
mcs = base

# Module: mls
# Required in base
#
# Multilevel security policy
# 
mls = base

# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
# 
selinux = base

# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
# 
storage = base

# Module: terminal
# Required in base
#
# Policy for terminals.
# 
terminal = base

# Layer: kernel
# Module: ubac
#
# 
# 
ubac = base

# Layer: kernel
# Module: unlabelednet
#
# The unlabelednet module.
#
unlabelednet = module

# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
# 
auditadm = module

# Layer: role
# Module: logadm
#
# Minimally privileged root role for managing logging system
# 
logadm = module

# Layer: role
# Module: secadm
#
# secadm account on tty logins
# 
secadm = module

# Layer: role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
# 
sysadm_secadm = module

# Module: staff
#
# admin account 
# 
staff = module

# Layer: role
# Module: sysadm
#
# System Administrator
# 
sysadm = module

# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
# 
unconfineduser = module

# Layer: role
# Module: unprivuser
#
# Minimally privileged guest account on tty logins
# 
unprivuser = module

# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
# 
postgresql = module

# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
# 
ssh = module

# Layer: services
# Module: xserver
#
# X windows login display manager
# 
xserver = module

# Module: application
# Required in base
#
# Defines attributes and interfaces for all user applications
# 
application = module

# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
# 
authlogin = module

# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
# 
clock = module

# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
# 
fstools = module

# Layer: system
# Module: getty
#
# Policy for getty.
# 
getty = module

# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
# 
hostname = module

# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
# 
init = module

# Layer: system
# Module: ipsec
#
# TCP/IP encryption
# 
ipsec = module

# Layer: system
# Module: iptables
#
# Policy for iptables.
# 
iptables = module

# Layer: system
# Module: libraries
#
# Policy for system libraries.
# 
libraries = module

# Layer: system
# Module: locallogin
#
# Policy for local logins.
# 
locallogin = module

# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
# 
logging = module

# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
# 
lvm = module

# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
# 
modutils = module

# Layer: system
# Module: mount
#
# Policy for mount.
# 
mount = module

# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
# 
netlabel = module

# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
# 
selinuxutil = module

# Module: setrans
# Required in base
#
# Policy for setrans
# 
setrans = module

# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
# 
sysnetwork = module

# Layer: system
# Module: systemd
#
# Policy for systemd components
# 
systemd = module

# Layer: system
# Module: udev
#
# Policy for udev.
# 
udev = module

# Layer: system
# Module: unconfined
#
# The unconfined domain.
# 
unconfined = module

# Layer: contrib
# Module: packagekit
#
# Temporary permissive module for packagekit
#
packagekit = module

# Layer: contrib
# Module: rtorrent
#
# Policy for rtorrent
#
rtorrent = module

# Layer: contrib
# Module: wicked
#
# Policy for wicked
#
wicked = module

# Layer: system
# Module: rebootmgr
#
# Policy for rebootmgr
#
rebootmgr = module

++++++ modules-targeted-contrib.conf ++++++
++++ 2700 lines (skipped)

++++++ securetty_types-minimum ++++++
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

++++++ securetty_types-mls ++++++
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t

++++++ securetty_types-targeted ++++++
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

++++++ selinux-policy-20241118.tar.xz -> selinux-policy-20241105.tar.xz ++++++
++++ 11137 lines of diff (skipped)

++++++ setrans-minimum.conf ++++++
#
# Multi-Category Security translation table for SELinux
# 
# Uncomment the following to disable translation library
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023.  Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

++++++ setrans-mls.conf ++++++
#
# Multi-Level Security translation table for SELinux
# 
# Uncomment the following to disable translation library
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023 
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purposes.
#
# Assumptions: the following MLS labels are in use.
#  SystemLow
#  SystemHigh
#  Unclassified 
#  Secret with compartments A and B.
# 
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh

# Unclassified level
s1=Unclassified

# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B

# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh

# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

++++++ setrans-targeted.conf ++++++
#
# Multi-Category Security translation table for SELinux
# 
# Uncomment the following to disable translation library
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023.  Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
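
The three setrans tables above share one format: a raw MLS/MCS level or range on the left of `=` and the label an administrator wants to see on the right, with `disable=1` as the only directive. The following is an added example, not code from the selinux-policy package or from mcstransd: a small Python parser that validates the raw side (sensitivity s0-s15, categories c0-c1023, as the comments state), builds forward and reverse maps, and rewrites the level field of a full `user:role:type:level` context in either direction. It does exact-match lookup only; the compartment composition and richer syntax of the real translation daemon are not modelled, and `SAMPLE_SETRANS` is a constructed fragment in the style of setrans-mls.conf.

```python
"""Exact-match lookup over a setrans.conf-style table: raw MLS/MCS level <-> label.

Added example; it mimics only the table format shown above, not the matching
rules of mcstransd (which composes compartment names and has a richer syntax).
"""
import re
from dataclasses import dataclass, field
from typing import Dict

# Constructed sample in the format of setrans-mls.conf above (not the package's file).
SAMPLE_SETRANS = """\
# Multi-Level Security translation table for SELinux
# Uncomment the following to disable the translation library
# disable=1
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
s1=Unclassified
s2=Secret
s0-s2:c0,c1=SystemLow-Secret:AB
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
"""

# Raw side syntax: a level is s<N> with an optional category set (c<N>, c<N>.c<N>
# for a run of categories, comma separated); a range is low-high.
_LEVEL = r"s\d+(?::c\d+(?:[.,]c\d+)*)?"
_RAW_RE = re.compile(rf"^{_LEVEL}(?:-{_LEVEL})?$")
MAX_SENS, MAX_CAT = 15, 1023  # 16 sensitivity levels, categories c0-c1023 (file comments)


@dataclass
class SetransTable:
    disabled: bool = False
    forward: Dict[str, str] = field(default_factory=dict)  # raw -> human label
    reverse: Dict[str, str] = field(default_factory=dict)  # human label -> raw


def _check_bounds(raw: str, lineno: int) -> None:
    """Reject sensitivities above s15 or categories above c1023."""
    for sens in re.findall(r"s(\d+)", raw):
        if int(sens) > MAX_SENS:
            raise ValueError(f"line {lineno}: sensitivity s{sens} exceeds s{MAX_SENS}")
    for cat in re.findall(r"c(\d+)", raw):
        if int(cat) > MAX_CAT:
            raise ValueError(f"line {lineno}: category c{cat} exceeds c{MAX_CAT}")


def parse_setrans(text: str) -> SetransTable:
    """Parse 'raw=label' lines; '#' comments and blank lines are skipped."""
    table = SetransTable()
    for lineno, physical in enumerate(text.splitlines(), 1):
        line = physical.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected raw=label, got {line!r}")
        raw, human = (part.strip() for part in line.split("=", 1))
        if raw == "disable":  # the one directive the format supports
            table.disabled = human == "1"
            continue
        if not _RAW_RE.match(raw):
            raise ValueError(f"line {lineno}: malformed raw level/range {raw!r}")
        _check_bounds(raw, lineno)
        # Each side must map uniquely, otherwise untranslation would be ambiguous.
        if table.forward.get(raw, human) != human or table.reverse.get(human, raw) != raw:
            raise ValueError(f"line {lineno}: conflicting mapping {raw}={human}")
        table.forward[raw] = human
        table.reverse[human] = raw
    return table


def _map_level(table_side: Dict[str, str], context: str) -> str:
    """Rewrite the fourth field of user:role:type:level; unknown levels pass through raw."""
    parts = context.split(":", 3)
    if len(parts) < 4:
        return context  # no MLS/MCS field present
    parts[3] = table_side.get(parts[3], parts[3])
    return ":".join(parts)


def translate(table: SetransTable, context: str) -> str:
    """Raw context -> human-readable context (what tools show with translation on)."""
    return context if table.disabled else _map_level(table.forward, context)


def untranslate(table: SetransTable, context: str) -> str:
    """Human-readable context -> raw context (what the kernel actually stores)."""
    return context if table.disabled else _map_level(table.reverse, context)


if __name__ == "__main__":
    t = parse_setrans(SAMPLE_SETRANS)
    print(translate(t, "system_u:system_r:init_t:s0-s15:c0.c1023"))
```

Two points worth noting when editing such a table: a label that appears on the right of two different raw entries makes the reverse direction ambiguous (the parser rejects it), and a raw level with no entry is shown untranslated rather than hidden, so an unexpected `s0:c5`-style string in output usually means the table is incomplete, not that labelling failed.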

++++++ users-minimum ++++++
##################################
#
# Core User configuration.
#

#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
# Note: Identities without a prefix will not be listed
# in the users_extra file used by genhomedircon.

#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined.  The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user.  If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell.  Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

++++++ users-mls ++++++
##################################
#
# Core User configuration.
#

#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
# Note: Identities without a prefix will not be listed
# in the users_extra file used by genhomedircon.

#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined.  The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user.  If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell.  Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

++++++ users-targeted ++++++
##################################
#
# Core User configuration.
#

#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
# Note: Identities without a prefix will not be listed
# in the users_extra file used by genhomedircon.

#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined.  The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user.  If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell.  Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)
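
The three users files above are lists of `gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])` macro calls, and the mail archive wraps the longer calls across two physical lines. The following is an added example, not part of the selinux-policy package or of the refpolicy build tooling: a Python parser that joins wrapped calls until the parentheses balance, splits the arguments into a record, and applies two checks drawn from the file comments, namely that an identity with an empty prefix will be missing from users_extra and that the default level is the low end of the declared range. `SAMPLE_USERS` is a constructed fragment in the form of the users-targeted file; `mls_systemhigh` and `mcs_allcats` are left as symbolic macro names, since their expansion depends on the policy being built.

```python
"""Parse gen_user(...) entries from a refpolicy-style users file and sanity-check them.

Added example; not part of the selinux-policy package or refpolicy tooling.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample in the form of users-targeted above, including one call
# wrapped across two physical lines the way the mail archive wraps it.
SAMPLE_USERS = """\
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - 
mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
"""

GEN_USER_RE = re.compile(r"^gen_user\((.*)\)$")


@dataclass
class GenUser:
    name: str
    prefix: str                  # empty prefix: not listed in users_extra (file comment)
    roles: List[str]
    default_level: str
    mls_range: str               # kept symbolic, e.g. "s0 - mls_systemhigh"
    mcs_categories: Optional[str]

    @property
    def range_low(self) -> str:
        """Low end of 'low - high'; a bare level is its own low end."""
        return self.mls_range.split("-", 1)[0].strip()


def _logical_lines(text: str) -> Iterator[str]:
    """Yield one macro call per item, joining physical lines until parentheses balance."""
    buf = ""
    for physical in text.splitlines():
        stripped = physical.strip()
        if not buf and (not stripped or stripped.startswith("#")):
            continue  # comments and blank lines between calls
        buf = f"{buf} {stripped}" if buf else stripped
        if buf.count("(") == buf.count(")"):
            yield buf
            buf = ""
    if buf:
        raise ValueError(f"unterminated macro call: {buf!r}")


def parse_users(text: str) -> List[GenUser]:
    """Turn gen_user(...) calls into GenUser records; anything else is an error."""
    users = []
    for call in _logical_lines(text):
        m = GEN_USER_RE.match(call)
        if not m:
            raise ValueError(f"not a gen_user call: {call!r}")
        args = [a.strip() for a in m.group(1).split(",")]
        if len(args) not in (5, 6):
            raise ValueError(f"gen_user takes 5 or 6 arguments, got {len(args)}: {call!r}")
        name, prefix, roles, default_level, mls_range = args[:5]
        users.append(GenUser(name, prefix, roles.split(), default_level, mls_range,
                             args[5] if len(args) == 6 else None))
    return users


def check_users(users: List[GenUser]) -> List[str]:
    """Return findings as strings; an empty list means every entry passed."""
    findings = []
    for u in users:
        if not u.prefix:
            findings.append(f"{u.name}: no prefix, so it will not appear in users_extra")
        if u.default_level != u.range_low:
            findings.append(f"{u.name}: default level {u.default_level} is not the "
                            f"low end of range {u.mls_range!r}")
        if not u.roles:
            findings.append(f"{u.name}: empty role set")
    return findings


if __name__ == "__main__":
    for finding in check_users(parse_users(SAMPLE_USERS)):
        print(finding)
```

On the sample this reports only the `system_u` entry, which is expected: the file comment says system_u deliberately has no Unix counterpart and therefore no prefix, so that finding is informational, while a default level outside its range or an empty role set would be a real configuration error worth catching before the policy is built.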
