{"id":13510677,"url":"https://github.com/SELinuxProject/refpolicy","last_synced_at":"2025-03-30T16:34:43.090Z","repository":{"id":33392528,"uuid":"138409907","full_name":"SELinuxProject/refpolicy","owner":"SELinuxProject","description":"SELinux Reference Policy v2","archived":false,"fork":false,"pushed_at":"2024-10-24T13:40:34.000Z","size":14003,"stargazers_count":302,"open_issues_count":3,"forks_count":135,"subscribers_count":18,"default_branch":"main","last_synced_at":"2024-10-25T16:26:35.240Z","etag":null,"topics":["access-control","policy","rbac","security","security-hardening","security-policy","selinux"],"latest_commit_sha":null,"homepage":"https://github.com/SELinuxProject/refpolicy/wiki","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SELinuxProject.png","metadata":{"files":{"readme":"README","changelog":"Changelog","contributing":"CONTRIBUTING","funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"support/Makefile.devel","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-06-23T14:57:28.000Z","updated_at":"2024-10-24T13:40:39.000Z","dependencies_parsed_at":"2023-10-02T15:24:27.080Z","dependency_job_id":"6f09f504-033d-45e2-9137-74861b99364c","html_url":"https://github.com/SELinuxProject/refpolicy","commit_stats":null,"previous_names":[],"tags_count":49,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SELinuxProject%2Frefpolicy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SELinuxProject%2Frefpolicy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SELinuxProject%2Frefpolicy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SELinuxProject%2Frefpolicy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SELinuxProject","download_url":"https://codeload.github.com/SELinuxProject/refpolicy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222566739,"owners_count":17004237,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","policy","rbac","security","security-hardening","security-policy","selinux"],"created_at":"2024-08-01T02:01:49.408Z","updated_at":"2025-03-30T16:34:43.072Z","avatar_url":"https://github.com/SELinuxProject.png","language":"Python","funding_links":[],"categories":["Python","security"],"sub_categories":[],"readme":"1) Reference Policy make targets:\n\nGeneral Make targets:\n\ninstall-src\t\tInstall the policy sources into\n\t\t\t/etc/selinux/NAME/src/policy, where NAME is defined in\n\t\t\tthe Makefile.  If not defined, the TYPE, as defined in\n\t\t\tthe Makefile, is used.  The default NAME is refpolicy.\n\t\t\tA pre-existing source policy will be moved to\n\t\t\t/etc/selinux/NAME/src/policy.bak.\n\nconf\t\t\tRegenerate policy.xml, and update/create modules.conf\n\t\t\tand booleans.conf.  This should be done after adding\n\t\t\tor removing modules, or after running the bare target.\n\t\t\tIf the configuration files exist, their settings will\n\t\t\tbe preserved.  This must be ran on policy sources that\n\t\t\tare checked out from the CVS repository before they can\n\t\t\tbe used.\n\nclean\t\t\tDelete all temporary files, compiled policies,\n\t\t\tand file_contexts.  Configuration files are left intact.\n\nbare\t\t\tDo the clean make target and also delete configuration\n\t\t\tfiles, web page documentation, and policy.xml.\n\nhtml\t\t\tRegenerate policy.xml and create web page documentation\n\t\t\tin the doc/html directory.\n\nMake targets specific to modular (loadable modules) policies:\n\nbase\t\t\tCompile and package the base module.  This is the\n\t\t\tdefault target for modular policies.\n\nmodules\t\t\tCompile and package all Reference Policy modules\n\t\t\tconfigured to be built as loadable modules.\n\nMODULENAME.pp\t\tCompile and package the MODULENAME Reference Policy\n\t\t\tmodule.\n\nall\t\t\tCompile and package the base module and all Reference\n\t\t\tPolicy modules configured to be built as loadable\n\t\t\tmodules.\n\ninstall\t\t\tCompile, package, and install the base module and\n\t\t\tReference Policy modules configured to be built as\n\t\t\tloadable modules.\n\nload\t\t\tCompile, package, and install the base module and\n\t\t\tReference Policy modules configured to be built as\n\t\t\tloadable modules, then insert them into the module\n\t\t\tstore.\n\nvalidate\t\tValidate if the configured modules can successfully\n\t\t\tlink and expand.\n\ninstall-headers\t\tInstall the policy headers into /usr/share/selinux/NAME.\n\t\t\tThe headers are sufficient for building a policy\n\t\t\tmodule locally, without requiring the complete\n\t\t\tReference Policy sources.  The build.conf settings\n\t\t\tfor this policy configuration should be set before\n\t\t\tusing this target.\n\nbuild-interface-db\tBuild the policy interface database with\n\t\t\t'sepolgen-ifgen'.  This database is required for\n\t\t\treference style policy generation by\n\t\t\t'audit2allow --reference'.\n\nMake targets specific to monolithic policies:\n\npolicy\t\t\tCompile a policy locally for development and testing.\n\t\t\tThis is the default target for monolithic policies.\n\ninstall\t\t\tCompile and install the policy and file contexts.\n\nload\t\t\tCompile and install the policy and file contexts, then\n\t\t\tload the policy.\n\nenableaudit\t\tRemove all dontaudit rules from policy.conf.\n\nrelabel\t\t\tRelabel the filesystem.\n\nchecklabels\t\tCheck the labels on the filesystem, and report when\n\t\t\ta file would be relabeled, but do not change its label.\n\nrestorelabels\t\tRelabel the filesystem and report each file that is\n\t\t\trelabeled.\n\n\n2) Reference Policy Build Options (build.conf)\n\nTYPE\t\t\tString.  Available options are standard, mls, and mcs.\n\t\t\tFor a type enforcement only system, set standard.\n\t\t\tThis optionally enables multi-level security (MLS) or\n\t\t\tmulti-category security (MCS) features.  This option\n\t\t\tcontrols enable_mls, and enable_mcs policy blocks.\n\nNAME\t\t\tString (optional).  Sets the name of the policy; the\n\t\t\tNAME is used when installing files to e.g.,\n\t\t\t/etc/selinux/NAME and /usr/share/selinux/NAME.  If not\n\t\t\tset, the policy type (TYPE) is used.\n\nDISTRO\t\t\tString (optional).  Enable distribution-specific policy.\n\t\t\tAvailable options are redhat, gentoo, and debian.\n\t\t\tThis option controls distro_redhat, distro_gentoo, and\n\t\t\tdistro_debian build option policy blocks.\n\nMONOLITHIC\t\tBoolean.  If set, a monolithic policy is built,\n\t\t\totherwise a modular policy is built.\n\nDIRECT_INITRC\t\tBoolean.  If set, sysadm will be allowed to directly\n\t\t\trun init scripts, instead of requiring the run_init\n\t\t\ttool.  This is a build option instead of a tunable since\n\t\t\trole transitions do not work in conditional policy.\n\t\t\tThis option controls direct_sysadm_daemon policy\n\t\t\tblocks.\n\nOUTPUT_POLICY\t\tInteger.  Set the version of the policy created when\n\t\t\tbuilding a monolithic policy.  This option has no effect\n\t\t\ton modular policy.\n\nOUTPUT_MODULE\t\tInteger.  Set the version of the module policy created when\n\t\t\tbuilding a modular policy.  This option has no effect\n\t\t\ton monolithic policy.\n\nUNK_PERMS\t\tString.  Set the kernel behavior for handling of\n\t\t\tpermissions defined in the kernel but missing from the\n\t\t\tpolicy.  The permissions can either be allowed (allow),\n\t\t\tdenied (deny), or the policy loading can be rejected\n\t\t\t(reject).\n\nUBAC\t\t\tBoolean.  If set, the SELinux user will be used\n\t\t\tadditionally for approximate role separation.\n\nSYSTEMD\t\t\tBoolean.  If set, systemd will be assumed to be the init\n\t\t\tprocess provider.\n\nMLS_SENS\t\tInteger.  Set the number of sensitivities in the MLS\n\t\t\tpolicy.  Ignored on standard and MCS policies.\n\nMLS_CATS\t\tInteger.  Set the number of categories in the MLS\n\t\t\tpolicy.  Ignored on standard and MCS policies.\n\nMCS_CATS\t\tInteger.  Set the number of categories in the MCS\n\t\t\tpolicy.  Ignored on standard and MLS policies.\n\nQUIET\t\t\tBoolean.  If set, the build system will only display\n\t\t\tstatus messages and error messages.  This option has no\n\t\t\teffect on policy.\n\nWERROR\t\t\tBoolean.  If set, the build system will treat warnings\n\t\t\tas errors.  If any warnings are encountered, the build\n\t\t\twill fail.\n\n\n3) Reference Policy Files and Directories\nAll directories relative to the root of the Reference Policy sources directory.\n\nMakefile\t\tGeneral rules for building the policy.\n\nRules.modular\t\tMakefile rules specific to building loadable module\n\t\t\tpolicies.\n\nRules.monolithic\tMakefile rules specific to building monolithic policies.\n\nbuild.conf\t\tOptions which influence the building of the policy,\n\t\t\tsuch as the policy type and distribution.\n\nconfig/appconfig-*\tApplication configuration files for all configurations\n\t\t\tof the Reference Policy (targeted/strict with or without\n\t\t\tMLS or MCS).  These are used by SELinux-aware programs.\n\nconfig/local.users\tThe file read by load policy for adding SELinux users\n\t\t\tto the policy on the fly.\n\ndoc/html/*\t\tThis contains the contents of the in-policy XML\n\t\t\tdocumentation, presented in web page form.\n\ndoc/policy.dtd\t\tThe doc/policy.xml file is validated against this DTD.\n\ndoc/policy.xml\t\tThis file is generated/updated by the conf and html make\n\t\t\ttargets.  It contains the complete XML documentation\n\t\t\tincluded in the policy.\n\ndoc/templates/*\t\tTemplates used for documentation web pages.\n\npolicy/booleans.conf\tThis file is generated/updated by the conf make target.\n\t\t\tIt contains the booleans in the policy, and their\n\t\t\tdefault values.  If tunables are implemented as\n\t\t\tbooleans, tunables will also be included.  This file\n\t\t\twill be installed as the /etc/selinux/NAME/booleans\n\t\t\tfile.\n\npolicy/constraints\tThis file defines additional constraints on permissions\n\t\t\tin the form of boolean expressions that must be\n\t\t\tsatisfied in order for specified permissions to be\n\t\t\tgranted.  These constraints are used to further refine\n\t\t\tthe type enforcement rules and the role allow rules.\n\t\t\tTypically, these constraints are used to restrict\n\t\t\tchanges in user identity or role to certain domains.\n\npolicy/global_booleans\tThis file defines all booleans that have a global scope,\n\t\t\ttheir default value, and documentation.\n\npolicy/global_tunables\tThis file defines all tunables that have a global scope,\n\t\t\ttheir default value, and documentation.\n\npolicy/flask/initial_sids  This file has declarations for each initial SID.\n\npolicy/flask/security_classes  This file has declarations for each security class.\n\npolicy/flask/access_vectors  This file defines the access vectors.  Common\n\t\t\tprefixes for access vectors may be defined at the\n\t\t\tbeginning of the file.  After the common prefixes are\n\t\t\tdefined, an access vector may be defined for each\n\t\t\tsecurity class.\n\npolicy/mcs\t\tThe multi-category security (MCS) configuration.\n\npolicy/mls\t\tThe multi-level security (MLS) configuration.\n\npolicy/modules/*\tEach directory represents a layer in Reference Policy\n\t\t\tall of the modules are contained in one of these layers.\n\npolicy/modules.conf\tThis file contains a listing of available modules, and\n\t\t\thow they will be used when building Reference Policy. To\n\t\t\tprevent a module from  being used, set the module to\n\t\t\t\"off\".  For monolithic policies, modules set to \"base\"\n\t\t\tand \"module\" will be included in the policy.  For\n\t\t\tmodular policies, modules set to \"base\"\twill be included\n\t\t\tin the base module; those set to \"module\" will be\n\t\t\tcompiled as individual loadable\tmodules.\n\npolicy/support/*\tSupport macros.\n\npolicy/users\t\tThis file defines the users included in the policy.\n\nsupport/*\t\tTools used in the build process.\n\n\n4) Building policy modules using Reference Policy headers:\n\nThe system must first have the Reference Policy headers installed, typically\nby the distribution.  Otherwise, the headers can be installed using the\ninstall-headers target from the full Reference Policy sources.\n\nTo set up a directory to build a local module, one must simply place a .te\nfile in a directory.  A sample Makefile to use in the directory is the\nMakefile.example in the doc directory.  This may be installed in\n/usr/share/doc, under the directory for the distribution's policy.\nAlternatively, the primary Makefile in the headers directory (typically\n/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f\noption.\n\nLarger projects can set up a structure of layers, just as in Reference\nPolicy, by creating policy/modules/LAYERNAME directories.  Each layer also\nmust have a metadata.xml file which is an XML file with a summary tag and\noptional desc (long description) tag.  This should describe the purpose of\nthe layer.\n\nMetadata.xml example:\n\n\u003csummary\u003eABC modules for the XYZ components.\u003c/summary\u003e\n\nMake targets for modules built from headers:\n\nMODULENAME.pp\t\tCompile and package the MODULENAME local module.\n\nall\t\t\tCompile and package the modules in the current\n\t\t\tdirectory.\n\nload\t\t\tCompile and package the modules in the current\n\t\t\tdirectory, then insert them into the module store.\n\nrefresh\t\t\tAttempts to reinsert all modules that are currently\n\t\t\tin the module store from the local and system module\n\t\t\tpackages.\n\nxml\t\t\tBuild a policy.xml from the XML included with the\n\t\t\tbase policy headers and any XML in the modules in\n\t\t\tthe current directory.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSELinuxProject%2Frefpolicy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSELinuxProject%2Frefpolicy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSELinuxProject%2Frefpolicy/lists"}