Bring config files from dist-git into the source repo

The content of these files is more or less tied to the policy source code. Therefore, moving these files to the source repo rather than dist-git will make it easier to do changes that would formerly need coordinated modification both in the sources and in dist-git (e.g. adding or removing a module). It will also make it easier for other distributions seeking to package a Fedora-like SELinux policy. Those files that correspond to existing config/ files are just updated locally to match what would be applied in dist-git; the rest is placed into the new dist/ subdirectory. For better maintainability, files for the different policy variants (targeted, minimum, mls) are placed into separate subdirectories. This will be followed up with a dist-git patch that converts it to use the config files from sources rather than from dist-git. Signed-off-by: Ondrej Mosnacek <[email protected]>
fedora-selinux · Sep 12, 2024 · 91ce853 · 91ce853
1 parent ce83836
commit 91ce853
Show file tree

Hide file tree

Showing 18 changed files with 5,551 additions and 13 deletions.
diff --git a/config/appconfig-mcs/securetty_types b/config/appconfig-mcs/securetty_types
@@ -1 +1,4 @@
+console_device_t
+sysadm_tty_device_t
 user_tty_device_t
+staff_tty_device_t
diff --git a/config/appconfig-mls/securetty_types b/config/appconfig-mls/securetty_types
@@ -1 +1,6 @@
+console_device_t
+sysadm_tty_device_t
 user_tty_device_t
+staff_tty_device_t
+auditadm_tty_device_t
+secureadm_tty_device_t
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
@@ -7,18 +7,28 @@
 #
 # It does not perform substitutions as done by sed(1), for
 # example, but aliasing.
-# 
-/etc/init.d /etc/rc.d/init.d
-/lib32 /lib
-/lib64 /lib
-/run /var/run
-/run/lock /var/lock
-/usr/lib32 /usr/lib
+#
+/var/run /run
+/var/lock /run/lock
+/run/systemd/system /usr/lib/systemd/system
+/run/systemd/generator.early /run/systemd/generator
+/run/systemd/generator.late /run/systemd/generator
+/lib /usr/lib
+/lib64 /usr/lib
 /usr/lib64 /usr/lib
-/usr/local/lib32 /usr/lib
 /usr/local/lib64 /usr/lib
-/usr/local/lib /usr/lib
-/var/run/lock /var/lock
-/bin /usr/bin
-/sbin /usr/bin
-/usr/sbin /usr/bin
+/usr/local/lib32 /usr/lib
+/etc/systemd/system /usr/lib/systemd/system
+/var/lib/xguest/home /home
+/var/named/chroot/usr/lib64 /usr/lib
+/var/named/chroot/lib64 /usr/lib
+/var/named/chroot/var  /var
+/home-inst            /home
+/home/home-inst            /home
+/var/roothome        /root
+/sbin                /usr/bin
+/sysroot/tmp         /tmp
+/var/usrlocal        /usr/local
+/var/mnt             /mnt
+/bin                 /usr/bin
+/usr/sbin            /usr/bin
diff --git a/dist/booleans.subs_dist b/dist/booleans.subs_dist
@@ -0,0 +1,54 @@
+allow_auditadm_exec_content auditadm_exec_content
+allow_console_login login_console_enabled
+allow_cvs_read_shadow cvs_read_shadow
+allow_daemons_dump_core daemons_dump_core
+allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
+allow_daemons_use_tty daemons_use_tty
+allow_domain_fd_use domain_fd_use
+allow_execheap selinuxuser_execheap
+allow_execmod selinuxuser_execmod
+allow_execstack selinuxuser_execstack
+allow_ftpd_anon_write ftpd_anon_write
+allow_ftpd_full_access ftpd_full_access
+allow_ftpd_use_cifs ftpd_use_cifs
+allow_ftpd_use_nfs ftpd_use_nfs
+allow_gssd_read_tmp gssd_read_tmp
+allow_guest_exec_content guest_exec_content
+allow_httpd_anon_write httpd_anon_write
+allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
+allow_httpd_mod_auth_pam httpd_mod_auth_pam
+allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
+allow_kerberos kerberos_enabled
+allow_mplayer_execstack mplayer_execstack
+allow_mount_anyfile mount_anyfile
+allow_nfsd_anon_write nfsd_anon_write
+allow_polyinstantiation polyinstantiation_enabled
+allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
+allow_rsync_anon_write rsync_anon_write
+allow_saslauthd_read_shadow saslauthd_read_shadow
+allow_secadm_exec_content secadm_exec_content
+allow_smbd_anon_write smbd_anon_write
+allow_ssh_keysign ssh_keysign
+allow_staff_exec_content staff_exec_content
+allow_sysadm_exec_content sysadm_exec_content
+allow_user_exec_content user_exec_content
+allow_user_mysql_connect selinuxuser_mysql_connect_enabled
+allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
+allow_write_xshm xserver_clients_write_xshm
+allow_xguest_exec_content xguest_exec_content
+allow_xserver_execmem xserver_execmem
+allow_ypbind nis_enabled
+allow_zebra_write_config zebra_write_config
+user_direct_dri selinuxuser_direct_dri_enabled
+user_ping selinuxuser_ping
+user_share_music selinuxuser_share_music
+user_tcp_server selinuxuser_tcp_server
+sepgsql_enable_pitr_implementation postgresql_can_rsync
+sepgsql_enable_users_ddl  postgresql_selinux_users_ddl
+sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
+sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
+clamd_use_jit antivirus_use_jit
+amavis_use_jit antivirus_use_jit
+logwatch_can_sendmail logwatch_can_network_connect_mail
+puppet_manage_all_files puppetagent_manage_all_files
+virt_sandbox_use_nfs virt_use_nfs
diff --git a/dist/customizable_types b/dist/customizable_types
@@ -0,0 +1,14 @@
+container_file_t
+sandbox_file_t
+svirt_image_t
+svirt_home_t
+svirt_sandbox_file_t
+virt_content_t
+httpd_user_htaccess_t
+httpd_user_script_exec_t
+httpd_user_rw_content_t
+httpd_user_ra_content_t
+httpd_user_content_t
+git_session_content_t
+home_bin_t
+user_tty_device_t
diff --git a/dist/minimum/booleans.conf b/dist/minimum/booleans.conf
@@ -0,0 +1,248 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# 
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+# 
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+# 
+allow_execstack = true
+
+# Allow ftpd to read cifs directories.
+# 
+allow_ftpd_use_cifs = false
+
+# Allow ftpd to read nfs directories.
+# 
+allow_ftpd_use_nfs = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+# 
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+# 
+allow_gssd_read_tmp = true
+
+# Allow Apache to modify public filesused for public file transfer services.
+# 
+allow_httpd_anon_write = false
+
+# Allow Apache to use mod_auth_pam module
+# 
+allow_httpd_mod_auth_pam = false
+
+# Allow system to run with kerberos
+# 
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+# 
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+# 
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+# 
+allow_smbd_anon_write = false
+
+# Allow system to run with NIS
+# 
+allow_ypbind = false
+
+# Allow zebra to write it own configuration files
+# 
+allow_zebra_write_config = false
+
+# Enable extra rules in the cron domainto support fcron.
+# 
+fcron_crond = false
+
+#
+# allow httpd to connect to mysql/posgresql 
+httpd_can_network_connect_db = false
+
+#
+# allow httpd to send dbus messages to avahi
+httpd_dbus_avahi = true
+
+#
+# allow httpd to network relay
+httpd_can_network_relay = false
+
+# Allow httpd to use built in scripting (usually php)
+# 
+httpd_builtin_scripting = true
+
+# Allow http daemon to tcp connect
+# 
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+# 
+httpd_enable_cgi = true
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+# 
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+# 
+httpd_enable_homedirs = false
+
+# Run SSI execs in system CGI script domain.
+# 
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+# 
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+# 
+httpd_unified = false
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+# 
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+# 
+nfs_export_all_rw = true
+
+# Allow nfs to be exported read only
+# 
+nfs_export_all_ro = true
+
+# Allow pppd to load kernel modules for certain modems
+# 
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+# 
+read_default_t = false
+
+# Allow samba to export user home directories.
+# 
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+# 
+squid_connect_any = false
+
+# Support NFS home directories
+# 
+use_nfs_home_dirs = true
+
+# Support SAMBA home directories
+# 
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+# 
+user_ping = false
+
+# allow host key based authentication
+# 
+allow_ssh_keysign = false
+
+# Allow pppd to be run for a regular user
+# 
+pppd_for_user = false
+
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+# 
+read_untrusted_content = false
+
+# Allow spamd to write to users homedirs
+# 
+spamd_enable_home_dirs = false
+
+# Allow regular users direct mouse access
+# 
+user_direct_mouse = false
+
+# Allow users to read system messages.
+# 
+user_dmesg = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+# 
+user_rw_noexattrfile = false
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
+# 
+user_tcp_server = false
+
+# Allow w to display everyone
+# 
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+# 
+write_untrusted_content = false
+
+# Allow all domains to talk to ttys
+# 
+allow_daemons_use_tty = false
+
+# Allow login domains to polyinstatiate directories
+# 
+allow_polyinstantiation = false
+
+# Allow all domains to dump core
+# 
+allow_daemons_dump_core = true
+
+# Allow samba to act as the domain controller
+# 
+samba_domain_controller = false
+
+# Allow samba to export user home directories.
+# 
+samba_run_unconfined = false
+
+# Allows XServer to execute writable memory
+# 
+allow_xserver_execmem = false
+
+# disallow guest accounts to execute files that they can create 
+# 
+allow_guest_exec_content = false
+allow_xguest_exec_content = false
+
+# Only allow browser to use the web
+# 
+browser_confine_xguest=false
+
+# Allow postfix locat to write to mail spool
+# 
+allow_postfix_local_write_mail_spool=false
+
+# Allow common users to read/write noexattrfile systems
+# 
+user_rw_noexattrfile=true
+
+# Allow qemu to connect fully to the network
+# 
+qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+# 
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+# 
+allow_unconfined_nsplugin_transition=true
+
+# System uses init upstart program
+# 
+init_upstart = true
+
+# Allow mount to mount any file/dir
+# 
+allow_mount_anyfile = true
diff --git a/dist/minimum/modules.conf b/dist/minimum/modules.conf
@@ -0,0 +1 @@
+../targeted/modules.conf
diff --git a/dist/minimum/setrans.conf b/dist/minimum/setrans.conf
@@ -0,0 +1 @@
+../targeted/setrans.conf
diff --git a/dist/minimum/users b/dist/minimum/users
@@ -0,0 +1 @@
+../targeted/users
diff --git a/dist/mls/booleans.conf b/dist/mls/booleans.conf
@@ -0,0 +1,6 @@
+kerberos_enabled = true
+mount_anyfile = true
+polyinstantiation_enabled = true
+ftpd_is_daemon = true
+selinuxuser_ping = true
+xserver_object_manager = true