author: Jason Zaman <jason@perfinion.com> 2018-06-24 16:44:51 +0800
committer: Jason Zaman <jason@perfinion.com> 2018-06-24 16:44:51 +0800
commit: 0465c1dcb9656c6dc51c33144b7280369a32c776
tree: c15e3e7d3706de00427a4a2e5dbe210ae13b2631 /policy/modules/contrib
parent: Merge upstream, contrib is merged into main tree now
move additional .rst files out of contrib
Diffstat (limited to 'policy/modules/contrib')
-rw-r--r--  policy/modules/contrib/aide.rst     107
-rw-r--r--  policy/modules/contrib/cron.rst     284
-rw-r--r--  policy/modules/contrib/munin.rst    130
-rw-r--r--  policy/modules/contrib/portage.rst  238
4 files changed, 0 insertions, 759 deletions
diff --git a/policy/modules/contrib/aide.rst b/policy/modules/contrib/aide.rst
deleted file mode 100644
index 16922e5a1..000000000
--- a/policy/modules/contrib/aide.rst
+++ /dev/null
@@ -1,107 +0,0 @@
-=================
- aide_selinux
-=================
-
-------------------------------
-SELinux policy module for AIDE
-------------------------------
-
-:Author: Sven Vermeulen <swift@gentoo.org>
-:Date: 2013-04-11
-:Manual section: 8
-:Manual group: SELinux
-
-DESCRIPTION
-===========
-
-The **aide** SELinux module supports the AIDE application (Advanced Intrusion
-Detection Environment) and resources.
-
-DOMAINS
-=======
-
-aide_t
-------
-
-The **aide_t** domain is used for the application runtime context. When the
-``aide`` command is invoked, it should run within this domain.
-
-The use of this domain is restricted to the roles responsible for the security
-administration of the system, so **sysadm_r** and **secadm_r**. It is strongly
-discouraged to allow the use of AIDE for other roles.
-
-Due to its sensitive nature, when the MLS policy is enabled, AIDE runs in the
-**mls_systemhigh** sensitivity.
-
-LOCATIONS
-=========
-
-USER-ORIENTED
--------------
-
-The following list of locations identify file resources that are used by the
-AIDE domain. They are by default allocated towards the default locations for
-AIDE, so if you use a different location, you will need to properly address
-this. You can do so through ``semanage``, like so::
-
- semanage fcontext -a -t aide_db_t "/mnt/db/aide(/.*)?"
-
-The above example marks the */mnt/db/aide* location as the location where
-the AIDE databases are stored (identified through the **aide_db_t** type).
-
-aide_db_t
- is used for the AIDE database location
-
-aide_log_t
- is used for the AIDE logs
-
-OTHER RESOURCES
-===============
-
-EXECUTABLE FILES
-----------------
-
-aide_exec_t
- is used as entry point for the AIDE application that runs in the **aide_t**
- domain
-
-POLICY
-======
-
-The following interfaces can be used to enhance the default policy with
-AIDE-related privileges. More details on these interfaces can be found in the
-interface HTML documentation, we will not list all available interfaces here.
-
-Run interfaces
---------------
-
-The following run interfaces allow users and roles access to the specified
-domains. Only to be used for new user domains and roles.
-
-aide_run
- Allow the specified user domain and role access and transition rights to the
- **aide_t** domain.
-
-aide_admin
- Allow the specified user domain and role access and transition rights to the
- **aide_t** domain, and allow administration of the AIDE related resources.
-
-Domtrans interfaces
--------------------
-
-The following domain transition interfaces allow domains to execute and
-transition into the mentioned AIDE domain. Only to be used for domains
-assumed to be running within the general **system_r** role, or within a role
-already allowed access to the AIDE domain (such as **sysadm_r**).
-
-aide_domtrans
- Allow the specified domain access and transition rights to the **aide_t**
- domain.
-
-SEE ALSO
-========
-
-* Gentoo and SELinux at
- https://wiki.gentoo.org/wiki/SELinux
-* Gentoo Hardened SELinux Project at
- https://wiki.gentoo.org/wiki/Project:Hardened
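Review bot: the commit message says the .rst files are moved, but with the diffstat limited to 'policy/modules/contrib' only the deletion side is visible here; please confirm aide.rst is re-added under its new path in this same commit, otherwise the aide_selinux(8) manual page silently drops out of the build. While it is being relocated, the semanage example and the aide_db_t/aide_log_t descriptions are worth keeping as they are, since they are the only place the non-default database location handling is documented.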
diff --git a/policy/modules/contrib/cron.rst b/policy/modules/contrib/cron.rst
deleted file mode 100644
index a35c26a46..000000000
--- a/policy/modules/contrib/cron.rst
+++ /dev/null
@@ -1,284 +0,0 @@
-============
-cron_selinux
-============
-
-------------------------------
-SELinux policy module for Cron
-------------------------------
-
-:Author: Sven Vermeulen <swift@gentoo.org>
-:Date: 2014-11-11
-:Manual section: 8
-:Manual group: SELinux
-
-DESCRIPTION
-===========
-
-The **cron** SELinux module supports various Unix cron daemons, including (but
-not limited to) vixie-cron, cronie, fcron and anacron.
-
-The SELinux cron support is somewhat more complex than most other SELinux
-domains, because the cron daemon is responsible for executing workload in the
-context of end users as well as the overall system. Most Cron implementations
-are also SELinux-aware, so having some understanding of how they operate is
-important.
-
-Most of these cron implementations use the SELinux ownership of the crontab
-file (the file which contains the execution task definitions) to determine
-in which context a task is to be executed. For instance, if a crontab file
-installed in ``/var/spool/cron/crontabs`` has a SELinux context whose SELinux
-owner is *staff_u*, then the tasks defined in it will be run through either
-the general cronjob domain (*cronjob_t*) or the end user domain (*staff_t*)
-depending on the value of the *cron_userdomain_transition* boolean.
-
-This boolean, if set to 1 (true), will have the tasks run in the user domain
-(such as *staff_t*, *sysadm_t*, *unconfined_t*, etc.) whereas, if it is set
-to 0 (false), will have the tasks run in the general cronjob domain
-(*cronjob_t*) for end user tasks, or the system cronjob domain
-(*system_cronjob_t*) for system tasks.
-
-The latter is also an important detail - if for some reason packages deploy
-their tasks as end user cronjobs, then the resulting commands might not be
-running in the proper domain. As a general rule, system cronjobs are defined
-in either ``/etc/crontab`` or in files in the ``/etc/cron.d`` directory. End
-user cronjobs are defined in files in the ``/var/spool/cron/crontabs``
-directory.
-
-System administration
----------------------
-
-To perform system administration tasks (non-end user tasks) through cron jobs,
-take the following considerations into account:
-
-* To ensure that the jobs run in the right context (*system_cronjob_t* for
- starts), make sure that the cronjob definitions (the crontab files) are
- inside ``/etc/crontab`` or in the ``/etc/cron.d`` directories.
-* Have the scripts to be executed labeled properly, and consider using a domain
- transition for these scripts (through ``cron_system_entry()``).
-* Make sure the ``HOME`` directory is set to ``/`` so that the target domains
- do not need any privileges inside end user locations (including ``/root``).
-
-User cronjobs
--------------
-
-When working with end user crontabs (those triggered / managed through the
-**crontab** command), take care that this is done as the SELinux user which is
-associated with the file. This is for two reasons:
-
-1. If ``USE="ubac"`` is set, then the SELinux User Based Access Control is
- enabled. This could prevent one SELinux user from editing (or even viewing)
- the crontab files of another user.
-2. The owner of the crontab file is also used by most cron implementations to
- find out which context the user cronjob should run in. If this ownership is
- incorrect, then the cronjob might not even launch properly, or run in the
- wrong context.
-
-If this was not done correctly, you will get the following error::
-
- cron[20642]: (root) ENTRYPOINT FAILED (crontabs/root)
-
-If the above error still comes up even though the ownership of the ``crontab``
-file is correct, then check the state of the *cron_userdomain_transition*
-boolean and the ``default_contexts`` file. If the boolean is set to true, then
-the ``default_contexts`` file (or the user-specific files in the ``users/``
-directory) should target the user domains instead of the cronjob domains::
-
- ~# getsebool cron_userdomain_transition
- cron_userdomain_transition --> on
-
- ~# grep crond_t /etc/selinux/*/contexts{default_contexts,users/*}
- system_r:crond_t:s0 user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
-
-Remember that the default context definitions in the ``users/`` directory
-take priority over the ones defined in the ``default_contexts`` files.
-
-BOOLEANS
-========
-
-The following booleans are defined through the **cron** SELinux policy module.
-They can be toggled using ``setsebool``, like so::
-
- setsebool -P cron_userdomain_transition on
-
-cron_can_relabel
- Allow system cron jobs to relabel files on the file system (and restore the
- context of files). This privilege is assigned to the *system_cronjob_t*
- domain.
-
-cron_userdomain_transition
- If enabled, end user cron jobs run in their default associated user domain
- (such as *user_t* or *unconfined_t*) instead of the general end user cronjob
- domain (*cronjob_t*).
-
- This also requires that the ``default_contexts`` file (inside
- ``/etc/selinux/*/contexts``) is updated accordingly, mentioning that the target
- contexts are now the user domains rather than the cronjob domains.
-
-fcron_crond
- Enable additional SELinux policy rules needed for the fcron cron implementation.
-
-DOMAINS
-=======
-
-crond_t
--------
-
-The main cron domain is *crond_t*, used by the cron daemon. It is generally
-responsible for initiating the cronjob tasks, detecting changes on the crontab
-files and reloading the configuration if that happens.
-
-Almost all cron implementations are launched through their respective init
-script.
-
-Some cron implementations which are not SELinux-aware might have the cronjobs
-themselves also run through the *crond_t* domain.
-
-cronjob_t
----------
-
-The *cronjob_t* domain is used for end user generic cronjobs.
-
-system_cronjob_t
-----------------
-
-The *system_cronjob_t* domain is used for system cronjobs.
-
-crontab_t
----------
-
-The *crontab_t* domain is used by end users' **crontab** execution (the command
-used to manipulate end user crontab files).
-
-admin_crontab_t
----------------
-
-The *admin_crontab_t* domain is used by administrators4 **crontab** execution
-(the command used to manipulate crontab files).
-
-LOCATIONS
-=========
-
-The following list of locations identify file resources that are used by the
-cron domains. They are by default allocated towards the default locations for
-cron, so if you use a different location, you will need to properly address
-this. You can do so through ``semanage``, like so::
-
- semanage fcontext -a -t system_cron_spool_t "/usr/local/etc/cron\.d(/.*)?"
-
-The above example marks the */usr/local/etc/cron.d* location as the location where
-system cronjob definitions are stored.
-
-FUNCTIONAL
-----------
-
-cron_spool_t
- is used for the end user cronjob definition files
-
-sysadm_cron_spool_t
- is used for the administrator cronjob definition files
-
-system_cron_spool_t
- is used for the system cronjob definition files
-
-EXECUTABLES
------------
-
-anacron_exec_t
- is used for the **anacron** binary
-
-crond_exec_t
- is used for the cron daemon binary
-
-crond_initrc_exec_t
- is used for the cron init script (such as ``/etc/init.d/crond``)
-
-crontab_exec_t
- is used for the **crontab** binary
-
-
-DAEMON FILES
-------------
-
-cron_log_t
- is used for the cron log files
-
-cron_var_lib_t
- is used for the variable state information of the cron daemon
-
-crond_tmp_t
- is used for the temporary files created/managed by the cron daemon
-
-crond_var_run_t
- is used for the variable runtime information of the cron daemon
-
-POLICY
-======
-
-The following interfaces can be used to enhance the default policy with
-cron-related provileges. More details on these interfaces can be found in the
-interface HTML documentation, we will not list all available interfaces here.
-
-Domain interaction
-------------------
-
-The most interesting definition in the policy is the ``cron_system_entry``
-interface. It allows for the system cronjob domain (*system_cronjob_t*) to
-execute a particular type (second argument) and transition to a given domain
-(first argument).
-
-For instance, to allow a system cronjob to execute any portage commands::
-
- cron_system_entry(portage_t, portage_exec_t)
-
-
-It is generally preferred to transition a system cron job as fast as possible
-to a specific domain rather than enhancing the *system_cronjob_t* with
-additional privileges.
-
-Role interfaces
----------------
-
-The following role interfaces allow users and roles access to the specified
-domains. Only to be used for user domains and roles.
-
-cron_role
- is used to allow users and roles access to the cron related domains. This
- one should be used for end users, not administrators.
-
- For instance::
-
- cron_role(myuser_r, myuser_t)
-
-cron_admin_role
- is used to allow users and roles administrative access to the cron related
- domains.
-
- For instance::
-
- cron_admin_role(myuser_r, myuser_t)
-
-BUGS
-====
-
-Munin
------
-
-The ``net-analyzer/munin`` package deploys the munin cronjobs as end user
-cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to
-be executed as the munin Linux account, but the jobs themselves are best seen
-as system cronjobs (as they are not related to a true interactive end user).
-
-The default deployed files might not get the *system_u* SELinux ownership
-assigned. To fix this, execute the following command::
-
- ~# chcon -u system_u /var/spool/cron/crontabs/munin
-
-For more information, see bug #526532.
-
-
-SEE ALSO
-========
-
-* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
-* Gentoo Hardened SELinux Project at
- https://wiki.gentoo.org/wiki/Project:Hardened
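Review bot: the grep example in the cron_userdomain_transition troubleshooting section is missing the slash before the brace expansion: `grep crond_t /etc/selinux/*/contexts{default_contexts,users/*}` expands to `.../contextsdefault_contexts` and `.../contextsusers/*`, neither of which exists, so the check never finds the crond_t line it is meant to show. When the file is re-added at its new location it should read `grep crond_t /etc/selinux/*/contexts/{default_contexts,users/*}`. The same pass should fix 'provileges' in the POLICY paragraph and 'administrators4' in the admin_crontab_t description, and the Munin entry under BUGS (the chcon -u system_u fix for bug #526532) is repeated verbatim in munin.rst in this same patch; keeping it in one file with a cross-reference from the other avoids the two copies drifting apart.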
diff --git a/policy/modules/contrib/munin.rst b/policy/modules/contrib/munin.rst
deleted file mode 100644
index 220c75e10..000000000
--- a/policy/modules/contrib/munin.rst
+++ /dev/null
@@ -1,130 +0,0 @@
-=============
-munin_selinux
-=============
-
--------------------------------
-SELinux policy module for Munin
--------------------------------
-
-:Author: Sven Vermeulen <swift@gentoo.org>
-:Date: 2014-11-11
-:Manual section: 8
-:Manual group: SELinux
-
-DESCRIPTION
-===========
-
-The *munin* SELinux module supports the Munin networked resource management
-tool.
-
-DOMAINS
-=======
-
-The following is a list of munin related domains.
-
-munin_t
- is the main domain for the munin daemon
-
-'*'_munin_plugin_t
- is a set of domains related to the munin plugins
-
-LOCATIONS
-=========
-
-The following list of locations identify file resources that are used by the
-munin domains. They are by default allocated towards the default locations for
-munin, so if you use a different location, you will need to properly address
-this. You can do so through ``semanage``, like so::
-
- semanage fcontext -a -t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?"
-
-The above example marks the */usr/local/share/munin/plugins* location as the location where
-munin plugin executables are stored.
-
-FUNCTIONAL
-----------
-
-munin_etc_t
- is used for the munin configuration files
-
-EXECUTABLES
------------
-
-munin_exec_t
- is used for the munin binaries
-
-munin_initrc_exec_t
- is used for the munin init script
-
-'*'_munin_plugin_exec_t
- is used for the munin plugin executables
-
-DAEMON FILES
-------------
-
-munin_log_t
- is used for the munin logs
-
-munin_plugin_state_t
- is used for the munin plugin state information
-
-munin_var_lib_t
- is used for the variable information used by munin
-
-munin_var_run_t
- is used for the variable runtime state information of munin
-
-POLICY
-======
-
-The following interfaces can be used to enhance the default policy with
-munin-related provileges. More details on these interfaces can be found in the
-interface HTML documentation, we will not list all available interfaces here.
-
-Plugin template
----------------
-
-With the ``munin_plugin_template`` interface, additional munin plugin domains
-can be created. The interface takes a single prefix (like "disk") and will create
-the proper types and privileges, including (using "disk" as the example):
-
-* *disk_munin_plugin_t* as plugin domain
-* *disk_munin_plugin_exec_t* as plugin executable type
-* *disk_munin_plugin_tmp_t* as plugin temporary file type
-
-To enable it::
-
- munin_plugin_template(disk)
-
-Administrative role
--------------------
-
-The ``munin_admin`` interface grants a user role and type administrative access
-to the munin types::
-
- munin_admin(myuser_t, myuser_r)
-
-BUGS
-====
-
-Munin
------
-
-The ``net-analyzer/munin`` package deploys the munin cronjobs as end user
-cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to
-be executed as the munin Linux account, but the jobs themselves are best seen
-as system cronjobs (as they are not related to a true interactive end user).
-
-The default deployed files might not get the *system_u* SELinux ownership
-assigned. To fix this, execute the following command::
-
- ~# chcon -u system_u /var/spool/cron/crontabs/munin
-
-For more information, see bug #526532.
-
-SEE ALSO
-========
-
-* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
-* Gentoo Hardened SELinux Project at
- https://wiki.gentoo.org/wiki/Project:Hardened
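Review bot: the semanage example in LOCATIONS assigns a cron spool type to the plugin directory, `semanage fcontext -a -t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?"`, which contradicts both the sentence right after it ("marks the ... location as the location where munin plugin executables are stored") and the EXECUTABLES section of the same file, which says plugin executables carry the `'*'_munin_plugin_exec_t` types; the example looks copied from cron.rst and should use one of the munin plugin exec types when the file is re-added. Also 'provileges' in the POLICY paragraph, and the BUGS section is a verbatim copy of the one in cron.rst (see the note there).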
diff --git a/policy/modules/contrib/portage.rst b/policy/modules/contrib/portage.rst
deleted file mode 100644
index ac03eb2e3..000000000
--- a/policy/modules/contrib/portage.rst
+++ /dev/null
@@ -1,238 +0,0 @@
-=================
- portage_selinux
-=================
-
-----------------------------------------
-SELinux policy module for Gentoo Portage
-----------------------------------------
-
-:Author: Sven Vermeulen <swift@gentoo.org>
-:Date: 2013-04-11
-:Manual section: 8
-:Manual group: SELinux
-
-DESCRIPTION
-===========
-
-The **portage** SELinux module supports the various SELinux domains and types
-related to Gentoo Portage. This includes the main **portage_t** domain and the
-functionality-related **portage_sandbox_t** and **portage_fetch_t** domains.
-Another provided domain is **gcc_config_t** for the ``gcc-config`` helper script.
-
-BOOLEANS
-========
-
-The following booleans are defined through the **portage** SELinux policy
-module. They can be toggled using ``setsebool``, like so::
-
- setsebool -P portage_use_nfs on
-
-portage_use_nfs
- Determine whether portage can use nfs file systems
-
-DOMAINS
-=======
-
-portage_t
----------
-
-The **portage_t** domain is used for the majority of Portage related applications.
-Applications that, when executed, will run in this domain are ``emerge``,
-``ebuild``, ``quickpkg``, ``regenworld``, ``sandbox`` and ``glsa-check``.
-
-This domain is able to trigger builds (for which it transitions to
-**portage_sandbox_t**) and holds the rights to merge the eventually built
-software onto the main system. As such, it should be regarded as a highly
-privileged domain.
-
-By default, only the **sysadm_r** role is allowed to transition to the
-**portage_t** domain as this domain is used for system administrative
-purposes.
-
-portage_fetch_t
----------------
-
-The **portage_fetch_t** domain is used to manage and update the Portage tree.
-
-Permission-wise, it is allowed to transition to the **portage_t** domain when
-it, for instance, needs to update metadata.
-
-The domain is affected by the following booleans:
-
-* **portage_use_nfs** allows the **portage_fetch_t** domain to manage NFS-hosted
- files, such as an NFS-hosted Portage tree.
-
-portage_sandbox_t
------------------
-
-The **portage_sandbox_t** domain is used when building software. It has a wide
-range of read rights as it has to be flexible enough to support all possible
-software builds. This includes networking support (for instance when using
-``distcc``).
-
-This domain is only transitioned towards by the **portage_t** domain and is not
-directly accessible. Also, this domain is not allowed to transition towards any
-other domain.
-
-The domain is affected by the following booleans:
-
-* **portage_use_nfs** allows the **portage_sandbox_t** domain to manage
- NFS-hosted files.
-
- If you have the repository on an NFS share, or any of the Portage related
- locations (such as the temporary build dir) on NFS, then you will need to
- enable this boolean.
-
-gcc_config_t
-------------
-
-The **gcc_config_t** domain is used by the ``gcc-config`` helper script which
-allows users to switch between installed compilers and compiler specifications.
-
-By default, only the **sysadm_r** role is allowed to transition to the
-**gcc_config_t** domain as this domain is used for system administrative
-purposes.
-
-The domain is affected by the following booleans:
-
-* **portage_use_nfs** allows the **gcc_config_t** domain to read NFS hosted
- files. This was made necessary as the ``gcc-config`` application underlyingly
- uses Portage code, which reads information from the repository and configuration
- locations.
-
- This boolean only needs to be set if you have the Portage tree hosted on an
- NFS share.
-
-LOCATIONS
-=========
-
-USER-ORIENTED
--------------
-
-The following list of locations identify file resources that are used by the
-Portage domains. They are by default allocated towards the default locations for
-Portage, so if you use a different location, you will need to properly address
-this. You can do so through ``semanage``, like so::
-
- semanage fcontext -a -t portage_ebuild_t "/var/portage/tree(/.*)?"
-
-The above example marks the */var/portage/tree* location as the location where
-the Portage tree is stored (identified through the **portage_ebuild_t** type).
-
-portage_conf_t
- is used for the Portage configuration files, and defaults to
- */etc/portage*. It is also used for files or links such as
- */etc/make.profile*.
-
-portage_ebuild_t
- is used for the Portage tree, and defaults to */usr/portage*
- This also includes the downloaded source code archives.
-
-portage_log_t
- is used for the Portage logging. It is used for files such as
- */var/log/emerge.log*, */var/log/emerge-fetch.log* and the */var/log/portage/*
- directory.
-
-portage_srcrepo_t
- is used for the live ebuild source code repositories,
- and is used by locations such as */usr/portage/distfiles/cvs-src*.
-
-portage_tmp_t
- is used for the Portage domain temporary files and the build location. It
- is by default assigned to locations such as */var/tmp/portage*.
-
-INTERNAL
---------
-
-portage_cache_t
- is used to identify the Portage cache (*/var/lib/portage*)
-
-portage_db_t
- is used for the Portage database files (*/var/db/pkg*)
-
-OTHER RESOURCES
-===============
-
-EXECUTABLE FILES
-----------------
-
-portage_exec_t
- is used as entry point for the various Portage applications that generally run
- in the **portage_t** domain
-
-portage_fetch_exec_t
- is used as the entry point for the fetch-related applications, which generally
- run in the **portage_fetch_t** domain
-
-gcc_config_exec_t
- is used as the entry point for the ``gcc-config`` application.
-
-POLICY
-======
-
-The following interfaces can be used to enhance the default policy with
-Portage-related privileges. More details on these interfaces can be found in the
-interface HTML documentation, we will not list all available interfaces here.
-
-Run interfaces
---------------
-
-The following run interfaces allow users and roles access to the specified
-domains. Only to be used for new user domains and roles.
-
-portage_run
- Allow the specified user domain and role access and transition rights
- to the **portage_t** domain.
-
-portage_run_fetch
- Allow the specified user domain and role access and transition rights
- to the **portage_fetch_t** domain.
-
-portage_run_gcc_config
- Allow the specified user domain and role access and transition rights
- to the **gcc_config_t** domain.
-
-Domtrans interfaces
--------------------
-
-The following domain transition interfaces allow domains to execute and
-transition into the mentioned Portage domains. Only to be used for domains
-assumed to be running within the general **system_r** role, or within a role
-already allowed access to the Portage domains (such as **sysadm_r**).
-
-portage_domtrans
- Allow the specified domain access and transition rights to the
- **portage_t** domain.
-
-portage_domtrans_fetch
- Allow the specified domain access and transition rights to the
- **portage_fetch_t** domain.
-
-portage_domtrans_gcc_config
- Allow the specified domain access and transition rights to the
- **gcc_config_t** domain.
-
-Resource access
----------------
-
-The following interfaces allow a specified domain access to the Portage
-resources. These can be assigned on user domains as well.
-
-portage_read_config
- Allow the specified domain read access on the Portage configuration files
-
-portage_read_ebuild
- Allow the specified domain read access on the Portage tree.
-
- For instance, if you want to allow the **httpd_t** domain (used by web server
- domains) read access::
-
- portage_read_ebuild( httpd_t )
-
-SEE ALSO
-========
-
-* Gentoo and SELinux at
- https://wiki.gentoo.org/wiki/SELinux
-* Gentoo Hardened SELinux Project at
- https://wiki.gentoo.org/wiki/Project:Hardened
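Review bot: two consistency points to carry over when the file is re-added: the example `portage_read_ebuild( httpd_t )` has spaces inside the parentheses while every other interface call in this patch is written `name(arg)` (for instance `cron_system_entry(portage_t, portage_exec_t)`), and the portage_ebuild_t entry runs 'defaults to */usr/portage* This also includes the downloaded source code archives.' without a sentence break. The portage_use_nfs description ('Determine whether portage can use nfs file systems') also lacks a terminating period and writes 'nfs' in lowercase where the rest of the file uses NFS.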