Skip to content

Commit

Permalink
Bring config files from dist-git into the source repo
Browse files Browse the repository at this point in the history
The content of these files is more or less tied to the policy source
code. Therefore, moving these files to the source repo rather than
dist-git will make it easier to do changes that would formerly need
coordinated modification both in the sources and in dist-git (e.g.
adding or removing a module). It will also make it easier for other
distributions seeking to package a Fedora-like SELinux policy.

Those files that correspond to existing config/ files are just updated
locally to match what would be applied in dist-git; the rest is placed
into the new dist/ subdirectory. For better maintainability, files for
the different policy variants (targeted, minimum, mls) are placed into
separate subdirectories.

This will be followed up with a dist-git patch that converts it to use
the config files from sources rather than from dist-git.

Signed-off-by: Ondrej Mosnacek <[email protected]>
  • Loading branch information
WOnder93 authored and bachradsusi committed Sep 6, 2024
1 parent f5bd2a7 commit 71f9a91
Show file tree
Hide file tree
Showing 18 changed files with 5,546 additions and 13 deletions.
3 changes: 3 additions & 0 deletions config/appconfig-mcs/securetty_types
Original file line number Diff line number Diff line change
@@ -1 +1,4 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
5 changes: 5 additions & 0 deletions config/appconfig-mls/securetty_types
Original file line number Diff line number Diff line change
@@ -1 +1,6 @@
console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t
36 changes: 23 additions & 13 deletions config/file_contexts.subs_dist
Original file line number Diff line number Diff line change
Expand Up @@ -7,18 +7,28 @@
#
# It does not perform substitutions as done by sed(1), for
# example, but aliasing.
#
/etc/init.d /etc/rc.d/init.d
/lib32 /lib
/lib64 /lib
/run /var/run
/run/lock /var/lock
/usr/lib32 /usr/lib
#
/var/run /run
/var/lock /run/lock
/run/systemd/system /usr/lib/systemd/system
/run/systemd/generator.early /run/systemd/generator
/run/systemd/generator.late /run/systemd/generator
/lib /usr/lib
/lib64 /usr/lib
/usr/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/usr/local/lib64 /usr/lib
/usr/local/lib /usr/lib
/var/run/lock /var/lock
/bin /usr/bin
/sbin /usr/bin
/usr/sbin /usr/bin
/usr/local/lib32 /usr/lib
/etc/systemd/system /usr/lib/systemd/system
/var/lib/xguest/home /home
/var/named/chroot/usr/lib64 /usr/lib
/var/named/chroot/lib64 /usr/lib
/var/named/chroot/var /var
/home-inst /home
/home/home-inst /home
/var/roothome /root
/sbin /usr/bin
/sysroot/tmp /tmp
/var/usrlocal /usr/local
/var/mnt /mnt
/bin /usr/bin
/usr/sbin /usr/bin
54 changes: 54 additions & 0 deletions dist/booleans.subs_dist
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
allow_daemons_use_tty daemons_use_tty
allow_domain_fd_use domain_fd_use
allow_execheap selinuxuser_execheap
allow_execmod selinuxuser_execmod
allow_execstack selinuxuser_execstack
allow_ftpd_anon_write ftpd_anon_write
allow_ftpd_full_access ftpd_full_access
allow_ftpd_use_cifs ftpd_use_cifs
allow_ftpd_use_nfs ftpd_use_nfs
allow_gssd_read_tmp gssd_read_tmp
allow_guest_exec_content guest_exec_content
allow_httpd_anon_write httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam httpd_mod_auth_pam
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
allow_kerberos kerberos_enabled
allow_mplayer_execstack mplayer_execstack
allow_mount_anyfile mount_anyfile
allow_nfsd_anon_write nfsd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
allow_rsync_anon_write rsync_anon_write
allow_saslauthd_read_shadow saslauthd_read_shadow
allow_secadm_exec_content secadm_exec_content
allow_smbd_anon_write smbd_anon_write
allow_ssh_keysign ssh_keysign
allow_staff_exec_content staff_exec_content
allow_sysadm_exec_content sysadm_exec_content
allow_user_exec_content user_exec_content
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
allow_write_xshm xserver_clients_write_xshm
allow_xguest_exec_content xguest_exec_content
allow_xserver_execmem xserver_execmem
allow_ypbind nis_enabled
allow_zebra_write_config zebra_write_config
user_direct_dri selinuxuser_direct_dri_enabled
user_ping selinuxuser_ping
user_share_music selinuxuser_share_music
user_tcp_server selinuxuser_tcp_server
sepgsql_enable_pitr_implementation postgresql_can_rsync
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
clamd_use_jit antivirus_use_jit
amavis_use_jit antivirus_use_jit
logwatch_can_sendmail logwatch_can_network_connect_mail
puppet_manage_all_files puppetagent_manage_all_files
virt_sandbox_use_nfs virt_use_nfs
14 changes: 14 additions & 0 deletions dist/customizable_types
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
container_file_t
sandbox_file_t
svirt_image_t
svirt_home_t
svirt_sandbox_file_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_rw_content_t
httpd_user_ra_content_t
httpd_user_content_t
git_session_content_t
home_bin_t
user_tty_device_t
248 changes: 248 additions & 0 deletions dist/minimum/booleans.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,248 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false

# Allow making a modified private filemapping executable (text relocation).
#
allow_execmod = false

# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
allow_execstack = true

# Allow ftpd to read cifs directories.
#
allow_ftpd_use_cifs = false

# Allow ftpd to read nfs directories.
#
allow_ftpd_use_nfs = false

# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false

# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = true

# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false

# Allow Apache to use mod_auth_pam module
#
allow_httpd_mod_auth_pam = false

# Allow system to run with kerberos
#
allow_kerberos = true

# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false

# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false

# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false

# Allow system to run with NIS
#
allow_ypbind = false

# Allow zebra to write it own configuration files
#
allow_zebra_write_config = false

# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false

#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false

#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true

#
# allow httpd to network relay
httpd_can_network_relay = false

# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true

# Allow http daemon to tcp connect
#
httpd_can_network_connect = false

# Allow httpd cgi support
#
httpd_enable_cgi = true

# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false

# Allow httpd to read home directories
#
httpd_enable_homedirs = false

# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false

# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false

# Run CGI in the main httpd domain
#
httpd_unified = false

# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false

# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true

# Allow nfs to be exported read only
#
nfs_export_all_ro = true

# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false

# Allow reading of default_t files.
#
read_default_t = false

# Allow samba to export user home directories.
#
samba_enable_home_dirs = false

# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false

# Support NFS home directories
#
use_nfs_home_dirs = true

# Support SAMBA home directories
#
use_samba_home_dirs = false

# Control users use of ping and traceroute
#
user_ping = false

# allow host key based authentication
#
allow_ssh_keysign = false

# Allow pppd to be run for a regular user
#
pppd_for_user = false

# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
#
read_untrusted_content = false

# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false

# Allow regular users direct mouse access
#
user_direct_mouse = false

# Allow users to read system messages.
#
user_dmesg = false

# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false

# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false

# Allow w to display everyone
#
user_ttyfile_stat = false

# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
#
write_untrusted_content = false

# Allow all domains to talk to ttys
#
allow_daemons_use_tty = false

# Allow login domains to polyinstatiate directories
#
allow_polyinstantiation = false

# Allow all domains to dump core
#
allow_daemons_dump_core = true

# Allow samba to act as the domain controller
#
samba_domain_controller = false

# Allow samba to export user home directories.
#
samba_run_unconfined = false

# Allows XServer to execute writable memory
#
allow_xserver_execmem = false

# disallow guest accounts to execute files that they can create
#
allow_guest_exec_content = false
allow_xguest_exec_content = false

# Only allow browser to use the web
#
browser_confine_xguest=false

# Allow postfix locat to write to mail spool
#
allow_postfix_local_write_mail_spool=false

# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile=true

# Allow qemu to connect fully to the network
#
qemu_full_network=true

# Allow nsplugin execmem/execstack for bad plugins
#
allow_nsplugin_execmem=true

# Allow unconfined domain to transition to confined domain
#
allow_unconfined_nsplugin_transition=true

# System uses init upstart program
#
init_upstart = true

# Allow mount to mount any file/dir
#
allow_mount_anyfile = true
1 change: 1 addition & 0 deletions dist/minimum/modules.conf
1 change: 1 addition & 0 deletions dist/minimum/setrans.conf
1 change: 1 addition & 0 deletions dist/minimum/users
6 changes: 6 additions & 0 deletions dist/mls/booleans.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
kerberos_enabled = true
mount_anyfile = true
polyinstantiation_enabled = true
ftpd_is_daemon = true
selinuxuser_ping = true
xserver_object_manager = true
Loading

0 comments on commit 71f9a91

Please sign in to comment.