dist git files

.github/workflows/build.yml

@@ -7,10 +7,11 @@ jobs:
       image: quay.io/fedora/fedora:rawhide
       options: --security-opt seccomp=unconfined
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - run: dnf install --nogpgcheck -y git-core checkpolicy policycoreutils-devel make m4 findutils
       - run: git clone --depth=1 https://github.com/containers/container-selinux.git /tmp/container-selinux
       - run: cp /tmp/container-selinux/container.* policy/modules/contrib
+      - run: cp dist/targeted/modules.conf policy
       - run: make -j $(nproc) policy
       - run: make -j $(nproc) validate
       - run: make -j $(nproc) container.pp

config/appconfig-mcs/securetty_types

@@ -1 +1,2 @@
+console_device_t
 user_tty_device_t

config/appconfig-mls/securetty_types

@@ -1 +1,2 @@
+console_device_t
 user_tty_device_t

config/appconfig-standard/securetty_types

@@ -1 +1,2 @@
+console_device_t
 user_tty_device_t

config/file_contexts.subs_dist

@@ -7,16 +7,27 @@
 #
 # It does not perform substitutions as done by sed(1), for
 # example, but aliasing.
-# 
-/etc/init.d /etc/rc.d/init.d
-/lib32 /lib
-/lib64 /lib
-/run /var/run
-/run/lock /var/lock
-/usr/lib32 /usr/lib
+#
+/var/run /run
+/var/lock /run/lock
+/run/systemd/system /usr/lib/systemd/system
+/run/systemd/generator.early /run/systemd/generator
+/run/systemd/generator.late /run/systemd/generator
+/lib /usr/lib
+/lib64 /usr/lib
 /usr/lib64 /usr/lib
-/usr/local/lib32 /usr/lib
 /usr/local/lib64 /usr/lib
-/usr/local/lib /usr/lib
-/var/run/lock /var/lock
-/sbin /usr/sbin
+/usr/local/lib32 /usr/lib
+/etc/systemd/system /usr/lib/systemd/system
+/var/lib/xguest/home /home
+/var/named/chroot/usr/lib64 /usr/lib
+/var/named/chroot/lib64 /usr/lib
+/var/named/chroot/var  /var
+/home-inst            /home
+/home/home-inst            /home
+/var/roothome        /root
+/sbin                /usr/sbin
+/sysroot/tmp         /tmp
+/var/usrlocal        /usr/local
+/var/mnt             /mnt
+/bin                 /usr/bin

dist/booleans.subs_dist

@@ -0,0 +1,54 @@
+allow_auditadm_exec_content auditadm_exec_content
+allow_console_login login_console_enabled
+allow_cvs_read_shadow cvs_read_shadow
+allow_daemons_dump_core daemons_dump_core
+allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
+allow_daemons_use_tty daemons_use_tty
+allow_domain_fd_use domain_fd_use
+allow_execheap selinuxuser_execheap
+allow_execmod selinuxuser_execmod
+allow_execstack selinuxuser_execstack
+allow_ftpd_anon_write ftpd_anon_write
+allow_ftpd_full_access ftpd_full_access
+allow_ftpd_use_cifs ftpd_use_cifs
+allow_ftpd_use_nfs ftpd_use_nfs
+allow_gssd_read_tmp gssd_read_tmp
+allow_guest_exec_content guest_exec_content
+allow_httpd_anon_write httpd_anon_write
+allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
+allow_httpd_mod_auth_pam httpd_mod_auth_pam
+allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
+allow_kerberos kerberos_enabled
+allow_mplayer_execstack mplayer_execstack
+allow_mount_anyfile mount_anyfile
+allow_nfsd_anon_write nfsd_anon_write
+allow_polyinstantiation polyinstantiation_enabled
+allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
+allow_rsync_anon_write rsync_anon_write
+allow_saslauthd_read_shadow saslauthd_read_shadow
+allow_secadm_exec_content secadm_exec_content
+allow_smbd_anon_write smbd_anon_write
+allow_ssh_keysign ssh_keysign
+allow_staff_exec_content staff_exec_content
+allow_sysadm_exec_content sysadm_exec_content
+allow_user_exec_content user_exec_content
+allow_user_mysql_connect selinuxuser_mysql_connect_enabled
+allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
+allow_write_xshm xserver_clients_write_xshm
+allow_xguest_exec_content xguest_exec_content
+allow_xserver_execmem xserver_execmem
+allow_ypbind nis_enabled
+allow_zebra_write_config zebra_write_config
+user_direct_dri selinuxuser_direct_dri_enabled
+user_ping selinuxuser_ping
+user_share_music selinuxuser_share_music
+user_tcp_server selinuxuser_tcp_server
+sepgsql_enable_pitr_implementation postgresql_can_rsync
+sepgsql_enable_users_ddl  postgresql_selinux_users_ddl
+sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
+sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
+clamd_use_jit antivirus_use_jit
+amavis_use_jit antivirus_use_jit
+logwatch_can_sendmail logwatch_can_network_connect_mail
+puppet_manage_all_files puppetagent_manage_all_files
+virt_sandbox_use_nfs virt_use_nfs

dist/customizable_types

@@ -0,0 +1,14 @@
+container_file_t
+sandbox_file_t
+svirt_image_t
+svirt_home_t
+svirt_sandbox_file_t
+virt_content_t
+httpd_user_htaccess_t
+httpd_user_script_exec_t
+httpd_user_rw_content_t
+httpd_user_ra_content_t
+httpd_user_content_t
+git_session_content_t
+home_bin_t
+user_tty_device_t

dist/minimum/booleans.conf

@@ -0,0 +1,248 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# 
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+# 
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+# 
+allow_execstack = true
+
+# Allow ftpd to read cifs directories.
+# 
+allow_ftpd_use_cifs = false
+
+# Allow ftpd to read nfs directories.
+# 
+allow_ftpd_use_nfs = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+# 
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+# 
+allow_gssd_read_tmp = true
+
+# Allow Apache to modify public filesused for public file transfer services.
+# 
+allow_httpd_anon_write = false
+
+# Allow Apache to use mod_auth_pam module
+# 
+allow_httpd_mod_auth_pam = false
+
+# Allow system to run with kerberos
+# 
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+# 
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+# 
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+# 
+allow_smbd_anon_write = false
+
+# Allow system to run with NIS
+# 
+allow_ypbind = false
+
+# Allow zebra to write it own configuration files
+# 
+allow_zebra_write_config = false
+
+# Enable extra rules in the cron domainto support fcron.
+# 
+fcron_crond = false
+
+#
+# allow httpd to connect to mysql/posgresql 
+httpd_can_network_connect_db = false
+
+#
+# allow httpd to send dbus messages to avahi
+httpd_dbus_avahi = true
+
+#
+# allow httpd to network relay
+httpd_can_network_relay = false
+
+# Allow httpd to use built in scripting (usually php)
+# 
+httpd_builtin_scripting = true
+
+# Allow http daemon to tcp connect
+# 
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+# 
+httpd_enable_cgi = true
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+# 
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+# 
+httpd_enable_homedirs = false
+
+# Run SSI execs in system CGI script domain.
+# 
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+# 
+httpd_tty_comm = false
+
+# Run CGI in the main httpd domain
+# 
+httpd_unified = false
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+# 
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+# 
+nfs_export_all_rw = true
+
+# Allow nfs to be exported read only
+# 
+nfs_export_all_ro = true
+
+# Allow pppd to load kernel modules for certain modems
+# 
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+# 
+read_default_t = false
+
+# Allow samba to export user home directories.
+# 
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+# 
+squid_connect_any = false
+
+# Support NFS home directories
+# 
+use_nfs_home_dirs = true
+
+# Support SAMBA home directories
+# 
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+# 
+user_ping = false
+
+# allow host key based authentication
+# 
+allow_ssh_keysign = false
+
+# Allow pppd to be run for a regular user
+# 
+pppd_for_user = false
+
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+# 
+read_untrusted_content = false
+
+# Allow spamd to write to users homedirs
+# 
+spamd_enable_home_dirs = false
+
+# Allow regular users direct mouse access
+# 
+user_direct_mouse = false
+
+# Allow users to read system messages.
+# 
+user_dmesg = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+# 
+user_rw_noexattrfile = false
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
+# 
+user_tcp_server = false
+
+# Allow w to display everyone
+# 
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+# 
+write_untrusted_content = false
+
+# Allow all domains to talk to ttys
+# 
+allow_daemons_use_tty = false
+
+# Allow login domains to polyinstatiate directories
+# 
+allow_polyinstantiation = false
+
+# Allow all domains to dump core
+# 
+allow_daemons_dump_core = true
+
+# Allow samba to act as the domain controller
+# 
+samba_domain_controller = false
+
+# Allow samba to export user home directories.
+# 
+samba_run_unconfined = false
+
+# Allows XServer to execute writable memory
+# 
+allow_xserver_execmem = false
+
+# disallow guest accounts to execute files that they can create 
+# 
+allow_guest_exec_content = false
+allow_xguest_exec_content = false
+
+# Only allow browser to use the web
+# 
+browser_confine_xguest=false
+
+# Allow postfix locat to write to mail spool
+# 
+allow_postfix_local_write_mail_spool=false
+
+# Allow common users to read/write noexattrfile systems
+# 
+user_rw_noexattrfile=true
+
+# Allow qemu to connect fully to the network
+# 
+qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+# 
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+# 
+allow_unconfined_nsplugin_transition=true
+
+# System uses init upstart program
+# 
+init_upstart = true
+
+# Allow mount to mount any file/dir
+# 
+allow_mount_anyfile = true

dist/minimum/modules.conf

@@ -0,0 +1 @@
+../targeted/modules.conf

dist/minimum/setrans.conf

@@ -0,0 +1 @@
+../targeted/setrans.conf

dist/minimum/users

@@ -0,0 +1 @@
+../targeted/users

dist/mls/booleans.conf

@@ -0,0 +1,6 @@
+kerberos_enabled = true
+mount_anyfile = true
+polyinstantiation_enabled = true
+ftpd_is_daemon = true
+selinuxuser_ping = true
+xserver_object_manager = true