authorSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
commit3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch)
treecae07463edd5b609a97513e00d63e1bd410cc8bb /config/appconfig-mls
parentInitial commit (diff)
downloadhardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.gz
hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.bz2
hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.zip
Pushing 2.20120215 (current version)
Diffstat (limited to 'config/appconfig-mls')
-rw-r--r--config/appconfig-mls/dbus_contexts6
-rw-r--r--config/appconfig-mls/default_contexts15
-rw-r--r--config/appconfig-mls/default_type6
-rw-r--r--config/appconfig-mls/failsafe_context1
-rw-r--r--config/appconfig-mls/guest_u_default_contexts5
-rw-r--r--config/appconfig-mls/initrc_context1
-rw-r--r--config/appconfig-mls/media3
-rw-r--r--config/appconfig-mls/removable_context1
-rw-r--r--config/appconfig-mls/root_default_contexts11
-rw-r--r--config/appconfig-mls/securetty_types1
-rw-r--r--config/appconfig-mls/sepgsql_contexts40
-rw-r--r--config/appconfig-mls/seusers3
-rw-r--r--config/appconfig-mls/staff_u_default_contexts10
-rw-r--r--config/appconfig-mls/unconfined_u_default_contexts9
-rw-r--r--config/appconfig-mls/user_u_default_contexts8
-rw-r--r--config/appconfig-mls/userhelper_context1
-rw-r--r--config/appconfig-mls/virtual_domain_context1
-rw-r--r--config/appconfig-mls/virtual_image_context2
-rw-r--r--config/appconfig-mls/x_contexts105
-rw-r--r--config/appconfig-mls/xguest_u_default_contexts7
20 files changed, 236 insertions, 0 deletions
diff --git a/config/appconfig-mls/dbus_contexts b/config/appconfig-mls/dbus_contexts
new file mode 100644
index 000000000..116e684f9
--- /dev/null
+++ b/config/appconfig-mls/dbus_contexts
@@ -0,0 +1,6 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <selinux>
+ </selinux>
+</busconfig>
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
new file mode 100644
index 000000000..801d97b6f
--- /dev/null
+++ b/config/appconfig-mls/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
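Review bot: The file has no header explaining its format, so a reader cannot tell from the hunk that the first field of each line is the context of the process requesting the transition and the remaining fields are the candidate user contexts tried in order until one is permitted for the user's roles. A leading comment such as `# <requesting role:type:level>  <preferred user contexts, tried in order>` would make the ordering intent explicit. The `system_r:remote_login_t:s0` line deliberately omits `sysadm_r:sysadm_t:s0` while the `local_login_t` and `sshd_t` lines offer it; that difference looks intentional (no admin role from a plain remote login) and deserves a one-line comment so a later edit does not "fix" it.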
diff --git a/config/appconfig-mls/default_type b/config/appconfig-mls/default_type
new file mode 100644
index 000000000..33528d61f
--- /dev/null
+++ b/config/appconfig-mls/default_type
@@ -0,0 +1,6 @@
+auditadm_r:auditadm_t
+secadm_r:secadm_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-mls/failsafe_context b/config/appconfig-mls/failsafe_context
new file mode 100644
index 000000000..999abd9a3
--- /dev/null
+++ b/config/appconfig-mls/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/guest_u_default_contexts b/config/appconfig-mls/guest_u_default_contexts
new file mode 100644
index 000000000..e2106efae
--- /dev/null
+++ b/config/appconfig-mls/guest_u_default_contexts
@@ -0,0 +1,5 @@
+guest_r:guest_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_t:s0
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
diff --git a/config/appconfig-mls/initrc_context b/config/appconfig-mls/initrc_context
new file mode 100644
index 000000000..4598f92e8
--- /dev/null
+++ b/config/appconfig-mls/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0-mls_systemhigh
diff --git a/config/appconfig-mls/media b/config/appconfig-mls/media
new file mode 100644
index 000000000..81f3463e0
--- /dev/null
+++ b/config/appconfig-mls/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mls/removable_context b/config/appconfig-mls/removable_context
new file mode 100644
index 000000000..7fcc56e43
--- /dev/null
+++ b/config/appconfig-mls/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
new file mode 100644
index 000000000..7805778a2
--- /dev/null
+++ b/config/appconfig-mls/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
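Review bot: The comment above the commented-out `sshd_t` line says it enables automatic login as sysadm_r, but the line lists `unconfined_r:unconfined_t:s0` first, so uncommenting it would give root ssh sessions the unconfined domain whenever that role is available and fall back to sysadm_r only otherwise. Rewording the comment to `# Uncomment to let root ssh logins default to unconfined_r (or sysadm_r when unconfined is not loaded)` would describe what the line actually does. Since this file governs the root seuser, that entry also widens what a remote root login can reach beyond the login domains already listed, which is worth stating next to it so an administrator enabling it understands the exposure.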
diff --git a/config/appconfig-mls/securetty_types b/config/appconfig-mls/securetty_types
new file mode 100644
index 000000000..527d8358e
--- /dev/null
+++ b/config/appconfig-mls/securetty_types
@@ -0,0 +1 @@
+user_tty_device_t
diff --git a/config/appconfig-mls/sepgsql_contexts b/config/appconfig-mls/sepgsql_contexts
new file mode 100644
index 000000000..76ff21cd7
--- /dev/null
+++ b/config/appconfig-mls/sepgsql_contexts
@@ -0,0 +1,40 @@
+#
+# Initial security label for SE-PostgreSQL (MLS)
+#
+
+# <databases>
+db_database * system_u:object_r:sepgsql_db_t:s0
+
+# <schemas>
+db_schema *.* system_u:object_r:sepgsql_schema_t:s0
+
+# <tables>
+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_table *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <column>
+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0
+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <sequences>
+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0
+
+# <views>
+db_view *.*.* system_u:object_r:sepgsql_view_t:s0
+
+# <procedures>
+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0
+
+# <tuples>
+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0
+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
+
+# <blobs>
+db_blob *.* system_u:object_r:sepgsql_blob_t:s0
+
+# <language>
+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0
+db_language *.* system_u:object_r:sepgsql_lang_t:s0
diff --git a/config/appconfig-mls/seusers b/config/appconfig-mls/seusers
new file mode 100644
index 000000000..dc156bfa8
--- /dev/null
+++ b/config/appconfig-mls/seusers
@@ -0,0 +1,3 @@
+system_u:system_u:s0-mls_systemhigh
+root:root:s0-mls_systemhigh
+__default__:user_u:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
new file mode 100644
index 000000000..881a292e3
--- /dev/null
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -0,0 +1,10 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
+system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
+system_r:xdm_t:s0 staff_r:staff_t:s0
+staff_r:staff_su_t:s0 staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
diff --git a/config/appconfig-mls/unconfined_u_default_contexts b/config/appconfig-mls/unconfined_u_default_contexts
new file mode 100644
index 000000000..106e093d8
--- /dev/null
+++ b/config/appconfig-mls/unconfined_u_default_contexts
@@ -0,0 +1,9 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
+system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
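Review bot: The su entry here is keyed as `system_r:sysadm_su_t:s0`, whereas default_contexts and root_default_contexts in the same commit key the same domain as `sysadm_r:sysadm_su_t:s0`. Matching is done on the full requesting context, so if sysadm_su_t runs under sysadm_r as those files assume, this line never matches and an unconfined_u user going through su gets whatever the fallback logic picks instead; it is worth confirming which role su actually runs in and aligning the prefix, e.g. `sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0`. The `system_r:initrc_t:s0` and `system_r:rshd_t:s0` entries appear only in this file and in none of the other *_default_contexts files, which may be deliberate but merits a short comment.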
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
new file mode 100644
index 000000000..cacbc939f
--- /dev/null
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -0,0 +1,8 @@
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 user_r:user_t:s0
+
diff --git a/config/appconfig-mls/userhelper_context b/config/appconfig-mls/userhelper_context
new file mode 100644
index 000000000..dc37a69bb
--- /dev/null
+++ b/config/appconfig-mls/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
new file mode 100644
index 000000000..d387b428b
--- /dev/null
+++ b/config/appconfig-mls/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
new file mode 100644
index 000000000..8ab1e27ea
--- /dev/null
+++ b/config/appconfig-mls/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-mls/x_contexts b/config/appconfig-mls/x_contexts
new file mode 100644
index 000000000..0b3204435
--- /dev/null
+++ b/config/appconfig-mls/x_contexts
@@ -0,0 +1,105 @@
+#
+# Config file for XSELinux extension
+#
+
+
+#
+##
+### Rules for X Clients
+##
+#
+
+#
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_t:s0
+
+
+#
+##
+### Rules for X Properties
+##
+#
+
+#
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
+#
+# Properties that normal clients may only read
+property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
+
+# Clipboard and selection properties
+property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
+
+# Default fallback type
+property * system_u:object_r:xproperty_t:s0
+
+
+#
+##
+### Rules for X Extensions
+##
+#
+
+#
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
+#
+# Restricted extensions
+extension SELinux system_u:object_r:security_xextension_t:s0
+
+# Standard extensions
+extension * system_u:object_r:xextension_t:s0
+
+
+#
+##
+### Rules for X Selections
+##
+#
+
+# Selection rules map a selection name to a context. A default selection
+# rule indicated by an asterisk should follow all other selection rules.
+#
+# Standard selections
+selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
+selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
+
+# Default fallback type
+selection * system_u:object_r:xselection_t:s0
+
+
+#
+##
+### Rules for X Events
+##
+#
+
+#
+# Event rules map an event protocol name to a context. A default event
+# rule indicated by an asterisk should follow all other event rules.
+#
+# Input events
+event X11:KeyPress system_u:object_r:input_xevent_t:s0
+event X11:KeyRelease system_u:object_r:input_xevent_t:s0
+event X11:ButtonPress system_u:object_r:input_xevent_t:s0
+event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
+event X11:MotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
+event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
+event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
+
+# Client message events
+event X11:ClientMessage system_u:object_r:client_xevent_t:s0
+event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
+event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
+event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
+
+# Default fallback type
+event * system_u:object_r:xevent_t:s0
diff --git a/config/appconfig-mls/xguest_u_default_contexts b/config/appconfig-mls/xguest_u_default_contexts
new file mode 100644
index 000000000..574363b57
--- /dev/null
+++ b/config/appconfig-mls/xguest_u_default_contexts
@@ -0,0 +1,7 @@
+system_r:crond_t:s0 xguest_r:xguest_t:s0
+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
+system_r:local_login_t:s0 xguest_r:xguest_t:s0
+system_r:remote_login_t:s0 xguest_r:xguest_t:s0
+system_r:sshd_t:s0 xguest_r:xguest_t:s0
+system_r:xdm_t:s0 xguest_r:xguest_t:s0
+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0