commit selinux-policy for openSUSE:Factory

Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2012-12-28 22:49:28

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy", Maintainer is "VCizek@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes	2011-09-23 12:45:58.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes	2012-12-28 22:49:31.000000000 +0100
@@ -1,0 +2,31 @@ +Tue Dec 11 13:40:27 UTC 2012 - vcizek@suse.com + +- bump up policy version to 27, due to recent libsepol update +- dropped currently unused policy-rawhide.patch +- fix installing of file_contexts (this enables restorecond to run properly) +- Recommends: audit and setools + +------------------------------------------------------------------- +Mon Dec 10 15:47:13 UTC 2012 - meissner@suse.com + +- mark included files in source + +------------------------------------------------------------------- +Mon Oct 22 18:47:00 UTC 2012 - vcizek@suse.com + +- update to 2.20120725 +- added selinux-policy-run_sepolgen_during_build.patch +- renamed patch with SUSE-specific policy to selinux-policy-SUSE.patch +- dropped policygentool and OLPC stuff + +------------------------------------------------------------------- +Wed May 9 10:01:26 UTC 2012 - coolo@suse.com + +- patch license to be in spdx.org format + +------------------------------------------------------------------- +Fri May 21 16:05:49 CEST 2010 - prusnak@suse.cz + +- use policy created by Alan Rouse + +------------------------------------------------------------------- Old: ---- config refpolicy-2.20081210.tar.bz2 selinux-policy-build_conf.patch New: ---- Alan_Rouse-Policy_Development_Process.txt Alan_Rouse-openSUSE_with_SELinux.txt Makefile.devel booleans-minimum.conf booleans-mls.conf booleans-targeted.conf booleans.subs_dist config.tgz customizable_types file_contexts.subs_dist modules-minimum.conf modules-mls.conf modules-targeted.conf refpolicy-2.20120725.tar.bz2 securetty_types-minimum securetty_types-mls securetty_types-targeted selinux-policy-SUSE.patch selinux-policy-run_sepolgen_during_build.patch selinux-policy.conf selinux-policy.sysconfig setrans-minimum.conf setrans-mls.conf setrans-targeted.conf users-minimum users-mls users-targeted ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- 
/var/tmp/diff_new_pack.xgxPue/_old 2012-12-28 22:49:33.000000000 +0100 +++ /var/tmp/diff_new_pack.xgxPue/_new 2012-12-28 22:49:33.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package selinux-policy (Version 2.20081210) +# spec file for package selinux-policy # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -15,103 +15,507 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild - +%define distro suse +%define polyinstatiate n +%define monolithic n +%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1} +%define BUILD_DOC 0 +%endif +%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1} +%define BUILD_TARGETED 1 +%endif +# minimum policy is currently disabled a may not even build +%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1} +%define BUILD_MINIMUM 0 +%endif +%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} +%define BUILD_MLS 1 +%endif +%define POLICYVER 27 +%define libsepolver 2.0.20-1 +%define POLICYCOREUTILSVER 2.0.71-2 +%define CHECKPOLICYVER 2.0.16-3 + +Summary: SELinux policy configuration +License: GPL-2.0+ +Group: System/Management Name: selinux-policy -Version: 2.20081210 -Release: 4 -Url: http://oss.tresys.com/projects/refpolicy/ -License: GPLv2 -Group: System/Base -Summary: SELinux policies +Version: 2.20120725 +Release: 1%{?dist} Source: refpolicy-%{version}.tar.bz2 -Source1: config -Patch0: %{name}-build_conf.patch +Source1: modules-targeted.conf +Source2: booleans-targeted.conf +Source3: Makefile.devel +Source4: setrans-targeted.conf +Source5: modules-mls.conf +Source6: booleans-mls.conf +Source8: setrans-mls.conf +Source14: securetty_types-targeted +Source15: securetty_types-mls +Source16: modules-minimum.conf +Source17: booleans-minimum.conf +Source18: setrans-minimum.conf +Source19: securetty_types-minimum +Source20: customizable_types +Source21: config.tgz +Source22: users-mls +Source23: users-targeted +Source25: users-minimum +Source26: selinux-policy.sysconfig +Source27: selinux-policy.conf +Source28: file_contexts.subs_dist +Source30: booleans.subs_dist + +# the following two files are more like a packaging documentation +Source40: Alan_Rouse-openSUSE_with_SELinux.txt +Source41: Alan_Rouse-Policy_Development_Process.txt + +# PATCH-FEATURE-OPENSUSE SUSE specific policy from Alan Rouse +Patch1: selinux-policy-SUSE.patch +# PATCH-FEATURE-OPENSUSE check for 
errors in .if files +Patch3: selinux-policy-run_sepolgen_during_build.patch + +Url: http://oss.tresys.com/repos/refpolicy/ BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: checkpolicy libsepol-devel m4 policycoreutils python python-xml BuildArch: noarch -# default is refpolicy-standard (mentioned in config) -Requires: selinux-policy-refpolicy-standard +BuildRequires: %fillup_prereq +BuildRequires: %insserv_prereq +BuildRequires: bzip2 +BuildRequires: checkpolicy >= %{CHECKPOLICYVER} +BuildRequires: gawk +BuildRequires: m4 +BuildRequires: policycoreutils-python >= %{POLICYCOREUTILSVER} +BuildRequires: python +BuildRequires: python-xml +# we need selinuxenabled +Requires(post): selinux-tools +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(post): /usr/bin/bunzip2 /bin/mktemp /bin/awk +Requires: checkpolicy >= %{CHECKPOLICYVER} +Requires: m4 +Recommends: audit +Recommends: selinux-tools +Obsoletes: selinux-policy-devel <= %{version}-%{release} +Provides: selinux-policy-devel = %{version}-%{release} %description -SELinux policy +SELinux Base package -%package refpolicy-standard -License: GPLv2 -Group: System/Base -Summary: SELinux policy - Tresys Standard Refpolicy -Requires: selinux-policy - -%description refpolicy-standard -SELinux policy - based on reference policy from Tresys - standard - -%package refpolicy-mcs -License: GPLv2 -Group: System/Base -Summary: SELinux policy - Tresys MCS Refpolicy -Requires: selinux-policy - -%description refpolicy-mcs -SELinux policy - based on reference policy from Tresys - mcs - -%package refpolicy-mls -License: GPLv2 -Group: System/Base -Summary: SELinux policy - Tresys MLS Refpolicy -Requires: selinux-policy +%files +%defattr(-,root,root,-) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/packages +%dir %{_sysconfdir}/selinux +%attr(0600,root,root) %ghost %config(noreplace) %{_sysconfdir}/selinux/config +%dir /usr/lib/tmpfiles.d +%{_usr}/lib/tmpfiles.d/selinux-policy.conf +%{_mandir}/man*/* 
+# policycoreutils owns these manpage directories, we only own the files within them +%{_mandir}/ru/*/* +%dir %{_usr}/share/selinux/devel +%dir %{_usr}/share/selinux/devel/include +%{_usr}/share/selinux/devel/include/* +%{_usr}/share/selinux/devel/Makefile +%{_usr}/share/selinux/devel/example.* +%{_usr}/share/selinux/devel/policy.* +%dir %{_localstatedir}/adm/fillup-templates +%dir %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} + +%package doc +Summary: SELinux policy documentation +Group: System/Management +Requires(pre): selinux-policy = %{version}-%{release} +Requires: /usr/bin/xdg-open + +%description doc +SELinux policy documentation package + +%files doc +%defattr(-,root,root,-) +%doc %{_usr}/share/doc/%{name}-%{version} +%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp + +#TODO: this doesn't work currently +#%%check +#/usr/bin/sepolgen-ifgen -v -d -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null + +%define makeCmds() \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \ +cp -f selinux_config/modules-%1.conf ./policy/modules.conf \ +cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ +cp -f selinux_config/users-%1 ./policy/users \ + +%define installCmds() \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ +make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \ +make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n 
DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ +%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \ +%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \ +%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \ +%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \ +touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ +touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ +install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ +install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ +install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/seusers \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.local \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/nodes.local \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users_extra.local \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users.local \ +cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ +bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \ +rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \ +for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \ +rm -f 
%{buildroot}/%{_usr}/share/selinux/%1/*pp* \ +/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \ +/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ +rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern +%nil + +%define fileList() \ +%defattr(-,root,root) \ +%dir %{_sysconfdir}/selinux/%1 \ +#%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ +%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ +%ghost %{_sysconfdir}/selinux/%1/seusers \ +%dir %{_sysconfdir}/selinux/%1/logins \ +%dir %{_sysconfdir}/selinux/%1/modules \ +%verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ +%verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ +%attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \ +%dir %{_sysconfdir}/selinux/%1/modules/active/modules \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.template \ +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/seusers.final \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/netfilter_contexts \ +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \ +%verify(not md5 size mtime) 
%{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \ +%ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \ +%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \ +%dir %{_sysconfdir}/selinux/%1/policy/ \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ +%{_sysconfdir}/selinux/%1/.policy.sha512 \ +%dir %{_sysconfdir}/selinux/%1/contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ +#%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ +%dir %{_sysconfdir}/selinux/%1/contexts/files \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ +%{_sysconfdir}/selinux/%1/booleans.subs_dist \ +%config %{_sysconfdir}/selinux/%1/contexts/files/media \ +%dir %{_sysconfdir}/selinux/%1/contexts/users \ +%config(noreplace) 
%{_sysconfdir}/selinux/%1/contexts/users/root \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/virtual_image_context + +%define relabel() \ +. %{_sysconfdir}/sysconfig/selinux-policy; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +selinuxenabled; \ +if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ + fixfiles -C ${FILE_CONTEXT}.pre restore; \ + restorecon -R /root /var/log /var/run /var/lib 2> /dev/null; \ + rm -f ${FILE_CONTEXT}.pre; \ +fi; + +%define preInstall() \ +if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ + [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ + fi; \ + touch /etc/selinux/%1/.rebuild; \ + if [ -e /etc/selinux/%1/.policy.sha512 ]; then \ + sha512=`sha512sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \ + checksha512=`cat /etc/selinux/%1/.policy.sha512`; \ + if [ "$sha512" == "$checksha512" ] ; then \ + rm /etc/selinux/%1/.rebuild; \ + fi; \ + fi; \ +fi; + +%define postInstall() \ +. 
%{_sysconfdir}/selinux/config; \ +if [ -e /etc/selinux/%2/.rebuild ]; then \ + rm /etc/selinux/%2/.rebuild; \ + /usr/sbin/semodule -B -n -s %2; \ +fi; \ +if [ "${SELINUXTYPE}" == "%2" ]; then \ + if selinuxenabled; then \ + load_policy; \ + else \ + # selinux isn't enabled \ + # (probably a first install of the policy) \ + # -> we can't load the policy \ + true; \ + fi; \ +fi; \ +if selinuxenabled; then \ + if [ %1 -eq 1 ]; then \ + /sbin/restorecon -R /root /var/log /var/run 2> /dev/null; \ + else \ + %relabel %2; \ + fi; \ +else \ + # run fixfiles on next boot \ + touch /.autorelabel \ +fi; \ -%description refpolicy-mls -SELinux policy - based on reference policy from Tresys - mls +%define modulesList() \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \ + +%description +SELinux Reference Policy - modular. +Based off of reference policy: Checked out revision 2.20120725 %prep -%setup -q -c -n selinux-policy -T -tar xfj %{SOURCE0} && mv refpolicy refpolicy-standard -tar xfj %{SOURCE0} && mv refpolicy refpolicy-mcs -tar xfj %{SOURCE0} && mv refpolicy refpolicy-mls -%patch0 +%setup -n refpolicy -q +%patch1 -p1 +%patch3 -p1 +#%patch4 -p1 %build -for i in standard mcs mls; do - cd refpolicy-$i - make conf - make policy - cd .. -done %install -for i in standard mcs mls; do - cd refpolicy-$i - make DESTDIR=$RPM_BUILD_ROOT install - sed -i "s:^# edit $RPM_BUILD_ROOT:# edit :" $RPM_BUILD_ROOT%{_sysconfdir}/selinux/refpolicy-$i/contexts/files/file_contexts.homedirs - cd .. 
+mkdir selinux_config +for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE28};do + cp $i selinux_config done -install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/selinux/ +tar zxvf selinux_config/config.tgz +# Build targeted policy +%{__rm} -fR %{buildroot} +mkdir -p %{buildroot}%{_mandir} +cp -R man/* %{buildroot}%{_mandir} +mkdir -p %{buildroot}%{_sysconfdir}/selinux +mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ +cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ + +# Always create policy module package directories +mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/ + +# Install devel +make clean +%if %{BUILD_TARGETED} +# Build targeted policy +%makeCmds targeted mcs n y allow +%installCmds targeted mcs n y allow +%endif + +%if %{BUILD_MINIMUM} +# Build minimum policy +%makeCmds minimum mcs n y allow +%installCmds minimum mcs n y allow +%modulesList minimum +%endif + +%if %{BUILD_MLS} +# Build mls policy +%makeCmds mls mls n y deny +%installCmds mls mls n y deny +%endif + +make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs +mkdir %{buildroot}%{_usr}/share/selinux/devel/ +mkdir %{buildroot}%{_usr}/share/selinux/packages/ +mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include +install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile +install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ +install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ +echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp +chmod +x 
%{buildroot}%{_usr}/share/selinux/devel/policyhelp +rm -rf selinux_config + +# fillup sysconfig +mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates +cp %{SOURCE26} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %clean -rm -rf $RPM_BUILD_ROOT +#%%{__rm} -fR %{buildroot} -%files -%defattr(-,root,root) -%dir %{_sysconfdir}/selinux -%config %{_sysconfdir}/selinux/config +#TODO: add minimum to the policies list in /etc/selinux/config once the package is built +# minimum - Modification of targeted policy. Only selected processes are protected. +%post +if [ ! -s /etc/sysconfig/selinux-policy ]; then +# New install so we will default to targeted policy + %{fillup_only} + ln -sf /etc/sysconfig/selinux-policy /etc/selinux/config + restorecon /etc/selinux/config 2> /dev/null || : +else + %{fillup_only} + . /etc/sysconfig/selinux-policy + # if first time update booleans.local needs to be copied to sandbox + [ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/ + [ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers +fi +exit 0 + +%postun +if [ $1 = 0 ]; then + setenforce 0 2> /dev/null + if [ ! 
-s /etc/selinux/config ]; then + echo "SELINUX=disabled" > /etc/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config + fi +fi +exit 0 + +%if %{BUILD_TARGETED} +%package targeted +Summary: SELinux targeted base policy +Group: System/Management +Provides: selinux-policy-base = %{version}-%{release} +Obsoletes: selinux-policy-targeted-sources < 2 +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: audispd-plugins <= 1.7.7-1 +Obsoletes: mod_fcgid-selinux <= %{version}-%{release} +Conflicts: seedit + +%description targeted +SELinux Reference policy targeted base module. + +%pre targeted +%preInstall targeted + +%post targeted +%postInstall $1 targeted +exit 0 + +%triggerpostun targeted -- selinux-policy-targeted < 3.9.0 +restorecon -R -p /home +exit 0 + +%files targeted +%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u +%fileList targeted +%endif + +%if %{BUILD_MINIMUM} +%package minimum +Summary: SELinux minimum base policy +Group: System/Management +Provides: selinux-policy-base = %{version}-%{release} +Requires(post): policycoreutils-python >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = %{version}-%{release} +Conflicts: seedit + +%description minimum +SELinux Reference policy minimum base module. 
+ +%pre minimum +%preInstall minimum +if [ $1 -ne 1 ]; then + /usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ print $1 }' > /usr/share/selinux/minimum/instmodules.lst +fi + +%post minimum +allpackages=`cat /usr/share/selinux/minimum/modules.lst` +if [ $1 -eq 1 ]; then +packages="clock.pp execmem.pp unconfined.pp unconfineduser.pp application.pp userdomain.pp authlogin.pp logging.pp selinuxutil.pp init.pp systemd.pp sysnetwork.pp miscfiles.pp libraries.pp modutils.pp sysadm.pp locallogin.pp dbus.pp rpm.pp mount.pp fstools.pp usermanage.pp mta.pp" +for p in $allpackages; do + touch /etc/selinux/minimum/modules/active/modules/$p.disabled +done +for p in $packages; do + rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled +done +/usr/sbin/semanage -S minimum -i - << __eof +login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ +login -m -s unconfined_u -r s0-s0:c0.c1023 root +__eof +/sbin/restorecon -R /root /var/log /var/run 2> /dev/null +/usr/sbin/semodule -B -s minimum +else +instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` +for p in $allpackages; do + touch /etc/selinux/minimum/modules/active/modules/$p.disabled +done +for p in $instpackages; do + rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled +done +/usr/sbin/semodule -B -s minimum +%relabel minimum +fi +exit 0 + +%files minimum +%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u +%fileList minimum +%dir %{_usr}/share/selinux/minimum +%{_usr}/share/selinux/minimum/modules.lst +%endif + +%if %{BUILD_MLS} +%package mls +Summary: SELinux mls base policy +Group: System/Management +Provides: selinux-policy-base = %{version}-%{release} +Obsoletes: selinux-policy-mls-sources < 2 +Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} +Requires: setransd +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): coreutils +Requires(pre): selinux-policy = %{version}-%{release} +Requires: selinux-policy = 
%{version}-%{release} +Conflicts: seedit + +%description mls +SELinux Reference policy mls base module. + +%pre mls +%preInstall mls + +%post mls +%postInstall $1 mls +exit 0 + +%files mls +%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u +%fileList mls -%files refpolicy-standard -%defattr(-,root,root) -%doc refpolicy-standard/{build.conf,Changelog,config,COPYING,doc,INSTALL,Makefile,man,policy,README,Rules.modular,Rules.monolithic,support,VERSION} -%dir %{_sysconfdir}/selinux/refpolicy-standard -%{_sysconfdir}/selinux/refpolicy-standard/* - -%files refpolicy-mcs -%defattr(-,root,root) -%doc refpolicy-mcs/{build.conf,Changelog,config,COPYING,doc,INSTALL,Makefile,man,policy,README,Rules.modular,Rules.monolithic,support,VERSION} -%dir %{_sysconfdir}/selinux/refpolicy-mcs -%{_sysconfdir}/selinux/refpolicy-mcs/* - -%files refpolicy-mls -%defattr(-,root,root) -%doc refpolicy-mls/{build.conf,Changelog,config,COPYING,doc,INSTALL,Makefile,man,policy,README,Rules.modular,Rules.monolithic,support,VERSION} -%dir %{_sysconfdir}/selinux/refpolicy-mls -%{_sysconfdir}/selinux/refpolicy-mls/* +%endif %changelog

++++++ Alan_Rouse-Policy_Development_Process.txt ++++++

Policy Development Process (At least, the way I do it!)

1. Build an openSUSE environment according to openSUSE_with_SELinux.txt

2. Create a git repository for policy source development

3. Boot that system to runlevel 3 and login as root (you should be in the /root home directory).
   * tar xzvf /usr/src/packages/SOURCES/serefpolicy-05042010-1.tgz
   * cd serefpolicy-05042010
   * git init
   * git add .
   * git commit
   * git config --global user.name "<your name>"
   * git config --global user.email "<your email>"
   * git branch opensuse
   * git checkout opensuse
   * cp -R /usr/src/packages/BUILD/serefpolicy-05042010/. .
   * rm *.pp
   * git add .
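Review bot: in `%installCmds` the final line `rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern` uses `%{_sysconfigdir}`, which is not a standard rpm macro and is not defined in this spec; rpm leaves an undefined `%{...}` unexpanded, so the command removes nothing and the line does not do what it reads. Either write `%{_sysconfdir}` and drop `policy.kern` from `%fileList` (it is packaged there with `%verify(not md5 size mtime)`, and `%preInstall` checksums `/etc/selinux/%1/modules/active/policy.kern` against `.policy.sha512`), or delete the `rm` line so the intent is explicit. In the same region, `%fileList` lists `contexts/files/file_contexts.subs_dist`, `contexts/sepgsql_contexts`, `contexts/virtual_domain_context` and `contexts/virtual_image_context` twice, once as `%config` and once as `%config(noreplace)`; rpmbuild warns "File listed twice" for these, so keep one entry per file with the intended attribute. The unused `%define polyinstatiate n` (misspelled) can go, since `POLY` is passed to the build macros as an explicit argument.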
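Review bot: the upgrade branch of the base `%post` moves `/etc/selinux/${SELINUXTYPE}/booleans.local` into `/etc/selinux/targeted/modules/active/` with `targeted` hard-coded, while the next line (`seusers`) correctly uses `${SELINUXTYPE}`; with `SELINUXTYPE=mls` the mls booleans.local ends up in the targeted module store. Use `/etc/selinux/${SELINUXTYPE}/modules/active/` on both lines. Related: `%post` calls `%{fillup_only}`, but `%fillup_prereq` is listed only as `BuildRequires:`; on openSUSE that macro is meant for `PreReq:` or `Requires(post):` so that fillup is installed when the scriptlet runs. `%insserv_prereq` is likewise a BuildRequires although the spec installs no init script.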
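Review bot: the base `%postun` on erase runs `setenforce 0` and then `sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config`. Since `%post` makes `/etc/selinux/config` a symlink to `/etc/sysconfig/selinux-policy`, and GNU `sed -i` without `--follow-symlinks` replaces a symlink with a regular file, the edit lands in a new file while `/etc/sysconfig/selinux-policy` keeps its previous `SELINUX=` value. Edit the target file (or pass `--follow-symlinks`), and because this scriptlet leaves the running system permissive and marks SELinux disabled for the next boot, say so in the changelog. Also `%triggerpostun targeted -- selinux-policy-targeted < 3.9.0` fires on every upgrade of this package (its versions are 2.x, always below 3.9.0), so `restorecon -R -p /home` runs on each update; tighten the version bound to the release the trigger was written for.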
* git commit * git status <should be no outstanding commits> * git checkout master * git status <should be no outstanding commits> * git branch <should be master> * git diff fedora * git checkout opensuse * make sure there is no .git folder in /usr/src/packages/BUILD/serefpolicy-3.6.32 * if there is, delete it (and all its contents) * cp -R /usr/src/packages/BUILD/serefpolicy-3.6.32/. . * git add . * git commit * git status <should be in opensuse, with no outstanding commits> * cd .. * mv serefpolicy-05042010 git * tar czvf git-refpolicy-opensuse.tgz git * initial backup of git repository. Backup to a safe place. 4. Working with the policy source The most interesting part of the source code is under git/policy/modules. You will see seven folders under modules, including one named "suse" which was created for this project. Each of these folders contains a collection of m4 source files containing selinux policy source code. Each policy module has three source files: * <module>.te - Type enforcement rules (mainly, allow rules) * <module>.fc - File context declarations (for labeling the filesystem) * <module>.if - Interface definitions for access to the module from other modules Strategy: First, get the file labels right (.fc). I compared the labeling on openSUSE system with a Fedora 12 system, paying particular attention to the files that are located in different directories on the two systems. I would grep the .fc source files for the label found on FC 12, and make an entry applying that label to the file in its location on OpenSUSE. Wrap each OpenSUSE-specific entry in "ifdef('distro_suse','...')". 
For an example, see services/apm.fc Once the filesystem is labeled correctly, I iterated the following process identifying AVC's and seeking a proper solution to them: * rm /var/log/messages * rm /var/log/audit/audit.log * reboot login as root * grep avc /var/log/messages > avc.txt * audit2allow -i avc.txt -M <module> - I used "a2a" as the prefix for modules generated from audit2allow - Examine the resulting <module>.te and the corresponding AVC in avc.txt - Decide whether that access is appropriate, and remove from .te if not - Ignore the message instructing you to run "semodule -i <module>.pp" - We want to build and manage all the changes from source code * copy the .te to git/policy/src/suse/. Create a stub .if and .te (see existing stubs in the suse directory for examples. Do it exactly like the examples) * Note: you could either add the new module in the suse folder, or edit an existing .te file and add the allow rules (and "requires" declaration) to the existing file. If you add a new module, you also need to edit /usr/src/packages/SOURCES/modules-targeted.conf and add the new module *exactly* like the existing ones (including the associated comments.) 
* Now cd into the git folder and execute * git commit -a * git diff master opensuse > /usr/src/packages/SOURCES/policy-opensuse-11.3.patch * cd /usr/src/packages/SPECS * rpmbuild -ba selinux-policy.spec * When the build completes successfully, you'll have a SRPM and two new RPMS (not counting the .doc rpm) SRPMS/selinux-policy-05042010-1.src.rpm RPMS/noarch/selinux-policy-05042010-1.noarch.rpm RPMS/noarch/selinux-policy-targeted-050420100-1.noarch.rpm * Do this: cd /usr/src/packages/RPMS/noarch/ rpm -e selinux-policy-targeted rpm -i selinux-policy-targeted-05042010-1.noarch.rpm * When that finishes * rm /var/log/messages * rm /var/log/audit/audit.log * Reboot and repeat Note: Be careful that you do not accidentally create allow rules for the steps you are using in this development process, since those actions probably are not appropriate in a production environment. * To avoid that, try this process: * remove /var/log/messages and /var/log/audit/audit.log * boot to desktop * login and execute the processes you are trying to allow * reboot to runlevel 3 and login as root * do all your examination of AVC's, audit2allow etc in runlevel 3 as root * Periodically, at interesting milestones, tar up your git folder and back it up to a safe place. Copy your binary and source rpm's to the same place Making decisions about policy When an AVC tells you that a certain access was denied from a "scontext" (source context) to a "tcontext" (target context), there are several ways to resolve that situation. * Do nothing. It may be appropriate to deny that access. After all, the whole point of selinux is to deny things. * Add the "allow" rule generated by audit2allow. But before you do that, consider all the other options. * Change the target context (for example, relabel a file). * Change the source context (for example, add a domain transition, or relabel an executable file and possibly add a domain transition) It can be tempting to allow whatever audit2allow generates. 
But that may not be appropriate. For example, a user trying to execute a file labeled sbin_exec_t may be denied. audit2allow might suggest that you just allow that user to execute files labeled sbin_exec_t. But that means he can execute every file on the system which is labeled sbin_exec_t - - probably not what you want! Instead you might consider creating a new label, labeling only that executable, and granting the user the right to execute files of the new label. Good resource for learning more about selinux: [http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html] In the opensuse branch, iterate the following until all desired label changes are made ------------------------------------------------------------------------ Identify files that are mislabled Find corresponding .fc file in policy/modules/<dir> and change label ------------------------------------------------------------------------ git commit git diff fedora > policy-opensuse.patch place patchfile in SOURCES dir and proceed to next step to build rpm Creating a selinux-policy-targeted RPM including the modules created by audit2allow: cd /usr/src/packages/SOURCES/ tar xzvf serefpolicy-3.6.32.tgz mv serefpolicy-3.6.32 serefpolicy-3.6.32.suse.a2a cd serefpolicy-3.6.32 serefpolicy-3.6.32.suse.a2a/policy/modules/ mkdir a2a cd a2a --copy all the .pp modules you created via audit2allow into the current directory Cd /usr/src/packages/SOURCES tar -czvf serefpolicy-3.6.32.suse.a2a.tgz serefpolicy-3.6.32.suse.a2a cd /usr/src/packages/SOURCES vi modules-targeted.conf -- for all the modules you copied into the a2a directory, add an entry at the end of this file. 
cd /usr/src/packages/SPECS
-- edit selinux-policy.spec and change Version: to "3.6.32.suse.a2a"
In the SPECS directory:
rpmbuild -bb selinux-policy.spec
-- your RPMs will be in /usr/src/packages/RPMS/noarch/*
-- You'll need to install these two:
selinux-policy-3.6.32.suse.a2a-106.noarch.rpm
selinux-policy-targeted-3.6.32.suse.a2a-106.noarch.rpm
Note: the minimum and mls packages have not been modified to contain the a2a modules.

These are the RPM versions which were installed in the above process:
checkpolicy-2.0.21-16.4.i586.rpm
eclipse-setools-3.3.5.1-1.2.i586.rpm
findutils-4.4.2-9.2.i586.rpm
libcap-ng0-0.6.3-3.3.i586.rpm
libcap-ng-devel-0.6.3-3.3.i586.rpm
libcap-ng-utils-0.6.3-3.3.i586.rpm
libselinux1-2.0.91-32.3.i586.rpm
libselinux-devel-2.0.91-32.3.i586.rpm
libselinux-devel-static-2.0.91-32.3.i586.rpm
libsemanage1-2.0.43-14.4.i586.rpm
libsemanage-devel-2.0.43-14.4.i586.rpm
libsemanage-devel-static-2.0.43-14.4.i586.rpm
libsepol1-2.0.41-22.3.i586.rpm
libsepol-devel-2.0.41-22.3.i586.rpm
libsepol-devel-static-2.0.41-22.3.i586.rpm
libuser-0.56.14-1.5.i586.rpm
libuser-devel-0.56.14-1.5.i586.rpm
libuser-python-0.56.14-1.5.i586.rpm
libustr-1_0-1-1.0.4-16.2.i586.rpm
libustr-devel-1.0.4-16.2.i586.rpm
libustr-devel-static-1.0.4-16.2.i586.rpm
mcstrans-0.3.1-8.2.i586.rpm
policycoreutils-2.0.79-30.1.i586.rpm
policycoreutils-gui-2.0.79-30.1.i586.rpm
policycoreutils-newrole-2.0.79-30.1.i586.rpm
policycoreutils-python-2.0.79-30.1.i586.rpm
policycoreutils-sandbox-2.0.79-30.1.i586.rpm
python-capng-0.6.3-3.3.i586.rpm
python-selinux-2.0.91-40.3.i586.rpm
python-semanage-2.0.43-14.4.i586.rpm
python-setools-3.3.6-5.3.i586.rpm
ruby-selinux-2.0.91-40.3.i586.rpm
selinux-policy-3.6.32.suse.a2a-106.noarch.rpm
selinux-policy-targeted-3.6.32.suse.a2a-106.noarch.rpm
selinux-tools-2.0.91-32.3.i586.rpm
setools-console-3.3.6-5.3.i586.rpm
setools-devel-3.3.6-5.3.i586.rpm
setools-gui-3.3.6-5.3.i586.rpm
setools-java-3.3.6-5.3.i586.rpm
setools-libs-3.3.6-5.3.i586.rpm
setools-tcl-3.3.6-5.3.i586.rpm
setroubleshoot-2.2.64-11.1.i586.rpm
setroubleshoot-doc-2.2.64-11.1.i586.rpm
setroubleshoot-server-2.2.64-11.1.i586.rpm
usermode-1.103-2.5.i586.rpm
usermode-gtk-1.103-2.5.i586.rpm

++++++ Alan_Rouse-openSUSE_with_SELinux.txt ++++++
openSUSE with SELinux
~~~~~~~~~~~~~~~~~~~~~

The following procedure describes a way to create a system from openSUSE 11.3 installation media, with SELinux enabled and enforcing, and to produce the necessary RPMs for creating other instances.

Be careful not to skip steps.

Ignore the error message "libsemanage.dbase query: could not query record value ..." in several steps below.

1. Install a default openSUSE 11.3 system (with KDE)

2. Kickoff Launcher -> Computer -> Install/Remove Software
   * Search tab; enter "selinux" (select Name, Keywords, Summary checkboxes) and click Search button
   * Right mouse -> All in this List -> Install
   * Click Accept button
   * Accept the automatic changes (click Continue)

3. Install utilities required for this procedure
   * Open terminal
   * Login as root (su)
   * zypper install make m4 gcc patch git
   * usermod -s /sbin/nologin nobody

4. Build selinux policy from source
   * Get and install selinux-policy-05042010-1.src.rpm
   * cd /usr/src/packages/SPECS/
   * rpmbuild -ba selinux-policy.spec
   * cd /usr/src/packages/RPMS/noarch
   * rpm -i selinux-policy-05042010-1.noarch.rpm
   * rpm -i selinux-policy-targeted-05042010-1.noarch.rpm
   -- OR, if you already have the two rpms built, just install them and skip the above steps

5. Edit /etc/selinux/config
   * set SELINUX=permissive
   * set SELINUXTYPE=targeted

6. Turn on SELinux in permissive mode from the grub boot line
   * vi /boot/grub/menu.lst
   * insert "3" for runlevel 3 after the kernel parameter, and at the end "security=selinux selinux=1 enforcing=0"
   * reboot and login to runlevel 3

7. Perform configurations required for selinux
   * semanage login -a -s sysadm_u root
   * semanage login -a -s user_u <unprivileged-user>
   * fixfiles -F relabel ...
     does not matter whether or not you ask it to clear out files from /tmp
   * vi /etc/init.d/boot
   * insert "restorecon -R /dev" as line 132
   * pam-config -d --debug --apparmor
   * pam-config -a --debug --selinux
   * Now must fix su since pam-config incorrectly adds pam-selinux.so to su
     * cd /etc/pam.d/
     * cp common-session common-session-su
     * vi common-session-su - and delete the two lines containing 'pam-selinux'
     * vi su - and change 'common-session' to 'common-session-su'
   * edit /boot/grub/menu.lst - remove the "3" so it will boot to desktop
   * rm /var/log/messages; rm /var/log/audit/audit.log

8. Reboot

++++++ Makefile.devel ++++++
# installation paths
SHAREDIR := /usr/share/selinux
AWK ?= gawk
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))

ifeq ($(MLSENABLED),)
	MLSENABLED := 1
endif

ifeq ($(MLSENABLED),1)
	NTYPE = mcs
endif

ifeq ($(NAME),mls)
	NTYPE = mls
endif

TYPE ?= $(NTYPE)

HEADERDIR := $(SHAREDIR)/devel/include

include $(HEADERDIR)/Makefile

++++++ booleans-minimum.conf ++++++
# Allow making anonymous memory executable, e.g. for runtime-code generation or executable stack.
#
allow_execmem = false

# Allow making a modified private file mapping executable (text relocation).
#
allow_execmod = false

# Allow making the stack executable via mprotect. Also requires allow_execmem.
#
allow_execstack = true

# Allow ftpd to read cifs directories.
#
allow_ftpd_use_cifs = false

# Allow ftpd to read nfs directories.
#
allow_ftpd_use_nfs = false

# Allow ftp servers to modify public files used for public file transfer services.
#
allow_ftpd_anon_write = false

# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = true

# Allow Apache to modify public files used for public file transfer services.
#
allow_httpd_anon_write = false

# Allow Apache to use mod_auth_pam module
#
allow_httpd_mod_auth_pam = false

# Allow system to run with kerberos
#
allow_kerberos = true

# Allow rsync to modify public files used for public file transfer services.
#
allow_rsync_anon_write = false

# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false

# Allow samba to modify public files used for public file transfer services.
#
allow_smbd_anon_write = false

# Allow system to run with NIS
#
allow_ypbind = false

# Allow zebra to write it own configuration files
#
allow_zebra_write_config = false

# Enable extra rules in the cron domain to support fcron.
#
fcron_crond = false

# Allow ftp to read and write files in the user home directories
#
ftp_home_dir = false

#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false

#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true

#
# allow httpd to network relay
httpd_can_network_relay = false

# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true

# Allow http daemon to tcp connect
#
httpd_can_network_connect = false

# Allow httpd cgi support
#
httpd_enable_cgi = true

# Allow httpd to act as a FTP server by listening on the ftp port.
#
httpd_enable_ftp_server = false

# Allow httpd to read home directories
#
httpd_enable_homedirs = false

# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false

# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false

# Run CGI in the main httpd domain
#
httpd_unified = false

# Allow BIND to write the master zone files. Generally this is used for dynamic DNS.
#
named_write_master_zones = false

# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true

# Allow nfs to be exported read only
#
nfs_export_all_ro = true

# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false

# Allow reading of default_t files.
#
read_default_t = false

# Allow samba to export user home directories.
#
samba_enable_home_dirs = false

# Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
#
squid_connect_any = false

# Support NFS home directories
#
use_nfs_home_dirs = true

# Support SAMBA home directories
#
use_samba_home_dirs = false

# Control users use of ping and traceroute
#
user_ping = false

# allow host key based authentication
#
allow_ssh_keysign = false

# Allow pppd to be run for a regular user
#
pppd_for_user = false

# Allow applications to read untrusted content. If this is disallowed, Internet content has to be manually relabeled for read access to be granted
#
read_untrusted_content = false

# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false

# Allow regular users direct mouse access
#
user_direct_mouse = false

# Allow users to read system messages.
#
user_dmesg = false

# Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false

# Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users); disabling this forces FTP passive mode and may change other protocols.
#
user_tcp_server = false

# Allow w to display everyone
#
user_ttyfile_stat = false

# Allow applications to write untrusted content. If this is disallowed, no Internet content will be stored.
#
write_untrusted_content = false

# Allow all domains to talk to ttys
#
allow_daemons_use_tty = false

# Allow login domains to polyinstatiate directories
#
allow_polyinstantiation = false

# Allow all domains to dump core
#
allow_daemons_dump_core = true

# Allow samba to act as the domain controller
#
samba_domain_controller = false

# Allow samba to export user home directories.
#
samba_run_unconfined = false

# Allows XServer to execute writable memory
#
allow_xserver_execmem = false

# disallow guest accounts to execute files that they can create
#
allow_guest_exec_content = false
allow_xguest_exec_content = false

# Only allow browser to use the web
#
browser_confine_xguest=false

# Allow postfix locat to write to mail spool
#
allow_postfix_local_write_mail_spool=false

# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile=true

# Allow qemu to connect fully to the network
#
qemu_full_network=true

# Allow nsplugin execmem/execstack for bad plugins
#
allow_nsplugin_execmem=true

# Allow unconfined domain to transition to confined domain
#
allow_unconfined_nsplugin_transition=true

# System uses init upstart program
#
init_upstart = true

# Allow mount to mount any file/dir
#
allow_mount_anyfile = true

++++++ booleans-mls.conf ++++++
# Allow making anonymous memory executable, e.g. for runtime-code generation or executable stack.
#
allow_execmem = false

# Allow making a modified private file mapping executable (text relocation).
#
allow_execmod = false

# Allow making the stack executable via mprotect. Also requires allow_execmem.
#
allow_execstack = false

# Allow ftp servers to modify public files used for public file transfer services.
#
allow_ftpd_anon_write = false

# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = false

# Allow Apache to modify public files used for public file transfer services.
#
allow_httpd_anon_write = false

# Allow system to run with kerberos
#
allow_kerberos = true

# Allow rsync to modify public files used for public file transfer services.
#
allow_rsync_anon_write = false

# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false

# Allow samba to modify public files used for public file transfer services.
#
allow_smbd_anon_write = false

# Allow sysadm to ptrace all processes
#
allow_ptrace = false

# Allow system to run with NIS
#
allow_ypbind = false

# Enable extra rules in the cron domain to support fcron.
#
fcron_crond = false

# Allow ftp to read and write files in the user home directories
#
ftp_home_dir = false

# Allow ftpd to run directly without inetd
#
ftpd_is_daemon = true

# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = false

# Allow http daemon to tcp connect
#
httpd_can_network_connect = false

# Allow httpd cgi support
#
httpd_enable_cgi = false

# Allow httpd to act as a FTP server by listening on the ftp port.
#
httpd_enable_ftp_server = false

# Allow httpd to read home directories
#
httpd_enable_homedirs = false

# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false

# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false

# Run CGI in the main httpd domain
#
httpd_unified = false

# Allow BIND to write the master zone files. Generally this is used for dynamic DNS.
#
named_write_master_zones = false

# Allow nfs to be exported read/write.
#
nfs_export_all_rw = false

# Allow nfs to be exported read only
#
nfs_export_all_ro = false

# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false

# Allow reading of default_t files.
#
read_default_t = false

# Allow ssh to run from inetd instead of as a daemon.
#
run_ssh_inetd = false

# Allow samba to export user home directories.
#
samba_enable_home_dirs = false

# Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
#
squid_connect_any = false

# Allow ssh logins as sysadm_r:sysadm_t
#
ssh_sysadm_login = false

# Configure stunnel to be a standalone daemon or inetd service.
#
stunnel_is_daemon = false

# Support NFS home directories
#
use_nfs_home_dirs = false

# Support SAMBA home directories
#
use_samba_home_dirs = false

# Control users use of ping and traceroute
#
user_ping = true

# Allow gpg executable stack
#
allow_gpg_execstack = false

# allow host key based authentication
#
allow_ssh_keysign = false

# Allow users to connect to mysql
#
allow_user_mysql_connect = false

# Allow system cron jobs to relabel filesystem for restoring file contexts.
#
cron_can_relabel = false

# Allow pppd to be run for a regular user
#
pppd_for_user = false

# Allow applications to read untrusted content. If this is disallowed, Internet content has to be manually relabeled for read access to be granted
#
read_untrusted_content = false

# Allow user spamassassin clients to use the network.
#
spamassassin_can_network = false

# Allow staff_r users to search the sysadm home dir and read files (such as ~/.bashrc)
#
staff_read_sysadm_file = false

# Allow regular users direct mouse access
#
user_direct_mouse = false

# Allow users to read system messages.
#
user_dmesg = false

# Allow users to control network interfaces (also needs USERCTL=true)
#
user_net_control = false

# Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false

# Allow users to rw usb devices
#
user_rw_usb = false

# Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users); disabling this forces FTP passive mode and may change other protocols.
#
user_tcp_server = false

# Allow w to display everyone
#
user_ttyfile_stat = false

# Allow applications to write untrusted content. If this is disallowed, no Internet content will be stored.
#
write_untrusted_content = false

spamd_enable_home_dirs = false

# Allow login domains to polyinstatiate directories
#
allow_polyinstantiation = true

# Allow mount command to mount on any directory
#
allow_mounton_anydir = true

# Allow unlabeled packets to flow
#
allow_unlabeled_packets = true

# Allow samba to act as the domain controller
#
samba_domain_controller = false

# Run the xserver as an object manager
#
xserver_object_manager = true

# System uses init upstart program
#
init_upstart = true

++++++ booleans-targeted.conf ++++++
# Allow making anonymous memory executable, e.g. for runtime-code generation or executable stack.
#
allow_execmem = true

# Allow making a modified private file mapping executable (text relocation).
#
allow_execmod = false

# Allow making the stack executable via mprotect. Also requires allow_execmem.
#
allow_execstack = true

# Allow ftpd to read cifs directories.
#
allow_ftpd_use_cifs = false

# Allow ftpd to read nfs directories.
#
allow_ftpd_use_nfs = false

# Allow ftp servers to modify public files used for public file transfer services.
#
allow_ftpd_anon_write = false

# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = true

# Allow Apache to modify public files used for public file transfer services.
#
allow_httpd_anon_write = false

# Allow Apache to use mod_auth_pam module
#
allow_httpd_mod_auth_pam = false

# Allow system to run with kerberos
#
allow_kerberos = true

# Allow rsync to modify public files used for public file transfer services.
#
allow_rsync_anon_write = false

# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false

# Allow samba to modify public files used for public file transfer services.
#
allow_smbd_anon_write = false

# Allow system to run with NIS
#
allow_ypbind = false

# Allow zebra to write it own configuration files
#
allow_zebra_write_config = true

# Enable extra rules in the cron domain to support fcron.
#
fcron_crond = false

# Allow ftp to read and write files in the user home directories
#
ftp_home_dir = false

#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false

#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true

#
# allow httpd to network relay
httpd_can_network_relay = false

# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true

# Allow http daemon to tcp connect
#
httpd_can_network_connect = false

# Allow httpd cgi support
#
httpd_enable_cgi = true

# Allow httpd to act as a FTP server by listening on the ftp port.
#
httpd_enable_ftp_server = false

# Allow httpd to read home directories
#
httpd_enable_homedirs = false

# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false

# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = true

# Run CGI in the main httpd domain
#
httpd_unified = true

# Allow BIND to write the master zone files. Generally this is used for dynamic DNS.
#
named_write_master_zones = false

# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true

# Allow nfs to be exported read only
#
nfs_export_all_ro = true

## Allow openvpn to read home directories
##
openvpn_enable_homedirs = true

# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false

# Allow samba to export user home directories.
#
samba_enable_home_dirs = false

# Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
#
squid_connect_any = false

# Support NFS home directories
#
use_nfs_home_dirs = true

# Support SAMBA home directories
#
use_samba_home_dirs = false

# Control users use of ping and traceroute
#
user_ping = true

# allow host key based authentication
#
allow_ssh_keysign = false

# Allow pppd to be run for a regular user
#
pppd_for_user = false

# Allow applications to read untrusted content. If this is disallowed, Internet content has to be manually relabeled for read access to be granted
#
read_untrusted_content = true

# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = true

# Allow regular users direct mouse access
#
user_direct_mouse = false

# Allow regular users direct dri access
#
user_direct_dri = true

# Allow users to read system messages.
#
user_dmesg = true

# Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false

# Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users); disabling this forces FTP passive mode and may change other protocols.
#
user_tcp_server = true

# Allow w to display everyone
#
user_ttyfile_stat = false

# Allow applications to write untrusted content. If this is disallowed, no Internet content will be stored.
#
write_untrusted_content = true

# Allow all domains to talk to ttys
#
allow_daemons_use_tty = true

# Allow login domains to polyinstatiate directories
#
allow_polyinstantiation = false

# Allow all domains to dump core
#
allow_daemons_dump_core = true

# Allow samba to act as the domain controller
#
samba_domain_controller = false

# Allow samba to export user home directories.
#
samba_run_unconfined = false

# Allows XServer to execute writable memory
#
allow_xserver_execmem = false

# disallow guest accounts to execute files that they can create
#
allow_guest_exec_content = false
allow_xguest_exec_content = false

# Only allow browser to use the web
#
browser_confine_xguest=false

# Allow postfix locat to write to mail spool
#
allow_postfix_local_write_mail_spool=true

# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile=true

# Allow qemu to connect fully to the network
#
qemu_full_network=true

# Allow nsplugin execmem/execstack for bad plugins
#
allow_nsplugin_execmem=true

# Allow unconfined domain to transition to confined domain
#
allow_unconfined_nsplugin_transition=false

# System uses init upstart program
#
init_upstart = true

# Allow mount to mount any file/dir
#
allow_mount_anyfile = true

# Allow confined domains to communicate with ncsd via shared memory
#
nscd_use_shm = true

# Allow fenced domain to connect to the network using TCP.
#
fenced_can_network_connect=false

# Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.
#
privoxy_connect_any = true

++++++ booleans.subs_dist ++++++
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
allow_daemons_use_tty daemons_use_tty
allow_domain_fd_use domain_fd_use
allow_execheap selinuxuser_execheap
allow_execmod selinuxuser_execmod
allow_execstack selinuxuser_execstack
allow_ftpd_anon_write ftpd_anon_write
allow_ftpd_full_access ftpd_full_access
allow_ftpd_use_cifs ftpd_use_cifs
allow_ftpd_use_nfs ftpd_use_nfs
allow_gssd_read_tmp gssd_read_tmp
allow_guest_exec_content guest_exec_content
allow_httpd_anon_write httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam httpd_mod_auth_pam
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
allow_kerberos kerberos_enabled
allow_mplayer_execstack mplayer_execstack
allow_mount_anyfile mount_anyfile
allow_nfsd_anon_write nfsd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
allow_rsync_anon_write rsync_anon_write
allow_saslauthd_read_shadow saslauthd_read_shadow
allow_secadm_exec_content secadm_exec_content
allow_smbd_anon_write smbd_anon_write
allow_ssh_keysign ssh_keysign
allow_staff_exec_content staff_exec_content
allow_sysadm_exec_content sysadm_exec_content
allow_user_exec_content user_exec_content
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
allow_write_xshm xserver_clients_write_xshm
allow_xguest_exec_content xguest_exec_content
allow_xserver_execmem xserver_execmem
allow_ypbind nis_enabled
allow_zebra_write_config zebra_write_config
user_direct_dri selinuxuser_direct_dri_enabled
user_ping selinuxuser_ping
user_share_music selinuxuser_share_music

++++++ customizable_types ++++++
svirt_image_t
virt_content_t
httpd_user_htaccess_t
httpd_user_script_exec_t
httpd_user_content_ra_t
httpd_user_content_rw_t
httpd_user_content_t
git_session_content_t

++++++ file_contexts.subs_dist ++++++
/run /var/run
/run/lock /var/lock
/var/run/lock /var/lock
/lib64 /lib
/usr/lib64 /usr/lib
/usr/local /usr
/usr/local/lib64 /usr/lib
/usr/local/lib32 /usr/lib
/etc/systemd/system /lib/systemd/system
/var/lib/xguest/home /home

++++++ modules-minimum.conf ++++++
++++ 2100 lines (skipped)

++++++ modules-mls.conf ++++++
++++ 2024 lines (skipped)

++++++ modules-targeted.conf ++++++
++++ 2214 lines (skipped)

++++++ refpolicy-2.20081210.tar.bz2 -> refpolicy-2.20120725.tar.bz2 ++++++
++++ 376838 lines of diff (skipped)

++++++ securetty_types-minimum ++++++
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

++++++ securetty_types-mls ++++++
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
auditadm_tty_device_t
secureadm_tty_device_t

++++++ securetty_types-targeted ++++++
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

++++++ selinux-policy-SUSE.patch ++++++
++++ 1398 lines (skipped)

++++++ selinux-policy-run_sepolgen_during_build.patch ++++++
Index: refpolicy/Makefile
===================================================================
--- refpolicy.orig/Makefile	2012-04-23 16:18:45.000000000 +0200
+++ refpolicy/Makefile	2012-12-03 15:27:59.608269542 +0100
@@ -61,6 +61,7 @@
 SEMODULE ?= $(tc_usrsbindir)/semodule
 SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
 SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
 SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
 SETFILES ?= $(tc_sbindir)/setfiles
 XMLLINT ?= $(BINDIR)/xmllint
Index: refpolicy/Rules.modular
===================================================================
--- refpolicy.orig/Rules.modular	2012-03-30 14:48:20.000000000 +0200
+++ refpolicy/Rules.modular	2012-12-03 15:28:28.304149778 +0100
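Review bot: the Makefile hunk turns sepolgen-ifgen into a hard build-time requirement (SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen is consumed unconditionally by the validate target in the Rules.modular hunk), but nothing in the patch records that dependency, and the selinux-policy.spec diff is not shown here; a build host that has the checkpolicy/semodule toolchain but not the package providing sepolgen-ifgen will now fail in validate. Add the matching BuildRequires to the spec and a one-line patch description saying why the interface index is generated at build time, or guard the new variable so that an absent tool degrades to a skipped step rather than a failed build.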
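Review bot: in the Rules.modular validate hunk the added line `$(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output` writes its result to $(tmpdir)/output, but nothing in the hunk consumes or installs that file, so the patch should state where the generated interface index is meant to end up (and add that install rule), or the step belongs in its own target that the spec invokes rather than in validate, whose name promises a check, not a build artefact. The ordering itself is right: it runs after $(SEMOD_EXP) has produced $(tmpdir)/policy.bin. Prefix the call with an `@echo` like the surrounding steps so a failing sepolgen-ifgen run is identifiable in the build log instead of aborting validate silently before "Success.".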
@@ -201,6 +201,7 @@
 validate: $(base_pkg) $(mod_pkgs)
 	@echo "Validating policy linking."
 	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
 	$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+	$(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
 	@echo "Success."
 ########################################

++++++ selinux-policy.conf ++++++
z /sys/devices/system/cpu/online - - -
Z /sys/class/net - - -

++++++ selinux-policy.sysconfig ++++++
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#	targeted - Targeted processes are protected,
#	mls - Multi Level Security protection.
SELINUXTYPE=targeted

++++++ setrans-minimum.conf ++++++
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

++++++ setrans-mls.conf ++++++
#
# Multi-Level Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
#
# Assumptions: using below MLS labels.
#   SystemLow
#   SystemHigh
#   Unclassified
#   Secret with compartments A and B.
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh

# Unclassified level
s1=Unclassified

# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B

# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh

# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s0-s2:c0=SystemLow-Secret:A
s0-s2:c1=SystemLow-Secret:B
s0-s2:c0,c1=SystemLow-Secret:AB
s1-s2:c0=Unclassified-Secret:A
s1-s2:c1=Unclassified-Secret:B
s1-s2:c0,c1=Unclassified-Secret:AB
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

++++++ setrans-targeted.conf ++++++
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation libary
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh

++++++ users-minimum ++++++
##################################
#
# Core User configuration.
#

#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#

#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

++++++ users-mls ++++++
##################################
#
# Core User configuration.
#

#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#

#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user.
# If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

++++++ users-targeted ++++++
##################################
#
# Core User configuration.
#

#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#

#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)

#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell.
# Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org