<h1>Status</h1>
<strong>Current Version: 20050707</strong>
<p>
See <a href="index.php?page=download">download</a> for download
information. Details of this release are part of the <a href="html/Changelog.txt">changelog</a>. This release
focused on infrastructure, organization, and initial design rather than
comprehensive policy coverage or security improvements. Currently only the
strict policy is supported, with targeted policy support planned for the future.
<br> <strong>Warning</strong>: This is a prototype release, not meant to be used
on real systems. It is targeted towards developers, to show the direction of
the policy's development and to solicit feedback.
</p>
<h1>Roadmap</h1>
<table cellpadding="3" cellspacing="0" border="1">
<tbody>
<tr>
<th colspan="3" class="title">Reference Policy Roadmap</th>
</tr>
<tr>
<td class="header">Version</td>
<td class="header">Date</td>
<td class="header">Description</td>
</tr>
<tr>
<td>0.1</td>
<td>June 2005</td>
<td>Initial public release, basic policy restructuring, some infrastructure, few modules, and minimal documentation.</td>
</tr>
<tr>
<td>0.2</td>
<td>July 2005</td>
<td>Restructuring complete, additional modules, and improved infrastructure.</td>
</tr>
<tr>
<td>0.3</td>
<td>August 2005</td>
<td>Additional modules, documentation, and base module configuration support.</td>
</tr>
<tr>
<td>0.4</td>
<td>September 2005</td>
<td>Additional modules, documentation, and tested loadable module support.</td>
</tr>
<tr>
<td>0.5</td>
<td>October 2005</td>
<td>Additional modules, documentation, targeted policy, and tested MLS support.</td>
</tr>
<tr>
<td>0.6</td>
<td>December 2005</td>
<td>Additional modules, documentation, and module variations.</td>
</tr>
</tbody>
</table>
<h1>Status and Tasks</h1>
<table border="1" cellspacing="0" cellpadding="3">
<tr>
<th class="title" colspan="3">Reference Policy Status</th>
</tr>
<tr>
<td class="header">Task/Component</td><td class="header">Status</td><td class="header">Description</td>
</tr>
<tr>
<td>Policy Structure</td>
<td>Complete</td>
<td>The policy is converted over to the new Reference Policy structure.</td>
</tr>
<tr>
<td>TE Policy</td>
<td>Conversion Ongoing</td>
<td>Conversion of the old policy to Reference Policy modules is ongoing.</td>
</tr>
<tr>
<td>Loadable Policy Modules</td>
<td>Major improvements</td>
<td>Infrastructure is in place to support both source policy and
loadable policy modules. Makefile support is planned.</td>
</tr>
<tr>
<td>Documentation Infrastructure</td>
<td>Interfaces complete</td>
<td>Tools to create webpages from the module interface documentation
are complete. Adding tunables to the webpages is planned.</td>
</tr>
<tr>
<td>Policy Documentation</td>
<td>Ongoing</td>
<td>Most kernel layer modules are documented.</td>
</tr>
<tr>
<td>Unused Modules</td>
<td>Complete</td>
<td>Modules can be disabled by using modules.conf.</td>
</tr>
<tr>
<td>MLS Infrastructure</td>
<td>Minor improvements</td>
<td>MLS infrastructure added to support easy conversion between
MLS and non-MLS policy. The policy is compilable, but
untested.</td>
</tr>
<tr>
<td>Network Infrastructure</td>
<td>Minor improvements</td>
<td>All network ports, nodes, and interfaces moved to the
corenetwork module; interfaces are generated automatically.
Plan to add more infrastructure for configuration of
ports, nodes, and interfaces.</td>
</tr>
<tr>
<td>User domains and roles</td>
<td>Minor improvements</td>
<td>Some infrastructure added to support per-user domain policy,
e.g., to create types and policy for ssh
for each user. Plan to add infrastructure to easily
configure user domains and roles.</td>
</tr>
<tr>
<td>Labeling</td>
<td>Minor improvements</td>
<td>All labeling moved to modules, consistent with the Reference
Policy structure.</td>
</tr>
<tr>
<td>Tunables</td>
<td>Minor improvements</td>
<td>Tunables are documented, and in the future will be included
in the webpage policy documentation.</td>
</tr>
<tr>
<td>Users</td>
<td>Unchanged</td>
<td>Assignment of users to roles.</td>
</tr>
<tr>
<td>Constraints</td>
<td>Unchanged</td>
<td>Plan to split up into the relevant modules. There are ordering
problems with source policies.</td>
</tr>
<tr>
<td>Flask</td>
<td>Unchanged</td>
<td>Headers for the policy, describing object classes and
their permissions. No planned changes.</td>
</tr>
<tr>
<td>Genhomedircon</td>
<td>Unchanged</td>
<td>Tool to properly label users' home directories.
No planned changes.</td>
</tr>
</table>
<h2>Policy Conversion</h2>
<p>
This phase of Reference Policy development involves the conversion of policies
from the example strict policy. We have been using the Fedora strict policy
version 1.23.2-1 as a baseline for policy conversion, which is available
on the <a href="index.php?page=download">download</a> page. Once these policies
have been added to Reference Policy, it can be updated to be in line with current
versions of the NSA example policy. For those who wish to contribute, here
is a listing of modules which still need to be converted:
</p>
<ul>
<li>acct</li>
<li>arpwatch</li>
<li>automount</li>
<li>bind</li>
<li>bluetooth</li>
<li>cdrecord</li>
<li>comsat</li>
<li>cyrus</li>
<li>dictd</li>
<li>dovecot</li>
<li>fetchmail</li>
<li>fingerd</li>
<li>firstboot</li>
<li>ftpd</li>
<li>games</li>
<li>gpm</li>
<li>howl</li>
<li>inn</li>
<li>ipsec</li>
<li>irqbalance</li>
<li>ktalkd</li>
<li>kudzu</li>
<li>loadkeys</li>
<li>lockdev</li>
<li>mrtg</li>
<li>mysql</li>
<li>ntpd</li>
<li>pcmcia (was cardmgr)</li>
<li>portmap</li>
<li>postfix</li>
<li>postgresql</li>
<li>prelink</li>
<li>procmail</li>
<li>quota</li>
<li>radius</li>
<li>radvd</li>
<li>raid (was mdadm)</li>
<li>rlogin</li>
<li>rsync</li>
<li>samba</li>
<li>sasl</li>
<li>screen</li>
<li>slocate</li>
<li>slrnpull</li>
<li>snmp</li>
<li>spamassassin</li>
<li>squid</li>
<li>stunnel</li>
<li>sysstat</li>
<li>tcpd</li>
<li>telnet</li>
<li>tftp</li>
<li>tmpreaper</li>
<li>uml</li>
<li>updfstab</li>
<li>userhelper</li>
<li>vpnc</li>
<li>zebra</li>
</ul>
<h2>Testing Status</h2>
<p>
A very minimal Red Hat Enterprise Linux 4 system with the following RPMs
can be successfully booted in enforcing mode, and users can log in locally,
with Reference Policy:
</p>
<ul>
<li>libgcc-3.4.3-9.EL4</li>
<li>rootfiles-8-1</li>
<li>filesystem-2.3.0-1</li>
<li>termcap-5.4-3</li>
<li>glibc-common-2.3.4-2</li>
<li>bzip2-libs-1.0.2-13</li>
<li>device-mapper-1.00.19-2</li>
<li>elfutils-libelf-0.97-5</li>
<li>expat-1.95.7-4</li>
<li>glib2-2.4.7-1</li>
<li>libattr-2.4.16-3</li>
<li>libcap-1.10-20</li>
<li>libsepol-1.1.1-2</li>
<li>db4-4.2.52-7.1</li>
<li>libtermcap-2.0.8-39</li>
<li>mktemp-1.5-20</li>
<li>iproute-2.6.9-3</li>
<li>less-382-4</li>
<li>pcre-4.5-3</li>
<li>usbutils-0.11-6.1</li>
<li>vim-minimal-6.3.046-0.40E.4</li>
<li>info-4.7-5</li>
<li>diffutils-2.8.1-12</li>
<li>gawk-3.1.3-10.1</li>
<li>coreutils-5.2.1-31</li>
<li>gzip-1.3.3-13</li>
<li>module-init-tools-3.1-0.pre5.3</li>
<li>procps-3.2.3-7EL</li>
<li>sed-4.1.2-4</li>
<li>MAKEDEV-3.15-2</li>
<li>sysklogd-1.4.1-26_EL</li>
<li>cracklib-2.7-29</li>
<li>pam-0.77-65.1</li>
<li>SysVinit-2.85-34</li>
<li>lvm2-2.00.31-1.0.RHEL4</li>
<li>kernel-2.6.9-5.0.5.EL</li>
<li>libuser-0.52.5-1</li>
<li>crontabs-1.10-7</li>
<li>tmpwatch-2.9.1-1</li>
<li>m4-1.4.1-16</li>
<li>mgetty-1.1.31-2</li>
<li>time-1.7-25</li>
<li>dhclient-3.0.1-12_EL</li>
<li>samhain-2.0.6-1</li>
<li>hwdata-0.146.1.EL-1</li>
<li>redhat-logos-1.1.25-1</li>
<li>setup-2.5.37-1.1</li>
<li>basesystem-8.0-4</li>
<li>tzdata-2004e-2</li>
<li>glibc-2.3.4-2</li>
<li>beecrypt-3.1.0-6</li>
<li>chkconfig-1.3.11.2-1</li>
<li>e2fsprogs-1.35-11.6.EL4</li>
<li>ethtool-1.8-4</li>
<li>gdbm-1.8.0-24</li>
<li>iputils-20020927-16</li>
<li>libacl-2.2.23-5</li>
<li>libselinux-1.19.1-7</li>
<li>libstdc++-3.4.3-9.EL4</li>
<li>mingetty-1.07-3</li>
<li>bash-3.0-19.2</li>
<li>ncurses-5.4-13</li>
<li>net-tools-1.60-37</li>
<li>popt-1.9.1-7_nonptl</li>
<li>redhat-release-4AS-2</li>
<li>hotplug-2004_04_01-7.2</li>
<li>zlib-1.2.1.2-1</li>
<li>cpio-2.5-7.EL4.1</li>
<li>findutils-4.1.20-7</li>
<li>grep-2.5.1-31</li>
<li>grub-0.95-3.1</li>
<li>readline-4.3-13</li>
<li>rpm-libs-4.3.3-7_nonptl</li>
<li>shadow-utils-4.0.3-41.1</li>
<li>rpm-4.3.3-7_nonptl</li>
<li>tar-1.14-4</li>
<li>cracklib-dicts-2.7-29</li>
<li>policycoreutils-1.18.1-4</li>
<li>util-linux-2.12a-16.EL4.6</li>
<li>udev-039-10.8.EL4</li>
<li>initscripts-7.93.11.EL-1</li>
<li>mkinitrd-4.1.18-2</li>
<li>passwd-0.68-10</li>
<li>bzip2-1.0.2-13</li>
<li>logrotate-3.7.1-2</li>
<li>libxml2-2.6.16-6</li>
<li>make-3.80-5</li>
<li>iptables-1.2.11-3.1.RHEL4</li>
<li>vixie-cron-4.1-20_EL</li>
<li>comps-4AS-0.20050107</li>
</ul>