[Buildroot] [v3 2/2] refpolicy: new package

Bryce Ferguson bryce.ferguson at rockwellcollins.com
Fri Oct 7 18:08:27 UTC 2016


Performed a build with this package enabled using the qemu selinux
defconfig (updated for kernel 4.7), which is part of the outstanding
v12 patchset found here:
http://patchwork.ozlabs.org/bundle/matthewlweber/rc_selinux/.
Tested-by: Bryce Ferguson <bryce.ferguson at rockwellcollins.com>

On Fri, Oct 7, 2016 at 1:06 PM, Matthew Weber
<matthew.weber at rockwellcollins.com> wrote:
> Bryce,
>
> On Sat, Jul 16, 2016 at 7:35 PM, Adam Duskett <aduskett at gmail.com> wrote:
>> This patch adds the SELinux reference policy (refpolicy).
>> It is a complete SELinux policy that can be used as the system policy
>> for a variety of systems and as the basis for creating other policies.
>>
>> Signed-off-by: Adam Duskett <Aduskett at gmail.com>
>
> CC'n Bryce as he wasn't on the mailing list for the original.
>
>> ---
>> Changes:
>>
>> Changes v2 - v3:
>>  - Updated url.
>>
>> Changes v1 - v2:
>>  - Updated version to 20151208
>>  - Moved Fix-awk-references patch into base dir, as it still applies to the new
>>    Version.
>>  - Added custom policy name to menuconfig (default is buildroot).
>>  - Added custom default boolean file.
>>  - Added path for custom boolean file in menuconfig.
>>  - Changed /selinux to newer /sys/fs/selinux in S00Selinux
>>
>>
>>  package/Config.in                                  |    1 +
>>  .../0001-Fix-awk-references-to-use-variable.patch  |   42 +
>>  package/refpolicy/Config.in                        |  146 +++
>>  package/refpolicy/S00selinux                       |  126 ++
>>  package/refpolicy/booleans.conf                    | 1278 ++++++++++++++++++++
>>  package/refpolicy/config                           |    8 +
>>  package/refpolicy/modules.conf                     |  430 +++++++
>>  package/refpolicy/refpolicy.hash                   |    2 +
>>  package/refpolicy/refpolicy.mk                     |  118 ++
>>  9 files changed, 2151 insertions(+)
>>  create mode 100644 package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
>>  create mode 100644 package/refpolicy/Config.in
>>  create mode 100644 package/refpolicy/S00selinux
>>  create mode 100644 package/refpolicy/booleans.conf
>>  create mode 100644 package/refpolicy/config
>>  create mode 100644 package/refpolicy/modules.conf
>>  create mode 100644 package/refpolicy/refpolicy.hash
>>  create mode 100644 package/refpolicy/refpolicy.mk
>>
>> diff --git a/package/Config.in b/package/Config.in
>> index cc875e8..fcba5d0 100644
>> --- a/package/Config.in
>> +++ b/package/Config.in
>> @@ -1620,6 +1620,7 @@ endmenu
>>
>>  menu "Security"
>>         source "package/policycoreutils/Config.in"
>> +       source "package/refpolicy/Config.in"
>>         source "package/setools/Config.in"
>>  endmenu
>>
>> diff --git a/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
>> new file mode 100644
>> index 0000000..8236fa2
>> --- /dev/null
>> +++ b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
>> @@ -0,0 +1,42 @@
>> +From 1d4c826e8de366bccb93f167cd9be834ab5911c8 Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
>> +Date: Fri, 8 May 2015 14:13:00 -0500
>> +Subject: [PATCH] Fix awk references to use variable
>> +
>> +Ensure all awk calls use the variable setup in the makefile rather than
>> +relying on the system.
>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
>> +---
>> + Makefile | 8 ++++----
>> + 1 file changed, 4 insertions(+), 4 deletions(-)
>> +
>> +diff --git a/Makefile b/Makefile
>> +index 85d4cfb..3aa4b51 100644
>> +--- a/Makefile
>> ++++ b/Makefile
>> +@@ -292,9 +292,9 @@ cmdline_mods := $(addsuffix .te,$(APPS_MODS))
>> + cmdline_off := $(addsuffix .te,$(APPS_OFF))
>> +
>> + # extract settings from modules.conf
>> +-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
>> +-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
>> +-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
>> ++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
>> ++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
>> ++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
>> +
>> + base_mods := $(cmdline_base)
>> + mod_mods := $(cmdline_mods)
>> +@@ -308,7 +308,7 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
>> + off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
>> +
>> + # filesystems to be used in labeling targets
>> +-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
>> ++filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
>> + fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
>> +
>> + ########################################
>> +--
>> +1.9.1
>> +
>> diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
>> new file mode 100644
>> index 0000000..5a46829
>> --- /dev/null
>> +++ b/package/refpolicy/Config.in
>> @@ -0,0 +1,146 @@
>> +config BR2_PACKAGE_REFPOLICY
>> +       bool "refpolicy"
>> +       select BR2_PACKAGE_POLICYCOREUTILS
>> +       select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
>> +       depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
>> +       depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils
>> +       help
>> +         The SELinux Reference Policy project (refpolicy) is a
>> +         complete SELinux policy that can be used as the system
>> +         policy for a variety of systems and used as the basis
>> +         for creating other policies. Reference Policy was originally
>> +         based on the NSA example policy, but aims to accomplish
>> +         many additional goals.
>> +
>> +         The current refpolicy does not fully support Buildroot
>> +         and needs modifications to work with the default system
>> +         file layout. These changes should be added as patches to
>> +         the refpolicy that modify a single SELinux policy.
>> +
>> +         The refpolicy works for the most part in permissive mode. Only the
>> +         basic set of utilities are enabled in the example policy config and
>> +         some of the pathing in the policies is not correct. Individual
>> +         policies would need to be tweaked to get everything functioning
>> +         properly.
>> +
>> +comment "refpolicy needs a toolchain w/ threads, glibc or musl"
>> +       depends on !BR2_TOOLCHAIN_HAS_THREADS \
>> +               || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
>> +
>> +if BR2_PACKAGE_REFPOLICY
>> +
>> +choice
>> +prompt "SELinux policy type"
>> +default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
>> +
>> +config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
>> +bool "Standard"
>> +help
>> +Standard SELinux policy
>> +
>> +config BR2_PACKAGE_REFPOLICY_TYPE_MCS
>> +bool "MCS"
>> +help
>> +SELinux policy with multi-catagory support
>> +
>> +config BR2_PACKAGE_REFPOLICY_TYPE_MLS
>> +bool "MLS"
>> +help
>> +SELinux policy with multi-catagory and multi-level support
>> +endchoice
>> +
>> +config BR2_PACKAGE_REFPOLICY_TYPE
>> +       string
>> +       default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
>> +       default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
>> +       default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
>> +
>> +choice
>> +prompt "SELinux default state"
>> +default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
>> +
>> +config BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
>> +bool "Enforcing"
>> +help
>> +SELinux security policy is enforced
>> +
>> +config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
>> +bool "Permissive"
>> +help
>> +SELinux prints warnings instead of enforcing
>> +
>> +config BR2_PACKAGE_REFPOLICY_STATE_DISABLE
>> +bool "Disabled"
>> +help
>> +No SELinux policy is loaded
>> +endchoice
>> +
>> +config BR2_PACKAGE_REFPOLICY_NAME
>> +       string "Custom policy Name"
>> +       default "Buildroot"
>> +
>> +config BR2_PACKAGE_REFPOLICY_STATE
>> +       string
>> +       default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
>> +       default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
>> +       default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLE
>> +
>> +config BR2_PACKAGE_REFPOLICY_MODULES_FILE
>> +       string "Refpolicy modules configuration"
>> +       default "package/refpolicy/modules.conf"
>> +       help
>> +         Location of a custom modules.conf file that lists the
>> +         SELinux policy modules to be included in the compiled
>> +         policy. See policy/modules.conf in the refpolicy sources for
>> +         the complete list of available modules.
>> +         NOTE: This file is only used if a Custom Git repo is
>> +         not specified.
>> +
>> +config BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE
>> +       string "Refpolicy boolean configuration"
>> +       default "package/refpolicy/booleans.conf"
>> +       help
>> +         Location of a custom booleans.conf file that lists the
>> +         SELinux booleans to be set in the compiled
>> +         policy. See policy/booleans.conf in the refpolicy sources for
>> +         the complete list of available modules.
>> +         NOTE: This file is only used if a Custom Git repo is
>> +         not specified.
>> +
>> +config BR2_PACKAGE_REFPOLICY_MODULAR
>> +       bool "Build a modular SELinux policy"
>> +       help
>> +         Select Y to build a modular SELinux policy. By default,
>> +         a monolithic policy will be built to save space on the
>> +         target. A modular policy can also be built if policies
>> +         need to be modified without reloading the target.
>> +
>> +config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
>> +       bool "Custom Git repository"
>> +       select BR2_PACKAGE_REFPOLICY_CONTRIB
>> +       help
>> +        This option allows Buildroot to get the refpolicy source
>> +        code from a Git repository. This option should generally
>> +        be used to add custom SELinux policy to the base refpolicy
>> +        without having to deal with lots of patches.
>> +
>> +        Please note that with the current configuration of the
>> +        mainline refpolicy git repositories, a refpolicy and a
>> +        refpolicy-contrib git repo must be specified. These are
>> +        linked using a git submodule which does not get initialized
>> +        during the Buildroot build.
>> +
>> +if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
>> +
>> +config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
>> +       string "URL of custom repository"
>> +
>> +config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
>> +       string "Custom repository version"
>> +       help
>> +         Revision to use in the typical format used by Git
>> +         e.g. a SHA id, a tag, branch, ..
>> +
>> +endif
>> +
>> +endif
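Review bot: `select BR2_PACKAGE_REFPOLICY_CONTRIB` under BR2_PACKAGE_REFPOLICY_CUSTOM_GIT selects a symbol that no `config` entry in this patch defines, and the help text right below it says a refpolicy-contrib repository must be specified next to the custom repo, yet the only options inside the `if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT` block are a single URL and version; either the contrib option was dropped from the series or the select and that paragraph should go. A custom Git source is also not covered by refpolicy.hash, so pinning BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION to a full commit SHA rather than a branch name is the only integrity guarantee the user gets, which is worth stating in the version help, e.g. `Prefer a full commit SHA: git sources are not verified against a hash file.` Two help-text slips: "multi-catagory" appears twice, and the booleans-file help ends with "the complete list of available modules" where "booleans" is meant.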
>> diff --git a/package/refpolicy/S00selinux b/package/refpolicy/S00selinux
>> new file mode 100644
>> index 0000000..4faccfb
>> --- /dev/null
>> +++ b/package/refpolicy/S00selinux
>> @@ -0,0 +1,126 @@
>> +#!/bin/sh
>> +################################################################################
>> +#
>> +# This file labels the security contexts of memory based filesystems such as
>> +# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
>> +#
>> +# This script is a heavily stripped down and modified version of the one used
>> +# in CentOS 6.2
>> +#
>> +################################################################################
>> +
>> +failed()
>> +{
>> +   echo $1
>> +   exit 1
>> +}
>> +
>> +# Get SELinux config env vars
>> +. /etc/selinux/config || failed "Failed to source the SELinux config"
>> +
>> +setup_selinux() {
>> +   # Create required directories
>> +   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ ||
>> +         failed "Failed to create the policy folder"
>> +   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
>> +         failed "Failed to create the modules folder"
>> +   if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
>> +   then
>> +      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
>> +            failed "Failed to create the file_contexts.local file"
>> +   fi
>> +
>> +   # Load the policy to activate it
>> +   load_policy -i || failed "Failed to load the SELinux policy"
>> +}
>> +
>> +relabel_selinux() {
>> +   # if /sbin/init is not labeled correctly this process is running in the
>> +   # wrong context, so a reboot will be required after relabel
>> +   AUTORELABEL=
>> +
>> +   # Switch to Permissive mode
>> +   echo "0" > /sys/fs/selinux/enforce || failed "Failed to disable enforcing mode"
>> +
>> +   echo
>> +   echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
>> +   echo "*** Relabeling could take a very long time, depending on file"
>> +   echo "*** system size and speed of hard drives."
>> +
>> +   # Relabel mount points
>> +   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
>> +         >/dev/null 2>&1 || failed "Failed to relabel the mount points"
>> +
>> +   # Relabel file system
>> +   echo "Relabeling file systems"
>> +   restorecon -R -F / || failed "Failed to relabel the file system"
>> +
>> +   # Remove label
>> +   rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
>> +
>> +   # Reboot to activate relabeled file system
>> +   echo "Automatic reboot in progress."
>> +   reboot -f
>> +}
>> +
>> +start() {
>> +   printf "Initializing SELinux: "
>> +
>> +   # Check to see if the default policy has been installed
>> +   if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
>> +      if [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]
>> +      then
>> +         setup_selinux
>> +      else
>> +           # Load the policy to activate it
>> +           load_policy -i || failed "Failed to load the SELinux policy"
>> +      fi
>> +   fi
>> +
>> +   # Check SELinux status
>> +   SELINUX_STATE=
>> +   if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
>> +      if [ -r "/selinux/enforce" ] ; then
>> +         SELINUX_STATE=$(cat "/selinux/enforce")
>> +      else
>> +         # assume enforcing if you can't read it
>> +         SELINUX_STATE=1
>> +      fi
>> +   fi
>> +
>> +   # Context Label /dev/
>> +      /sbin/restorecon -R -F /dev 2>/dev/null
>> +
>> +   # Context Label tmpfs mounts.
>> +   # using /proc/mounts to discover tmpfs mounts
>> +      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
>> +
>> +   # Clean up SELinux labels
>> +      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
>> +
>> +   # Check for filesystem relabel request
>> +   if [ -f /.autorelabel ] ; then
>> +      relabel_selinux
>> +   fi
>> +
>> +   echo "OK"
>> +}
>> +stop() {
>> +   # There is nothing to do
>> +   echo "OK"
>> +}
>> +
>> +case "$1" in
>> +   start)
>> +      start
>> +      ;;
>> +   stop)
>> +      stop
>> +      ;;
>> +   *)
>> +      echo "Usage: $0 {start|stop}"
>> +      exit 1
>> +      ;;
>> +esac
>> +
>> +exit $?
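Review bot: The status probe in start() still reads `/selinux/enforce`, the legacy mountpoint, even though relabel_selinux() writes `/sys/fs/selinux/enforce` and the changelog says the script was moved to the new path; on a kernel that mounts selinuxfs under /sys/fs the `-e` test never succeeds, SELINUX_STATE stays empty, and since nothing reads it afterwards the whole block is dead code. Either drop it or make it consistent, `if [ -e /sys/fs/selinux/enforce ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]` with `SELINUX_STATE=$(cat /sys/fs/selinux/enforce)`, and then act on the value, for instance by logging that the relabel path is about to switch an enforcing system to permissive. Two smaller points: `==` inside `[ ]` in start() is a bashism under `#!/bin/sh` (`=` is the POSIX form), and `[ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]` breaks with "too many arguments" as soon as more than one policy.NN file exists. The script sources /etc/selinux/config but only consumes SELINUXTYPE, never SELINUX; `load_policy -i` may apply the enforcing mode from that file itself, but this is worth confirming on the target since BR2_PACKAGE_REFPOLICY_STATE is presumably what ends up there.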
>> diff --git a/package/refpolicy/booleans.conf b/package/refpolicy/booleans.conf
>> new file mode 100644
>> index 0000000..31c70b9
>> --- /dev/null
>> +++ b/package/refpolicy/booleans.conf
>> @@ -0,0 +1,1278 @@
>> +#
>> +# Disable kernel module loading.
>> +#
>> +secure_mode_insmod = false
>> +
>> +#
>> +# Boolean to determine whether the system permits loading policy, setting
>> +# enforcing mode, and changing boolean values.  Set this to true and you
>> +# have to reboot to set it back.
>> +#
>> +secure_mode_policyload = false
>> +
>> +#
>> +# Enabling secure mode disallows programs, such as
>> +# newrole, from transitioning to administrative
>> +# user domains.
>> +#
>> +secure_mode = false
>> +
>> +#
>> +# Control users use of ping and traceroute
>> +#
>> +user_ping = false
>> +
>> +#
>> +# Determine whether ABRT can modify
>> +# public files used for public file
>> +# transfer services.
>> +#
>> +abrt_anon_write = false
>> +
>> +#
>> +# Determine whether abrt-handle-upload
>> +# can modify public files used for public file
>> +# transfer services in /var/spool/abrt-upload/.
>> +#
>> +abrt_upload_watch_anon_write = true
>> +
>> +#
>> +# Determine whether ABRT can run in
>> +# the abrt_handle_event_t domain to
>> +# handle ABRT event scripts.
>> +#
>> +abrt_handle_event = false
>> +
>> +#
>> +# Determine whether amavis can
>> +# use JIT compiler.
>> +#
>> +amavis_use_jit = false
>> +
>> +#
>> +# Determine whether httpd can modify
>> +# public files used for public file
>> +# transfer services. Directories/Files must
>> +# be labeled public_content_rw_t.
>> +#
>> +allow_httpd_anon_write = false
>> +
>> +#
>> +# Determine whether httpd can use mod_auth_pam.
>> +#
>> +allow_httpd_mod_auth_pam = false
>> +
>> +#
>> +# Determine whether httpd can use built in scripting.
>> +#
>> +httpd_builtin_scripting = false
>> +
>> +#
>> +# Determine whether httpd can check spam.
>> +#
>> +httpd_can_check_spam = false
>> +
>> +#
>> +# Determine whether httpd scripts and modules
>> +# can connect to the network using TCP.
>> +#
>> +httpd_can_network_connect = true
>> +
>> +#
>> +# Determine whether httpd scripts and modules
>> +# can connect to cobbler over the network.
>> +#
>> +httpd_can_network_connect_cobbler = false
>> +
>> +#
>> +# Determine whether scripts and modules can
>> +# connect to databases over the network.
>> +#
>> +httpd_can_network_connect_db = false
>> +
>> +#
>> +# Determine whether httpd can connect to
>> +# ldap over the network.
>> +#
>> +httpd_can_network_connect_ldap = false
>> +
>> +#
>> +# Determine whether httpd can connect
>> +# to memcache server over the network.
>> +#
>> +httpd_can_network_connect_memcache = false
>> +
>> +#
>> +# Determine whether httpd can act as a relay.
>> +#
>> +httpd_can_network_relay = false
>> +
>> +#
>> +# Determine whether httpd daemon can
>> +# connect to zabbix over the network.
>> +#
>> +httpd_can_network_connect_zabbix = false
>> +
>> +#
>> +# Determine whether httpd can send mail.
>> +#
>> +httpd_can_sendmail = false
>> +
>> +#
>> +# Determine whether httpd can communicate
>> +# with avahi service via dbus.
>> +#
>> +httpd_dbus_avahi = false
>> +
>> +#
>> +# Determine wether httpd can use support.
>> +#
>> +httpd_enable_cgi = false
>> +
>> +#
>> +# Determine whether httpd can act as a
>> +# FTP server by listening on the ftp port.
>> +#
>> +httpd_enable_ftp_server = false
>> +
>> +#
>> +# Determine whether httpd can traverse
>> +# user home directories.
>> +#
>> +httpd_enable_homedirs = false
>> +
>> +#
>> +# Determine whether httpd gpg can modify
>> +# public files used for public file
>> +# transfer services. Directories/Files must
>> +# be labeled public_content_rw_t.
>> +#
>> +httpd_gpg_anon_write = false
>> +
>> +#
>> +# Determine whether httpd can execute
>> +# its temporary content.
>> +#
>> +httpd_tmp_exec = false
>> +
>> +#
>> +# Determine whether httpd scripts and
>> +# modules can use execmem and execstack.
>> +#
>> +httpd_execmem = true
>> +
>> +#
>> +# Determine whether httpd can connect
>> +# to port 80 for graceful shutdown.
>> +#
>> +httpd_graceful_shutdown = false
>> +
>> +#
>> +# Determine whether httpd can
>> +# manage IPA content files.
>> +#
>> +httpd_manage_ipa = false
>> +
>> +#
>> +# Determine whether httpd can use mod_auth_ntlm_winbind.
>> +#
>> +httpd_mod_auth_ntlm_winbind = false
>> +
>> +#
>> +# Determine whether httpd can read
>> +# generic user home content files.
>> +#
>> +httpd_read_user_content = true
>> +
>> +#
>> +# Determine whether httpd can change
>> +# its resource limits.
>> +#
>> +httpd_setrlimit = false
>> +
>> +#
>> +# Determine whether httpd can run
>> +# SSI executables in the same domain
>> +# as system CGI scripts.
>> +#
>> +httpd_ssi_exec = false
>> +
>> +#
>> +# Determine whether httpd can communicate
>> +# with the terminal. Needed for entering the
>> +# passphrase for certificates at the terminal.
>> +#
>> +httpd_tty_comm = false
>> +
>> +#
>> +# Determine whether httpd can have full access
>> +# to its content types.
>> +#
>> +httpd_unified = false
>> +
>> +#
>> +# Determine whether httpd can use
>> +# cifs file systems.
>> +#
>> +httpd_use_cifs = false
>> +
>> +#
>> +# Determine whether httpd can
>> +# use fuse file systems.
>> +#
>> +httpd_use_fusefs = false
>> +
>> +#
>> +# Determine whether httpd can use gpg.
>> +#
>> +httpd_use_gpg = false
>> +
>> +#
>> +# Determine whether httpd can use
>> +# nfs file systems.
>> +#
>> +httpd_use_nfs = false
>> +
>> +#
>> +# Determine whether awstats can
>> +# purge httpd log files.
>> +#
>> +awstats_purge_apache_log_files = false
>> +
>> +#
>> +# Determine whether Bind can bind tcp socket to http ports.
>> +#
>> +named_tcp_bind_http_port = false
>> +
>> +#
>> +# Determine whether Bind can write to master zone files.
>> +# Generally this is used for dynamic DNS or zone transfers.
>> +#
>> +named_write_master_zones = false
>> +
>> +#
>> +# Determine whether boinc can execmem/execstack.
>> +#
>> +boinc_execmem = true
>> +
>> +#
>> +# Determine whether cdrecord can read
>> +# various content. nfs, samba, removable
>> +# devices, user temp and untrusted
>> +# content files
>> +#
>> +cdrecord_read_content = false
>> +
>> +#
>> +# Determine whether clamscan can
>> +# read user content files.
>> +#
>> +clamav_read_user_content_files_clamscan = false
>> +
>> +#
>> +# Determine whether clamscan can read
>> +# all non-security files.
>> +#
>> +clamav_read_all_non_security_files_clamscan = false
>> +
>> +#
>> +# Determine whether can clamd use JIT compiler.
>> +#
>> +clamd_use_jit = false
>> +
>> +#
>> +# Determine whether Cobbler can modify
>> +# public files used for public file
>> +# transfer services.
>> +#
>> +cobbler_anon_write = false
>> +
>> +#
>> +# Determine whether Cobbler can connect
>> +# to the network using TCP.
>> +#
>> +cobbler_can_network_connect = false
>> +
>> +#
>> +# Determine whether Cobbler can access
>> +# cifs file systems.
>> +#
>> +cobbler_use_cifs = false
>> +
>> +#
>> +# Determine whether Cobbler can access
>> +# nfs file systems.
>> +#
>> +cobbler_use_nfs = false
>> +
>> +#
>> +# Determine whether collectd can connect
>> +# to the network using TCP.
>> +#
>> +collectd_tcp_network_connect = false
>> +
>> +#
>> +# Determine whether Condor can connect
>> +# to the network using TCP.
>> +#
>> +condor_tcp_network_connect = false
>> +
>> +#
>> +# Determine whether system cron jobs
>> +# can relabel filesystem for
>> +# restoring file contexts.
>> +#
>> +cron_can_relabel = false
>> +
>> +#
>> +# Determine whether crond can execute jobs
>> +# in the user domain as opposed to the
>> +# the generic cronjob domain.
>> +#
>> +cron_userdomain_transition = false
>> +
>> +#
>> +# Determine whether extra rules
>> +# should be enabled to support fcron.
>> +#
>> +fcron_crond = false
>> +
>> +#
>> +# Determine whether cvs can read shadow
>> +# password files.
>> +#
>> +allow_cvs_read_shadow = false
>> +
>> +#
>> +# Determine whether dbadm can manage
>> +# generic user files.
>> +#
>> +dbadm_manage_user_files = false
>> +
>> +#
>> +# Determine whether dbadm can read
>> +# generic user files.
>> +#
>> +dbadm_read_user_files = false
>> +
>> +#
>> +# Determine whether DHCP daemon
>> +# can use LDAP backends.
>> +#
>> +dhcpd_use_ldap = false
>> +
>> +#
>> +# Determine whether entropyd can use
>> +# audio devices as the source for
>> +# the entropy feeds.
>> +#
>> +entropyd_use_audio = false
>> +
>> +#
>> +# Determine whether exim can connect to
>> +# databases.
>> +#
>> +exim_can_connect_db = false
>> +
>> +#
>> +# Determine whether exim can read generic
>> +# user content files.
>> +#
>> +exim_read_user_files = false
>> +
>> +#
>> +# Determine whether exim can create,
>> +# read, write, and delete generic user
>> +# content files.
>> +#
>> +exim_manage_user_files = false
>> +
>> +#
>> +# Determine whether ftpd can modify
>> +# public files used for public file
>> +# transfer services. Directories/Files must
>> +# be labeled public_content_rw_t.
>> +#
>> +allow_ftpd_anon_write = false
>> +
>> +#
>> +# Determine whether ftpd can login to
>> +# local users and can read and write
>> +# all files on the system, governed by DAC.
>> +#
>> +allow_ftpd_full_access = false
>> +
>> +#
>> +# Determine whether ftpd can use CIFS
>> +# used for public file transfer services.
>> +#
>> +allow_ftpd_use_cifs = false
>> +
>> +#
>> +# Determine whether ftpd can use NFS
>> +# used for public file transfer services.
>> +#
>> +allow_ftpd_use_nfs = false
>> +
>> +#
>> +# Determine whether ftpd can connect to
>> +# databases over the TCP network.
>> +#
>> +ftpd_connect_db = false
>> +
>> +#
>> +# Determine whether ftpd can bind to all
>> +# unreserved ports for passive mode.
>> +#
>> +ftpd_use_passive_mode = false
>> +
>> +#
>> +# Determine whether ftpd can connect to
>> +# all unreserved ports.
>> +#
>> +ftpd_connect_all_unreserved = false
>> +
>> +#
>> +# Determine whether ftpd can read and write
>> +# files in user home directories.
>> +#
>> +ftp_home_dir = false
>> +
>> +#
>> +# Determine whether sftpd can modify
>> +# public files used for public file
>> +# transfer services. Directories/Files must
>> +# be labeled public_content_rw_t.
>> +#
>> +sftpd_anon_write = false
>> +
>> +#
>> +# Determine whether sftpd-can read and write
>> +# files in user home directories.
>> +#
>> +sftpd_enable_homedirs = false
>> +
>> +#
>> +# Determine whether sftpd-can login to
>> +# local users and read and write all
>> +# files on the system, governed by DAC.
>> +#
>> +sftpd_full_access = false
>> +
>> +#
>> +# Determine whether sftpd can read and write
>> +# files in user ssh home directories.
>> +#
>> +sftpd_write_ssh_home = false
>> +
>> +#
>> +# Determine whether Git CGI
>> +# can search home directories.
>> +#
>> +git_cgi_enable_homedirs = false
>> +
>> +#
>> +# Determine whether Git CGI
>> +# can access cifs file systems.
>> +#
>> +git_cgi_use_cifs = false
>> +
>> +#
>> +# Determine whether Git CGI
>> +# can access nfs file systems.
>> +#
>> +git_cgi_use_nfs = false
>> +
>> +#
>> +# Determine whether Git session daemon
>> +# can bind TCP sockets to all
>> +# unreserved ports.
>> +#
>> +git_session_bind_all_unreserved_ports = false
>> +
>> +#
>> +# Determine whether calling user domains
>> +# can execute Git daemon in the
>> +# git_session_t domain.
>> +#
>> +git_session_users = false
>> +
>> +#
>> +# Determine whether Git session daemons
>> +# can send syslog messages.
>> +#
>> +git_session_send_syslog_msg = false
>> +
>> +#
>> +# Determine whether Git system daemon
>> +# can search home directories.
>> +#
>> +git_system_enable_homedirs = false
>> +
>> +#
>> +# Determine whether Git system daemon
>> +# can access cifs file systems.
>> +#
>> +git_system_use_cifs = false
>> +
>> +#
>> +# Determine whether Git system daemon
>> +# can access nfs file systems.
>> +#
>> +git_system_use_nfs = false
>> +
>> +#
>> +# Determine whether Gitosis can send mail.
>> +#
>> +gitosis_can_sendmail = false
>> +
>> +#
>> +# Determine whether GPG agent can manage
>> +# generic user home content files. This is
>> +# required by the --write-env-file option.
>> +#
>> +gpg_agent_env_file = false
>> +
>> +#
>> +# Determine whether icecast can listen
>> +# on and connect to any TCP port.
>> +#
>> +icecast_use_any_tcp_ports = false
>> +
>> +#
>> +# Determine whether irc clients can
>> +# listen on and connect to any
>> +# unreserved TCP ports.
>> +#
>> +irc_use_any_tcp_ports = false
>> +
>> +#
>> +# Determine whether java can make
>> +# its stack executable.
>> +#
>> +allow_java_execstack = false
>> +
>> +#
>> +# Determine whether kerberos is supported.
>> +#
>> +allow_kerberos = false
>> +
>> +#
>> +# Determine whether logwatch can connect
>> +# to mail over the network.
>> +#
>> +logwatch_can_network_connect_mail = false
>> +
>> +#
>> +# Determine whether to support lpd server.
>> +#
>> +use_lpd_server = false
>> +
>> +#
>> +# Determine whether mcelog supports
>> +# client mode.
>> +#
>> +mcelog_client = false
>> +
>> +#
>> +# Determine whether mcelog can execute scripts.
>> +#
>> +mcelog_exec_scripts = true
>> +
>> +#
>> +# Determine whether mcelog can use all
>> +# the user ttys.
>> +#
>> +mcelog_foreground = false
>> +
>> +#
>> +# Determine whether mcelog supports
>> +# server mode.
>> +#
>> +mcelog_server = false
>> +
>> +#
>> +# Determine whether mcelog can use syslog.
>> +#
>> +mcelog_syslog = false
>> +
>> +#
>> +# Determine whether minidlna can read generic user content.
>> +#
>> +minidlna_read_generic_user_content = false
>> +
>> +#
>> +# Determine whether mozilla can
>> +# make its stack executable.
>> +#
>> +mozilla_execstack = false
>> +
>> +#
>> +# Determine whether mpd can traverse
>> +# user home directories.
>> +#
>> +mpd_enable_homedirs = false
>> +
>> +#
>> +# Determine whether mpd can use
>> +# cifs file systems.
>> +#
>> +mpd_use_cifs = false
>> +
>> +#
>> +# Determine whether mpd can use
>> +# nfs file systems.
>> +#
>> +mpd_use_nfs = false
>> +
>> +#
>> +# Determine whether mplayer can make
>> +# its stack executable.
>> +#
>> +allow_mplayer_execstack = false
>> +
>> +#
>> +# Determine whether mysqld can
>> +# connect to all TCP ports.
>> +#
>> +mysql_connect_any = false
>> +
>> +#
>> +# Determine whether confined applications
>> +# can use nscd shared memory.
>> +#
>> +nscd_use_shm = false
>> +
>> +#
>> +# Determine whether openvpn can
>> +# read generic user home content files.
>> +#
>> +openvpn_enable_homedirs = false
>> +
>> +#
>> +# Determine whether openvpn can
>> +# connect to the TCP network.
>> +#
>> +openvpn_can_network_connect = false
>> +
>> +#
>> +# Determine whether Polipo system
>> +# daemon can access CIFS file systems.
>> +#
>> +polipo_system_use_cifs = false
>> +
>> +#
>> +# Determine whether Polipo system
>> +# daemon can access NFS file systems.
>> +#
>> +polipo_system_use_nfs = false
>> +
>> +#
>> +# Determine whether calling user domains
>> +# can execute Polipo daemon in the
>> +# polipo_session_t domain.
>> +#
>> +polipo_session_users = false
>> +
>> +#
>> +# Determine whether Polipo session daemon
>> +# can send syslog messages.
>> +#
>> +polipo_session_send_syslog_msg = false
>> +
>> +#
>> +# Determine whether portage can
>> +# use nfs filesystems.
>> +#
>> +portage_use_nfs = false
>> +
>> +#
>> +# Determine whether postfix local
>> +# can manage mail spool content.
>> +#
>> +postfix_local_write_mail_spool = true
>> +
>> +#
>> +# Determine whether pppd can
>> +# load kernel modules.
>> +#
>> +pppd_can_insmod = false
>> +
>> +#
>> +# Determine whether common users can
>> +# run pppd with a domain transition.
>> +#
>> +pppd_for_user = false
>> +
>> +#
>> +# Determine whether privoxy can
>> +# connect to all tcp ports.
>> +#
>> +privoxy_connect_any = false
>> +
>> +#
>> +# Determine whether puppet can
>> +# manage all non-security files.
>> +#
>> +puppet_manage_all_files = false
>> +
>> +#
>> +# Determine whether qemu has full
>> +# access to the network.
>> +#
>> +qemu_full_network = false
>> +
>> +#
>> +# Determine whether rgmanager can
>> +# connect to the network using TCP.
>> +#
>> +rgmanager_can_network_connect = false
>> +
>> +#
>> +# Determine whether fenced can
>> +# connect to the TCP network.
>> +#
>> +fenced_can_network_connect = false
>> +
>> +#
>> +# Determine whether fenced can use ssh.
>> +#
>> +fenced_can_ssh = false
>> +
>> +#
>> +# Determine whether gssd can read
>> +# generic user temporary content.
>> +#
>> +allow_gssd_read_tmp = false
>> +
>> +#
>> +# Determine whether gssd can write
>> +# generic user temporary content.
>> +#
>> +allow_gssd_write_tmp = false
>> +
>> +#
>> +# Determine whether nfs can modify
>> +# public files used for public file
>> +# transfer services. Directories/Files must
>> +# be labeled public_content_rw_t.
>> +#
>> +allow_nfsd_anon_write = false
>> +
>> +#
>> +# Determine whether rsync can use
>> +# cifs file systems.
>> +#
>> +rsync_use_cifs = false
>> +
>> +#
>> +# Determine whether rsync can
>> +# use fuse file systems.
>> +#
>> +rsync_use_fusefs = false
>> +
>> +#
>> +# Determine whether rsync can use
>> +# nfs file systems.
>> +#
>> +rsync_use_nfs = false
>> +
>> +#
>> +# Determine whether rsync can
>> +# run as a client
>> +#
>> +rsync_client = false
>> +
>> +#
>> +# Determine whether rsync can
>> +# export all content read only.
>> +#
>> +rsync_export_all_ro = false
>> +
>> +#
>> +# Determine whether rsync can modify
>> +# public files used for public file
>> +# transfer services. Directories/Files must
>> +# be labeled public_content_rw_t.
>> +#
>> +allow_rsync_anon_write = false
>> +
>> +#
>> +# Determine whether samba can modify
>> +# public files used for public file
>> +# transfer services. Directories/Files must
>> +# be labeled public_content_rw_t.
>> +#
>> +allow_smbd_anon_write = false
>> +
>> +#
>> +# Determine whether samba can
>> +# create home directories via pam.
>> +#
>> +samba_create_home_dirs = false
>> +
>> +#
>> +# Determine whether samba can act as the
>> +# domain controller, add users, groups
>> +# and change passwords.
>> +#
>> +samba_domain_controller = false
>> +
>> +#
>> +# Determine whether samba can
>> +# act as a portmapper.
>> +#
>> +samba_portmapper = false
>> +
>> +#
>> +# Determine whether samba can share
>> +# users home directories.
>> +#
>> +samba_enable_home_dirs = false
>> +
>> +#
>> +# Determine whether samba can share
>> +# any content read only.
>> +#
>> +samba_export_all_ro = false
>> +
>> +#
>> +# Determine whether samba can share any
>> +# content readable and writable.
>> +#
>> +samba_export_all_rw = false
>> +
>> +#
>> +# Determine whether samba can
>> +# run unconfined scripts.
>> +#
>> +samba_run_unconfined = false
>> +
>> +#
>> +# Determine whether samba can
>> +# use nfs file systems.
>> +#
>> +samba_share_nfs = false
>> +
>> +#
>> +# Determine whether samba can
>> +# use fuse file systems.
>> +#
>> +samba_share_fusefs = false
>> +
>> +#
>> +# Determine whether sanlock can use
>> +# nfs file systems.
>> +#
>> +sanlock_use_nfs = false
>> +
>> +#
>> +# Determine whether sanlock can use
>> +# cifs file systems.
>> +#
>> +sanlock_use_samba = false
>> +
>> +#
>> +# Determine whether sasl can
>> +# read shadow files.
>> +#
>> +allow_saslauthd_read_shadow = false
>> +
>> +#
>> +# Determine whether smartmon can support
>> +# devices on 3ware controllers.
>> +#
>> +smartmon_3ware = false
>> +
>> +#
>> +# Determine whether spamassassin
>> +# clients can use the network.
>> +#
>> +spamassassin_can_network = false
>> +
>> +#
>> +# Determine whether spamd can manage
>> +# generic user home content.
>> +#
>> +spamd_enable_home_dirs = false
>> +
>> +#
>> +# Determine whether squid can
>> +# connect to all TCP ports.
>> +#
>> +squid_connect_any = false
>> +
>> +#
>> +# Determine whether squid can run
>> +# as a transparent proxy.
>> +#
>> +squid_use_tproxy = false
>> +
>> +#
>> +# Determine whether telepathy connection
>> +# managers can connect to generic tcp ports.
>> +#
>> +telepathy_tcp_connect_generic_network_ports = false
>> +
>> +#
>> +# Determine whether telepathy connection
>> +# managers can connect to any port.
>> +#
>> +telepathy_connect_all_ports = false
>> +
>> +#
>> +# Determine whether tftp can modify
>> +# public files used for public file
>> +# transfer services. Directories/Files must
>> +# be labeled public_content_rw_t.
>> +#
>> +tftp_anon_write = false
>> +
>> +#
>> +# Determine whether tftp can manage
>> +# generic user home content.
>> +#
>> +tftp_enable_homedir = false
>> +
>> +#
>> +# Determine whether tor can bind
>> +# tcp sockets to all unreserved ports.
>> +#
>> +tor_bind_all_unreserved_ports = false
>> +
>> +#
>> +# Determine whether varnishd can
>> +# use the full TCP network.
>> +#
>> +varnishd_connect_any = false
>> +
>> +#
>> +# Determine whether attempts by
>> +# vbetool to mmap low regions should
>> +# be silently blocked.
>> +#
>> +vbetool_mmap_zero_ignore = false
>> +
>> +#
>> +# Determine whether confined virtual guests
>> +# can use serial/parallel communication ports.
>> +#
>> +virt_use_comm = false
>> +
>> +#
>> +# Determine whether confined virtual guests
>> +# can use executable memory and can make
>> +# their stack executable.
>> +#
>> +virt_use_execmem = false
>> +
>> +#
>> +# Determine whether confined virtual guests
>> +# can use fuse file systems.
>> +#
>> +virt_use_fusefs = false
>> +
>> +#
>> +# Determine whether confined virtual guests
>> +# can use nfs file systems.
>> +#
>> +virt_use_nfs = false
>> +
>> +#
>> +# Determine whether confined virtual guests
>> +# can use cifs file systems.
>> +#
>> +virt_use_samba = false
>> +
>> +#
>> +# Determine whether confined virtual guests
>> +# can manage device configuration.
>> +#
>> +virt_use_sysfs = false
>> +
>> +#
>> +# Determine whether confined virtual guests
>> +# can use usb devices.
>> +#
>> +virt_use_usb = false
>> +
>> +#
>> +# Determine whether confined virtual guests
>> +# can interact with xserver.
>> +#
>> +virt_use_xserver = false
>> +
>> +#
>> +# Determine whether confined virtual guests
>> +# can use vfio for pci device pass through (vt-d).
>> +#
>> +virt_use_vfio = false
>> +
>> +#
>> +# Determine whether webadm can
>> +# manage generic user files.
>> +#
>> +webadm_manage_user_files = false
>> +
>> +#
>> +# Determine whether webadm can
>> +# read generic user files.
>> +#
>> +webadm_read_user_files = false
>> +
>> +#
>> +# Determine whether attempts by
>> +# wine to mmap low regions should
>> +# be silently blocked.
>> +#
>> +wine_mmap_zero_ignore = false
>> +
>> +#
>> +# Determine whether xend can
>> +# run blktapctrl and tapdisk.
>> +#
>> +xend_run_blktap = false
>> +
>> +#
>> +# Determine whether xen can
>> +# use fusefs file systems.
>> +#
>> +xen_use_fusefs = false
>> +
>> +#
>> +# Determine whether xen can
>> +# use nfs file systems.
>> +#
>> +xen_use_nfs = false
>> +
>> +#
>> +# Determine whether xen can
>> +# use samba file systems.
>> +#
>> +xen_use_samba = false
>> +
>> +#
>> +# Determine whether xguest can
>> +# mount removable media.
>> +#
>> +xguest_mount_media = false
>> +
>> +#
>> +# Determine whether xguest can
>> +# configure network manager.
>> +#
>> +xguest_connect_network = false
>> +
>> +#
>> +# Determine whether xguest can
>> +# use blue tooth devices.
>> +#
>> +xguest_use_bluetooth = false
>> +
>> +#
>> +# Determine whether zabbix can
>> +# connect to all TCP ports
>> +#
>> +zabbix_can_network = false
>> +
>> +#
>> +# Determine whether zebra daemon can
>> +# manage its configuration files.
>> +#
>> +allow_zebra_write_config = false
>> +
>> +#
>> +# Control the ability to mmap a low area of the address space,
>> +# as configured by /proc/sys/kernel/mmap_min_addr.
>> +#
>> +mmap_low_allowed = false
>> +
>> +#
>> +# Allow sysadm to debug or ptrace all processes.
>> +#
>> +allow_ptrace = false
>> +
>> +#
>> +# Allow unprived users to execute DDL statement
>> +#
>> +sepgsql_enable_users_ddl = false
>> +
>> +#
>> +# Allow transmit client label to foreign database
>> +#
>> +sepgsql_transmit_client_label = false
>> +
>> +#
>> +# Allow database admins to execute DML statement
>> +#
>> +sepgsql_unconfined_dbadm = false
>> +
>> +#
>> +# allow host key based authentication
>> +#
>> +allow_ssh_keysign = false
>> +
>> +#
>> +# Allow ssh logins as sysadm_r:sysadm_t
>> +#
>> +ssh_sysadm_login = false
>> +
>> +#
>> +# Allow ssh to use gpg-agent
>> +#
>> +ssh_use_gpg_agent = false
>> +
>> +#
>> +# Allows clients to write to the X server shared
>> +# memory segments.
>> +#
>> +allow_write_xshm = false
>> +
>> +#
>> +# Allow xdm logins as sysadm
>> +#
>> +xdm_sysadm_login = false
>> +
>> +#
>> +# Support X userspace object manager
>> +#
>> +xserver_object_manager = false
>> +
>> +#
>> +# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
>> +#
>> +authlogin_nsswitch_use_ldap = false
>> +
>> +#
>> +# Enable support for upstart as the init program.
>> +#
>> +init_upstart = false
>> +
>> +#
>> +# Allow racoon to read shadow
>> +#
>> +racoon_read_shadow = false
>> +
>> +#
>> +# Allow the mount command to mount any directory or file.
>> +#
>> +allow_mount_anyfile = false
>> +
>> +#
>> +# Enable support for systemd-tmpfiles to manage all non-security files.
>> +#
>> +systemd_tmpfiles_manage_all = false
>> +
>> +#
>> +# Allow users to connect to mysql
>> +#
>> +allow_user_mysql_connect = false
>> +
>> +#
>> +# Allow users to connect to PostgreSQL
>> +#
>> +allow_user_postgresql_connect = false
>> +
>> +#
>> +# Allow regular users direct mouse access
>> +#
>> +user_direct_mouse = false
>> +
>> +#
>> +# Allow users to read system messages.
>> +#
>> +user_dmesg = false
>> +
>> +#
>> +# Allow user to r/w files on filesystems
>> +# that do not have extended attributes (FAT, CDROM, FLOPPY)
>> +#
>> +user_rw_noexattrfile = false
>> +
>> +#
>> +# Allow w to display everyone
>> +#
>> +user_ttyfile_stat = false
>> +
>> +#
>> +# Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
>> +#
>> +allow_execheap = false
>> +
>> +#
>> +# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
>> +#
>> +allow_execmem = false
>> +
>> +#
>> +# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
>> +#
>> +allow_execmod = false
>> +
>> +#
>> +# Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
>> +#
>> +allow_execstack = false
>> +
>> +#
>> +# Enable polyinstantiated directory support.
>> +#
>> +allow_polyinstantiation = false
>> +
>> +#
>> +# Allow system to run with NIS
>> +#
>> +allow_ypbind = false
>> +
>> +#
>> +# Allow logging in and using the system from /dev/console.
>> +#
>> +console_login = true
>> +
>> +#
>> +# Enable reading of urandom for all domains.
>> +#
>> +#
>> +#
>> +#
>> +# This should be enabled when all programs
>> +# are compiled with ProPolice/SSP
>> +# stack smashing protection.  All domains will
>> +# be allowed to read from /dev/urandom.
>> +#
>> +global_ssp = false
>> +
>> +#
>> +# Allow email client to various content.
>> +# nfs, samba, removable devices, and user temp
>> +# files
>> +#
>> +mail_read_content = false
>> +
>> +#
>> +# Allow any files/directories to be exported read/write via NFS.
>> +#
>> +nfs_export_all_rw = false
>> +
>> +#
>> +# Allow any files/directories to be exported read/only via NFS.
>> +#
>> +nfs_export_all_ro = false
>> +
>> +#
>> +# Support NFS home directories
>> +#
>> +use_nfs_home_dirs = false
>> +
>> +#
>> +# Support SAMBA home directories
>> +#
>> +use_samba_home_dirs = false
>> +
>> +#
>> +# Allow users to run TCP servers (bind to ports and accept connection from
>> +# the same domain and outside users)  disabling this forces FTP passive mode
>> +# and may change other protocols.
>> +#
>> +user_tcp_server = false
>> +
>> diff --git a/package/refpolicy/config b/package/refpolicy/config
>> new file mode 100644
>> index 0000000..5eee807
>> --- /dev/null
>> +++ b/package/refpolicy/config
>> @@ -0,0 +1,8 @@
>> +# This file controls the state of SELinux on the system.
>> +# SELINUX= can take one of these three values:
>> +#     enforcing - SELinux security policy is enforced.
>> +#     permissive - SELinux prints warnings instead of enforcing.
>> +#     disabled - No SELinux policy is loaded.
>> +SELINUX=permissive
>> +# SELINUXTYPE= name of the selinux policy to use
>> +SELINUXTYPE=refpolicy
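Review bot: Both values in this file are placeholders: REFPOLICY_INSTALL_TARGET_CMDS in refpolicy.mk installs it and then rewrites `SELINUX=` from BR2_PACKAGE_REFPOLICY_STATE and `SELINUXTYPE=` from BR2_PACKAGE_REFPOLICY_NAME, so editing `SELINUX=permissive` here has no effect on the target. A comment stating that, e.g. `# SELINUX and SELINUXTYPE are rewritten at install time from the BR2_PACKAGE_REFPOLICY_* options`, would keep the next reader from changing the wrong file when they want a different enforcement state.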
>> diff --git a/package/refpolicy/modules.conf b/package/refpolicy/modules.conf
>> new file mode 100644
>> index 0000000..2304dc4
>> --- /dev/null
>> +++ b/package/refpolicy/modules.conf
>> @@ -0,0 +1,430 @@
>> +#
>> +# This file contains a listing of available modules.
>> +# To prevent a module from  being used in policy
>> +# creation, set the module name to "off".
>> +#
>> +# For monolithic policies, modules set to "base" and "module"
>> +# will be built into the policy.
>> +#
>> +# For modular policies, modules set to "base" will be
>> +# included in the base module.  "module" will be compiled
>> +# as individual loadable modules.
>> +#
>> +
>> +# Layer: kernel
>> +# Module: corecommands
>> +# Required in base
>> +#
>> +# Core policy for shells, and generic programs
>> +# in /bin, /sbin, /usr/bin, and /usr/sbin.
>> +#
>> +corecommands = base
>> +
>> +# Layer: kernel
>> +# Module: corenetwork
>> +# Required in base
>> +#
>> +# Policy controlling access to network objects
>> +#
>> +corenetwork = base
>> +
>> +# Layer: kernel
>> +# Module: devices
>> +# Required in base
>> +#
>> +# Device nodes and interfaces for many basic system devices.
>> +#
>> +devices = base
>> +
>> +# Layer: kernel
>> +# Module: domain
>> +# Required in base
>> +#
>> +# Core policy for domains.
>> +#
>> +domain = base
>> +
>> +# Layer: kernel
>> +# Module: files
>> +# Required in base
>> +#
>> +# Basic filesystem types and interfaces.
>> +#
>> +files = base
>> +
>> +# Layer: kernel
>> +# Module: alsa
>> +# Required in base
>> +#
>> +# alsa types and interfaces.
>> +#
>> +alsa = base
>> +
>> +# Layer: kernel
>> +# Module: mta
>> +# Required in base
>> +#
>> +# mta types and interfaces.
>> +#
>> +mta = base
>> +
>> +# Layer: kernel
>> +# Module: apache
>> +# Required in base
>> +#
>> +# apache types and interfaces.
>> +#
>> +apache = base
>> +
>> +# Layer: kernel
>> +# Module: filesystem
>> +# Required in base
>> +#
>> +# Policy for filesystems.
>> +#
>> +filesystem = base
>> +
>> +# Layer: kernel
>> +# Module: kernel
>> +# Required in base
>> +#
>> +# Policy for kernel threads, proc filesystem,
>> +# and unlabeled processes and objects.
>> +#
>> +kernel = base
>> +
>> +# Layer: kernel
>> +# Module: mcs
>> +# Required in base
>> +#
>> +# Multicategory security policy
>> +#
>> +mcs = base
>> +
>> +# Layer: kernel
>> +# Module: mls
>> +# Required in base
>> +#
>> +# Multilevel security policy
>> +#
>> +mls = base
>> +
>> +# Layer: kernel
>> +# Module: selinux
>> +# Required in base
>> +#
>> +# Policy for kernel security interface, in particular, selinuxfs.
>> +#
>> +selinux = base
>> +
>> +# Layer: kernel
>> +# Module: terminal
>> +# Required in base
>> +#
>> +# Policy for terminals.
>> +#
>> +terminal = base
>> +
>> +# Layer: kernel
>> +# Module: ubac
>> +# Required in base
>> +#
>> +# User-based access control policy
>> +#
>> +ubac = base
>> +
>> +# Layer: admin
>> +# Module: bootloader
>> +#
>> +# Policy for the kernel modules, kernel image, and bootloader.
>> +#
>> +bootloader = module
>> +
>> +# Layer: admin
>> +# Module: consoletype
>> +#
>> +# Determine of the console connected to the controlling terminal.
>> +#
>> +consoletype = module
>> +
>> +# Layer: admin
>> +# Module: dmesg
>> +#
>> +# Policy for dmesg.
>> +#
>> +dmesg = module
>> +
>> +# Layer: admin
>> +# Module: netutils
>> +#
>> +# Network analysis utilities
>> +#
>> +netutils = module
>> +
>> +# Layer: admin
>> +# Module: su
>> +#
>> +# Run shells with substitute user and group
>> +#
>> +su = module
>> +
>> +# Layer: admin
>> +# Module: sudo
>> +#
>> +# Execute a command with a substitute user
>> +#
>> +sudo = module
>> +
>> +# Layer: admin
>> +# Module: usermanage
>> +#
>> +# Policy for managing user accounts.
>> +#
>> +usermanage = module
>> +
>> +# Layer: apps
>> +# Module: seunshare
>> +#
>> +# Filesystem namespacing/polyinstantiation application.
>> +#
>> +seunshare = module
>> +
>> +# Layer: kernel
>> +# Module: storage
>> +#
>> +# Policy controlling access to storage devices
>> +#
>> +storage = module
>> +
>> +# Layer: roles
>> +# Module: auditadm
>> +#
>> +# Audit administrator role
>> +#
>> +auditadm = module
>> +
>> +# Layer: roles
>> +# Module: logadm
>> +#
>> +# Log administrator role
>> +#
>> +logadm = module
>> +
>> +# Layer: roles
>> +# Module: secadm
>> +#
>> +# Security administrator role
>> +#
>> +secadm = module
>> +
>> +# Layer: roles
>> +# Module: staff
>> +#
>> +# Administrator's unprivileged user role
>> +#
>> +staff = module
>> +
>> +# Layer: roles
>> +# Module: sysadm
>> +#
>> +# General system administration role
>> +#
>> +sysadm = module
>> +
>> +# Layer: roles
>> +# Module: unprivuser
>> +#
>> +# Generic unprivileged user role
>> +#
>> +unprivuser = module
>> +
>> +# Layer: services
>> +# Module: postgresql
>> +#
>> +# PostgreSQL relational database
>> +#
>> +postgresql = module
>> +
>> +# Layer: services
>> +# Module: ssh
>> +#
>> +# Secure shell client and server policy.
>> +#
>> +ssh = module
>> +
>> +# Layer: services
>> +# Module: xserver
>> +#
>> +# X Windows Server
>> +#
>> +xserver = module
>> +
>> +# Layer: system
>> +# Module: application
>> +#
>> +# Policy for user executable applications.
>> +#
>> +application = module
>> +
>> +# Layer: system
>> +# Module: authlogin
>> +#
>> +# Common policy for authentication and user login.
>> +#
>> +authlogin = module
>> +
>> +# Layer: system
>> +# Module: clock
>> +#
>> +# Policy for reading and setting the hardware clock.
>> +#
>> +clock = module
>> +
>> +# Layer: system
>> +# Module: fstools
>> +#
>> +# Tools for filesystem management, such as mkfs and fsck.
>> +#
>> +fstools = module
>> +
>> +# Layer: system
>> +# Module: getty
>> +#
>> +# Policy for getty.
>> +#
>> +getty = module
>> +
>> +# Layer: system
>> +# Module: hostname
>> +#
>> +# Policy for changing the system host name.
>> +#
>> +hostname = module
>> +
>> +# Layer: system
>> +# Module: hotplug
>> +#
>> +# Policy for hotplug system, for supporting the
>> +# connection and disconnection of devices at runtime.
>> +#
>> +hotplug = module
>> +
>> +# Layer: system
>> +# Module: init
>> +#
>> +# System initialization programs (init and init scripts).
>> +#
>> +init = module
>> +
>> +# Layer: system
>> +# Module: ipsec
>> +#
>> +# TCP/IP encryption
>> +#
>> +ipsec = module
>> +
>> +# Layer: system
>> +# Module: iptables
>> +#
>> +# Policy for iptables.
>> +#
>> +iptables = module
>> +
>> +# Layer: system
>> +# Module: libraries
>> +#
>> +# Policy for system libraries.
>> +#
>> +libraries = module
>> +
>> +# Layer: system
>> +# Module: locallogin
>> +#
>> +# Policy for local logins.
>> +#
>> +locallogin = module
>> +
>> +# Layer: system
>> +# Module: logging
>> +#
>> +# Policy for the kernel message logger and system logging daemon.
>> +#
>> +logging = module
>> +
>> +# Layer: system
>> +# Module: lvm
>> +#
>> +# Policy for logical volume management programs.
>> +#
>> +lvm = module
>> +
>> +# Layer: system
>> +# Module: miscfiles
>> +#
>> +# Miscelaneous files.
>> +#
>> +miscfiles = module
>> +
>> +# Layer: system
>> +# Module: modutils
>> +#
>> +# Policy for kernel module utilities
>> +#
>> +modutils = module
>> +
>> +# Layer: system
>> +# Module: mount
>> +#
>> +# Policy for mount.
>> +#
>> +mount = module
>> +
>> +# Layer: system
>> +# Module: netlabel
>> +#
>> +# NetLabel/CIPSO labeled networking management
>> +#
>> +netlabel = module
>> +
>> +# Layer: system
>> +# Module: selinuxutil
>> +#
>> +# Policy for SELinux policy and userland applications.
>> +#
>> +selinuxutil = module
>> +
>> +# Layer: system
>> +# Module: setrans
>> +#
>> +# SELinux MLS/MCS label translation service.
>> +#
>> +setrans = module
>> +
>> +# Layer: system
>> +# Module: sysnetwork
>> +#
>> +# Policy for network configuration: ifconfig and dhcp client.
>> +#
>> +sysnetwork = module
>> +
>> +# Layer: system
>> +# Module: udev
>> +#
>> +# Policy for udev.
>> +#
>> +udev = module
>> +
>> +# Layer: system
>> +# Module: unconfined
>> +#
>> +# The unconfined domain.
>> +#
>> +unconfined = module
>> +
>> +# Layer: system
>> +# Module: userdomain
>> +#
>> +# Policy for user domains
>> +#
>> +userdomain = module
>> +
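Review bot: The `# Layer: kernel` / `# Required in base` headers on the alsa, mta and apache entries (between `files = base` and `filesystem = base`) look copy-pasted from the preceding kernel-layer entries; as far as I know these three live in refpolicy's contrib layer and nothing forces them into the base module, so the header misleads anyone trimming this list to reduce the policy's footprint. Suggest `# Layer: contrib` on those three and dropping the `# Required in base` line, or, if they really are forced into base by this build, a comment saying why.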
>> diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
>> new file mode 100644
>> index 0000000..c10de45
>> --- /dev/null
>> +++ b/package/refpolicy/refpolicy.hash
>> @@ -0,0 +1,2 @@
>> +#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
>> +sha256 2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de  refpolicy-2.20151208.tar.bz2
>> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
>> new file mode 100644
>> index 0000000..edfda28
>> --- /dev/null
>> +++ b/package/refpolicy/refpolicy.mk
>> @@ -0,0 +1,118 @@
>> +################################################################################
>> +#
>> +# refpolicy
>> +#
>> +################################################################################
>> +
>> +REFPOLICY_VERSION = 2.20151208
>> +REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
>> +REFPOLICY_SITE = https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files
>> +REFPOLICY_LICENSE = GPLv2
>> +REFPOLICY_LICENSE_FILES = COPYING
>> +
>> +# Cannot use multiple threads to build the reference policy
>> +REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
>> +
>> +REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
>> +       host-setools host-gawk host-python policycoreutils
>> +
>> +REFPOLICY_INSTALL_STAGING = YES
>> +
>> +
>> +# To apply board specific customizations, create a refpolicy folder in
>> +# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
>> +# in package/refpolicy
>> +
>> +# Passing the HOST_CONFIGURE_OPTS to the target build because all of the
>> +# build utilities are expected to be on system. This fools the make files
>> +# into using the host built utilities to compile the SELinux policy for
>> +# the target.
>> +#
>> +# Note, the TEST_TOOLCHAIN option will also set the
>> +# LD_LIBRARY_PATH at run time.
>> +REFPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
>> +       TEST_TOOLCHAIN="$(HOST_DIR)"
>> +
>> +# Build requires python2 to run
>> +REFPOLICY_MAKE_ENV = \
>> +       PYTHON="$(HOST_DIR)/usr/bin/python2" \
>> +       AWK="$(HOST_DIR)/usr/bin/gawk" \
>> +       M4="$(HOST_DIR)/usr/bin/m4"
>> +
>> +
>> +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
>> +REFPOLICY_MONOLITHIC = n
>> +else
>> +REFPOLICY_MONOLITHIC = y
>> +endif
>> +
>> +ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
>> +define REFPOLICY_GIT_SUBMODULE_SETUP
>> +       rsync -ar $(RSYNC_VCS_EXCLUSIONS) $(REFPOLICY_CONTRIB_DIR)/* \
>> +               $(@D)/policy/modules/contrib/
>> +endef
>> +else
>> +REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
>> +define REFPOLICY_CUSTOM_MODULES_CONF
>> +       cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
>> +endef
>> +
>> +REFPOLICY_BOOLEAN_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE))
>> +define REFPOLICY_CUSTOM_BOOLEAN_CONF
>> +       cp $(REFPOLICY_BOOLEAN_FILE) $(@D)/policy/booleans.conf
>> +endef
>> +endif
>> +
>> +define REFPOLICY_CONFIGURE_CMDS
>> +       $(REFPOLICY_GIT_SUBMODULE_SETUP)
>> +       # If an external repo is used to build refpolicy, this preserves the
>> +       # custom modules.conf which defines the enabled components.
>> +       if [ -f $(@D)/policy/modules.conf ]; then \
>> +               mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk ; \
>> +       fi
>> +       $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) bare \
>> +               $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
>> +       $(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
>> +       $(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
>> +       $(SED) "/NAME/c\NAME = $(BR2_PACKAGE_REFPOLICY_NAME)" $(@D)/build.conf
>> +
>> +       $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \
>> +               $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
>> +       if [ -f $(@D)/modules.conf.bk ]; then \
>> +               echo "[Preserved modules.conf]" ; \
>> +               mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \
>> +       fi
>> +       $(REFPOLICY_CUSTOM_MODULES_CONF)
>> +       $(REFPOLICY_CUSTOM_BOOLEAN_CONF)
>> +endef
>> +
>> +define REFPOLICY_INSTALL_STAGING_CMDS
>> +       $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
>> +               install-docs $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
>> +endef
>> +
>> +define REFPOLICY_INSTALL_TARGET_CMDS
>> +       $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install \
>> +               $(REFPOLICY_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
>> +       $(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
>> +       $(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(BR2_PACKAGE_REFPOLICY_NAME)" \
>> +               $(TARGET_DIR)/etc/selinux/config
>> +       $(SED) "/^SELINUX=/c\SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE)" \
>> +               $(TARGET_DIR)/etc/selinux/config
>> +       touch $(TARGET_DIR)/.autorelabel
>> +       $(RM) $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/booleans
>> +endef
>> +
>> +define REFPOLICY_INSTALL_INIT_SYSV
>> +       $(INSTALL) -m 0755 -D package/refpolicy/S00selinux \
>> +               $(TARGET_DIR)/etc/init.d/S00selinux
>> +endef
>> +
>> +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
>> +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy
>> +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
>> +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files
>> +touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local
>> +endif
>> +
>> +$(eval $(generic-package))
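Review bot: The four lines inside the final `ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)` block (three `$(INSTALL) -d` lines and the `touch`) sit at makefile top level at column 0, not inside a recipe or define, so when the option is enabled make parses them as rule text and aborts with a missing-separator error before any target runs; they belong in a define that REFPOLICY_INSTALL_TARGET_CMDS expands. Two smaller points in the same hunk: the `$(SED) "/TYPE/c\..."`, `"/MONOLITHIC/c\..."` and `"/NAME/c\..."` edits of build.conf are unanchored and replace every line containing those substrings, comments included, whereas the later edits of /etc/selinux/config are anchored (`/^SELINUXTYPE/`, `/^SELINUX=/`); anchoring them the same way (`/^TYPE/`, `/^MONOLITHIC/`, `/^NAME/`) avoids clobbering unrelated lines. And `$(INSTALL) -m 0755 -D package/refpolicy/config` installs a plain configuration file as executable; `-m 0644` is the appropriate mode for /etc/selinux/config.
```make
ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
define REFPOLICY_INSTALL_MODULAR_DIRS
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files
	touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local
endef
endif

define REFPOLICY_INSTALL_TARGET_CMDS
	# … unchanged: make install, config install/sed, .autorelabel, rm booleans …
	$(REFPOLICY_INSTALL_MODULAR_DIRS)
endef
```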
>> --
>> 2.7.4
>>
>
>
>
> --
> Matthew L Weber / Pr Software Engineer
> Airborne Information Systems / Security Systems and Software / Secure Platforms
> MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
> www.rockwellcollins.com
>
> Note: Any Export License Required Information and License Restricted
> Third Party Intellectual Property (TPIP) content must be encrypted and
> sent to matthew.weber at corp.rockwellcollins.com.



-- 


Bryce Ferguson
Software Engineer
Airborne Information Solutions \ Secure Platforms

400 Collins Rd NE Cedar Rapids, Iowa 52498

Bryce.Ferguson at rockwellcollins.com


