diff --git a/modules-strict.conf b/modules-strict.conf index ccc4e57..268acec 100644 --- a/modules-strict.conf +++ b/modules-strict.conf @@ -20,6 +20,14 @@ terminal = base # Layer: kernel +# Module: mcs +# Required in base +# +# Multicategory security policy +# +mcs = base + +# Layer: kernel # Module: files # Required in base # @@ -81,17 +89,9 @@ corenetwork = base # Module: mls # Required in base # -# MultiCategory security policy -# -mls = base - -# Layer: kernel -# Module: mcs -# Required in base -# # Multilevel security policy # -mcs = base +mls = base # Layer: kernel # Module: selinux @@ -144,6 +144,13 @@ readahead = module kudzu = module # Layer: admin +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = base + +# Layer: admin # Module: updfstab # # Red Hat utility to change /etc/fstab. @@ -155,7 +162,7 @@ updfstab = module # # Network analysis utilities # -netutils = module +netutils = base # Layer: admin # Module: alsa @@ -187,6 +194,13 @@ portage = module su = module # Layer: admin +# Module: apt +# +# APT advanced package toll. +# +apt = module + +# Layer: admin # Module: dmesg # # Policy for dmesg. @@ -201,6 +215,13 @@ dmesg = module anaconda = module # Layer: admin +# Module: dpkg +# +# Policy for the Debian package manager. +# +dpkg = off + +# Layer: admin # Module: amanda # # Automated backup program. @@ -279,6 +300,13 @@ certwatch = module tmpreaper = module # Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: admin # Module: dmidecode # # Decode DMI data for x86/ia64 bioses. 
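Review bot: `bootloader = base` promotes a module that was loadable before into the base policy package, and nothing in the hunk says why; the same module-to-base promotion recurs for `netutils = base` in the next hunk, for `storage = base` and the whole relocated `# Layer: system` block (fstools, logging, lvm, sysnetwork, init, selinuxutil, udev, userdomain, modutils, hotplug, clock, locallogin, mount, miscfiles) further down, and for `mta = base` in the services hunk. Once a module is in base it can no longer be removed or replaced on its own with semodule, so a rule that turns out to be too permissive in any of them can only be corrected by rebuilding and reinstalling the whole base package. If these promotions are needed because base-resident modules depend on them in the strict-mcs build, marking each with the `# Required in base` line the kernel-layer entries already use would make that explicit and greppable; if they are not needed, leaving them at `module` keeps them individually removable.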
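Review bot: The description added for the apt module reads `# APT advanced package toll.`; the word is `tool`, so the line should be `# APT advanced package tool.`. This text is what an administrator sees when deciding whether to keep the module, so it is worth getting right while the block is new.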
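Review bot: `dpkg = off` is the only `off` entry visible in this diff and it carries no explanation, while its sibling `apt` in the previous hunk is built as `module`; a reader cannot tell whether dpkg is disabled because it is not used on this distribution or because its policy does not build. A one-line comment above the value, for example `# not built: <reason>` with the reason filled in, would record the intent. If the apt policy references dpkg interfaces, it is also worth confirming that building apt with dpkg off does not quietly drop those rules; I cannot verify that from this file alone.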
@@ -292,6 +320,27 @@ dmidecode = module # logwatch = module +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: apps +# Module: evolution +# +# Evolution email client +# +evolution = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + # Layer: apps # Module: irc # @@ -321,6 +370,13 @@ usernetctl = module gpg = module # Layer: apps +# Module: thunderbird +# +# Thunderbird email client +# +thunderbird = module + +# Layer: apps # Module: wine # # Wine Is Not an Emulator. Run Windows programs in Linux. @@ -342,6 +398,20 @@ loadkeys = module screen = module # Layer: apps +# Module: calamaris +# +# Squid log analysis +# +calamaris = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: apps # Module: java # # Java virtual machine @@ -349,6 +419,13 @@ screen = module java = module # Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: apps # Module: cdrecord # # Policy for cdrecord @@ -356,6 +433,13 @@ java = module cdrecord = module # Layer: apps +# Module: mplayer +# +# Mplayer media player and encoder +# +mplayer = module + +# Layer: apps # Module: webalizer # # Web server log analysis @@ -363,6 +447,13 @@ cdrecord = module webalizer = module # Layer: apps +# Module: ethereal +# +# Ethereal packet capture tool. +# +ethereal = module + +# Layer: apps # Module: userhelper # # SELinux utility to run a shell with a new role @@ -370,6 +461,13 @@ webalizer = module userhelper = module # Layer: apps +# Module: games +# +# Games +# +games = module + +# Layer: apps # Module: mono # # Run .NET server and client applications on Linux. 
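Review bot: The relocated `storage` block is placed between the admin-layer `logwatch` entry and the apps-layer `irc` entry even though it is tagged `# Layer: kernel`, while the other kernel-layer entries (`mcs`, `files`, `mls`, `selinux`) are grouped at the top of the file. Keeping each layer contiguous is what makes the `# Layer:` header useful when scanning for what is built into base, and this commit already follows that rule when it inserts `mcs` next to `files`. Moving the storage block up to the kernel-layer group would keep the file consistent without changing anything else in the hunk.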
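Review bot: The added `# Policy for UML` description is the only one in this line's hunks that does not say what its acronym means, whereas neighbouring entries spell out their subject (`# Squid log analysis`, `# Mplayer media player and encoder`). Presumably User Mode Linux is meant; if so, `# Policy for User Mode Linux (UML)` would tell an administrator what they are enabling.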
@@ -383,19 +481,181 @@ mono = module # slocate = module -# Layer: kernel -# Module: bootloader +# Layer: system +# Module: xen # -# Policy for the kernel modules, kernel image, and bootloader. +# Xen hypervisor # -bootloader = module +xen = module -# Layer: kernel -# Module: storage +# Layer: system +# Module: fstools # -# Policy controlling access to storage devices +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = base + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = base + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. +# +hostname = module + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = module + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = base + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = base + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = base + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = base + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = base + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = base + +# Layer: system +# Module: libraries +# +# Policy for system libraries. 
+# +libraries = base + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = base + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. +# +hotplug = base + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = base + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = base + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = module + +# Layer: system +# Module: mount +# +# Policy for mount. # -storage = module +mount = base + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = module + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = base + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module # Layer: services # Module: nis @@ -412,6 +672,13 @@ nis = module distcc = module # Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services # Module: rshd # # Remote shell service. @@ -433,6 +700,13 @@ cpucontrol = module bind = module # Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services # Module: canna # # Canna - kana-kanji conversion server @@ -624,6 +898,14 @@ arpwatch = module dovecot = module # Layer: services +# Module: amavis +# +# Daemon that interfaces mail transfer agents and content +# checkers, such as virus scanners. +# +amavis = module + +# Layer: services # Module: cups # # Common UNIX printing system 
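Review bot: The moved miscfiles block carries `# Miscelaneous files.` on its added line; the spelling is `Miscellaneous`, so `# Miscellaneous files.` would fix it while the block is being rewritten anyway. The same hunk also replaces the old xen entry, whose description had been copied from ipsec (`TCP/IP encryption`), with `# Xen hypervisor`, which is a welcome correction. This hunk begins on the previous source line.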
@@ -715,13 +997,6 @@ cyrus = module rdisc = module # Layer: services -# Module: xserver -# -# X windows login display manager -# -xserver = module - -# Layer: services # Module: nscd # # Name service cache daemon @@ -757,11 +1032,25 @@ ftp = module gpm = module # Layer: services +# Module: audioentropy +# +# Generate entropy from audio input +# +audioentropy = module + +# Layer: services # Module: mta # # Policy common to all email tranfer agents. # -mta = module +mta = base + +# Layer: services +# Module: rhgb +# +# Red Hat Graphical Boot +# +rhgb = module # Layer: services # Module: postfix @@ -834,6 +1123,13 @@ apache = module slrnpull = module # Layer: services +# Module: clamav +# +# ClamAV Virus Scanner +# +clamav = module + +# Layer: services # Module: rsync # # Fast incremental file transfer for synchronization 
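Review bot: The `xserver` block is deleted from the services layer and no matching `+xserver` entry appears anywhere in this diff, so the X display manager policy is silently dropped from the strict build rather than explicitly disabled. If the intention is to stop building it, `xserver = off` with a short reason keeps the decision visible and greppable, as `dpkg = off` does elsewhere in this change; if the module was meant to move to another layer, the corresponding addition is missing from the patch. I am inferring the build behaviour from how the other entries in this file are used; the build system itself is not in view.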
@@ -966,186 +1262,3 @@ cvs = module # rlogin = module -# Layer: system -# Module: fstools -# -# Tools for filesystem management, such as mkfs and fsck. -# -fstools = module - -# Layer: system -# Module: logging -# -# Policy for the kernel message logger and system logging daemon. -# -logging = module - -# Layer: system -# Module: hostname -# -# Policy for changing the system host name. -# -hostname = module - -# Layer: system -# Module: daemontools -# -# Collection of tools for managing UNIX services -# -daemontools = module - -# Layer: system -# Module: getty -# -# Policy for getty. -# -getty = module - -# Layer: system -# Module: lvm -# -# Policy for logical volume management programs. -# -lvm = module - -# Layer: system -# Module: sysnetwork -# -# Policy for network configuration: ifconfig and dhcp client. -# -sysnetwork = module - -# Layer: system -# Module: init -# -# System initialization programs (init and init scripts). -# -init = module - -# Layer: system -# Module: selinuxutil -# -# Policy for SELinux policy and userland applications. -# -selinuxutil = module - -# Layer: system -# Module: udev -# -# Policy for udev. -# -udev = module - -# Layer: system -# Module: pcmcia -# -# PCMCIA card management services -# -pcmcia = module - -# Layer: system -# Module: authlogin -# -# Common policy for authentication and user login. -# -authlogin = base - -# Layer: system -# Module: libraries -# -# Policy for system libraries. -# -libraries = base - -# Layer: system -# Module: raid -# -# RAID array management tools -# -raid = module - -# Layer: system -# Module: userdomain -# -# Policy for user domains -# -userdomain = module - -# Layer: system -# Module: modutils -# -# Policy for kernel module utilities -# -modutils = module - -# Layer: system -# Module: hotplug -# -# Policy for hotplug system, for supporting the -# connection and disconnection of devices at runtime. 
-# -hotplug = module - -# Layer: system -# Module: clock -# -# Policy for reading and setting the hardware clock. -# -clock = module - -# Layer: system -# Module: locallogin -# -# Policy for local logins. -# -locallogin = module - -# Layer: system -# Module: iptables -# -# Policy for iptables. -# -iptables = module - -# Layer: system -# Module: mount -# -# Policy for mount. -# -mount = module - -# Layer: system -# Module: unconfined -# -# The unconfined domain. -# -unconfined = module - -# Layer: system -# Module: miscfiles -# -# Miscelaneous files. -# -miscfiles = module - -# Layer: system -# Module: ipsec -# -# TCP/IP encryption -# -ipsec = module - -# Layer: admin -# Module: mrtg -# -# System log analyzer and reporter -# -mrtg = module - -# Layer: system -# Module: xen -# -# TCP/IP encryption -# -xen = base - diff --git a/selinux-policy.spec b/selinux-policy.spec index 612eb0b..e02ea8b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -184,6 +184,7 @@ chmod +x ${RPM_BUILD_ROOT}%{_usr}/share/selinux/devel/policyhelp # Commented out because only targeted ref policy currently builds make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} POLY=n bare make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} POLY=n conf +cp -f ${RPM_SOURCE_DIR}/modules-strict.conf ./policy/modules.conf %installCmds strict strict-mcs y n %endif
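Review bot: The added `cp -f ${RPM_SOURCE_DIR}/modules-strict.conf ./policy/modules.conf` overwrites the modules.conf that the preceding `make ... conf` line appears to have just generated, so any module that the policy source gains but that modules-strict.conf does not list is left out of the strict-mcs build without any error; the dropped xserver entry in this same change shows how easily that happens. A comment above the copy, along the lines of `# replace the generated modules.conf with the curated strict list; keep modules-strict.conf in sync with the module tree`, would warn the next maintainer. The context comment above these lines, `# Commented out because only targeted ref policy currently builds`, now sits over three live commands and is more misleading than before. It is also worth confirming, outside this hunk, that modules-strict.conf is declared as a Source entry in the spec, since a missing declaration only fails at build time.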