From f7fc530302b2331d7c1a78ca1dd2f4596844e9bc Mon Sep 17 00:00:00 2001
From: xyr218
Date: Thu, 31 Oct 2024 17:31:13 +0800
Subject: [PATCH] support usec and umount control
---
 debian/Makefile.devel | 4 +
 debian/build.conf.usec | 74 +
 debian/changelog | 7 +
 debian/control | 14 +
 debian/modules.conf.usec | 2772 +++++++++++++++++
 .../patches/0001-deepin-umount-control.patch | 39 +
 debian/patches/series | 1 +
 debian/postinst.policy | 6 +-
 debian/rules | 21 +-
 debian/selinux-policy-usec.install | 6 +
 debian/selinux-policy-usec.lintian-overrides | 2 +
 debian/selinux-policy-usec.mainscript | 6 +
 debian/setrans.conf.usec | 20 +
 13 files changed, 2969 insertions(+), 3 deletions(-)
 create mode 100644 debian/build.conf.usec
 create mode 100644 debian/modules.conf.usec
 create mode 100644 debian/patches/0001-deepin-umount-control.patch
 create mode 100644 debian/selinux-policy-usec.install
 create mode 100644 debian/selinux-policy-usec.lintian-overrides
 create mode 100644 debian/selinux-policy-usec.mainscript
 create mode 100644 debian/setrans.conf.usec
diff --git a/debian/Makefile.devel b/debian/Makefile.devel
index b1c6bfe..fdea793 100644
--- a/debian/Makefile.devel
+++ b/debian/Makefile.devel
@@ -16,6 +16,10 @@ ifeq ($(NAME),mls) NTYPE = mls endif +ifeq ($(NAME),usec) + NTYPE = usec +endif + TYPE ?= $(NTYPE) HEADERDIR := $(SHAREDIR)/devel/include
diff --git a/debian/build.conf.usec b/debian/build.conf.usec
new file mode 100644
index 0000000..03f0f86
--- /dev/null
+++ b/debian/build.conf.usec
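Review bot: The new branch sets `NTYPE = usec`, which becomes `TYPE` through `TYPE ?= $(NTYPE)`, yet build.conf.usec in this same patch builds the usec policy with `TYPE = mcs`; the existing `mls` branch maps a policy whose type really is mls, so the analogous value here looks like `NTYPE = mcs`. If the lines of Makefile.devel below the hunk select the MLS/MCS m4 definitions from TYPE, as the upstream refpolicy devel Makefile does, a value of `usec` matches neither and out-of-tree modules built against the installed usec headers would be compiled without the MCS definitions the loaded policy uses. Suggest `NTYPE = mcs` together with a comment `# usec is an MCS-type policy (see build.conf.usec); only its name differs`, unless TYPE is consumed elsewhere as a name rather than a type. How TYPE is used further down is outside the hunk and should be confirmed before changing it.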
@@ -0,0 +1,74 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version. This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 21
+
+# Policy Type
+# standard, mls, mcs
+TYPE = mcs
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = usec
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+DISTRO = debian
+
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy. The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+UNK_PERMS = deny
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC = y
+
+# Build monolithic policy. Putting n here
+# will build a loadable module policy.
+MONOLITHIC = n
+
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = y
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS = 16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS = 1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS = 1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET = n
+
+# arch-tag: ec64afa6-f6f8-4b08-b002-6025ada3a269
+
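Review bot: Nothing in the file says what the usec variant is or how it is expected to differ from the stock Debian mcs build — apart from `NAME = usec` the settings appear to be the ordinary mcs ones — so a later maintainer diffing the two build.conf files cannot tell which differences are intentional. A line under the `Policy build options` banner, such as `# usec: Debian MCS-type policy build; differs from the default policy in NAME and in the module set chosen by modules.conf.usec`, would record that (adjust the wording if the variant also changes build options). Two copied comment defects are worth fixing while the file is new: the `Number of MCS Categories` block says `c(MLS_CATS-1)` where it means `c(MCS_CATS-1)`, and the trailing `# arch-tag:` line is a leftover from an old VCS that carries no information here.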
diff --git a/debian/changelog b/debian/changelog
index 061097b..5248398 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@ +refpolicy (2:2.20240723-2deepin3) unstable; urgency=medium + + * change to support umount control. + + -- xiongyingrong Thu, 31 Oct 2024 15:37:26 +0800 + + refpolicy (2:2.20240723-2deepin2) unstable; urgency=medium + * usec support process unkill boolean
diff --git a/debian/control b/debian/control
index d6c0ce2..adb3470 100644
--- a/debian/control
+++ b/debian/control
@@ -59,6 +59,20 @@ Description: MLS (Multi Level Security) variant of the SELinux policy probably never be well supported in Debian and is only recommended for students who want to learn about the security features used by the military. +Package: selinux-policy-usec +Architecture: all +Depends: libselinux1 (>= 3.5), + libsemanage2 (>= 3.5), + libsepol2 (>= 3.5), + policycoreutils (>= 3.5-2), + selinux-utils (>= 3.5), + ${misc:Depends} +Recommends: checkpolicy, setools +Suggests: logcheck, syslog-summary +Breaks: selinux-basics (<< 0.5.2~) +Conflicts: mcstrans +Description: usec + +Package: selinux-policy-src +Architecture: all +Depends: checkpolicy (>= 3.5),
diff --git a/debian/modules.conf.usec b/debian/modules.conf.usec
new file mode 100644
index 0000000..d1344b9
--- /dev/null
+++ b/debian/modules.conf.usec
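Review bot: `Description: usec` gives selinux-policy-usec a one-word synopsis and no extended description, so the package tells an administrator nothing about what the variant is, and lintian will flag it; the mls stanza just above shows the expected shape. A synopsis such as `Description: usec (MCS-based) variant of the SELinux policy`, followed by an extended paragraph stating that it is the Debian MCS-type build carrying the deepin umount-control patch, would do. `Conflicts: mcstrans` is also worth a second look: the same patch adds debian/setrans.conf.usec, the translation configuration read by mcstransd, so the package appears to ship configuration for a daemon it declares it cannot be installed alongside. If the conflict was inherited from another stanza, either drop it or drop the setrans file, and record the reason in a `#` comment in the stanza.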
@@ -0,0 +1,2772 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: systemd
+# Required in base
+#
+# Policy for systemd as init
+#
+systemd = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = off
+
+# Layer: admin
+# Module: consolesetup
+#
+# setup the console
+#
+consolesetup = base
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = off
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = base
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = off
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = base
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = off
+
+# Layer: contrib
+# Module: abrt
+#
+# Automated bug-reporting tool.
+#
+abrt = off
+
+# Layer: contrib
+# Module: accountsd
+#
+# AccountsService and daemon for manipulating user account information via D-Bus.
+#
+accountsd = off
+
+# Layer: contrib
+# Module: acct
+#
+# Berkeley process accounting.
+#
+acct = off
+
+# Layer: contrib
+# Module: afs
+#
+# Andrew Filesystem server.
+#
+afs = off
+
+# Layer: contrib
+# Module: aide
+#
+# Aide filesystem integrity checker.
+#
+aide = off
+
+# Layer: contrib
+# Module: aisexec
+#
+# Aisexec Cluster Engine.
+#
+aisexec = off
+
+# Layer: contrib
+# Module: alsa
+#
+# Advanced Linux Sound Architecture utilities.
+#
+alsa = off
+
+# Layer: contrib
+# Module: amanda
+#
+# Advanced Maryland Automatic Network Disk Archiver.
+#
+amanda = off
+
+# Layer: contrib
+# Module: amavis
+#
+# High-performance interface between an email server and content checkers.
+#
+amavis = off
+
+# Layer: contrib
+# Module: amtu
+#
+# Abstract Machine Test Utility.
+#
+amtu = off
+
+# Layer: contrib
+# Module: anaconda
+#
+# Anaconda installer.
+#
+anaconda = off
+
+# Layer: contrib
+# Module: apache
+#
+# Various web servers.
+#
+apache = off
+
+# Layer: contrib
+# Module: apcupsd
+#
+# APC UPS monitoring daemon.
+#
+apcupsd = off
+
+# Layer: contrib
+# Module: acpi
+#
+# Advanced power management.
+#
+acpi = off
+
+# Layer: contrib
+# Module: apt
+#
+# Advanced package tool.
+#
+apt = module
+
+# Layer: contrib
+# Module: aptcacher
+#
+# Advanced package tool.
+#
+aptcacher = module
+
+# Layer: contrib
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = off
+
+# Layer: contrib
+# Module: asterisk
+#
+# Asterisk IP telephony server.
+#
+asterisk = off
+
+# Layer: contrib
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = off
+
+# Layer: contrib
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture.
+#
+avahi = off
+
+# Layer: contrib
+# Module: awstats
+#
+# Log file analyzer for advanced statistics.
+#
+awstats = off
+
+# Layer: contrib
+# Module: backup
+#
+# System backup scripts.
+#
+backup = off
+
+# Layer: contrib
+# Module: bacula
+#
+# Cross platform network backup.
+#
+bacula = off
+
+# Layer: contrib
+# Module: bind
+#
+# Berkeley Internet name domain DNS server.
+#
+bind = off
+
+# Layer: contrib
+# Module: bird
+#
+# BIRD Internet Routing Daemon.
+#
+bird = off
+
+# Layer: contrib
+# Module: bitlbee
+#
+# Tunnels instant messaging traffic to a virtual IRC channel.
+#
+bitlbee = off
+
+# Layer: contrib
+# Module: blueman
+#
+# Tool to manage Bluetooth devices.
+#
+blueman = off
+
+# Layer: contrib
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = off
+
+# Layer: contrib
+# Module: boinc
+#
+# Platform for computing using volunteered resources.
+#
+boinc = off
+
+# Layer: contrib
+# Module: brctl
+#
+# Utilities for configuring the Linux ethernet bridge.
+#
+brctl = off
+
+# Layer: contrib
+# Module: bubblewrap
+#
+# sandboxing
+#
+bubblewrap = off
+
+# Layer: contrib
+# Module: bugzilla
+#
+# Bugtracker.
+#
+bugzilla = off
+
+# Layer: contrib
+# Module: cachefilesd
+#
+# CacheFiles user-space management daemon.
+#
+cachefilesd = off
+
+# Layer: contrib
+# Module: calamaris
+#
+# Squid log analysis.
+#
+calamaris = off
+
+# Layer: contrib
+# Module: canna
+#
+# Kana-kanji conversion server.
+#
+canna = off
+
+# Layer: contrib
+# Module: cdrecord
+#
+# Record audio or data Compact Discs from a master.
+#
+cdrecord = off
+
+# Layer: contrib
+# Module: certbot
+#
+# Certificate request daemon
+#
+certbot = off
+
+# Layer: contrib
+# Module: certmaster
+#
+# Remote certificate distribution framework.
+#
+certmaster = off
+
+# Layer: contrib
+# Module: certmonger
+#
+# Certificate status monitor and PKI enrollment client.
+#
+certmonger = off
+
+# Layer: contrib
+# Module: certwatch
+#
+# Digital Certificate Tracking.
+#
+certwatch = off
+
+# Layer: contrib
+# Module: cfengine
+#
+# System administration tool for networks.
+#
+cfengine = off
+
+# Layer: contrib
+# Module: cgroup
+#
+# libcg is a library that abstracts the control group file system in Linux.
+#
+cgroup = off
+
+# Layer: contrib
+# Module: chromium
+#
+# Chromium web browser
+#
+chromium = off
+
+# Layer: contrib
+# Module: chronyd
+#
+# Chrony NTP background daemon.
+#
+chronyd = off
+
+# Layer: contrib
+# Module: clamav
+#
+# ClamAV Virus Scanner.
+#
+clamav = off
+
+# Layer: contrib
+# Module: cobbler
+#
+# Cobbler installation server.
+#
+cobbler = off
+
+# Layer: contrib
+# Module: cockpit
+#
+# Web based sysadmin tool that includes web shell access
+#
+cockpit = off
+
+# Layer: contrib
+# Module: collectd
+#
+# Statistics collection daemon for filling RRD files.
+#
+collectd = off
+
+# Layer: contrib
+# Module: colord
+#
+# GNOME color manager.
+#
+colord = off
+
+# Layer: contrib
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = off
+
+# Layer: contrib
+# Module: condor
+#
+# High-Throughput Computing System.
+#
+condor = off
+
+# Layer: contrib
+# Module: container
+#
+# base container policy
+#
+container = off
+
+# Layer: contrib
+# Module: corosync
+#
+# Corosync Cluster Engine.
+#
+corosync = off
+
+# Layer: contrib
+# Module: couchdb
+#
+# Document database server.
+#
+couchdb = off
+
+# Layer: contrib
+# Module: courier
+#
+# Courier IMAP and POP3 email servers.
+#
+courier = off
+
+# Layer: contrib
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = off
+
+# Layer: contrib
+# Module: cpufreqselector
+#
+# Command-line CPU frequency settings.
+#
+cpufreqselector = off
+
+# Layer: contrib
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = off
+
+# Layer: contrib
+# Module: ctdb
+#
+# Clustered Database based on Samba Trivial Database.
+#
+ctdb = off
+
+# Layer: contrib
+# Module: cups
+#
+# Common UNIX printing system.
+#
+cups = off
+
+# Layer: contrib
+# Module: cvs
+#
+# Concurrent versions system.
+#
+cvs = off
+
+# Layer: contrib
+# Module: cyphesis
+#
+# Cyphesis WorldForge game server.
+#
+cyphesis = off
+
+# Layer: contrib
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers.
+#
+cyrus = off
+
+# Layer: contrib
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services.
+#
+daemontools = off
+
+# Layer: contrib
+# Module: dante
+#
+# Dante msproxy and socks4/5 proxy server.
+#
+dante = off
+
+# Layer: contrib
+# Module: dbadm
+#
+# Database administrator role.
+#
+dbadm = off
+
+# Layer: contrib
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = off
+
+# Layer: contrib
+# Module: dbus
+#
+# Desktop messaging bus.
+#
+dbus = base
+
+# Layer: contrib
+# Module: ddclient
+#
+# Update dynamic IP address at DynDNS.org.
+#
+ddclient = off
+
+# Layer: contrib
+# Module: devicekit
+#
+# Devicekit modular hardware abstraction layer.
+#
+devicekit = off
+
+# Layer: contrib
+# Module: dhcp
+#
+# Dynamic host configuration protocol server.
+#
+dhcp = off
+
+# Layer: contrib
+# Module: dictd
+#
+# Dictionary daemon.
+#
+dictd = off
+
+# Layer: contrib
+# Module: dirmngr
+#
+# Server for managing and downloading certificate revocation lists.
+#
+dirmngr = off
+
+# Layer: contrib
+# Module: distcc
+#
+# Distributed compiler daemon.
+#
+distcc = off
+
+# Layer: contrib
+# Module: djbdns
+#
+# Small and secure DNS daemon.
+#
+djbdns = off
+
+# Layer: contrib
+# Module: dkim
+#
+# DomainKeys Identified Mail milter.
+#
+dkim = off
+
+# Layer: contrib
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = off
+
+# Layer: contrib
+# Module: dnsmasq
+#
+# DNS forwarder and DHCP server.
+#
+dnsmasq = off
+
+# Layer: contrib
+# Module: docker
+#
+# docker container system
+#
+docker = off
+
+# Layer: contrib
+# Module: dovecot
+#
+# POP and IMAP mail server.
+#
+dovecot = off
+
+# Layer: contrib
+# Module: dpkg
+#
+# Debian package manager.
+#
+dpkg = base
+
+# Layer: contrib
+# Module: drbd
+#
+# Mirrors a block device over the network to another machine.
+#
+drbd = off
+
+# Layer: contrib
+# Module: eg25manager
+#
+# Daemon for configuring the Quectel EG25 modem
+#
+eg25manager = off
+
+# Layer: contrib
+# Module: entropyd
+#
+# Generate entropy from audio input.
+#
+entropyd = off
+
+# Layer: contrib
+# Module: evolution
+#
+# Evolution email client.
+#
+evolution = off
+
+# Layer: contrib
+# Module: exim
+#
+# Mail transfer agent.
+#
+exim = off
+
+# Layer: contrib
+# Module: fail2ban
+#
+# Update firewall filtering to ban IP addresses with too many password failures.
+#
+fail2ban = off
+
+# Layer: contrib
+# Module: fcoe
+#
+# Fibre Channel over Ethernet utilities.
+#
+fcoe = off
+
+# Layer: contrib
+# Module: feedbackd
+#
+# haptik feedback for phones
+#
+feedbackd = off
+
+# Layer: contrib
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility.
+#
+fetchmail = off
+
+# Layer: contrib
+# Module: finger
+#
+# Finger user information service.
+#
+finger = off
+
+# Layer: contrib
+# Module: firewalld
+#
+# Service daemon with a D-BUS interface that provides a dynamic managed firewall.
+#
+firewalld = off
+
+# Layer: contrib
+# Module: firstboot
+#
+# Initial system configuration utility.
+#
+firstboot = off
+
+# Layer: contrib
+# Module: fprintd
+#
+# DBus fingerprint reader service.
+#
+fprintd = off
+
+# Layer: contrib
+# Module: ftp
+#
+# File transfer protocol service.
+#
+ftp = off
+
+# Layer: system
+# Module: fwupd
+#
+# firmware update service
+#
+fwupd = off
+
+# Layer: contrib
+# Module: games
+#
+# Various games.
+#
+games = off
+
+# Layer: contrib
+# Module: gatekeeper
+#
+# OpenH.323 Voice-Over-IP Gatekeeper.
+#
+gatekeeper = off
+
+# Layer: contrib
+# Module: gdomap
+#
+# GNUstep distributed object mapper.
+#
+gdomap = off
+
+# Layer: contrib
+# Module: geoclue
+#
+# GeoClue is a D-Bus geoinformation service
+#
+geoclue = off
+
+# Layer: contrib
+# Module: git
+#
+# GIT revision control system.
+#
+git = off
+
+# Layer: contrib
+# Module: gitosis
+#
+# Tools for managing and hosting git repositories.
+#
+gitosis = off
+
+# Layer: contrib
+# Module: glance
+#
+# OpenStack image registry and delivery service.
+#
+glance = off
+
+# Layer: contrib
+# Module: glusterfs
+#
+# Cluster File System binary, daemon and command line.
+#
+glusterfs = off
+
+# Layer: contrib
+# Module: gnome
+#
+# GNU network object model environment.
+#
+gnome = off
+
+# Layer: contrib
+# Module: gnomeclock
+#
+# Gnome clock handler for setting the time.
+#
+gnomeclock = off
+
+# Layer: contrib
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = off
+
+# Layer: contrib
+# Module: gpm
+#
+# General Purpose Mouse driver.
+#
+gpm = off
+
+# Layer: contrib
+# Module: gpsd
+#
+# gpsd monitor daemon.
+#
+gpsd = off
+
+# Layer: contrib
+# Module: guest
+#
+# Least privledge terminal user role.
+#
+guest = off
+
+# Layer: contrib
+# Module: hadoop
+#
+# Software for reliable, scalable, distributed computing.
+#
+hadoop = off
+
+# Layer: contrib
+# Module: haproxy
+#
+# Software for reliable, scalable, distributed computing.
+#
+haproxy = off
+
+# Layer: contrib
+# Module: hddtemp
+#
+# Hard disk temperature tool running as a daemon.
+#
+hddtemp = off
+
+# Layer: contrib
+# Module: hostapd
+#
+# Wifi AP daemon
+#
+hostapd = off
+
+# Layer: contrib
+# Module: hypervkvp
+#
+# HyperV key value pair (KVP).
+#
+hypervkvp = off
+
+# Layer: contrib
+# Module: i18n_input
+#
+# IIIMF htt server.
+#
+i18n_input = off
+
+# Layer: contrib
+# Module: icecast
+#
+# ShoutCast compatible streaming media server.
+#
+icecast = off
+
+# Layer: contrib
+# Module: ifplugd
+#
+# Bring up/down ethernet interfaces based on cable detection.
+#
+ifplugd = off
+
+# Layer: contrib
+# Module: iiosensorproxy
+#
+# IIO sensors to D-Bus proxy
+#
+iiosensorproxy = off
+
+# Layer: contrib
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = off
+
+# Layer: contrib
+# Module: inn
+#
+# Internet News NNTP server.
+#
+inn = off
+
+# Layer: contrib
+# Module: iodine
+#
+# IP over DNS tunneling daemon.
+#
+iodine = off
+
+# Layer: contrib
+# Module: irc
+#
+# IRC client policy.
+#
+irc = off
+
+# Layer: contrib
+# Module: ircd
+#
+# IRC servers.
+#
+ircd = off
+
+# Layer: contrib
+# Module: irqbalance
+#
+# IRQ balancing daemon.
+#
+irqbalance = off
+
+# Layer: contrib
+# Module: iscsi
+#
+# Establish connections to iSCSI devices.
+#
+iscsi = off
+
+# Layer: contrib
+# Module: isns
+#
+# Internet Storage Name Service.
+#
+isns = off
+
+# Layer: contrib
+# Module: jabber
+#
+# Jabber instant messaging servers.
+#
+jabber = off
+
+# Layer: contrib
+# Module: java
+#
+# Java virtual machine
+#
+java = off
+
+# Layer: contrib
+# Module: kdump
+#
+# Kernel crash dumping mechanism.
+#
+kdump = off
+
+# Layer: contrib
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC.
+#
+kerberos = off
+
+# Layer: contrib
+# Module: kerneloops
+#
+# Service for reporting kernel oopses to kerneloops.org.
+#
+kerneloops = off
+
+# Layer: contrib
+# Module: keystone
+#
+# Python implementation of the OpenStack identity service API.
+#
+keystone = off
+
+# Layer: contrib
+# Module: kismet
+#
+# IEEE 802.11 wireless LAN sniffer.
+#
+kismet = off
+
+# Layer: contrib
+# Module: ksmtuned
+#
+# Kernel Samepage Merging Tuning Daemon.
+#
+ksmtuned = off
+
+# Layer: contrib
+# Module: l2tp
+#
+# Layer 2 Tunneling Protocol.
+#
+l2tp = off
+
+# Layer: contrib
+# Module: ldap
+#
+# OpenLDAP directory server.
+#
+ldap = off
+
+# Layer: contrib
+# Module: lightsquid
+#
+# Log analyzer for squid proxy.
+#
+lightsquid = off
+
+# Layer: contrib
+# Module: likewise
+#
+# Likewise Active Directory support for UNIX.
+#
+likewise = off
+
+# Layer: contrib
+# Module: lircd
+#
+# Linux infared remote control daemon.
+#
+lircd = off
+
+# Layer: contrib
+# Module: livecd
+#
+# Tool for building alternate livecd for different os and policy versions.
+#
+livecd = off
+
+# Layer: contrib
+# Module: lldpad
+#
+# Intel LLDP Agent.
+#
+lldpad = off
+
+# Layer: contrib
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = off
+
+# Layer: contrib
+# Module: logrotate
+#
+# Rotates, compresses, removes and mails system log files.
+#
+logrotate = off
+
+# Layer: contrib
+# Module: logwatch
+#
+# System log analyzer and reporter.
+#
+logwatch = off
+
+# Layer: contrib
+# Module: lowmemorymonitor
+#
+# daemon to monitor low memory and manage kernel OOM
+#
+lowmemorymonitor = off
+
+# Layer: contrib
+# Module: lpd
+#
+# Line printer daemon.
+#
+lpd = off
+
+# Layer: contrib
+# Module: lsm
+#
+# Storage array management library.
+#
+lsm = off
+
+# Layer: contrib
+# Module: mailman
+#
+# Manage electronic mail discussion and e-newsletter lists.
+#
+mailman = off
+
+# Layer: contrib
+# Module: man2html
+#
+# A Unix manpage-to-HTML converter.
+#
+man2html = off
+
+# Layer: contrib
+# Module: mandb
+#
+# On-line manual database.
+#
+mandb = off
+
+# Layer: contrib
+# Module: matrixd
+#
+# Matrix IM daemon
+#
+matrixd = off
+
+# Layer: contrib
+# Module: mcelog
+#
+# Linux hardware error daemon.
+#
+mcelog = off
+
+# Layer: contrib
+# Module: mediawiki
+#
+# Open source wiki package written in PHP.
+#
+mediawiki = off
+
+# Layer: contrib
+# Module: memcached
+#
+# High-performance memory object caching system.
+#
+memcached = off
+
+# Layer: contrib
+# Module: memlockd
+#
+# Daemon that locks files into RAM so they are fast when the paging thrashes
+#
+memlockd = off
+
+# Layer: contrib
+# Module: milter
+#
+# Milter mail filters.
+#
+milter = off
+
+# Layer: contrib
+# Module: minidlna
+#
+# MiniDLNA lightweight DLNA/UPnP media server
+#
+minidlna = off
+
+# Layer: contrib
+# Module: minissdpd
+#
+# Daemon used by MiniUPnPc to speed up device discoveries.
+#
+minissdpd = off
+
+# Layer: contrib
+# Module: modemmanager
+#
+# Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.
+#
+modemmanager = off
+
+# Layer: contrib
+# Module: mojomojo
+#
+# MojoMojo Wiki.
+#
+mojomojo = off
+
+# Layer: contrib
+# Module: mon
+#
+# mon network monitoring daemon
+#
+mon = off
+
+# Layer: contrib
+# Module: monit
+#
+# monit monitoring daemon that restarts services
+#
+monit = off
+
+# Layer: contrib
+# Module: mongodb
+#
+# Scalable, high-performance, open source NoSQL database.
+#
+mongodb = off
+
+# Layer: contrib
+# Module: mono
+#
+# Run .NET server and client applications on Linux.
+#
+mono = off
+
+# Layer: contrib
+# Module: monop
+#
+# Monopoly daemon.
+#
+monop = off
+
+# Layer: contrib
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers.
+#
+mozilla = off
+
+# Layer: contrib
+# Module: mpd
+#
+# Music Player Daemon.
+#
+mpd = off
+
+# Layer: contrib
+# Module: mplayer
+#
+# Mplayer media player and encoder.
+#
+mplayer = off
+
+# Layer: contrib
+# Module: mrtg
+#
+# Network traffic graphing.
+#
+mrtg = off
+
+# Layer: contrib
+# Module: mta
+#
+# Common e-mail transfer agent policy.
+#
+mta = off
+
+# Layer: contrib
+# Module: munin
+#
+# Munin network-wide load graphing.
+#
+munin = off
+
+# Layer: contrib
+# Module: mysql
+#
+# Open source database.
+#
+mysql = off
+
+# Layer: contrib
+# Module: nagios
+#
+# Network monitoring server.
+#
+nagios = off
+
+# Layer: contrib
+# Module: ncftool
+#
+# Cross-platform network configuration library.
+#
+ncftool = off
+
+# Layer: contrib
+# Module: nessus
+#
+# Network scanning daemon.
+#
+nessus = off
+
+# Layer: contrib
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = off
+
+# Layer: contrib
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients.
+#
+nis = off
+
+# Layer: contrib
+# Module: nscd
+#
+# Name service cache daemon.
+#
+nscd = off
+
+# Layer: contrib
+# Module: nsd
+#
+# Authoritative only name server.
+#
+nsd = off
+
+# Layer: contrib
+# Module: nslcd
+#
+# Local LDAP name service daemon.
+#
+nslcd = off
+
+# Layer: contrib
+# Module: ntop
+#
+# A network traffic probe similar to the UNIX top command.
+#
+ntop = off
+
+# Layer: contrib
+# Module: ntp
+#
+# Network time protocol daemon.
+#
+ntp = off
+
+# Layer: contrib
+# Module: numad
+#
+# Non-Uniform Memory Alignment Daemon.
+#
+numad = off
+
+# Layer: contrib
+# Module: nut
+#
+# Network UPS Tools
+#
+nut = off
+
+# Layer: contrib
+# Module: nx
+#
+# NX remote desktop.
+#
+nx = off
+
+# Layer: contrib
+# Module: obex
+#
+# D-Bus service providing high-level OBEX client and server side functionality.
+#
+obex = off
+
+# Layer: contrib
+# Module: oddjob
+#
+# D-BUS service which runs odd jobs on behalf of client applications.
+#
+oddjob = off
+
+# Layer: contrib
+# Module: oident
+#
+# An ident daemon with IP masq/NAT support and the ability to specify responses.
+#
+oident = off
+
+# Layer: contrib
+# Module: openca
+#
+# Open Certificate Authority.
+#
+openca = off
+
+# Layer: contrib
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = off
+
+# Layer: contrib
+# Module: openhpi
+#
+# Open source implementation of the Service Availability Forum Hardware Platform Interface.
+#
+openhpi = off
+
+# Layer: contrib
+# Module: openvpn
+#
+# full-featured SSL VPN solution.
+#
+openvpn = off
+
+# Layer: contrib
+# Module: openvswitch
+#
+# Multilayer virtual switch.
+#
+openvswitch = off
+
+# Layer: contrib
+# Module: pacemaker
+#
+# A scalable high-availability cluster resource manager.
+#
+pacemaker = off
+
+# Layer: contrib
+# Module: pads
+#
+# Passive Asset Detection System.
+#
+pads = off
+
+# Layer: contrib
+# Module: passenger
+#
+# Ruby on rails deployment for Apache and Nginx servers.
+#
+passenger = off
+
+# Layer: contrib
+# Module: pcscd
+#
+# PCSC smart card service.
+#
+pcscd = off
+
+# Layer: contrib
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = off
+
+# Layer: contrib
+# Module: perdition
+#
+# Perdition POP and IMAP proxy.
+#
+perdition = off
+
+# Layer: contrib
+# Module: pingd
+#
+# Pingd of the Whatsup cluster node up/down detection utility.
+#
+pingd = off
+
+# Layer: contrib
+# Module: pkcs
+#
+# Implementations of the Cryptoki specification.
+#
+pkcs = off
+
+# Layer: contrib
+# Module: plymouthd
+#
+# Plymouth graphical boot.
+#
+plymouthd = off
+
+# Layer: contrib
+# Module: policykit
+#
+# Policy framework for controlling privileges for system-wide services.
+#
+policykit = off
+
+# Layer: contrib
+# Module: portage
+#
+# Package Management System.
+#
+portage = off
+
+# Layer: contrib
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = off
+
+# Layer: contrib
+# Module: portreserve
+#
+# Reserve well-known ports in the RPC port range.
+#
+portreserve = off
+
+# Layer: contrib
+# Module: portslave
+#
+# Portslave terminal server software.
+#
+portslave = off
+
+# Layer: contrib
+# Module: postfix
+#
+# Postfix email server.
+#
+postfix = off
+
+# Layer: contrib
+# Module: postfixpolicyd
+#
+# Postfix policy server.
+#
+postfixpolicyd = off
+
+# Layer: contrib
+# Module: postgrey
+#
+# Postfix grey-listing server.
+#
+postgrey = off
+
+# Layer: contrib
+# Module: powerprofiles
+#
+# daemon for setting power profiles
+#
+powerprofiles = off
+
+# Layer: contrib
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks.
+#
+ppp = off
+
+# Layer: contrib
+# Module: prelink
+#
+# Prelink ELF shared library mappings.
+#
+prelink = off
+
+# Layer: contrib
+# Module: prelude
+#
+# Prelude hybrid intrusion detection system.
+#
+prelude = off
+
+# Layer: contrib
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = off
+
+# Layer: contrib
+# Module: procmail
+#
+# Procmail mail delivery agent.
+#
+procmail = off
+
+# Layer: contrib
+# Module: psad
+#
+# Intrusion Detection and Log Analysis with iptables.
+#
+psad = off
+
+# Layer: contrib
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP.
+#
+publicfile = off
+
+# Layer: contrib
+# Module: pulseaudio
+#
+# Pulseaudio network sound server.
+#
+pulseaudio = off
+
+# Layer: contrib
+# Module: puppet
+#
+# Configuration management system.
+#
+puppet = off
+
+# Layer: contrib
+# Module: pwauth
+#
+# External plugin for mod_authnz_external authenticator.
+#
+pwauth = off
+
+# Layer: contrib
+# Module: pxe
+#
+# Server for the PXE network boot protocol.
+#
+pxe = off
+
+# Layer: contrib
+# Module: pyzor
+#
+# Pyzor is a distributed, collaborative spam detection and filtering network.
+#
+pyzor = off
+
+# Layer: contrib
+# Module: qemu
+#
+# QEMU machine emulator and virtualizer.
+#
+qemu = off
+
+# Layer: contrib
+# Module: qmail
+#
+# Qmail Mail Server.
+#
+qmail = off
+
+# Layer: contrib
+# Module: qpid
+#
+# Apache QPID AMQP messaging server.
+#
+qpid = off
+
+# Layer: contrib
+# Module: quantum
+#
+# Virtual network service for Openstack.
+#
+quantum = off
+
+# Layer: contrib
+# Module: quota
+#
+# File system quota management.
+#
+quota = off
+
+# Layer: contrib
+# Module: rabbitmq
+#
+# AMQP server written in Erlang.
+#
+rabbitmq = off
+
+# Layer: contrib
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = off
+
+# Layer: contrib
+# Module: radvd
+#
+# IPv6 router advertisement daemon.
+#
+radvd = off
+
+# Layer: contrib
+# Module: raid
+#
+# RAID array management tools.
+#
+raid = off
+
+# Layer: contrib
+# Module: rasdaemon
+#
+# rasdaemon tracks motherboard hardware errors
+#
+rasdaemon = off
+
+# Layer: contrib
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+razor = off
+
+# Layer: contrib
+# Module: rdisc
+#
+# Network router discovery daemon.
+#
+rdisc = off
+
+# Layer: contrib
+# Module: realmd
+#
+# Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.
+#
+realmd = off
+
+# Layer: contrib
+# Module: redis
+#
+# Advanced key-value store.
+#
+redis = off
+
+# Layer: contrib
+# Module: remotelogin
+#
+# Rshd, rlogind, and telnetd.
+#
+remotelogin = off
+
+# Layer: contrib
+# Module: resmgr
+#
+# Resource management daemon.
+#
+resmgr = off
+
+# Layer: contrib
+# Module: rhsmcertd
+#
+# Subscription Management Certificate Daemon.
+#
+rhsmcertd = off
+
+# Layer: contrib
+# Module: rlogin
+#
+# Remote login daemon.
+#
+rlogin = off
+
+# Layer: contrib
+# Module: rngd
+#
+# Check and feed random data from hardware device to kernel random device.
+# +rngd = off + +# Layer: contrib +# Module: rpc +# +# Remote Procedure Call Daemon. +# +rpc = off + +# Layer: contrib +# Module: rpcbind +# +# Universal Addresses to RPC Program Number Mapper. +# +rpcbind = off + +# Layer: contrib +# Module: rpm +# +# Redhat package manager. +# +rpm = off + +# Layer: contrib +# Module: rshd +# +# Remote shell service. +# +rshd = off + +# Layer: contrib +# Module: rssh +# +# Restricted (scp/sftp) only shell. +# +rssh = off + +# Layer: contrib +# Module: rsync +# +# Fast incremental file transfer for synchronization. +# +rsync = off + +# Layer: contrib +# Module: rtkit +# +# Realtime scheduling for user processes. +# +rtkit = off + +# Layer: contrib +# Module: rwho +# +# Who is logged in on other machines? +# +rwho = off + +# Layer: contrib +# Module: samba +# +# SMB and CIFS client/server programs. +# +samba = off + +# Layer: contrib +# Module: samhain +# +# Check file integrity. +# +samhain = off + +# Layer: contrib +# Module: sanlock +# +# shared storage lock manager. +# +sanlock = off + +# Layer: contrib +# Module: sasl +# +# SASL authentication server. +# +sasl = off + +# Layer: contrib +# Module: sblim +# +# Standards Based Linux Instrumentation for Manageability. +# +sblim = off + +# Layer: contrib +# Module: screen +# +# GNU terminal multiplexer. +# +screen = off + +# Layer: contrib +# Module: sendmail +# +# Internetwork email routing facility. +# +sendmail = off + +# Layer: contrib +# Module: sensord +# +# Sensor information logging daemon. +# +sensord = off + +# Layer: contrib +# Module: setroubleshoot +# +# SELinux troubleshooting service. +# +setroubleshoot = off + +# Layer: contrib +# Module: shibboleth +# +# Shibboleth authentication deamon +# +shibboleth = off + +# Layer: contrib +# Module: shorewall +# +# Shoreline Firewall high-level tool for configuring netfilter. +# +shorewall = off + +# Layer: contrib +# Module: shutdown +# +# System shutdown command. 
+# +shutdown = off + +# Layer: contrib +# Module: slocate +# +# Update database for mlocate. +# +slocate = off + +# Layer: contrib +# Module: slpd +# +# OpenSLP server daemon to dynamically register services. +# +slpd = off + +# Layer: contrib +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = off + +# Layer: contrib +# Module: smartmon +# +# Smart disk monitoring daemon. +# +smartmon = off + +# Layer: contrib +# Module: smokeping +# +# Smokeping network latency measurement. +# +smokeping = off + +# Layer: contrib +# Module: smstools +# +# Tools to send and receive short messages through GSM modems or mobile phones. +# +smstools = off + +# Layer: contrib +# Module: snmp +# +# Simple network management protocol services. +# +snmp = off + +# Layer: contrib +# Module: snort +# +# Snort network intrusion detection system. +# +snort = off + +# Layer: contrib +# Module: sosreport +# +# Generate debugging information for system. +# +sosreport = off + +# Layer: contrib +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = off + +# Layer: contrib +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = off + +# Layer: contrib +# Module: squid +# +# Squid caching http proxy server. +# +squid = off + +# Layer: contrib +# Module: sssd +# +# System Security Services Daemon. +# +sssd = off + +# Layer: contrib +# Module: stunnel +# +# SSL Tunneling Proxy. +# +stunnel = off + +# Layer: contrib +# Module: svnserve +# +# Server for the svn repository access method. +# +svnserve = off + +# Layer: contrib +# Module: sxid +# +# SUID/SGID program monitoring. +# +sxid = off + +# Layer: contrib +# Module: sympa +# +# Manage electronic mail discussion and e-newsletter lists. +# +sympa = off + +# Layer: contrib +# Module: sysstat +# +# Reports on various system states. 
+# +sysstat = off + +# Layer: contrib +# Module: systemtap +# +# instrumentation system for Linux. +# +systemtap = off + +# Layer: contrib +# Module: tcpd +# +# TCP daemon. +# +tcpd = off + +# Layer: contrib +# Module: tcsd +# +# TSS Core Services daemon. +# +tcsd = off + +# Layer: contrib +# Module: telepathy +# +# Telepathy communications framework. +# +telepathy = off + +# Layer: contrib +# Module: telnet +# +# Telnet daemon. +# +telnet = off + +# Layer: contrib +# Module: tftp +# +# Trivial file transfer protocol daemon. +# +tftp = off + +# Layer: contrib +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = off + +# Layer: contrib +# Module: thunderbird +# +# Thunderbird email client. +# +thunderbird = off + +# Layer: contrib +# Module: thunderbolt +# +# Thunderbolt management daemon +# +thunderbolt = off + +# Layer: contrib +# Module: timidity +# +# MIDI to WAV converter and player configured as a service. +# +timidity = off + +# Layer: contrib +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages. +# +tmpreaper = off + +# Layer: contrib +# Module: tor +# +# The onion router. +# +tor = off + +# Layer: contrib +# Module: transproxy +# +# Portable Transparent Proxy Solution. +# +transproxy = off + +# Layer: contrib +# Module: tripwire +# +# File integrity checker. +# +tripwire = off + +# Layer: contrib +# Module: tuned +# +# Dynamic adaptive system tuning daemon. +# +tuned = off + +# Layer: contrib +# Module: tvtime +# +# High quality television application. +# +tvtime = off + +# Layer: contrib +# Module: tzdata +# +# Time zone updater. +# +tzdata = off + +# Layer: contrib +# Module: ucspitcp +# +# UNIX Client-Server Program Interface for TCP. +# +ucspitcp = off + +# Layer: contrib +# Module: ulogd +# +# Iptables/netfilter userspace logging daemon. +# +ulogd = off + +# Layer: contrib +# Module: uml +# +# User mode linux tools and services. +# +uml = off + +# Layer: contrib +# Module: updfstab +# +# Red Hat utility to change fstab. 
+# +updfstab = off + +# Layer: contrib +# Module: uptime +# +# Daemon to record and keep track of system up times. +# +uptime = off + +# Layer: contrib +# Module: usbmodules +# +# List kernel modules of USB devices. +# +usbmodules = off + +# Layer: contrib +# Module: usbmuxd +# +# USB multiplexing daemon for communicating with Apple iPod Touch and iPhone. +# +usbmuxd = off + +# Layer: contrib +# Module: userhelper +# +# A wrapper that helps users run system programs. +# +userhelper = off + +# Layer: contrib +# Module: usernetctl +# +# User network interface configuration helper. +# +usernetctl = off + +# Layer: contrib +# Module: uucp +# +# Unix to Unix Copy. +# +uucp = off + +# Layer: contrib +# Module: uuidd +# +# UUID generation daemon. +# +uuidd = off + +# Layer: contrib +# Module: uwimap +# +# University of Washington IMAP toolkit POP3 and IMAP mail server. +# +uwimap = off + +# Layer: contrib +# Module: varnishd +# +# Varnishd http accelerator daemon. +# +varnishd = off + +# Layer: contrib +# Module: vbetool +# +# run real-mode video BIOS code to alter hardware state. +# +vbetool = off + +# Layer: contrib +# Module: vdagent +# +# Spice agent for Linux. +# +vdagent = off + +# Layer: contrib +# Module: vhostmd +# +# Virtual host metrics daemon. +# +vhostmd = off + +# Layer: contrib +# Module: virt +# +# Libvirt virtualization API. +# +virt = off + +# Layer: contrib +# Module: vlock +# +# Lock one or more sessions on the Linux console. +# +vlock = off + +# Layer: contrib +# Module: vmware +# +# VMWare Workstation virtual machines. +# +vmware = off + +# Layer: contrib +# Module: vnstatd +# +# Console network traffic monitor. +# +vnstatd = off + +# Layer: contrib +# Module: vpn +# +# Virtual Private Networking client. +# +vpn = off + +# Layer: contrib +# Module: watchdog +# +# Software watchdog. +# +watchdog = off + +# Layer: contrib +# Module: wdmd +# +# Watchdog multiplexing daemon. 
+# +wdmd = off + +# Layer: contrib +# Module: webadm +# +# Web administrator role. +# +webadm = off + +# Layer: contrib +# Module: webalizer +# +# Web server log analysis. +# +webalizer = off + +# Layer: contrib +# Module: wine +# +# Run Windows programs in Linux. +# +wine = off + +# Layer: contrib +# Module: wireshark +# +# Wireshark packet capture tool. +# +wireshark = off + +# Layer: contrib +# Module: wm +# +# X Window Managers. +# +wm = off + +# Layer: contrib +# Module: xen +# +# Xen hypervisor. +# +xen = off + +# Layer: contrib +# Module: xfs +# +# X Windows Font Server. +# +xfs = off + +# Layer: contrib +# Module: xguest +# +# Least privledge xwindows user role. +# +xguest = off + +# Layer: contrib +# Module: xscreensaver +# +# Modular screen saver and locker for X11. +# +xscreensaver = off + +# Layer: contrib +# Module: zabbix +# +# Distributed infrastructure monitoring. +# +zabbix = off + +# Layer: contrib +# Module: zarafa +# +# Zarafa collaboration platform. +# +zarafa = off + +# Layer: contrib +# Module: zebra +# +# Zebra border gateway protocol network routing service. +# +zebra = off + +# Layer: contrib +# Module: zosremote +# +# z/OS Remote-services Audit dispatcher plugin. 
+#
+zosremote = off
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = off
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = off
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = off
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = off
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = base
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = off
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = off
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = off
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = off
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = base
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = off
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = base
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = off
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = off
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = base
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = off
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = off
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = base
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = base
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = off
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel off utilities
+#
+modutils = base
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = base
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = off
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = off
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+# Layer: contrib
+# Module: switcheroo
+#
+# daemon to switch between discrete and integrated GPUs
+#
+switcheroo = off
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: xdg
+#
+# Policy for xdg cache types
+#
+xdg = off
+
+# Layer: contrib
+# Module: deepin_perm_control
+#
+# Policy for deepin_perm_control
+#
+deepin_perm_control = module
+
diff --git a/debian/patches/0001-deepin-umount-control.patch b/debian/patches/0001-deepin-umount-control.patch
new file mode 100644
index 0000000..759371d
--- /dev/null
+++ b/debian/patches/0001-deepin-umount-control.patch
@@ -0,0 +1,39 @@
+From b326ff0b0a12317382f582ae43e1dc02cc372448 Mon Sep 17 00:00:00 2001
+From: xyr218
+Date: Thu, 31 Oct 2024 19:01:01 +0800
+Subject: [PATCH] 0001-deepin-umount-control.patch
+
+---
+ config/appconfig-mcs/seusers | 2 +-
+ policy/modules/services/deepin_perm_control.te | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
+index 66c6742..cd04920 100644
+--- a/config/appconfig-mcs/seusers
++++ b/config/appconfig-mcs/seusers
+@@ -1,3 +1,3 @@
+ root:unconfined_u:s0-mcs_systemhigh
+ __default__:unconfined_u:s0-mcs_systemhigh
+-sddm:xdm:s0
++#sddm:xdm:s0
+diff --git a/policy/modules/services/deepin_perm_control.te b/policy/modules/services/deepin_perm_control.te
+index 0679477..ec485b7 100644
+--- a/policy/modules/services/deepin_perm_control.te
++++ b/policy/modules/services/deepin_perm_control.te
+@@ -858,3 +858,11 @@ allow deepin_home_sec_t filesystem_type:filesystem associate;
+ allow deepin_home_sec_t self:filesystem associate;
+ allow deepin_executable_file_type deepin_home_sec_t:file ~{ relabelfrom relabelto };
+ allow deepin_executable_file_type deepin_home_sec_t:dir list_dir_perms;
++
++# umount管控
++require {
++ class filesystem unmount;
++}
++type deepin_immutable_t;
++deepin_app_domain_set(deepin_immutable_t);
++allow deepin_immutable_t deepin_ro_file_t:filesystem { unmount };
+\ No newline at end of file
+-- 
+2.20.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 8326dc3..b60e0d2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ thunderbolt
 3000-bookworm
 4000-bubblewrap
 support-v25-usec-policy.patch
+0001-deepin-umount-control.patch
diff --git a/debian/postinst.policy b/debian/postinst.policy
index 4c7a13a..b0a08b2 100644
--- a/debian/postinst.policy
+++ b/debian/postinst.policy
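Review bot: Commenting out `sddm:xdm:s0` in seusers makes the sddm login fall through to the `__default__:unconfined_u:s0-mcs_systemhigh` mapping directly above it, so the display-manager session now runs as the unconfined SELinux user at the top of the MCS range — a privilege widening that the subject "umount control" does not mention and the hunk does not justify. If the line is dropped only because the `xdm` SELinux user is not available in this flavour (modules.conf.usec in this same series sets `xserver = off`), say so beside it: `# xdm is not built in the usec flavour; sddm falls through to __default__`. The new `deepin_immutable_t` domain is granted `unmount` on `deepin_ro_file_t` filesystems, but nothing in the hunk shows an entrypoint or domain transition into it, so as far as this patch shows no process can ever run in that domain — worth confirming against the rest of deepin_perm_control.te, which is outside the hunk. Replace the Chinese `# umount管控` with an English comment that states the intent, e.g. `# umount control: only deepin_immutable_t may unmount deepin_ro_file_t filesystems`, and add the missing final newline that git flags with `\ No newline at end of file`.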
@@ -117,7 +117,11 @@ case "$1" in fi ret=0 - semodule -X $priority $noreload -s $flavour $to_remove $to_install $to_disable || ret=$? + if [ "${flavour}" = "usec" ];then + semodule -X $priority $noreload -s $flavour $to_remove $to_install || ret=$? + else + semodule -X $priority $noreload -s $flavour $to_remove $to_install $to_disable || ret=$? + fi if [ $ret -eq 0 ]; then echo " done." else diff --git a/debian/rules b/debian/rules index 6b31383..9aa2e47 100755 --- a/debian/rules +++ b/debian/rules @@ -2,13 +2,16 @@ # -*- makefile -*- COMMON_OPTIONS = DISTRO=debian DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y WERROR=y -FLAVOURS = default mls +FLAVOURS = default mls usec TYPE_default = mcs UBAC_default = y UNK_PERMS_default = allow TYPE_mls = mls UBAC_mls = n UNK_PERMS_mls = deny +TYPE_usec = mcs +UBAC_usec = y +UNK_PERMS_usec = allow BUILD_DATE := $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d %H:%M:%S" 2>/dev/null) @@ -56,6 +59,7 @@ override_dh_clean: rm -f conf-$$flavour-policy; \ done rm -f install-default-dev; + rm -f install-usec-dev; rm -rf $(CURDIR)/debian/build-docs; rm -rf $(CURDIR)/debian/build-src; rm -rf support/__pycache__/; @@ -63,7 +67,7 @@ override_dh_clean: override_dh_auto_build: $(patsubst %, build-%-policy, $(FLAVOURS)) -override_dh_auto_install: $(patsubst %, install-%-policy, $(FLAVOURS)) install-default-dev install-docs install-src +override_dh_auto_install: $(patsubst %, install-%-policy, $(FLAVOURS)) install-default-dev install-docs install-src override_dh_auto_test: $(patsubst %, test-%-policy, $(FLAVOURS)) @@ -91,6 +95,7 @@ conf-docs: Rules.monolithic config VERSION Changelog COPYING INSTALL \ README man $(CURDIR)/debian/build-docs cp debian/build.conf.default $(CURDIR)/debian/build-docs/build.conf + cp debian/build.conf.usec $(CURDIR)/debian/build-docs/build.conf (cd $(CURDIR)/debian/build-docs ; \ $(MAKE) NAME=default TYPE=mcs UBAC=y UNK_PERMS=allow $(COMMON_OPTIONS) conf) touch $@ 
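Review bot: The usec branch of the new `if` drops `$to_disable` from the semodule call, so whatever that variable collects (it is assembled above the hunk, so this is inferred) is never passed to semodule for this flavour and any such module stays enabled in the usec store after an upgrade — the opposite of the tightening a security flavour is meant to provide. If dropping it is deliberate (for example because modules.conf.usec marks unwanted modules `off` so there is never anything to disable), the branch needs a comment saying exactly that: `# usec: modules.conf.usec builds unwanted modules as off, so there is nothing to -d`. If it is not deliberate, the special case should be removed and the single original call kept. Minor: `];then` should be `]; then` to match the `if [ $ret -eq 0 ]; then` line below. The enclosing `case` arm begins outside the hunk.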
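Review bot: `UNK_PERMS_usec = allow` makes the usec build grant every permission the running kernel knows but the policy does not, which is the permissive choice; the mls flavour two lines above uses `deny`, and a flavour whose purpose is extra control should not be looser than mls on this point. Unless a specific kernel class is known to need it, change the line to `UNK_PERMS_usec = deny`, and if `allow` has to stay, add a comment naming the class that requires it. `TYPE_usec` and `UBAC_usec` are identical to the default flavour's values, so the only thing that distinguishes usec from default at build time is its modules.conf — a one-line comment above `TYPE_usec` saying so would spare the next packager from looking for a difference that is not there.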
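Review bot: The added `cp debian/build.conf.usec $(CURDIR)/debian/build-docs/build.conf` runs immediately after the existing `cp debian/build.conf.default ... build.conf` to the same path, so it silently overwrites it and the docs tree is now configured from the usec build.conf while the `$(MAKE) NAME=default TYPE=mcs ...` on the next line still builds the default flavour. One of the two copies is dead; either drop the usec line (docs are only ever generated once, for default) or make the choice explicit, e.g. `DOC_FLAVOUR ?= default` near the top and `cp debian/build.conf.$(DOC_FLAVOUR) $(CURDIR)/debian/build-docs/build.conf` here. The `conf-docs` recipe begins outside the hunk.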
@@ -145,6 +150,18 @@ install-default-dev: build-default-policy cp -a $(CURDIR)/debian/Makefile.devel $(CURDIR)/debian/tmp/usr/share/selinux/devel/Makefile touch $@ +#install-usec-dev: build-usec-policy +# (cd $(CURDIR)/debian/build-usec; \ +# $(MAKE) NAME=usec TYPE=$(TYPE_usec) UBAC=$(UBAC_usec) UNK_PERMS=$(UNK_PERMS_usec) $(COMMON_OPTIONS) DESTDIR=$(CURDIR)/debian/tmp install-headers) +# mkdir -p $(CURDIR)/debian/tmp/usr/share/selinux/devel/ +# mv $(CURDIR)/debian/tmp/usr/share/selinux/usec/include $(CURDIR)/debian/tmp/usr/share/selinux/devel/ +# cp -a $(CURDIR)/debian/build-usec/doc/policy.dtd $(CURDIR)/debian/tmp/usr/share/selinux/devel/ +# cp -a $(CURDIR)/debian/build-usec/doc/policy.xml $(CURDIR)/debian/tmp/usr/share/selinux/devel/ +# grep -v genfscon.selinuxfs $(CURDIR)/debian/tmp/usr/share/selinux/devel/include/kernel/selinux.if > $(CURDIR)/debian/tmp/usr/share/selinux/devel/include/kernel/selinux.if.new +# mv $(CURDIR)/debian/tmp/usr/share/selinux/devel/include/kernel/selinux.if.new $(CURDIR)/debian/tmp/usr/share/selinux/devel/include/kernel/selinux.if +# cp -a $(CURDIR)/debian/Makefile.devel $(CURDIR)/debian/tmp/usr/share/selinux/devel/Makefile +# touch $@ + install-docs: conf-docs (cd $(CURDIR)/debian/build-docs; \ $(MAKE) NAME=default TYPE=mcs UBAC=n UNK_PERMS=allow $(COMMON_OPTIONS) DESTDIR=$(CURDIR)/debian/tmp/ PKGNAME=selinux-policy-doc conf \ diff --git a/debian/selinux-policy-usec.install b/debian/selinux-policy-usec.install new file mode 100644 index 0000000..00446c7 --- /dev/null +++ b/debian/selinux-policy-usec.install @@ -0,0 +1,6 @@ +etc/selinux/usec/ +usr/share/selinux/usec/.basemodules +usr/share/selinux/usec/.modules +usr/share/selinux/usec/*.pp +var/lib/selinux/usec/ + diff --git a/debian/selinux-policy-usec.lintian-overrides b/debian/selinux-policy-usec.lintian-overrides new file mode 100644 index 0000000..412f5fa --- /dev/null +++ b/debian/selinux-policy-usec.lintian-overrides 
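Review bot: The twelve lines added after `touch $@` are a fully commented-out `install-usec-dev` recipe, which is dead code in a packaging rules file — a reader cannot tell whether it is planned, abandoned, or known to be broken, and the `rm -f install-usec-dev` added to `override_dh_clean` earlier in this diff now cleans a stamp that nothing creates. Either delete the block, or keep it live behind a switch such as `ifeq ($(BUILD_USEC_DEV),y)` ... `endif` with a one-line comment stating why usec development headers are not shipped by default. It looks as if usec module authors are expected to build against the default flavour's devel headers, but nothing in this hunk says so, so that assumption should be written down or corrected. The `install-default-dev` recipe this block follows starts outside the hunk.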
@@ -0,0 +1,2 @@
+selinux-policy-usec: non-standard-dir-perm 0700 != 0755 [var/lib/selinux/usec/]
+
diff --git a/debian/selinux-policy-usec.mainscript b/debian/selinux-policy-usec.mainscript
new file mode 100644
index 0000000..741bf01
--- /dev/null
+++ b/debian/selinux-policy-usec.mainscript
@@ -0,0 +1,6 @@
+rm_conffile /etc/selinux/usec/users/local.users 2:2.20140421-10~
+rm_conffile /etc/selinux/usec/users/system.users 2:2.20140421-10~
+rm_conffile /etc/selinux/usec/modules/semanage.read.LOCK 2:2.20140421-10~
+rm_conffile /etc/selinux/usec/modules/semanage.trans.LOCK 2:2.20140421-10~
+rm_conffile /etc/selinux/usec/modules/active/file_contexts.local 2:2.20140421-10~
+
diff --git a/debian/setrans.conf.usec b/debian/setrans.conf.usec
new file mode 100644
index 0000000..aa70cff
--- /dev/null
+++ b/debian/setrans.conf.usec
@@ -0,0 +1,20 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
+
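Review bot: Every `rm_conffile` entry in the new maintscript carries the version `2:2.20140421-10~`, which predates the selinux-policy-usec package itself, so no installed version can ever be older than it and the five lines are no-ops copied from the default flavour's maintscript. Either drop the file or, if it is kept as a template for future conffile removals, add a leading comment saying that these entries are inherited and inactive, e.g. `# inherited from selinux-policy-default; no usec release predates this version`.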
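Review bot: The comment `# Uncomment the following to disable translation libary` has a typo; it should read `# Uncomment the following to disable translation library`. Beyond the typo, this flavour ships a setrans.conf while modules.conf.usec earlier in this same diff sets `setrans = off`, so if mcstransd is installed on a usec system it would run without the confined domain that module provides — it is worth confirming that is intended and, if so, noting it in a comment at the top of this file.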